WO2023246649A1 - Communication method, communication apparatus and communication system - Google Patents

Communication method, communication apparatus and communication system

Info

Publication number: WO2023246649A1
Authority: WO, WIPO (PCT)
Prior art keywords: network element, akma, terminal device, function network, information
Application number: PCT/CN2023/100763
Other languages: French (fr), Chinese (zh)
Inventors: 李�赫, 吴�荣, 吴义壮
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023246649A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • the present application relates to the field of wireless communication technology, and in particular to communication methods, communication devices and communication systems.
  • AF application function
  • both parties need to use an application key to encrypt the transmitted content.
  • the application key used by the terminal device is generated by the terminal device, and the application key used by the AF network element is generated by the authentication and key management for applications (AKMA) anchor function (AAnF) network element and sent to the AF network element.
  • the AF network element and the AAnF network element are located in the same public land mobile network, so the AF network element can connect to the AAnF network element and request the AAnF network element to obtain the application key.
  • the AF network element communicating with the terminal device may not be able to directly connect to the terminal device's home AAnF (home AAnF, hAAnF) network element.
  • the AF network element may therefore not be able to obtain the application key, which makes the communication insecure.
  • This application provides communication methods, communication devices and communication systems to ensure secure communication between terminal equipment and AF network elements.
  • embodiments of the present application provide a communication method, which can be executed by a network storage function network element or a module applied to a network storage function network element.
  • the network storage function network element receives a request message from the first network element, and the request message includes a selection parameter; when the terminal device is in the roaming state, the network storage function network element selects, according to the selection parameter, the visited AKMA anchor function network element that provides services for the terminal device; the network storage function network element then sends a response message to the first network element, and the response message includes the information of the visited AKMA anchor function network element.
  • the network storage function network element selects a visited AKMA anchor function network element.
  • this visited AKMA anchor function network element can not only serve as a transit node but also generate the application key for secure communication between the terminal device and the application function network element.
  • the application function network element can therefore accurately obtain the application key, which facilitates using the application key to encrypt the communication content between the terminal device and the application function network element and helps to improve communication security.
  • the network storage function network element selecting the visited AKMA anchor function network element that provides services for the terminal device includes: when the network storage function network element stores an AKMA anchor function network element corresponding to the selection parameter, the network storage function network element selects the AKMA anchor function network element corresponding to the selection parameter as the visited AKMA anchor function network element; or, when the network storage function network element does not store an AKMA anchor function network element corresponding to the selection parameter, the network storage function network element selects the default AKMA anchor function network element as the visited AKMA anchor function network element.
  • with the above solution, a suitable visited AKMA anchor function network element can be selected.
  • the selection parameter includes one or more of the routing identifier of the terminal device, information about the home public land mobile network (HPLMN) of the terminal device, information about the visited public land mobile network (VPLMN) where the first network element is located, or the VPLMN information of the terminal device.
  • based on the selection parameter, the appropriate visited AKMA anchor function network element can be determined.
  • the selection parameter includes one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device; the network storage function network element determines that the terminal device is in the roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the network storage function network element determines that the terminal device is in a roaming state based on the received indication information.
  • the network storage function network element determines that the terminal device is in the roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the terminal device being in the roaming state means that the terminal device is located in the visited network, or that the application function network element communicating with the terminal device cannot directly connect to the home AKMA anchor function network element of the terminal device.
  • embodiments of the present application provide a communication method.
  • the method can be executed by a first network element or a module applied to the first network element.
  • the first network element can be a network open function network element or an application function network element.
  • the first network element determines the selection parameters and sends them to the network storage function network element; the selection parameters are used to select the visited AKMA anchor function network element that provides services for the terminal device; the first network element receives the information of the visited AKMA anchor function network element from the network storage function network element and, based on that information, sends a request message to the visited AKMA anchor function network element.
  • the request message requests the application key used for secure communication between the visiting application function network element and the terminal device.
  • when the terminal device is in the roaming state, the first network element requests the network storage function network element to select a visited AKMA anchor function network element.
  • the visited AKMA anchor function network element can either serve as a transit node or generate the application key for secure communication between the terminal device and the application function network element.
  • this enables the application function network element to accurately obtain the application key, which facilitates using the application key to encrypt the communication content between the terminal device and the application function network element and helps to improve communication security.
  • the selection parameter includes one or more of the routing identifier of the terminal device, information about the home public land mobile network (HPLMN) of the terminal device, information about the visited public land mobile network (VPLMN) where the first network element is located, or the VPLMN information of the terminal device.
  • based on the selection parameter, the appropriate visited AKMA anchor function network element can be determined.
  • the first network element determines that the terminal device is roaming based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the first network element sends indication information to the terminal device, and the indication information indicates that the terminal device is in a roaming state.
  • the first network element determining the selection parameter includes: the first network element determines the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; wherein the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device, and the VPLMN information of the terminal device; and the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, and the HPLMN information of the terminal device.
  • the first network element is the visited application function network element, and the visited application function network element receives the application session establishment request message from the terminal device; or, the first network element is the network open function network element, and the network open function network element receives the application key request message from the visited application function network element.
  • embodiments of the present application provide a communication method, which can be executed by a terminal device or a module applied to the terminal device. Taking the terminal device executing this method as an example, the terminal device determines whether the terminal device is in a roaming state; when the terminal device is in a roaming state, the terminal device determines the first AKMA root key, the first AKMA root key is used to determine a first application key, and the first application key is used for secure communication between the terminal device and the visited application function network element.
  • when the terminal device is in the roaming state, the terminal device generates the first AKMA root key.
  • the first AKMA root key is used to determine the first application key.
  • the first application key is used for secure communication between the terminal device and the visited application function network element, which helps to accurately determine the key for communication with the visited application function network element.
  • the terminal device determining the first AKMA root key includes: the terminal device determines the first AKMA root key according to the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device; the second AKMA root key is used to determine a second application key.
  • the second application key is used for secure communication between the terminal device and the home application function network element.
  • the terminal device determining the first AKMA root key includes: the terminal device determines the first AKMA root key based on the VPLMN information of the terminal device, the user permanent identity (SUPI) of the terminal device and the authentication server function root key.
  • the terminal device determines that the terminal device is in a roaming state based on the received indication information.
  • embodiments of the present application provide a communication method, which can be executed by a visited AKMA anchor function network element or a module applied to a visited AKMA anchor function network element. Taking the visited AKMA anchor function network element executing this method as an example, the visited AKMA anchor function network element receives the first AKMA root key from the home AKMA anchor function network element; the visited AKMA anchor function network element determines, based on the first AKMA root key, the first application key for secure communication between the visited application function network element and the terminal device.
  • the visited AKMA anchor function network element stores the AKMA root key.
  • embodiments of the present application provide a communication method, which can be executed by the home AKMA anchor function network element or a module applied to the home AKMA anchor function network element.
  • the home AKMA anchor function network element obtains the first AKMA root key; the home AKMA anchor function network element sends the first AKMA root key to the visited AKMA anchor function network element.
  • the first AKMA root key is used to determine the first application key.
  • the first application key is used for secure communication between the terminal device and the visiting application function network element.
  • the home AKMA anchor function network element obtaining the first AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key; the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the home AKMA anchor function network element determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key as well as the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element obtaining the first AKMA root key includes: the home AKMA anchor function network element receives the first AKMA root key from the authentication server function network element.
  • embodiments of the present application provide a communication method, which can be executed by the home AKMA anchor function network element or a module applied to the home AKMA anchor function network element.
  • the home AKMA anchor function network element determines whether the terminal device is in the roaming state; when the terminal device is in the roaming state, the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key.
  • the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visited application function network element;
  • the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • after the home AKMA anchor function network element determines that the UE is in the roaming state, it can generate an AKMA root key for the visited AKMA anchor function network element and send that AKMA root key to the visited AKMA anchor function network element.
  • this key is used by the visited AKMA anchor function network element, which achieves key isolation between different AKMA anchor function network elements: the visited AKMA anchor function network element and the home AKMA anchor function network element use different AKMA root keys, which helps ensure the security of the keys and thereby improves the security of communication.
  • the home AKMA anchor point function network element stores the first AKMA root key.
  • the home AKMA anchor point function network element sends the first AKMA root key to the visiting AKMA anchor point function network element.
  • the home AKMA anchor function network element receives a request message from the visited AKMA anchor function network element.
  • the request message is used to request the AKMA root key.
  • the home AKMA anchor function network element sending the first AKMA root key to the visited AKMA anchor function network element includes: the home AKMA anchor function network element sends the first AKMA root key to the visited AKMA anchor function network element based on the request message.
  • the home AKMA anchor function network element determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element determining whether the terminal device is in a roaming state includes: the home AKMA anchor function network element receives indication information from the authentication server function network element, the indication information indicates that the terminal device is in the roaming state, and the home AKMA anchor function network element determines that the terminal device is in the roaming state based on the indication information.
  • the home AKMA anchor function network element determining whether the terminal device is in a roaming state includes: the home AKMA anchor function network element determines whether the terminal device is in the roaming state based on the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • embodiments of the present application provide a communication method, which can be executed by an authentication server functional network element or a module applied to the authentication server functional network element.
  • the authentication server function network element determines whether the terminal device is in the roaming state; when the terminal device is in the roaming state, the authentication server function network element determines the AKMA root key based on the VPLMN information of the terminal device.
  • after the authentication server function network element determines that the terminal device is in the roaming state, it can generate an AKMA root key and send the AKMA root key to the visited AKMA anchor function network element through the home AKMA anchor function network element.
  • this key is used by the visited AKMA anchor function network element, which achieves key isolation between different AKMA anchor function network elements: the visited AKMA anchor function network element and the home AKMA anchor function network element use different AKMA root keys, which helps ensure the security of the keys and thereby improves the security of communication.
  • the authentication server functional network element stores the AKMA root key.
  • the authentication server function network element sends the AKMA root key to the home AKMA anchor point function network element.
  • the authentication server function network element determining the AKMA root key based on the VPLMN information of the terminal device includes: the authentication server function network element determines the AKMA root key based on the VPLMN information of the terminal device, the user permanent identity (SUPI) of the terminal device and the authentication server function root key.
  • the authentication server function network element determining whether the terminal device is in a roaming state includes: the authentication server function network element determines whether the terminal device is in the roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the location where the authentication server function network element is located, or the VPLMN information of the terminal device.
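The root-key derivations the page describes for the terminal device, the home AKMA anchor function and the authentication server function (a visited root key from the home root key plus HPLMN/VPLMN information, or from the authentication server function root key plus SUPI and VPLMN information), together with the key isolation they give, as an added Python sketch that is not code from the patent or from any 3GPP implementation. The KDF shape and the FC values for K_AKMA and K_AF follow 3GPP TS 33.535 Annex A; the two roaming FC values, the PLMN strings, the SUPI and the AF_ID are constructed placeholders.

```python
import hashlib
import hmac

# FC values from 3GPP TS 33.535 Annex A.
FC_K_AKMA = 0x80   # K_AKMA = KDF(K_AUSF, 0x80, "AKMA", SUPI)
FC_K_AF = 0x82     # K_AF   = KDF(K_AKMA, 0x82, AF_ID)

# Placeholder FC values for the two roaming derivations the page describes.
# They are assumptions: the page names the inputs of each derivation but not
# the exact formula, and no standardized FC exists for them.
FC_VISITED_FROM_AUSF = 0xF0    # AUSF path: K_AUSF + SUPI + VPLMN info
FC_VISITED_FROM_HAANF = 0xF1   # hAAnF / UE path: home K_AKMA + HPLMN/VPLMN info


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).

    Each Li is the two-octet big-endian length of Pi.
    """
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def is_roaming(hplmn: str, serving_plmn: str) -> bool:
    """Roaming check from PLMN information (MCC+MNC strings): the check the
    page's network elements make when they compare HPLMN and VPLMN information."""
    return hplmn != serving_plmn


def home_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """The page's 'second' (home) AKMA root key: the normal K_AKMA derivation."""
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def visited_k_akma_from_ausf(k_ausf: bytes, supi: str, vplmn: str) -> bytes:
    """The page's 'first' (visited) AKMA root key, derived by the AUSF from the
    AUSF root key, the SUPI and the VPLMN information (seventh-aspect path)."""
    return kdf(k_ausf, FC_VISITED_FROM_AUSF, b"AKMA", supi.encode(), vplmn.encode())


def visited_k_akma_from_haanf(k_akma_home: bytes, hplmn: str, vplmn: str) -> bytes:
    """The 'first' AKMA root key derived by the hAAnF (and, symmetrically, the
    terminal device) from the home root key plus HPLMN and VPLMN information."""
    return kdf(k_akma_home, FC_VISITED_FROM_HAANF, b"AKMA", hplmn.encode(), vplmn.encode())


def k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """Application key for one AF, bound to AF_ID (FQDN || Ua* protocol id)."""
    return kdf(k_akma, FC_K_AF, af_id)


def derive_af_key(k_ausf: bytes, supi: str, hplmn: str, serving_plmn: str,
                  af_id: bytes, path: str = "haanf"):
    """Choose the root key an AF in serving_plmn may be served from and derive K_AF.

    Returns (root_key_kind, k_af). A non-roaming UE keeps the home root key; a
    roaming UE gets a visited root key, so the vAAnF never holds the home
    K_AKMA. That is the key isolation between anchor functions the page describes.
    """
    if not is_roaming(hplmn, serving_plmn):
        return "home", k_af(home_k_akma(k_ausf, supi), af_id)
    if path == "ausf":
        root = visited_k_akma_from_ausf(k_ausf, supi, serving_plmn)
    else:
        root = visited_k_akma_from_haanf(home_k_akma(k_ausf, supi), hplmn, serving_plmn)
    return "visited", k_af(root, af_id)


# Constructed sample input, not real subscriber or operator data.
K_AUSF = hashlib.sha256(b"constructed K_AUSF for the example").digest()
SUPI = "imsi-001010123456789"
HPLMN = "00101"   # MCC 001, MNC 01 (test PLMN)
VPLMN = "00102"   # a second test PLMN, used as the visited network
AF_ID = b"af.example.invalid" + b"\x01\x00\x00\x00\x00"  # assumed Ua* protocol id

if __name__ == "__main__":
    for plmn in (HPLMN, VPLMN):
        kind, key = derive_af_key(K_AUSF, SUPI, HPLMN, plmn, AF_ID)
        print(f"serving PLMN {plmn}: {kind} root key, K_AF={key.hex()[:16]}...")
```

The same function run on the terminal device and on the anchor function yields the same K_AF, while the visited and home anchor functions end up with different root keys.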
  • inventions of the present application provide a communication device.
  • the device may be a network storage function network element, or may be a chip for a network storage function network element.
  • the device has the function of implementing any implementation method of the above-mentioned first aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be a first network element or a chip used for the first network element.
  • the device has the function of implementing any implementation method of the above second aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be a terminal device or a chip for the terminal device.
  • the device has the function of implementing any implementation method of the above third aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • inventions of the present application provide a communication device.
  • the device may be a visited AKMA anchor function network element, or may be a chip used for the visited AKMA anchor function network element.
  • the device has the function of implementing any implementation method of the fourth aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • inventions of the present application provide a communication device.
  • the device may be a home AKMA anchor point function network element, or may be a chip used for the home AKMA anchor point function network element.
  • the device has the function of realizing any implementation method of the fifth aspect or the sixth aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be an authentication server functional network element, or may be a chip used for the authentication server functional network element.
  • the device has the function of implementing any implementation method of the seventh aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, including a processor coupled to a memory, and the processor is configured to call a program stored in the memory to execute any implementation of the above-mentioned first to seventh aspects.
  • the memory may be located within the device or external to the device.
  • the processor can be one or more.
  • embodiments of the present application provide a communication device, including a processor and a memory; the memory is used to store computer instructions, and when the device is running, the processor executes the computer instructions stored in the memory, so that the device executes any implementation method in the above first to seventh aspects.
  • an embodiment of the present application provides a communication device, including units or means for executing each step of any implementation method in the above-mentioned first to seventh aspects.
  • embodiments of the present application provide a communication device, including a processor and an interface circuit.
  • the processor is configured to communicate with other devices through the interface circuit and perform any implementation method in the above-mentioned first to seventh aspects.
  • the processor includes one or more.
  • embodiments of the present application further provide a computer-readable storage medium in which instructions are stored; when the instructions run on a communication device, any implementation method of the above-described first to seventh aspects is executed.
  • embodiments of the present application further provide a computer program product.
  • the computer program product includes a computer program or instructions.
  • when the computer program or instructions are run by a communication device, any implementation method of the above-mentioned first to seventh aspects is executed.
  • embodiments of the present application further provide a chip system, including: a processor, configured to execute any implementation method in the above-mentioned first to seventh aspects.
  • embodiments of the present application also provide a communication system, which includes a network storage function network element for performing any implementation method of the first aspect, and a first network element for performing any implementation method of the second aspect.
  • embodiments of the present application further provide a communication system, which includes a visited AKMA anchor function network element for performing any implementation method of the fourth aspect, and a home AKMA anchor function network element for performing any implementation method of the fifth aspect.
  • embodiments of the present application also provide a communication method, including: when the terminal device is in a roaming state, the first network element determines the selection parameters; the first network element sends a first request message to the network storage function network element, and the first request message includes the selection parameter; the network storage function network element selects, according to the selection parameter in the first request message, the visited AKMA anchor function network element that provides services for the terminal device; the network storage function network element sends a response message to the first network element, where the response message includes information about the visited AKMA anchor function network element.
  • Figure 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of the 5G network architecture based on service-based architecture
  • Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interface
  • Figure 4 is an architectural diagram of adding AKMA related functions to the 5G network
  • Figure 5 is a schematic diagram of a K AKMA generation method provided by an embodiment of the present application.
  • Figure 6 is a schematic diagram of a method of using K AKMA provided by an embodiment of the present application.
  • Figure 7 is a schematic diagram of a method of using K AKMA provided by an embodiment of the present application.
  • Figure 8 is a schematic diagram of the AKMA roaming architecture provided in this embodiment.
  • Figure 9(a) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 9(b) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 9(c) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 10 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 11 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 12 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 13 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • Figure 14 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • the system includes a network storage function network element and a first network element.
  • the system also includes a home AKMA.
  • the system shown in Figure 1 can be used in the fifth generation (5G) network architecture shown in Figures 2 to 4.
  • 5G fifth generation
  • 6G sixth generation
  • Network architecture, etc. are not limited by this application.
  • the first network element is used to determine selection parameters when the terminal device is in a roaming state; and send a first request message to the network storage function network element, where the first request message includes the selection parameter.
  • the network storage function network element is configured to receive the first request message from the first network element; select, according to the selection parameter in the first request message, the visited AKMA anchor function network element that provides services for the terminal device; and send a response message to the first network element, where the response message includes information about the visited AKMA anchor function network element.
  • the first network element is also used to receive the response message.
  • the first network element is also configured to send a second request message to the visited AKMA anchor function network element according to the information of the visited AKMA anchor function network element.
  • the second request message requests the first application key used for secure communication between the visited application function network element and the terminal device; the visited AKMA anchor function network element is used to receive the second request message, obtain the first AKMA root key, determine the first application key from the first AKMA root key, and send the first application key to the first network element.
  • the home AKMA anchor function network element is used to obtain the first AKMA root key and to send the first AKMA root key to the visited AKMA anchor function network element; the visited AKMA anchor function network element is specifically configured to receive the first AKMA root key from the home AKMA anchor function network element.
  • the home AKMA anchor function network element is specifically used to determine the first AKMA root key based on the second AKMA root key, where the second AKMA root key is used to determine the second application key.
  • the second application key is used for secure communication between the terminal device and the home application function network element.
  • the home AKMA anchor function network element is specifically configured to determine the first AKMA root key from the second AKMA root key together with the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element is specifically configured to receive the first AKMA root key from the authentication server function network element.
  • the first network element is a visited application function network element; the visited application function network element is also used to receive an application session establishment request message from the terminal device, where the application session establishment request message includes information used to determine the selection parameter.
  • the first network element is a network exposure function network element; the network exposure function network element also receives an application key request message from a visited application function network element, where the application key request message includes information used to determine the selection parameter.
  • the network storage function network element is specifically used to select the AKMA anchor function network element corresponding to the selection parameter as the visited AKMA anchor function network element when it stores an AKMA anchor function network element corresponding to the selection parameter; or, when it stores no AKMA anchor function network element corresponding to the selection parameter, to select the default AKMA anchor function network element as the visited AKMA anchor function network element.
  • the selection parameter includes one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device; the network storage function network element is also used to determine that the terminal device is in a roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the network storage function network element is also used to determine that the terminal device is in a roaming state based on the received indication information.
  • the network storage function network element is also used to determine that the terminal device is in a roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the first network element is also configured to confirm that the terminal device is in a roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the first network element is also configured to send indication information to the terminal device, where the indication information indicates that the terminal device is in a roaming state.
  • the first network element is specifically configured to determine the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device and the VPLMN information of the terminal device; the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
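The selection logic summarised above, on the NRF side, as an added example (not code from the patent or from any 3GPP implementation): an NRF holding a registry of AAnF profiles decides the roaming state from the selection parameter (explicit indication first, then VPLMN against HPLMN, then its own PLMN against the UE's HPLMN) and picks the vAAnF registered for that HPLMN, falling back to the default AAnF. Class and field names, the "<MCC>-<MNC>" PLMN strings and the registry contents are assumptions.

```python
"""NRF-side vAAnF selection for a roaming UE, as described in the summary above.
Added example with illustrative names; the page fixes the inputs, not an API."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AanfProfile:
    instance_id: str
    plmn_id: str              # PLMN in which this AAnF is deployed
    hplmns: frozenset         # home PLMNs it is configured to anchor for inbound roamers
    is_default: bool = False  # fallback when no profile matches the selection parameter


@dataclass
class SelectionParameter:
    # one or more of these, exactly as the summary lists them
    ue_hplmn: Optional[str] = None
    first_ne_vplmn: Optional[str] = None
    ue_vplmn: Optional[str] = None
    roaming_indication: Optional[bool] = None  # explicit indication carried in the request


class Nrf:
    def __init__(self, own_plmn: str, profiles: List[AanfProfile]):
        self.own_plmn = own_plmn
        self.profiles = profiles

    def ue_is_roaming(self, sel: SelectionParameter) -> bool:
        """Explicit indication wins; otherwise compare a VPLMN with the HPLMN;
        otherwise compare the NRF's own PLMN with the HPLMN."""
        if sel.roaming_indication is not None:
            return sel.roaming_indication
        if sel.ue_hplmn is None:
            raise ValueError("HPLMN of the UE is needed to decide the roaming state")
        for vplmn in (sel.ue_vplmn, sel.first_ne_vplmn):
            if vplmn is not None:
                return vplmn != sel.ue_hplmn
        return self.own_plmn != sel.ue_hplmn

    def select_vaanf(self, sel: SelectionParameter) -> AanfProfile:
        if not self.ue_is_roaming(sel):
            raise LookupError("UE is not roaming; the home AAnF serves it")
        vplmn = sel.ue_vplmn or sel.first_ne_vplmn or self.own_plmn
        candidates = [p for p in self.profiles if p.plmn_id == vplmn]
        for p in candidates:                  # AAnF registered for this HPLMN
            if sel.ue_hplmn in p.hplmns:
                return p
        for p in candidates:                  # otherwise the default AAnF of the VPLMN
            if p.is_default:
                return p
        raise LookupError(f"no AAnF in {vplmn} can anchor roamers from {sel.ue_hplmn}")


def demo() -> dict:
    # Constructed registry of a visited PLMN "262-001" (not real operator data)
    nrf = Nrf("262-001", [
        AanfProfile("aanf-partner", "262-001", frozenset({"001-001"})),
        AanfProfile("aanf-default", "262-001", frozenset(), is_default=True),
    ])
    partner = nrf.select_vaanf(SelectionParameter(ue_hplmn="001-001", ue_vplmn="262-001"))
    fallback = nrf.select_vaanf(SelectionParameter(ue_hplmn="310-410", first_ne_vplmn="262-001"))
    # No VPLMN supplied: roaming is decided from the NRF's own PLMN against the UE's HPLMN
    by_own_plmn = nrf.ue_is_roaming(SelectionParameter(ue_hplmn="001-001"))
    return {"partner": partner.instance_id, "fallback": fallback.instance_id, "by_own_plmn": by_own_plmn}


if __name__ == "__main__":
    print(demo())
```

The order of the roaming checks matters in practice: an explicit indication from the first network element should not be overridden by a PLMN comparison, and the NRF's own PLMN is only a reliable signal when the NRF that received the request really is the visited network's NRF.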
  • next generation mobile communication network system Next Generation System
  • 5G network architecture Next Generation Mobile communication network system
  • This architecture supports not only the radio access technologies defined by the 3GPP standards group (such as long term evolution (LTE) access and 5G radio access network (RAN) access) connecting to the 5G core network (CN), but also non-3GPP access technologies connecting to the core network through a non-3GPP interworking function (N3IWF) or a next generation packet data gateway (ngPDG).
  • LTE long term evolution
  • RAN radio access network
  • CN 5G core Core network
  • N3IWF non-3GPP interworking function
  • ngPDG next generation packet data gateway
  • FIG. 2 is a schematic diagram of the 5G network architecture based on service-based architecture.
  • the 5G network architecture shown in Figure 2 may include access network equipment and core network equipment. Terminal equipment is connected to the data network (DN) through access network equipment and core network equipment.
  • the core network equipment includes, but is not limited to, some or all of the following network elements: authentication server function (AUSF) network element (not shown in the figure), unified data management (UDM) network element, unified data repository (UDR) network element, network repository function (NRF) network element (not shown in the figure), network exposure function (NEF) network element (not shown in the figure), application function (AF) network element, policy control function (PCF) network element, access and mobility management function (AMF) network element, session management function (SMF) network element, user plane function (UPF) network element, and binding support function (BSF) network element (not shown in the figure).
  • AUSF authentication server function
  • UDM unified data management
  • UDR unified data repository
  • the terminal equipment can be user equipment (UE), mobile station, mobile terminal equipment, etc.
  • Terminal devices can be used in a wide range of scenarios, such as device-to-device (D2D) communication, vehicle to everything (V2X) communication, machine-type communication (MTC), the Internet of Things (IoT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grid, smart home, smart office, wearables, smart transportation, smart city, etc.
  • Terminal devices can be mobile phones, tablets, computers with wireless transceiver functions, wearable devices, vehicles, urban air vehicles (such as drones, helicopters, etc.), ships, robots, robotic arms, smart home devices, etc.
  • A long-term key and the related functions are stored in the terminal device. When the terminal device performs mutual authentication with core network elements (such as the AMF and AUSF network elements), it uses the long-term key and the related functions to verify the authenticity of the network.
  • core network elements such as AMF network elements and AUSF network elements
  • the access network equipment may be a wireless access network equipment (RAN equipment) or a wired access network equipment.
  • wireless access network equipment includes 3GPP access network equipment, untrusted non-3GPP access network equipment and trusted non-3GPP access network equipment.
  • 3GPP access network equipment includes, but is not limited to, evolved base stations (evolved NodeB, eNodeB) in LTE, next generation base stations (next generation NodeB, gNB) in 5G mobile communication systems, base stations in future mobile communication systems, and modules or units that implement part of the functions of a base station, such as centralized units (CU) and distributed units (DU).
  • Untrusted non-3GPP access network equipment includes, but is not limited to, untrusted non-3GPP access gateways or N3IWF equipment, untrusted wireless local area network (WLAN) access points (AP), switches, and routers.
  • Trusted non-3GPP access network equipment includes but is not limited to: trusted non-3GPP access gateways, trusted WLAN APs, switches, and routers.
  • Wired access network equipment includes but is not limited to: wired access gateway, fixed telephone network equipment, switches, and routers.
  • Access network equipment and terminal equipment can be fixed or mobile. They can be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water, or in the air on aircraft, balloons and satellites. The embodiments of this application do not limit the application scenarios of access network equipment and terminal equipment.
  • AMF network elements include functions such as mobility management and access authentication/authorization. In addition, it is also responsible for transmitting user policies between the terminal device and the PCF.
  • SMF network elements include functions such as performing session management, executing control policies issued by PCF network elements, selecting UPF network elements, or allocating Internet Protocol (IP) addresses of terminal devices.
  • IP Internet Protocol
  • the UPF network element includes functions such as user plane data forwarding, session/flow level-based billing statistics or bandwidth limitation.
  • UDM network elements include functions such as handling and managing subscription data and authorizing user access.
  • UDR includes access functions for subscription data, policy data and application data.
  • NEF network element is used to support the opening of capabilities and events.
  • AF network element transmits the requirements from the application side to the network side, such as QoS requirements or user status event subscriptions.
  • AF can be a third-party functional entity or an application service deployed by an operator, such as IP Multimedia Subsystem (IMS) voice call service.
  • IMS IP Multimedia Subsystem
  • AF network elements include AF network elements within the core network (that is, the operator's AF network elements) and third-party AF network elements (such as an enterprise's application server).
  • the PCF network element includes policy control functions such as session and service flow level billing, QoS bandwidth guarantee, mobility management, or terminal device policy decision-making.
  • PCF network elements include access and mobility management policy control function (AM PCF) network elements and session management policy control function (session management PCF, SM PCF) network elements.
  • AM PCF access and mobility management policy control function
  • SM PCF session management policy control function
  • the AM PCF network element is used to formulate AM policies and user policies for terminal equipment.
  • the AM PCF network element can also be called the policy control network element that provides services for terminal equipment (PCF for a UE).
  • the SM PCF network element is used to formulate a session management policy (SM policy) for the session.
  • the SM PCF network element can also be called the policy control network element that provides services for the session (PCF for a PDU session).
  • NRF network elements can be used to provide network element discovery functions and provide network element information corresponding to network element types based on requests from other network elements. NRF network elements also provide network element management services, such as network element registration, update, de-registration, network element status subscription and push, etc.
  • the BSF network element can provide functions such as BSF service registration/unregistration/update, connection detection with NRF network elements, session binding information creation, terminal device information acquisition, or session binding information query for duplicate IP addresses.
  • the AUSF network element is responsible for authenticating users to determine whether users or devices are allowed to access the network.
  • DN is a network located outside the operator's network.
  • the operator's network can access multiple DNs.
  • a variety of services can be deployed on the DN, which can provide data and/or voice services to terminal devices.
  • DN is a private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • DN is the internal office network of a company.
  • the mobile phones or computers of employees of the company can be used as terminal devices.
  • the employees' mobile phones or computers can access information and data resources on the company's internal office network.
  • Npcf, Nudr, Nudm, Naf, Namf, and Nsmf are the service interfaces provided by the above-mentioned PCF, UDR, UDM, AF, AMF, and SMF respectively, and are used to call corresponding service operations.
  • N1, N2, N3, N4 and N6 are interface serial numbers. The meanings of these interface serial numbers are as follows:
  • N1 The interface between the AMF network element and the terminal device can be used to transmit non-access stratum (NAS) signaling (such as QoS rules from the AMF network element) to the terminal device.
  • NAS non-access stratum
  • N2 The interface between the AMF network element and the access network equipment, which can be used to transfer radio bearer control information and similar information from the core network side to the access network equipment.
  • N3 The interface between the access network equipment and the UPF network element, mainly used to transmit uplink and downlink user plane data between the access network equipment and the UPF network element.
  • N4 The interface between the SMF network element and the UPF network element, which can be used to transfer information between the control plane and the user plane, including delivery of user-plane forwarding rules, QoS rules and traffic statistics rules from the control plane, and reporting of user plane information to the control plane.
  • N6 The interface between the UPF network element and the DN, used to transmit the uplink and downlink user data flows between the UPF network element and the DN.
  • Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • the interfaces between the control plane network elements in Figure 2 are service-oriented interfaces, while the interfaces between the control plane network elements in Figure 3 are point-to-point interfaces.
  • N1, N2, N3, N4 and N6 interfaces can refer to the previous description.
  • N5 The interface between the AF network element and the PCF network element, which can be used to deliver application service requests and report network events.
  • N7 The interface between the PCF network element and the SMF network element, which can be used to deliver PDU session granularity and service data flow granularity control policies.
  • N8 The interface between the AMF network element and the UDM network element, which can be used by the AMF network element to obtain access and mobility management related subscription data and authentication data from the UDM network element, and by the AMF to register terminal device mobility management related information with the UDM.
  • N9 The user plane interface between UPF network elements and UPF network elements, used to transmit uplink and downlink user data flows between UPF network elements.
  • N10 The interface between the SMF network element and the UDM network element, which can be used by the SMF network element to obtain session management related subscription data from the UDM network element, and by the SMF network element to register terminal device session related information with the UDM.
  • N11 The interface between the SMF network element and the AMF network element, which can be used to transfer PDU session tunnel information between the access network device and the UPF network element, control messages sent to the terminal device, and radio resource control information sent to the access network device.
  • N15 The interface between the PCF network element and the AMF network element, which can be used to deliver terminal device policies and access control-related policies.
  • N35 The interface between UDM network element and UDR network element, which can be used by UDM network element to obtain user subscription data information from UDR network element.
  • N36 The interface between the PCF network element and the UDR network element, which can be used by the PCF network element to obtain policy related subscription data and application data related information from the UDR network element.
  • Figure 4 is an architectural diagram of adding AKMA related functions to the 5G network.
  • Figure 4 shows AKMA-related functions added to the 5G architecture shown in Figure 1.
  • AKMA-related functions can also be added to the 5G architecture shown in Figure 2. The principles are similar and will not be described again.
  • the AAnF network element is added in Figure 4.
  • the AAnF network element can request the AKMA root key (K AKMA ) from the AUSF, and then determine, based on K AKMA , the application key (K AF ) used by the AF and the validity time of K AF .
  • K AKMA AKMA root key
  • K AF application key
  • the AF network element needs to interact with the AAnF network element to obtain K AF and the effective time of K AF .
  • the AF network element can be located inside or outside the 5G core network. If the AF network element is inside the 5G core network, it can interact with the PCF network element directly. If the AF network element is outside the 5G core network, it interacts with the PCF network element via the NEF network element, that is, the NEF network element serves as the intermediate network element between the AF network element and the PCF network element.
  • the AUSF network element can generate K AKMA for the AAnF network element.
  • the above network elements or functions can be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • a platform for example, a cloud platform.
  • the above network element or function can be implemented by one device, or can be implemented by multiple devices together, or can be a functional module in one device, which is not specifically limited in the embodiments of this application.
  • the embodiment of the present application uses a UE as an example of a terminal device.
  • the UE described below can be replaced with a terminal device.
  • the AUSF network element, UDM network element, AMF network element, AAnF network element, AF network element, NEF network element and NRF network element are abbreviated below as AUSF, UDM, AMF, AAnF, AF, NEF and NRF respectively.
  • FIG. 5 is a schematic diagram of a K AKMA generation method provided by an embodiment of the present application. The method includes the following steps:
  • Step 501 AUSF sends an authentication request message to UDM. Accordingly, UDM receives the authentication request message.
  • the authentication request message includes a Subscription Permanent Identifier (SUPI) or a Subscription Concealed Identifier (SUCI).
  • the authentication request message is used to request an authentication vector from the UDM.
  • the authentication vector is used to trigger the core network.
  • the AMF provides SUCI to the AUSF
  • the authentication request message includes the SUCI.
  • the authentication request message includes SUPI.
  • the authentication request message may be a Nudm_UEAuthentication_Get Request message.
  • Step 502 UDM sends an authentication response message to AUSF. Accordingly, the AUSF receives the authentication response message.
  • the authentication response message includes the authentication vector.
  • the authentication response message also contains AKMA indication information.
  • the UE supporting the AKMA service means that the UE has the AKMA capability and the UE's services can use AKMA.
  • the authentication response message may be a Nudm_UEAuthentication_Get Response message.
  • Step 503 If the AUSF received the AKMA indication information from the UDM, then after the primary authentication procedure has completed successfully the AUSF generates K AKMA and the AKMA key identifier (A-KID) from the AUSF root key (K AUSF ).
  • A-KID is used to identify K AKMA .
  • A-KID is in Network Access Identifier (NAI) format, that is, username@realm.
  • the username part includes a routing identifier (RID) and an AKMA Temporary UE Identifier (A-TID).
  • RID is part of SUCI and is represented by 1 to 4 decimal digits.
  • A-TID is a temporary identification generated based on K AUSF .
  • the realm part includes a home network identifier (Home Network Identifier), which may specifically be the identification information of the home public land mobile network (Home Public Land Mobile Network Identifier, HPLMN ID). The home public land mobile network is also called the home network.
  • this RID can be used by AMF to select AUSF.
  • AMF can select AUSF based on RID and HPLMN ID.
  • the RID can also be used by AUSF to select UDM.
  • AUSF selects UDM based on RID and HPLMN ID.
  • After the primary authentication procedure, the UE also generates K AKMA and A-KID from K AUSF in the same way as the AUSF.
  • Step 504 AUSF selects an AAnF and sends a key registration request message to the selected AAnF.
  • AAnF receives the key registration request message.
  • the key registration request message includes SUPI, A-KID and K AKMA .
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • Step 505 AAnF sends a key registration response message to AUSF.
  • AUSF receives the key registration response message.
  • the key registration response message may be a Naanf_AKMA_AnchorKey_Register Response message.
  • Step 506 AUSF deletes K AKMA and A-KID.
  • In this way the UE and the AAnF hold the same K AKMA , from which the keys used between the UE and the AF can subsequently be derived.
  • FIG. 6 is a schematic diagram of a method of using KAKMA provided by an embodiment of the present application.
  • In Figure 6 the AF is a network element inside the 3GPP core network.
  • the method includes the following steps:
  • Step 601 the UE sends an Application Session Establishment Request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes the A-KID, which the AAnF uses to find the K AKMA corresponding to the A-KID.
  • the A-KID is generated by the UE in the primary authentication procedure and the K AKMA generation procedure before step 601.
  • the primary authentication procedure and the K AKMA generation procedure are the procedures shown in Figure 5.
  • Step 602 AF sends an application key request message to AAnF. Accordingly, AAnF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • This A-KID comes from step 601.
  • This AFID is used to identify the AF.
  • the AF can select AAnF according to the RID of the UE.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • Step 603 The AAnF obtains K AKMA based on the A-KID, generates K AF based on K AKMA and the AF ID, and determines the validity time of K AF .
  • the AAnF obtained the A-KID and the K AKMA corresponding to the A-KID in the primary authentication procedure and the K AKMA generation procedure.
  • Step 604 AAnF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get Response message.
  • Step 605 The AF sends an Application Session Establishment Response message to the UE.
  • the UE receives the application session establishment response message.
  • In any step after the primary authentication procedure and the K AKMA generation procedure, the UE also generates K AF and determines the validity time of K AF by the same method as the AAnF.
  • Thus the UE and the AAnF determine the same K AF and the same validity time of K AF based on K AKMA , and the AAnF sends K AF and its validity time to the AF. Subsequently K AF can be used between the UE and the AF to encrypt the content transmitted between them, which improves communication security.
  • FIG. 7 is a schematic diagram of a method of using KAKMA provided by an embodiment of the present application.
  • In Figure 7 the AF is a network element outside the 3GPP core network.
  • the method includes the following steps:
  • Step 701 The UE sends an application session establishment request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes the A-KID, which the AAnF uses to find the K AKMA corresponding to the A-KID.
  • the A-KID is generated by the UE in the primary authentication procedure and the K AKMA generation procedure before step 701.
  • the primary authentication procedure and the K AKMA generation procedure are the procedures shown in Figure 5.
  • Step 702 AF sends an application key request message to NEF. Accordingly, NEF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • This A-KID comes from step 701.
  • This AFID is used to identify the AF.
  • the application key request message may be a Nnef_AKMA_AFKey_Request message.
  • Step 703 NEF selects AAnF.
  • NEF can select AAnF according to the RID of the UE.
  • Step 704 NEF sends an application key request message to AAnF. Accordingly, AAnF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • the application key request message may be a Naanf_AKMA_AFKey_Request message.
  • Step 705 The AAnF obtains K AKMA based on the A-KID, generates K AF based on K AKMA and the AF ID, and determines the validity time of K AF .
  • the AAnF obtained the A-KID and the K AKMA corresponding to the A-KID in the primary authentication procedure and the K AKMA generation procedure.
  • Step 706 AAnF sends an application key response message to NEF. Accordingly, NEF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Naanf_AKMA_AFKey_Response message.
  • Step 707 NEF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Nnef_AKMA_AFKey_Response message.
  • Step 708 The AF sends an application session establishment response message to the UE.
  • the UE receives the application session establishment response message.
  • In any step after the primary authentication procedure and the K AKMA generation procedure, the UE also generates K AF and determines the validity time of K AF by the same method as the AAnF.
  • Thus the UE and the AAnF determine the same K AF and the same validity time of K AF based on K AKMA , and the AAnF sends K AF and its validity time to the AF via the NEF. Subsequently K AF can be used between the UE and the AF to encrypt the content transmitted between them, which improves communication security.
  • Figure 8 is a schematic diagram of the AKMA roaming architecture provided in this embodiment.
  • when the UE is located in the VPLMN, the UE is in the roaming state regardless of whether the AF is located in the VPLMN or in the HPLMN.
  • In another scenario (not shown in the figure), when the UE is located in the HPLMN and the AF is located in the VPLMN, the UE is also said to be in a roaming state. Therefore, in the embodiments of this application, the UE being in the roaming state covers the following three situations:
  • the UE is located in the visited network (ie VPLMN), and the AF is located in the visited network (ie VPLMN).
  • the UE is located in the visited network (that is, VPLMN), and the AF is located in the home network (that is, HPLMN).
  • the UE is located in the home network (ie HPLMN) and the AF is located in the visited network (ie VPLMN).
  • the UE being located in the HPLMN means that the operator serving the UE is the operator with which the UE has a subscription.
  • the UE being located in the VPLMN means that the operator serving the UE is not the operator with which the UE has a subscription.
  • the AF being located in the HPLMN means that the AF has an agreement with the HPLMN of the UE, or is pre-configured with the information needed to connect to the HPLMN of the UE.
  • the relevant information is, for example, the NEF address information of the HPLMN of the UE.
  • the AF being located in the VPLMN means that the AF cannot interact directly with the HPLMN of the UE.
  • for example, the AF has no agreement with the UE's HPLMN, is not pre-configured with the information needed to connect to the UE's HPLMN, or is configured only with the information of the PLMN in which the AF itself is located.
  • When the vAF communicating with the UE is located in the VPLMN and the hAAnF generates the application key (K AF ) for secure communication between the UE and the vAF, the vAF and the hAAnF belong to different PLMNs, so the vAF may be unable to connect directly to the hAAnF and therefore unable to request the application key from it.
  • the hAF communicating with the UE is located in HPLMN, and the UE is located in VPLMN.
  • hAAnF can generate an application key (i.e. K_AF) for hAF for secure communication between the UE and hAF; however, if hAF and hAAnF cannot connect, hAAnF may not be able to provide the application key to hAF.
  • the AF communicating with the UE may not be able to obtain the application key, resulting in the inability to encrypt the transmission content during communication between the UE and the AF, resulting in insecure communication.
  • an AAnF is selected in the visited network, and the AAnF is called a visited AAnF (vAAnF).
  • the vAAnF can serve as a transit node, forwarding the key request from AF to hAAnF, and forwarding the application key distributed by hAAnF to AF, so that AF can obtain the application key.
  • the vAAnF itself has the function of distributing application keys, then vAAnF can also distribute application keys for AF (which can be vAF or hAF).
  • the embodiments of the present application can also solve the problem of key isolation between vAAnF and hAAnF.
  • Figure 9(a) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901a When the UE is in the roaming state, the first network element determines the selection parameters.
  • the first network element is NEF or AF.
  • the AF can determine whether the UE is in a roaming state. For example, the AF receives an application session establishment request message from the UE, and the application session establishment request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID'.
  • A-KID' is also called the first AKMA key identification
  • A-KID is also called the second AKMA key identification.
  • A-KID includes the information of RID, A-TID and HPLMN
  • A-KID' includes the information of RID, A-TID, HPLMN and VPLMN.
  • the information of HPLMN can be HPLMN ID, or other information that can identify HPLMN.
  • the information of the VPLMN can be the VPLMN ID, or other information that can identify the VPLMN. Therefore, the AF may determine that the UE is in the roaming state based on one or more of the UE's HPLMN information received from the UE, the UE's VPLMN information received from the UE, or the information of the PLMN where the AF is located, where the PLMN information can be a PLMN ID or other information that can identify the PLMN.
  • the AF determines that the UE is in the roaming state. For another example, if the AF receives the UE's HPLMN ID from the UE, the AF compares the information of the PLMN where the AF is located with the UE's HPLMN ID. If the two are the same, the AF determines that the UE is in a non-roaming state. If they are different, then AF determines that the UE is in roaming state. For another example, if the AF receives the HPLMN ID from the UE but does not receive the VPLMN ID from the UE, the AF determines that the UE is in a non-roaming state.
  • the AF can determine whether the UE is in the roaming state. When the UE is in the roaming state, the AF sends indication information to the NEF, and the indication information indicates that the UE is in the roaming state.
  • NEF can also determine whether the UE is in roaming state. For example, the UE sends an application session establishment request message to the AF, and the application session establishment request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID'. Then AF sends an application key request message to NEF.
  • the application key request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID', and then NEF uses the UE's HPLMN information and the UE's VPLMN information or one or more of the information of the PLMN where the NEF is located, to determine that the UE is in the roaming state.
  • NEF determines that the UE is in roaming state. For another example, NEF receives the HPLMN ID of the UE, then NEF compares the information of the PLMN where NEF is located with the HPLMN ID of the UE. If the two are the same, NEF determines that the UE is in a non-roaming state. If they are different, NEF determines that the UE is in the roaming state. For another example, if NEF receives the HPLMN ID but does not receive the VPLMN ID, NEF determines that the UE is in a non-roaming state.
  • the selection parameters determined by the first network element include one or more of the routing identifier (RID) of the UE, the information of the HPLMN of the UE, the information of the VPLMN where the first network element is located, or the information of the VPLMN of the UE.
  • Step 902a The first network element sends a request message to the NRF. Accordingly, the NRF receives the request message.
  • the request message includes selection parameters.
  • Step 903a When the UE is in the roaming state, the NRF selects the vAAnF that provides services for the UE according to the selection parameters.
  • the specific determination method can refer to the aforementioned method of the first network element to determine whether the UE is in roaming state, which will not be described again.
  • When the NRF stores the AAnF corresponding to the selection parameter, the NRF selects the AAnF corresponding to the selection parameter as vAAnF. Or, when the NRF does not store the AAnF corresponding to the selection parameter, the default AAnF is selected as vAAnF.
  • Step 904a The NRF sends a response message to the first network element.
  • the first network element receives the response message.
  • the response message includes vAAnF information, and the vAAnF information is used by the first network element to request from vAAnF an application key (K_AF) for secure communication between the AF and the UE.
  • the information of vAAnF may be identification information of vAAnF, address information of vAAnF or instanceID information of AAnF, etc., which is not limited in this application.
  • Step 905a The first network element sends a request message to vAAnF according to the vAAnF information. Accordingly, vAAnF receives the request message.
  • This request message requests an application key (K_AF) for secure communication between the AF and the UE.
  • vAAnF only serves as a transit node
  • vAAnF sends the request message to hAAnF
  • hAAnF generates an application key
  • hAAnF sends the application key to vAAnF
  • vAAnF then sends the application key to the first network element.
  • NEF further needs to send the application key to AF.
  • If the vAAnF is capable of generating an application key, the vAAnF generates an application key based on the request message. In one implementation method, after vAAnF receives the request message, it requests the AKMA root key from hAAnF, and then hAAnF sends the latest AKMA root key (called K_AKMA*) to vAAnF, so that vAAnF generates, based on K_AKMA*, the application key for secure communication between the vAF and the UE. Optionally, vAAnF also stores K_AKMA* to facilitate subsequent use of K_AKMA*.
  • hAAnF can obtain K_AKMA* according to any of the following methods:
  • Method 1 hAAnF determines K_AKMA* based on K_AKMA.
  • This K_AKMA can be used to generate application keys for secure communication between hAF and UE.
  • Method 2 hAAnF determines K_AKMA* based on K_AKMA and the HPLMN information of the UE and/or the VPLMN information of the UE.
  • Method 3 AUSF determines K_AKMA* based on the UE's VPLMN information, SUPI and K_AUSF, and then AUSF sends K_AKMA* to hAAnF.
  • the first network element may also send indication information to the UE.
  • the indication information indicates that the UE is in the roaming state.
  • the indication information may be information about the VPLMN where the first network element is located, or binary bit information, or enumerated bit information.
  • After the UE receives the indication information, the UE is triggered to generate K_AKMA*, which is the same as the K_AKMA* generated by vAAnF or hAAnF. This method helps to enable the UE and the AF to use the same application key.
  • the NRF selects a vAAnF, which can not only serve as a transit node but also generate an application key for secure communication between the UE and the AF, so that the AF can accurately obtain the application key; the application key is used to encrypt communication content between the UE and the AF, which helps to improve communication security.
  • Figure 9(b) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901b hAAnF determines whether the UE is in roaming state.
  • the AUSF determines whether the UE is in the roaming state, and then the AUSF sends indication information to hAAnF.
  • the indication information indicates that the UE is in the roaming state
  • hAAnF determines that the UE is in the roaming state based on the indication information.
  • hAAnF determines whether the UE is in a roaming state based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if hAAnF receives the VPLMN ID of the UE from the UE, hAAnF determines that the UE is in the roaming state. For another example, hAAnF receives the HPLMN ID of the UE from the UE, then hAAnF compares the information of the PLMN where hAAnF is located with the HPLMN ID of the UE. If the two are the same, hAAnF determines that the UE is in a non-roaming state.
  • hAAnF determines that the UE is in roaming state. For another example, if hAAnF receives the HPLMN ID of the UE from the UE, but does not receive the VPLMN ID of the UE from the UE, then hAAnF determines that the UE is in a non-roaming state.
  • Step 902b When the UE is in the roaming state, hAAnF determines the first AKMA root key (also called K_AKMA*) based on the second AKMA root key (also called K_AKMA).
  • K_AKMA* is used to determine the first application key, which is used for secure communication between the UE and the visited AF (i.e., vAF).
  • K_AKMA is used to determine the second application key, which is used for secure communication between the UE and the home AF (i.e., hAF).
  • hAAnF determines K_AKMA* based on K_AKMA and the HPLMN information of the UE and/or the VPLMN information of the UE.
  • hAAnF can actively send K_AKMA* to vAAnF, or hAAnF receives a request message from vAAnF, which is used to request the AKMA root key, and then hAAnF sends K_AKMA* to vAAnF based on the request message.
  • After vAAnF receives K_AKMA*, it can generate the first application key based on K_AKMA* and then send the first application key to the vAF. Subsequently, the first application key is used for encrypted communication between the UE and the vAF.
  • hAAnF can store the K_AKMA*.
  • After hAAnF determines that the UE is in the roaming state, it can generate the AKMA root key for vAAnF and send the AKMA root key to vAAnF for use by vAAnF, thereby achieving key isolation between different AAnFs: vAAnF and hAAnF use different AKMA root keys, which helps ensure key security and thereby improves the security of communication.
  • Figure 9(c) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901c AUSF determines whether the UE is in roaming state.
  • the AUSF determines whether the UE is in a roaming state based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if the AUSF receives the VPLMN ID of the UE from the UE, the AUSF determines that the UE is in the roaming state. For another example, the AUSF receives the UE's HPLMN ID from the UE, then the AUSF compares the information of the PLMN where the AUSF is located with the UE's HPLMN ID. If the two are the same, the AUSF determines that the UE is in a non-roaming state.
  • the AUSF determines that the UE is in the roaming state. For another example, if the AUSF receives the HPLMN ID of the UE from the UE, but does not receive the VPLMN ID of the UE from the UE, the AUSF determines that the UE is in a non-roaming state.
  • Step 902c When the UE is in the roaming state, the AUSF determines the AKMA root key (K_AKMA*) based on the VPLMN information of the UE.
  • K_AKMA* is used to determine the application key, which is used for secure communication between the UE and the visited AF (i.e. vAF).
  • AUSF determines K_AKMA* based on the UE's VPLMN information, the UE's SUPI and K_AUSF.
  • AUSF can store K_AKMA*.
  • AUSF can also send K_AKMA* to hAAnF, so that subsequently hAAnF can actively send K_AKMA* to vAAnF, or hAAnF receives a request message from vAAnF, which is used to request the AKMA root key, and then hAAnF sends K_AKMA* to vAAnF based on the request message.
  • After vAAnF receives K_AKMA*, it can generate the first application key based on K_AKMA*, and then send the first application key to the vAF. Subsequently, the first application key is used for encrypted communication between the UE and the vAF.
  • After the AUSF determines that the UE is in the roaming state, it can generate the AKMA root key and send the AKMA root key to vAAnF via hAAnF.
  • the AKMA root key is used by vAAnF, thereby achieving key isolation between different AAnFs, that is, vAAnF and hAAnF use different AKMA root keys, which helps ensure key security and thereby improves communication security.
  • FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • AF is a network element located in the 5G core network. The method includes the following steps:
  • Step 1000 Pre-configure the PLMN information on the AF.
  • the information of the PLMN where the AF is located refers to the information of the PLMN that the AF can connect to.
  • the PLMN information can be one or more, which means that the AF can access one or more PLMNs.
  • the information of the PLMN may be the information of the network elements of the corresponding PLMN, such as the address information of the NEF in the PLMN, the address information of the AAnF, or the address information of other core network elements such as the AMF.
  • the AF may be the AF of the visited network (also called visited AF or vAF) or the AF of the home network (also called home AF or hAF). Specifically, when the AF cannot connect to the HPLMN subscribed by the UE, it is said that the AF is the AF of the visited network. When the AF can be connected to the HPLMN subscribed by the UE, the AF is called the AF of the home network.
  • the information of the PLMN can be the VPLMN ID.
  • the information of the PLMN can be the HPLMN ID.
  • Step 1001 The UE sends an application session establishment request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes A-KID, which includes RID, HPLMN ID and A-TID.
  • the application session establishment request message includes the A-KID but does not include the VPLMN ID of the visited network where the UE is located.
  • In another method, if the UE is currently located in a visited network, the UE also sends the VPLMN ID of the visited network where the UE is located to the AF.
  • the methods for the UE to send the VPLMN ID to the AF include but are not limited to:
  • Method 1 Include the VPLMN ID in the application session establishment request message, that is, the VPLMN ID and A-KID are carried side by side in the application session establishment request message.
  • Method 2 The UE sends a separate message to the AF, which is a message different from the application session establishment request message.
  • the message includes the VPLMN ID.
  • Method 3 Add a VPLMN field to the A-KID of the application session establishment request message.
  • the VPLMN field includes the VPLMN ID.
  • the VPLMN field is set to the default value.
  • A-KID with the new VPLMN field will be called A-KID' below.
  • When the UE generates A-KID', the AUSF also needs to generate the same A-KID'. Therefore, when generating A-KID', the AUSF needs to determine whether it has received the VPLMN ID. If the AUSF has received the VPLMN ID, the AUSF adds the VPLMN ID in the VPLMN field of A-KID'. If the VPLMN ID is not received, the AUSF sets the VPLMN field of A-KID' to the default value. The UE generates A-KID' before step 1001.
  • the AUSF obtains the VPLMN ID according to the following method: when the UDM determines that the UE is located in the visited network and the UE can use the AKMA service, the UDM sends the UE's VPLMN ID to the AUSF.
  • Step 1002 AF determines whether the UE is in roaming state.
  • This step is optional.
  • the UE is in the roaming state specifically including the following three situations. For details, please refer to the foregoing description.
  • the AF determines whether the information of the PLMN where the AF is located matches the HPLMN ID in the A-KID sent by the UE. If they are the same, it is determined that the UE is not in the roaming state; if they are different, it is determined that the UE is in the roaming state. It can be understood that "same" specifically refers to "includes": if the HPLMN ID sent by the UE is included in the information of the PLMN where the AF is located, the UE is not in the roaming state; if the HPLMN ID sent by the UE is not included in the information of the PLMN where the AF is located, the UE is in the roaming state.
  • the method for the AF to determine whether the UE is in the roaming state includes but is not limited to the following Method 1 and Method 2.
  • Method 1 The AF determines whether the UE has sent the VPLMN ID to the AF. If the UE sends the VPLMN ID to the AF, the AF determines that the UE is in the roaming state. If the UE does not send the VPLMN ID to the AF, the AF further determines whether the information of the PLMN where the AF is located is the same as the HPLMN ID sent by the UE. If they are the same, it is determined that the UE is not in the roaming state. If they are different, it is determined that the UE is in the roaming state.
  • When the newly added VPLMN field is set to the default value, in step 1002 the AF determines that the VPLMN field is the default value and then determines that the UE is not in the roaming state.
  • When the newly added VPLMN field is not the default value, for example it is set to the information of the PLMN where the AF is located, then in step 1002 the AF determines that the UE is in the roaming state.
  • Method 2 The AF compares the information of the pre-configured PLMN where the AF is located with the HPLMN ID in A-KID or A-KID'. If they are the same, the AF determines that the UE is not in roaming state. If they are different, the AF determines that the UE is in roaming state.
  • Step 1003 AF determines selection parameters.
  • This selection parameter is also called the parameter for selecting AAnF.
  • If step 1002 is not performed, that is, the AF does not need to determine whether the UE is in a roaming state, the selection parameters determined by the AF include RID, or include RID and HPLMN ID, or include RID, HPLMN ID and VPLMN ID.
  • If step 1002 is performed, that is, the AF needs to determine whether the UE is in a roaming state: when the UE is not in the roaming state, the selection parameters determined by the AF include RID; when the UE is in the roaming state, the selection parameters determined by the AF include one or more of the HPLMN ID, VPLMN ID or RID.
  • the AF also generates indication information indicating that the UE is in the roaming state. It should be noted that in another implementation method, when the UE is in the roaming state, the selection parameters determined by the AF can also be empty, or understood as uncertain selection parameters.
  • Step 1004 AF sends a discovery request message to the NRF. Accordingly, the NRF receives the discovery request message.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • the discovery request message includes AAnF type information and is used to request an AAnF information.
  • AAnF information is used to connect to an AAnF, such as AAnF's address information, AAnF's instanceID information, etc.
  • the discovery request message also includes selection parameters.
  • the discovery request message also includes indication information indicating that the UE is in a roaming state.
  • Table 1 shows the selection parameters determined by the AF and the content carried in the discovery request message when step 1002 is not performed, that is, the AF does not need to determine whether the UE is in a roaming state.
  • Table 2 shows the selection parameters determined by the AF and the content carried in the discovery request message when performing step 1002, that is, when the AF needs to determine whether the UE is in a roaming state.
  • Step 1005 NRF determines that the UE is in roaming state, and selects vAAnF.
  • the NRF is the NRF in the visited network.
  • NRF selects AAnF based on the parameters carried in step 1004.
  • Scenario 1 When the above step 1002 is not executed, there are three implementation methods for the parameters carried in the discovery request message of step 1004. The three different methods in Table 1 are described below.
  • When the discovery request message in step 1004 carries the RID, a possible implementation method is: NRF first determines whether the UE is in a roaming state. If the UE is in the roaming state, the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is vAAnF. If not, it determines that the default AAnF is vAAnF.
  • Another possible implementation method is: NRF first determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is vAAnF. If not, the NRF determines whether the UE is in the roaming state, and if the UE is in the roaming state, determines that the default AAnF is vAAnF.
  • Another possible implementation method is: NRF first determines whether the UE is in a roaming state, and if the UE is in a roaming state, determines that the default AAnF is vAAnF.
  • When the discovery request message in step 1004 carries the RID and HPLMN ID, the NRF first determines whether the UE is in the roaming state. Specifically, the NRF can determine whether the UE is in the roaming state based on the HPLMN ID. If the UE is in the roaming state, the NRF determines whether an AAnF corresponding to the RID and/or HPLMN ID is stored in the NRF. If so, it determines that the AAnF is vAAnF. If not, it determines that the default AAnF is vAAnF.
  • When the discovery request message in step 1004 carries the RID, HPLMN ID and VPLMN ID, the NRF first determines whether the UE is in the roaming state. If the UE is in the roaming state, the NRF determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be vAAnF. If not, the default AAnF is determined to be vAAnF.
  • the method for NRF to determine whether the UE is in the roaming state can be: NRF compares the PLMN information of the NRF with the HPLMN ID of the UE. If they are the same, the UE is not in the roaming state. If they are different, the UE is in the roaming state.
  • Scenario 2 When executing the above step 1002.
  • When step 1002 is executed, there are at least seven implementation methods for the parameters carried in the discovery request message of step 1004. The seven different methods in Table 2 are described below.
  • When it is determined in step 1002 that the UE is not in the roaming state, and the discovery request message in step 1004 carries the RID, the NRF first determines that the UE is not in the roaming state, and then the NRF determines whether an AAnF corresponding to the RID is stored. If there is one, that AAnF is determined. If there is none, the default AAnF is determined.
  • the method for the NRF to determine that the UE is not in the roaming state can refer to the method in the above scenario 1. It should be noted that in this scenario, since the UE is not in a roaming state, the NRF does not need to determine vAAnF, but only determines an AAnF, which can be understood as hAAnF.
  • a possible implementation method is: NRF first determines whether the UE is in the roaming state. If the UE is in the roaming state, the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is vAAnF. If not, it determines that the default AAnF is vAAnF.
  • Another possible implementation method is: NRF first determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is vAAnF.
  • If not, the NRF determines whether the UE is in the roaming state. If the UE is in the roaming state, then the default AAnF is determined to be vAAnF.
  • Another possible implementation method is: NRF first determines whether the UE is in a roaming state, and if the UE is in a roaming state, determines that the default AAnF is vAAnF. The method for the NRF to determine that the UE is in the roaming state may refer to the method in the above scenario 1.
  • When it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID and indication information, the NRF first determines that the UE is in the roaming state based on the received indication information, and then the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, that AAnF is determined to be vAAnF; if not, the default AAnF is determined to be vAAnF.
  • When it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the HPLMN ID and/or VPLMN ID, the NRF first determines, based on the received HPLMN ID and/or VPLMN ID, that the UE is in the roaming state. The NRF then determines whether the AAnF corresponding to the HPLMN ID and/or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be vAAnF. If not, the default AAnF is determined to be vAAnF.
  • When it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID as well as the HPLMN ID and/or VPLMN ID, the NRF first determines the location of the UE according to the received HPLMN ID and/or VPLMN ID and confirms that the UE is in the roaming state. The NRF then determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be vAAnF. If not, the default AAnF is determined to be vAAnF.
  • When it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID, the HPLMN ID and/or VPLMN ID, and indication information, the NRF first confirms, according to the received indication information, that the UE is in the roaming state. The NRF then determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be vAAnF. If not, the default AAnF is determined to be vAAnF.
  • When it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries indication information, the NRF first determines that the UE is in the roaming state based on the received indication information. The NRF then determines that the default AAnF is vAAnF.
  • When vAAnF needs to save the AKMA security context, the NRF needs to ensure that the vAAnF selected each time is the same. Otherwise, if vAAnF is only used as a transit node and does not need to save the AKMA security context, the NRF can select any AAnF as vAAnF.
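The following is an added example, not code from the patent, that models the AF's roaming check of step 1002 (Method 1, including the default value of the VPLMN field of A-KID'), the selection parameters of step 1003 and the visited NRF's AAnF selection of step 1005. The field layout of A-KID, the string "default" for the VPLMN field's default value, and the NRF registry contents are constructed assumptions.

```python
"""Constructed model of the AF roaming check (steps 1002-1003, Method 1) and
the visited NRF's AAnF selection (step 1005).  Added example; all identifiers,
the A-KID layout and the registry below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed encoding of the "default value" carried in the VPLMN field of A-KID'
# when the UE is not in a visited network.
VPLMN_FIELD_DEFAULT = "default"


@dataclass(frozen=True)
class AKid:
    """A-KID (RID, A-TID, HPLMN ID); with vplmn_id set it models A-KID'."""
    rid: str
    a_tid: str
    hplmn_id: str
    vplmn_id: Optional[str] = None


def af_ue_is_roaming(af_plmns: Set[str], akid: AKid,
                     vplmn_id_sent: Optional[str] = None) -> bool:
    """Step 1002, Method 1.

    af_plmns is the PLMN information pre-configured on the AF (step 1000);
    "same" is read as "included in", as the text states.  vplmn_id_sent is a
    VPLMN ID the UE sent beside A-KID or in a separate message (methods 1 and
    2 of step 1001); A-KID' carries it in its own field instead (method 3).
    """
    if vplmn_id_sent is not None:
        return True                        # the UE sent a VPLMN ID: roaming
    if akid.vplmn_id is not None:          # A-KID': default value means non-roaming
        return akid.vplmn_id != VPLMN_FIELD_DEFAULT
    return akid.hplmn_id not in af_plmns   # else compare the AF's PLMN with HPLMN ID


def af_selection_parameters(af_plmns: Set[str], akid: AKid,
                            vplmn_id_sent: Optional[str] = None) -> Dict[str, object]:
    """Step 1003 when step 1002 was performed: RID for a non-roaming UE;
    RID, HPLMN ID, VPLMN ID (when known) plus the roaming indication otherwise."""
    params: Dict[str, object] = {"rid": akid.rid}
    if af_ue_is_roaming(af_plmns, akid, vplmn_id_sent):
        params["hplmn_id"] = akid.hplmn_id
        vplmn = vplmn_id_sent if vplmn_id_sent is not None else akid.vplmn_id
        if vplmn is not None and vplmn != VPLMN_FIELD_DEFAULT:
            params["vplmn_id"] = vplmn
        params["roaming_indication"] = True
    return params


class Nrf:
    """The NRF of the visited network (step 1005)."""

    def __init__(self, own_plmn_id: str, registry: Dict[str, str], default_aanf: str):
        self.own_plmn_id = own_plmn_id
        # Constructed registry: RID, HPLMN ID or VPLMN ID -> registered AAnF instance.
        self.registry = registry
        self.default_aanf = default_aanf

    def ue_is_roaming(self, params: Dict[str, object]) -> bool:
        """A roaming indication wins; otherwise compare own PLMN with the HPLMN ID."""
        if params.get("roaming_indication"):
            return True
        hplmn_id = params.get("hplmn_id")
        return hplmn_id is not None and hplmn_id != self.own_plmn_id

    def select_aanf(self, params: Dict[str, object]) -> Tuple[str, bool]:
        """Returns (selected AAnF, roaming).  For a roaming UE the AAnF stored
        for RID, HPLMN ID or VPLMN ID becomes vAAnF, else the default AAnF;
        for a non-roaming UE only the RID is consulted.  The lookup is
        deterministic, so the same vAAnF is selected each time."""
        roaming = self.ue_is_roaming(params)
        lookup_keys = ("rid", "hplmn_id", "vplmn_id") if roaming else ("rid",)
        for key in lookup_keys:
            value = params.get(key)
            if value is not None and value in self.registry:
                return self.registry[value], roaming
        return self.default_aanf, roaming
```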
  • Step 1006 NRF sends a discovery response message to AF. Accordingly, the AF receives the discovery response message.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • the discovery response message includes vAAnF information.
  • Step 1007 AF sends an application key request message to vAAnF. Accordingly, vAAnF receives the application key request message.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • the application key request message includes AF ID and A-KID, and the A-KID includes RID, A-TID and HPLMN ID.
  • the application key request message also includes the VPLMN ID.
  • the VPLMN ID in the application key request message may come from step 1001.
  • the AF can obtain the VPLMN ID from the AF.
  • the application key request message can carry the VPLMN ID.
  • the application key request message does not need to carry the VPLMN ID.
  • the application key request message includes AF ID and A-KID'
  • the A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID. This situation is for the scenario where the message in step 1001 above carries A-KID'.
  • Step 1008 vAAnF sends an application key request message to hAAnF. Accordingly, hAAnF receives the application key request message.
  • the content in the application key request message is the same as the content in the application key request message in step 1007 above.
  • vAAnF selects hAAnF based on the RID in A-KID or the RID in A-KID'.
  • vAAnF also needs to confirm that the UE is in the roaming state before selecting hAAnF.
  • the method for vAAnF to determine that the UE is in the roaming state is the same as the method for NRF to determine that the UE is in the roaming state. Please refer to the above description.
  • Step 1009 hAAnF determines K_AF and the validity time of K_AF, or determines K_AKMA*.
  • hAAnF determines the K_AF and the validity time of the K_AF. In the case where vAAnF needs to store the AKMA security context, hAAnF obtains K_AKMA*.
  • the method for hAAnF to determine K_AF and the validity time of K_AF may refer to the description of the embodiment in Figure 6 or Figure 7.
  • the method for hAAnF to determine K_AKMA* includes but is not limited to the following. After hAAnF determines that the UE is in the roaming state, hAAnF obtains K_AKMA*. In one possible implementation method, if hAAnF has already obtained K_AKMA*, it directly determines to use that K_AKMA*. In another possible implementation, if hAAnF has not yet generated K_AKMA*, hAAnF first generates K_AKMA*. K_AKMA* can be obtained according to K_AKMA or according to K_AUSF.
  • K_AKMA* = KDF(K_AKMA or K_AUSF, first parameter, second parameter). This embodiment does not limit the number of specific parameters in the first parameter and the second parameter, nor does it limit the order in which the first parameter and the second parameter are used.
  • Either hAAnF generates K_AKMA*, or AUSF generates K_AKMA* and sends it to hAAnF, so that hAAnF can obtain K_AKMA*.
  • the methods for generating K_AKMA* by AUSF or hAAnF include but are not limited to:
  • Method 1 hAAnF determines K_AKMA* based on VPLMN ID and K_AKMA.
  • VPLMN ID is the first parameter.
  • the second parameter can be other content or is not required. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • hAAnF can obtain the VPLMN ID from AUSF.
  • hAAnF receives the Naanf_AKMA_AnchorKey_Register request message from AUSF, which includes the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from the UE, for example, hAAnF receives the A-KID' from the UE, and the A-KID' contains the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from AF.
  • hAAnF receives the Naanf_AKMA_ApplicationKey_Get service request message from AF, which contains the VPLMN ID.
  • Method 2: hAAnF determines K_AKMA* based on the VPLMN ID, the HPLMN ID and K_AKMA.
  • the VPLMN ID is the first parameter or the second parameter.
  • the HPLMN ID is the second parameter or the first parameter.
  • hAAnF can obtain the VPLMN ID from AUSF.
  • for example, hAAnF receives the Naanf_AKMA_AnchorKey_Register Request message from AUSF, which includes the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from the UE; for example, hAAnF receives the A-KID' from the UE, and the A-KID' contains the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from AF.
  • for example, hAAnF receives the Naanf_AKMA_ApplicationKey_Get Request message from AF, which contains the VPLMN ID.
  • hAAnF can obtain the HPLMN ID locally, for example from the configuration information of hAAnF.
  • hAAnF can obtain the HPLMN ID from the UE; for example, hAAnF receives the A-KID or A-KID' from the UE, and the A-KID or A-KID' contains the HPLMN ID.
  • Method 3: AUSF determines K_AKMA* based on the VPLMN ID, SUPI and K_AUSF.
  • the VPLMN ID is the first parameter or the second parameter.
  • SUPI is the second parameter or the first parameter.
  • Method 4: hAAnF determines K_AKMA* based on a counter value and K_AKMA.
  • the counter value is incremented by 1 each time it is used.
  • the first parameter is the counter value.
  • the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 5: hAAnF determines K_AKMA* based on a string and K_AKMA.
  • this embodiment does not limit the specific content of the string.
  • the string is recorded by the UE and hAAnF in advance.
  • the first parameter is the string, and the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 6: hAAnF determines K_AKMA* based on a discriminator and K_AKMA.
  • the discriminator can be a specific value, which is recorded by the UE and hAAnF in advance, for example 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 7: AUSF determines K_AKMA* based on a counter value and K_AKMA, or based on a counter value and K_AUSF.
  • the counter value is incremented by 1 each time it is used.
  • the first parameter is the counter value.
  • the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 8: AUSF determines K_AKMA* based on a string and K_AKMA, or based on a string and K_AUSF, where the string is recorded by the UE and AUSF in advance.
  • for example, the string "roaming" or the string "VPLMN".
  • this embodiment does not limit the specific content of the string.
  • the first parameter is the string, and the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 9: AUSF determines K_AKMA* based on a discriminator and K_AKMA.
  • the discriminator can be a specific value, which is recorded by the UE and AUSF in advance.
  • for example, the discriminator can be 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 10: AUSF determines K_AKMA* based on a discriminator and K_AUSF.
  • the discriminator can be a specific value, which is recorded by the UE and AUSF in advance.
  • for example, the discriminator can be 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • Method 11: AUSF determines K_AKMA and K_AKMA* based on a discriminator and K_AUSF, respectively.
  • the discriminator needs at least two values, used when generating K_AKMA and K_AKMA* respectively; these values are recorded by the UE and AUSF in advance. For example, 0x01 is used to generate K_AKMA when the UE is not in the roaming state, and 0x02 is used to generate K_AKMA* when the UE is in the roaming state.
  • the first parameter is the discriminator, and this embodiment does not limit whether the second parameter is used or its specific content.
  • Method 12: AUSF determines K_AKMA* based on a new FC value and K_AUSF. Specifically, AUSF uses the new FC value, "AKMA", SUPI and K_AUSF to generate K_AKMA*.
  • the FC value is as currently documented in standard TS 33.220 v17.3.0. This embodiment does not limit the specific value of the new FC value.
  • the new FC value is the first parameter, and the second parameter can be other content or is not needed. This embodiment does not limit whether the second parameter is used or its specific content.
  • the VPLMN ID can come from UDM.
  • for example, AUSF receives the Nudm_UEAuthentication_Get Response message from UDM, which contains the VPLMN ID.
  • the VPLMN ID can also come from AMF.
  • for example, AUSF receives the Nausf_UEAuthentication_Authenticate Request message from AMF, which contains the VPLMN ID.
  • K_AKMA is used to generate the key required when the UE communicates with the AF of the home network (i.e., hAF).
  • K_AKMA* is used to generate the key required when the UE communicates with the AF of the visited network (i.e., vAF).
  • if AUSF generates K_AKMA*, the UE also generates K_AKMA* according to the method used by AUSF to generate K_AKMA*, that is, the UE and AUSF generate the same K_AKMA* by the same method.
  • if hAAnF generates K_AKMA*, the UE also generates K_AKMA* according to the method used by hAAnF to generate K_AKMA*, that is, the UE and hAAnF generate the same K_AKMA* by the same method.
  • the K_AKMA* generated by AUSF or hAAnF is used by vAAnF to generate an application key, and vAAnF then sends the application key to vAF or, of course, to hAF.
  • the K_AKMA* generated by the UE is used by the UE to generate an application key, and the application key generated by the UE is the same as the one generated by vAAnF.
  • this application key is used for secure communication between the UE and vAF/hAF.
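As an added example (not code from the patent), the following Python implements the generic 3GPP KDF and walks the K_AKMA* derivation of Method 1 (VPLMN ID and K_AKMA), Method 4 (counter) and Method 12 (new FC value with "AKMA", SUPI and K_AUSF), then derives K_AF for a home AF from K_AKMA and for a visited AF from K_AKMA*, showing that hAAnF and vAAnF end up holding different anchor keys while the UE reproduces both. Assumptions: the KDF is the HMAC-SHA-256 construction of TS 33.220 Annex B with FC 0x80 for K_AKMA and 0x82 for K_AF (as assigned by TS 33.535); the FC value for K_AKMA*, the counter encoding, and all key, SUPI, PLMN ID and AF ID values are placeholders constructed for the example.

```python
import hashlib
import hmac

# FC values for K_AKMA and K_AF are the ones TS 33.535 assigns. The FC value for
# K_AKMA* is a PLACEHOLDER: the text leaves the new value open.
FC_K_AKMA = 0x80
FC_K_AF = 0x82
FC_K_AKMA_STAR = 0xEE  # placeholder, not a value from the text or any standard


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte big-endian len(Pi)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """K_AKMA as in TS 33.535: KDF(K_AUSF, FC=0x80, "AKMA", SUPI)."""
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def derive_k_akma_star_method1(k_akma: bytes, vplmn_id: str) -> bytes:
    """Method 1: first parameter = VPLMN ID, base key = K_AKMA, no second parameter."""
    return kdf(k_akma, FC_K_AKMA_STAR, vplmn_id.encode())


def derive_k_akma_star_method4(k_akma: bytes, counter: int) -> bytes:
    """Method 4: first parameter = counter value, incremented by one per use.
    The 4-byte big-endian encoding is an assumption of this example."""
    return kdf(k_akma, FC_K_AKMA_STAR, counter.to_bytes(4, "big"))


def derive_k_akma_star_method12(k_ausf: bytes, supi: str) -> bytes:
    """Method 12: the same inputs as K_AKMA ("AKMA", SUPI, K_AUSF) under a new FC
    value, so K_AKMA and K_AKMA* are separated purely by the FC byte."""
    return kdf(k_ausf, FC_K_AKMA_STAR, b"AKMA", supi.encode())


def derive_k_af(anchor_key: bytes, af_id: str) -> bytes:
    """K_AF as in TS 33.535: KDF(anchor key, FC=0x82, AF_ID). The anchor key is
    K_AKMA for a home AF (hAF) and K_AKMA* for a visited AF (vAF)."""
    return kdf(anchor_key, FC_K_AF, af_id.encode())


def roaming_key_hierarchy(k_ausf: bytes, supi: str, vplmn_id: str,
                          haf_id: str, vaf_id: str) -> dict:
    """Run the network-side and UE-side derivations (Method 1 for K_AKMA*) and
    record what hAAnF, vAAnF and the UE each end up holding."""
    k_akma = derive_k_akma(k_ausf, supi)                       # AUSF -> hAAnF
    k_akma_star = derive_k_akma_star_method1(k_akma, vplmn_id)  # hAAnF -> vAAnF
    ue_k_akma = derive_k_akma(k_ausf, supi)                    # UE mirrors AUSF
    ue_k_akma_star = derive_k_akma_star_method1(ue_k_akma, vplmn_id)
    return {
        "hAAnF": {"K_AKMA": k_akma, "K_AF_hAF": derive_k_af(k_akma, haf_id)},
        "vAAnF": {"K_AKMA*": k_akma_star, "K_AF_vAF": derive_k_af(k_akma_star, vaf_id)},
        "UE": {"K_AF_hAF": derive_k_af(ue_k_akma, haf_id),
               "K_AF_vAF": derive_k_af(ue_k_akma_star, vaf_id)},
    }


# Constructed sample values; none of them come from the text.
SAMPLE_K_AUSF = bytes(range(32))
SAMPLE_SUPI = "imsi-001011234567890"
SAMPLE_VPLMN_ID = "00102"
SAMPLE_HAF_ID = "af.home.example"
SAMPLE_VAF_ID = "af.visited.example"

if __name__ == "__main__":
    hierarchy = roaming_key_hierarchy(SAMPLE_K_AUSF, SAMPLE_SUPI, SAMPLE_VPLMN_ID,
                                      SAMPLE_HAF_ID, SAMPLE_VAF_ID)
    for nf, keys in hierarchy.items():
        for name, k in keys.items():
            print(f"{nf:5s} {name:9s} {k.hex()}")
```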
  • Step 1010: hAAnF sends an application key response message to vAAnF. Accordingly, vAAnF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • in one implementation, the application key response message includes K_AF and the validity time of K_AF.
  • in another implementation, the application key response message includes K_AKMA*.
  • Step 1011: vAAnF stores K_AKMA*, determines K_AF based on K_AKMA*, and determines the validity time of K_AF.
  • step 1011 is optional. When the application key response message in step 1010 includes K_AF and the validity time of K_AF, step 1011 is not executed.
  • when the application key response message in step 1010 includes K_AKMA*, step 1011 is executed.
  • vAAnF determines K_AF based on K_AKMA*.
  • for example, K_AF can be determined based on the AF ID and K_AKMA*.
  • Step 1012: vAAnF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF, where K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Step 1013: the AF sends an application session establishment response message to the UE.
  • accordingly, the UE receives the application session establishment response message.
  • the application session establishment response message may carry the VPLMN ID or indication information.
  • the VPLMN ID can come from the message in step 1001 above, or can be obtained locally by the AF.
  • the indication information instructs the UE to use K_AKMA*, or indicates that the UE is in the roaming state, or indicates that the PLMN where the AF is located is different from the HPLMN of the UE.
  • Step 1014: the UE determines whether to use K_AKMA* or K_AKMA.
  • in one implementation, the UE determines to use K_AKMA. In this case, the UE does not generate K_AKMA*.
  • in another implementation, the UE determines to use K_AKMA*.
  • when the UE determines to use K_AKMA*, it determines K_AKMA* by the same method as in step 1009.
  • if the message in step 1013 does not carry indication information or a VPLMN ID:
  • in one implementation, the UE determines to use K_AKMA.
  • in another implementation, the UE determines whether the PLMN where the AF is located is the same as the HPLMN of the UE. If they are different, the UE determines to use K_AKMA*; if they are the same, the UE determines to use K_AKMA.
  • in another implementation, if the UE determines that it is in the roaming state, the UE determines to use K_AKMA*.
  • the UE determines K_AF and the validity time of K_AF based on K_AKMA* or K_AKMA, and performs secure communication with the AF based on K_AF and the validity time of K_AF.
  • K_AKMA*, and the K_AF and validity time of K_AF generated from K_AKMA*, are used in the scenario where the PLMN where the UE is located and the PLMN where the AF is located are different.
  • K_AKMA, and the K_AF and validity time of K_AF generated from K_AKMA, are used in the scenario where the PLMN where the UE is located and the PLMN where the AF is located are the same.
  • the UE can generate K_AKMA* after step 1013, or at any time before step 1013. Where the UE generates K_AKMA* before step 1013, this embodiment does not limit the specific timing. In a possible implementation, the UE first generates both K_AKMA* and K_AKMA in any step before step 1013.
  • if the UE then determines to use K_AKMA* to determine K_AF and the validity time of K_AF, the UE uses the K_AF and validity time determined from K_AKMA* for secure communication with the AF. If neither the indication information nor the VPLMN ID is received in step 1013, the UE determines to use K_AKMA, determines K_AF and the validity time of K_AF from K_AKMA, and uses them for secure communication with the AF.
  • in another possible implementation, the UE can also generate only K_AKMA in any step before step 1013. If neither the indication information nor the VPLMN ID is received in step 1013, the UE uses K_AKMA to determine K_AF and the validity time of K_AF and uses them for secure communication with the AF. If the indication information or the VPLMN ID is received in step 1013, the UE determines to use K_AKMA*; if K_AKMA* has not yet been generated, the UE generates it first, then determines K_AF and the validity time of K_AF from K_AKMA*, and uses them for secure communication with the AF.
  • in another possible implementation, the UE can first generate only K_AKMA* in any step before step 1013. Subsequently, if neither the indication information nor the VPLMN ID is received in step 1013, the UE determines to use K_AKMA; if K_AKMA has not yet been generated, K_AKMA is generated first, and the UE then uses K_AKMA to determine K_AF and the validity time of K_AF and uses them for secure communication with the AF.
  • if the UE determines to use K_AKMA*, the UE determines K_AF and the validity time of K_AF from K_AKMA*, and uses the K_AF and validity time determined from K_AKMA* for secure communication with the AF.
  • the UE can determine, according to its roaming state, whether it needs to generate K_AKMA* or only K_AKMA. Specifically, in one implementation, the UE compares the received PLMN ID with its own HPLMN ID; if they are different, the UE is in the roaming state. For example, the UE can receive the PLMN ID of the network where it is located from the broadcast message sent by the base station, and then compare that PLMN ID with the HPLMN ID in the UE's SUPI. If they are different, the UE is in the roaming state; if they are the same, the UE is not roaming.
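As an added example (not code from the patent), the following Python implements the UE-side decision of step 1014 together with the roaming check just described: an explicit indication, or a VPLMN ID that differs from the HPLMN ID, selects K_AKMA*; with neither present, the UE either falls back to K_AKMA or decides from its own roaming state, obtained by comparing the PLMN ID broadcast by the serving cell with the HPLMN ID in its SUPI. Assumptions: the SUPI is IMSI-based in the form "imsi-<MCC><MNC><MSIN>" with a 3-digit MCC and a 2-digit MNC, PLMN IDs are written as the MCC||MNC digit string, and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionResponse:
    """What the application session establishment response (step 1013) may carry.
    Both fields absent models the 'no indication information, no VPLMN ID' case."""
    roaming_indication: bool = False
    vplmn_id: Optional[str] = None


def hplmn_id_from_supi(supi: str, mnc_digits: int = 2) -> str:
    """Return the HPLMN ID (MCC || MNC) carried in an IMSI-based SUPI.
    Assumed format: "imsi-" + MCC (3 digits) + MNC (2 digits here) + MSIN."""
    prefix = "imsi-"
    if not supi.startswith(prefix):
        raise ValueError("only IMSI-based SUPI is handled in this example")
    digits = supi[len(prefix):]
    if not digits.isdigit() or len(digits) < 3 + mnc_digits:
        raise ValueError("malformed IMSI in SUPI")
    return digits[:3 + mnc_digits]


def ue_is_roaming(broadcast_plmn_id: str, supi: str) -> bool:
    """Roaming check: compare the PLMN ID received in the serving cell's broadcast
    with the HPLMN ID in the UE's SUPI; a different value means roaming."""
    return broadcast_plmn_id != hplmn_id_from_supi(supi)


def ue_select_anchor_key(resp: SessionResponse, supi: str,
                         broadcast_plmn_id: Optional[str] = None) -> str:
    """Step 1014: decide which anchor key derives K_AF; returns "K_AKMA*" or "K_AKMA".

    Precedence, following the text:
      1. indication information present          -> K_AKMA*
      2. VPLMN ID present                        -> differs from HPLMN ID: K_AKMA*, else K_AKMA
      3. neither present, roaming state known    -> K_AKMA* only if the UE is roaming
      4. neither present, roaming state unknown  -> K_AKMA
    """
    hplmn_id = hplmn_id_from_supi(supi)
    if resp.roaming_indication:
        return "K_AKMA*"
    if resp.vplmn_id is not None:
        # The PLMN where the AF is located differs from the UE's HPLMN.
        return "K_AKMA*" if resp.vplmn_id != hplmn_id else "K_AKMA"
    if broadcast_plmn_id is not None and ue_is_roaming(broadcast_plmn_id, supi):
        return "K_AKMA*"
    return "K_AKMA"


# Constructed sample values, not taken from the text.
SAMPLE_SUPI = "imsi-001011234567890"   # HPLMN ID 00101
SAMPLE_HOME_PLMN = "00101"
SAMPLE_VISITED_PLMN = "00102"

if __name__ == "__main__":
    cases = [
        ("indication set", SessionResponse(roaming_indication=True), None),
        ("VPLMN ID differs from HPLMN", SessionResponse(vplmn_id=SAMPLE_VISITED_PLMN), None),
        ("VPLMN ID equals HPLMN", SessionResponse(vplmn_id=SAMPLE_HOME_PLMN), None),
        ("nothing carried, UE roaming", SessionResponse(), SAMPLE_VISITED_PLMN),
        ("nothing carried, UE at home", SessionResponse(), SAMPLE_HOME_PLMN),
        ("nothing carried, state unknown", SessionResponse(), None),
    ]
    for label, resp, plmn in cases:
        print(f"{label:32s} -> {ue_select_anchor_key(resp, SAMPLE_SUPI, plmn)}")
```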
  • through the above solution, a suitable vAAnF can be selected for the UE.
  • specifically, when the AF needs to determine whether the UE is in the roaming state, the AF sends different selection parameters to the NRF depending on whether the UE is in the roaming state, and optionally also sends indication information, so that the NRF selects an appropriate vAAnF.
  • to this end, the selection logic of the NRF needs to be enhanced.
  • FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • in this embodiment, the AF is a network element located outside the 5G core network. The method includes the following steps:
  • Steps 1100 to 1103 are the same as steps 1000 to 1003 in the aforementioned embodiment of FIG. 10.
  • step 1100, step 1102 and step 1103 are all optional steps.
  • if the NEF has the ability to determine whether the UE is in the roaming state, step 1102 may be omitted. If the NEF does not have this ability, step 1102 is performed and the AF sends information indicating that the UE is in the roaming state to the NEF. For the information indicating that the UE is in the roaming state, refer to the relevant description of step 1004.
  • Step 1104: AF sends an application key request message to NEF. Accordingly, NEF receives the application key request message.
  • the application key request message includes the AF ID, and also includes the A-KID or A-KID'.
  • the AF ID is used to identify the AF.
  • the A-KID includes RID, A-TID and HPLMN ID.
  • the A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID.
  • the application key request message may be an Nnef_AKMA_AFKey_Request message.
  • the NEF may be the NEF of the visited network (i.e., vNEF) or the NEF of the home network (i.e., hNEF).
  • the application key request message also includes indication information or a VPLMN ID.
  • the indication information indicates that the UE is in the roaming state.
  • the indication information may be binary indication information, enumeration-type indication information, etc.
  • the VPLMN ID is also used to indicate that the UE is in the roaming state.
  • the application key request message of step 1104 also includes selection parameters.
  • the application key request message may or may not contain the A-KID or A-KID'.
  • Step 1105: NEF determines whether the UE is in the roaming state.
  • step 1105 is an optional step. Step 1105 and the above-mentioned step 1102 are performed as alternatives.
  • step 1105 is similar to step 1102, except that the operations performed by the AF in step 1102 are performed by the NEF.
  • for example, the NEF can compare the identification information of the PLMN where the NEF is located with the HPLMN ID in the A-KID or A-KID'. If the two are different, it determines that the UE is in the roaming state; if they are the same, it determines that the UE is not in the roaming state.
  • Step 1106: NEF determines the selection parameters.
  • step 1106 is an optional step. Step 1106 and the above-mentioned step 1103 are performed as alternatives.
  • step 1106 is similar to step 1103, except that the operations performed by the AF in step 1103 are performed by the NEF.
  • Step 1107: NEF sends a discovery request message to NRF. Accordingly, the NRF receives the discovery request message.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • in one implementation, the discovery request message in step 1107 is the same message as the discovery request message in step 1004, that is, the NEF forwards the discovery request message from the AF.
  • in another implementation, the discovery request message in step 1107 and the discovery request message in step 1004 are different messages, but the two messages contain the same content.
  • Step 1108: NRF determines that the UE is in the roaming state, and selects vAAnF according to the selection parameters.
  • step 1108 is the same as step 1005 in the aforementioned embodiment of FIG. 10.
  • Step 1109: NRF sends a discovery response message to NEF. Accordingly, NEF receives the discovery response message.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • the discovery response message includes the vAAnF information.
  • Step 1110: NEF sends an application key request message to vAAnF. Accordingly, vAAnF receives the application key request message.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • the specific implementation of the application key request message is the same as that of the application key request message in step 1007 in the embodiment of FIG. 10.
  • Steps 1111 to 1114 are the same as steps 1008 to 1011 in the aforementioned embodiment of FIG. 10.
  • Step 1115: vAAnF sends an application key response message to NEF. Accordingly, NEF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF, where K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Step 1116: NEF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF, where K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Steps 1117 to 1118 are the same as steps 1013 to 1014 in the aforementioned embodiment of FIG. 10.
  • through the above solution, a suitable vAAnF can be selected for the UE.
  • specifically, the NEF sends different selection parameters to the NRF depending on whether the UE is in the roaming state, and optionally also sends indication information, so that the NRF selects an appropriate vAAnF.
  • to this end, the selection logic of the NRF needs to be enhanced.
  • the above solution also realizes the isolation of the AKMA security context between different PLMNs, that is, when vAAnF needs to store the AKMA key, hAAnF stores K_AKMA and vAAnF stores K_AKMA*, so that different AAnFs store different AKMA keys.
  • Figure 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • the steps in Figure 12 involving hNRF, vNRF and vAAnF are optional. Specifically, in the case where vAAnF stores the AKMA security context, these steps need to be performed; otherwise, they do not need to be performed.
  • in the embodiment of Figure 12, hAAnF actively sends K_AKMA* to vAAnF after determining that the UE is in the roaming state, whereas in the embodiments of Figures 10 and 11 above, hAAnF sends K_AKMA* to vAAnF based on the request of vAAnF.
  • the method includes the following steps:
  • Step 1201: the primary authentication process is completed between the UE and the AUSF.
  • this process may refer to the embodiment of FIG. 6 or FIG. 7.
  • after completing the primary authentication process between the UE and the AUSF, both the UE and the AUSF generate and store K_AKMA and A-KID.
  • Step 1202: AUSF determines whether the UE is in the roaming state.
  • in one implementation, the AUSF sends an authentication request message to the UDM, and the authentication request message includes the SUPI or SUCI of the UE.
  • the UDM obtains the SN ID from the SN name (serving network name) of the UE.
  • the SN ID is the identification information of the PLMN where the AMF is located.
  • the AMF is the AMF of the network where the UE is currently located; therefore, if the UE is in a VPLMN, the SN ID is the VPLMN ID.
  • when the UDM determines that the SN ID is a VPLMN ID, it determines that the UE is in the roaming state and carries the VPLMN ID in the authentication response message sent to the AUSF. Therefore, the AUSF determines that the UE is in the roaming state based on the VPLMN ID in the authentication response message.
  • in another implementation, the AUSF compares the PLMN ID of the network where the AF is located with the HPLMN ID received from the UE. If they are the same, it determines that the UE is not in the roaming state; if they are different, it determines that the UE is in the roaming state.
  • in another implementation, the AUSF obtains the SN ID from the AMF. If the UE is in a VPLMN, the SN ID is the VPLMN ID. When the AUSF determines that the SN ID is a VPLMN ID, it determines that the UE is in the roaming state and saves the SN ID.
  • Step 1203: when the UE is in the roaming state, the AUSF and the UE generate K_AKMA* or K_AKMA, and generate A-KID' or A-KID.
  • in the case where vAAnF does not need to store the AKMA security context, the UE generates K_AKMA and A-KID, or K_AKMA and A-KID'.
  • in the case where vAAnF stores the AKMA security context, the UE determines to generate K_AKMA* and A-KID', or K_AKMA* and A-KID. At the same time, the UE generates K_AKMA. Generating K_AKMA* and A-KID' is an optional step.
  • K_AKMA is identified by A-KID' or A-KID.
  • K_AKMA* is identified by A-KID' or A-KID.
  • for example, A-KID identifies both K_AKMA and K_AKMA*; or A-KID identifies only K_AKMA and A-KID' identifies only K_AKMA*; or A-KID' identifies both K_AKMA and K_AKMA*.
  • A-KID includes RID, A-TID and HPLMN ID.
  • A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID.
  • in one implementation, whether the AUSF/UE generates A-KID' is independent of whether the UE is in the roaming state. That is, the AUSF/UE generates A-KID' regardless of whether the UE is roaming, but the roaming state changes the content of the generated A-KID': if the UE is in the roaming state, the VPLMN field in A-KID' is the VPLMN ID; if the UE is not in the roaming state, the VPLMN field in A-KID' is a default value. The AUSF can receive the VPLMN ID from UDM or AMF. In this case, the AUSF/UE no longer generates A-KID.
  • in another implementation, whether the AUSF/UE generates A-KID' depends on whether the UE is in the roaming state. Specifically, if the UE is in the roaming state, the AUSF/UE generates A-KID', and the VPLMN field in A-KID' is the VPLMN ID. If the UE is not in the roaming state, the AUSF generates A-KID.
  • the AUSF may generate both A-KID and A-KID'; then A-KID is used to identify K_AKMA and A-KID' is used to identify K_AKMA*. In the case where only A-KID is generated and A-KID' is not, A-KID is used to identify both K_AKMA* and K_AKMA. Or, in the case where only A-KID' is generated and A-KID is not, A-KID' is used to identify both K_AKMA* and K_AKMA.
  • Step 1204: AUSF sends a key registration request message to hAAnF. Accordingly, hAAnF receives the key registration request message.
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • in one implementation, the key registration request message includes SUPI, K_AKMA, A-KID, K_AKMA* and A-KID'; or includes SUPI, K_AKMA, A-KID and K_AKMA*; or includes SUPI, K_AKMA, K_AKMA* and A-KID'.
  • in another implementation, the key registration request message includes SUPI, K_AKMA and A-KID.
  • the key registration request message also includes roaming indication information.
  • the roaming indication information may be information about the VPLMN where the UE is located, that is, the VPLMN ID.
  • if K_AKMA* or A-KID' has not been generated, then when hAAnF determines that the UE is in the roaming state according to the roaming indication information, hAAnF generates K_AKMA* or A-KID' (i.e., step 1211).
  • the method of generating K_AKMA* and A-KID' can refer to the description of the foregoing embodiments.
  • when vAAnF stores the AKMA security context and the AKMA security context needs to be sent to vAAnF in advance, some or all of the following steps 1205 to 1213 need to be performed. Otherwise, steps 1205 to 1213 need not be performed.
  • Step 1205: hAAnF selects vAAnF.
  • this step is optional.
  • hAAnF can select vAAnF based on selection parameters (also referred to as parameters for selecting vAAnF). For the different implementations of selecting vAAnF according to the selection parameters, reference may be made to the description of the embodiment of FIG. 10.
  • if step 1205 is performed, there is no need to perform the following steps 1206 to 1209 and steps 1210a and 1210b. If step 1205 is not performed, steps 1206 to 1209 and steps 1210a and 1210b need to be performed.
  • Step 1206: hAAnF sends a discovery request message to hNRF. Accordingly, hNRF receives the discovery request message.
  • the discovery request message includes the VPLMN ID and the selection parameters.
  • the selection parameters are also referred to as parameters for selecting vAAnF.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • Step 1207: hNRF selects vNRF based on the VPLMN ID.
  • Step 1208: hNRF sends a discovery request message to vNRF. Accordingly, vNRF receives the discovery request message.
  • the discovery request message includes the selection parameters.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • Step 1209: vNRF selects vAAnF.
  • vNRF selects vAAnF according to the selection parameters. For details, refer to the description of the embodiment in Figure 10.
  • Step 1210a: vNRF sends a discovery response message to hNRF. Accordingly, hNRF receives the discovery response message.
  • the discovery response message includes the vAAnF information.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • Step 1210b: hNRF sends a discovery response message to hAAnF. Accordingly, hAAnF receives the discovery response message.
  • the discovery response message includes the vAAnF information.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • Step 1211: when the UE is in the roaming state, the UE and hAAnF generate K_AKMA* or A-KID'.
  • if K_AKMA* was not generated in step 1203 above and the UE did not generate K_AKMA* before executing step 1211, then K_AKMA* needs to be generated in step 1211.
  • the specific method of generating K_AKMA* is similar to that of step 1203.
  • if A-KID' was not generated in step 1203 above and the UE did not generate A-KID' before executing step 1211, then A-KID' needs to be generated in step 1211.
  • the specific method of generating A-KID' is similar to that of step 1203.
  • if step 1211 is executed, there is no order restriction between step 1211 and the foregoing steps; step 1211 only needs to be executed before step 1212.
  • Step 1212: hAAnF sends a key registration request message to vAAnF. Accordingly, vAAnF receives the key registration request message.
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • the key registration request message includes SUPI, K_AKMA* and A-KID'.
  • Step 1213: vAAnF stores SUPI, K_AKMA* and A-KID'.
  • if AUSF generates K_AKMA* or K_AKMA, the UE also generates K_AKMA* or K_AKMA according to the method used by AUSF, that is, the UE and the AUSF generate the same K_AKMA* or K_AKMA by the same method.
  • if hAAnF generates K_AKMA* or K_AKMA, the UE also generates K_AKMA* or K_AKMA according to the method used by hAAnF, that is, the UE and hAAnF generate the same K_AKMA* or K_AKMA by the same method.
  • the K_AKMA* generated by AUSF or hAAnF is used by vAAnF to generate an application key, and vAAnF then sends the application key to vAF or, of course, to hAF.
  • the K_AKMA* generated by the UE is used by the UE to generate an application key, and the application key generated by the UE is the same as the one generated by vAAnF.
  • this application key is used for secure communication between the UE and vAF/hAF.
  • through the above solution, K_AKMA* and A-KID' are generated by AUSF or hAAnF and actively sent to vAAnF, so that vAAnF stores K_AKMA* and A-KID' and can subsequently use K_AKMA* to generate a security key (i.e., K_AF) for communication between the UE and the vAF, realizing key update when the UE is in the roaming state.
  • the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) includes hardware structures and/or software modules that perform the corresponding functions.
  • Figures 13 and 14 are schematic structural diagrams of possible communication devices provided by embodiments of the present application. These communication devices can be used to implement the functions of the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) in the above method embodiments, and can therefore also achieve the beneficial effects of the above method embodiments.
  • the communication device may be a network storage function network element (NRF), a first network element (such as AF, NEF), a terminal device (such as UE), a home AKMA anchor function network element (hAAnF), a visiting AKMA anchor function network element (vAAnF) or an authentication server function network element (AUSF), or a module (such as a chip) of one of these.
  • the communication device 1300 shown in FIG. 13 includes a processing unit 1310 and a transceiver unit 1320.
  • the communication device 1300 is used to implement the functions of the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) in the above method embodiments.
  • the transceiver unit 1320 is used to receive a request message from the first network element, where the request message includes selection parameters; the processing unit 1310 is used to select, when the terminal device is in the roaming state, the visiting AKMA anchor function network element that provides services for the terminal device according to the selection parameters; the transceiver unit 1320 is also used to send a response message to the first network element, where the response message includes information about the visiting AKMA anchor function network element.
  • the processing unit 1310 is specifically configured to: when the network storage function network element stores an AKMA anchor function network element corresponding to the selection parameters, select that AKMA anchor function network element as the visiting AKMA anchor function network element; or, when the network storage function network element does not store an AKMA anchor function network element corresponding to the selection parameters, select the default AKMA anchor function network element.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the received indication information.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the processing unit 1310 is used to determine the selection parameters when the terminal device is in the roaming state; the transceiver unit 1320 is used to send messages to the network
  • the storage function network element sends the selection parameter, which is used to select the visiting AKMA anchor point function network element that provides services for the terminal device; receives the information of the visiting AKMA anchor point function network element from the network storage function network element; by and sending a request message to the visited AKMA anchor point function network element according to the information of the visited AKMA anchor point function network element.
  • the request message requests an application key for secure communication between the visited application function network element and the terminal device. .
  • the processing unit 1310 is also configured to determine based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the terminal device is in roaming state.
  • the processing unit 1310 is specifically configured to determine the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; wherein the first AKMA key identifier includes the route of the terminal device. identification, the AKMA temporary identification of the terminal equipment, the HPLMN information of the terminal equipment and the VPLMN information of the terminal equipment; the second AKMA key identification includes the routing identification of the terminal equipment, the AKMA temporary identification of the terminal equipment and the HPLMN information of the terminal device.
  • the processing unit 1310 is used to determine whether the terminal device is in a roaming state; when the terminal device is in a roaming state, determine the first AKMA root key, the third An AKMA root key is used to determine the first application key, which is used for secure communication between the terminal device and the visiting application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device. , the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the processing unit 1310 is specifically configured to determine the AKMA root key based on the VPLMN information of the terminal device, the user permanent identity SUPI of the terminal device, and the authentication server function root key.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the received indication information.
  • the transceiver unit 1320 is used to receive the AKMA root key from the home AKMA anchor function network element; the processing unit 1310 is used to The AKMA root key determines the application key used for secure communication between the access application function network element and the terminal device.
  • the processing unit 1310 is used to obtain the first AKMA root key; the transceiver unit 1320 is used to send a message to the visiting AKMA anchor function network element.
  • the first AKMA root key is sent.
  • the first AKMA root key is used to determine the first application key.
  • the first application key is used for secure communication between the terminal device and the visited application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key according to the second AKMA root key, and the second AKMA root key is used to determine the second application key.
  • the second application key is used for secure communication between the terminal device and the home application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device. key.
  • the processing unit 1310 is used to determine whether the terminal device is in the roaming state; key to determine the first AKMA root key; wherein the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visiting application function network element ;
  • the second The AKMA root key is used to determine the second application key, which is used for secure communication between the terminal device and the home application function network element.
  • the transceiver unit 1320 is configured to send the first AKMA root key to the visiting AKMA anchor point function network element.
  • the transceiver unit 1320 is configured to receive a request message from the visited AKMA anchor function network element, where the request message is used to request to obtain the AKMA root key; based on the request message, send a request message to the visited AKMA anchor function network element.
  • the point function network element sends the first AKMA root key.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device. key.
  • the transceiver unit 1320 is configured to receive indication information from the authentication server functional network element, which indicates that the terminal device is in a roaming state; the processing unit 1310 is configured to determine the terminal device based on the indication information. The terminal device is in roaming state.
  • the processing unit 1310 is configured to determine whether the terminal device is in a roaming state based on the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the processing unit 1310 is used to determine whether the terminal device is in the roaming state; when the terminal device is in the roaming state, according to the VPLMN of the terminal device information to determine the AKMA root key; wherein, the AKMA root key is used to determine the application key, and the application key is used for secure communication between the terminal device and the visiting application function network element.
  • the transceiver unit 1320 is configured to send the AKMA root key to the home AKMA anchor point function network element.
  • the processing unit 1310 is configured to determine the AKMA root key based on the VPLMN information of the terminal device, the SUPI of the terminal device, and the authentication server function root key.
  • the processing unit 1310 is configured to perform the processing according to one or more of the HPLMN information of the terminal device, the VPLMN information of the authentication server functional network element, or the VPLMN information of the terminal device, Determine whether the terminal device is in roaming state.
  • the communication device 1400 shown in FIG. 14 includes a processor 1410 and an interface circuit 1420.
  • the processor 1410 and the interface circuit 1420 are coupled to each other.
  • the interface circuit 1420 may be a transceiver or an input-output interface.
  • the communication device 1400 may also include a memory 1430 for storing instructions executed by the processor 1410 or input data required for the processor 1410 to run the instructions or data generated after the processor 1410 executes the instructions.
  • the processor 1410 is used to implement the functions of the above processing unit 1310.
  • the interface circuit 1420 is used to implement the functions of the above transceiver unit 1320.
  • the processor in the embodiments of the present application may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • a general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application may be implemented in hardware, or may be implemented by a processor executing software instructions.
  • software instructions may be composed of corresponding software modules, and the software modules may be stored in random access memory, flash memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor such that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage media may be located in an ASIC. Additionally, the ASIC can be located in the base station or terminal equipment. Of course, the processor and the storage medium may also exist as discrete components in the base station or terminal equipment.
  • the computer program product includes one or more computer programs or instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, a base station, a user equipment, or other programmable device.
  • the computer program or instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
  • the computer program or instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center that integrates one or more available media.
  • the available media may be magnetic media, such as floppy disks, hard disks, and tapes; optical media, such as digital video optical disks; or semiconductor media, such as solid-state hard drives.
  • the computer-readable storage medium may be volatile or nonvolatile storage media, or may include both volatile and nonvolatile types of storage media.
  • “at least one” refers to one or more, and “plurality” refers to two or more.
  • “And/or” describes the association of associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural.
  • the character "/" generally indicates that the related objects before and after it are in an "or" relationship; in the formulas of this application, the character "/" indicates that the related objects before and after it are in a "division" relationship.

Abstract

The present application provides a communication method, a communication apparatus, and a communication system. In the method, when a terminal device is in a roaming state, a network storage function network element selects a visiting AKMA anchor point function network element. The visiting AKMA anchor point function network element can serve as a transfer node or generate an application key for secure communication between the terminal device and an application function network element. Therefore, the application function network element can accurately obtain the application key such that the terminal device and the application function network element encrypt communication content by using the application key, thereby improving the communication security.

Description

Communication method, communication apparatus and communication system
Cross-reference to related applications
This application claims priority to the Chinese patent application with application number 202210730849.9, entitled "Communication method, communication apparatus and communication system", filed with the China Patent Office on June 24, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of wireless communication technology, and in particular to a communication method, a communication apparatus and a communication system.
Background
To improve communication security, when a terminal device communicates with an application function (AF) network element, both parties need to use an application key to encrypt the transmitted content. The application key used by the terminal device is generated by the terminal device, and the application key used by the AF network element is generated by the authentication and key management for applications (AKMA) anchor function (AAnF) network element and sent to the AF network element.
When the terminal device is in a non-roaming state, the AF network element and the AAnF network element are located in the same public land mobile network, so the AF network element can connect to the AAnF network element and request the application key from it.
However, when the terminal device is in a roaming state, the AF network element communicating with the terminal device may not be able to connect directly to the terminal device's home AAnF (hAAnF) network element, so the AF network element may be unable to obtain the application key, which makes the communication insecure.
Summary of the invention
The present application provides a communication method, a communication apparatus and a communication system to ensure secure communication between a terminal device and an AF network element.
According to a first aspect, an embodiment of the present application provides a communication method, which may be executed by a network storage function network element or by a module applied to a network storage function network element. Taking execution by the network storage function network element as an example: the network storage function network element receives a request message from a first network element, where the request message includes a selection parameter; when a terminal device is in a roaming state, the network storage function network element selects, according to the selection parameter, a visiting AKMA anchor function network element that serves the terminal device; the network storage function network element sends a response message to the first network element, where the response message includes information of the visiting AKMA anchor function network element.
In the above solution, when the terminal device is in a roaming state, the network storage function network element selects a visiting AKMA anchor function network element. The visiting AKMA anchor function network element can either act as a relay node or generate the application key for secure communication between the terminal device and the application function network element, so that the application function network element obtains the correct application key, the terminal device and the application function network element can encrypt the communication content with the application key, and communication security is improved.
In a possible implementation, the network storage function network element selecting, according to the selection parameter, the visiting AKMA anchor function network element that serves the terminal device includes: when the network storage function network element stores an AKMA anchor function network element corresponding to the selection parameter, the network storage function network element selects that AKMA anchor function network element as the visiting AKMA anchor function network element; or, when the network storage function network element does not store an AKMA anchor function network element corresponding to the selection parameter, the network storage function network element selects a default AKMA anchor function network element as the visiting AKMA anchor function network element.
This solution makes it possible to select a suitable visiting AKMA anchor function network element.
In a possible implementation, the selection parameter includes one or more of: the routing identifier of the terminal device, information of the home public land mobile network (HPLMN) of the terminal device, information of the visited public land mobile network (VPLMN) in which the first network element is located, or information of the VPLMN of the terminal device.
With this solution, a suitable visiting AKMA anchor function network element can be determined by means of the selection parameter.
In a possible implementation, the selection parameter includes one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device; the network storage function network element determines that the terminal device is in a roaming state according to one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device.
With this solution, whether the terminal device is in a roaming state can be determined accurately, which helps to determine accurately whether a visiting AKMA anchor function network element needs to be selected.
In a possible implementation, the network storage function network element determines that the terminal device is in a roaming state according to received indication information.
With this solution, whether the terminal device is in a roaming state can be determined accurately, which helps to determine accurately whether a visiting AKMA anchor function network element needs to be selected.
In a possible implementation, the network storage function network element determines that the terminal device is in a roaming state according to the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
With this solution, whether the terminal device is in a roaming state can be determined accurately, which helps to determine accurately whether a visiting AKMA anchor function network element needs to be selected.
In a possible implementation, the terminal device being in a roaming state means that the terminal device is located in a visited network, or that the application function network element communicating with the terminal device cannot directly connect to the home AKMA anchor function network element of the terminal device.
According to a second aspect, an embodiment of the present application provides a communication method, which may be executed by a first network element or by a module applied to the first network element, where the first network element may be a network exposure function network element or an application function network element. Taking execution by the first network element as an example: when a terminal device is in a roaming state, the first network element determines a selection parameter; the first network element sends the selection parameter to a network storage function network element, where the selection parameter is used to select a visiting AKMA anchor function network element that serves the terminal device; the first network element receives information of the visiting AKMA anchor function network element from the network storage function network element; the first network element sends a request message to the visiting AKMA anchor function network element according to the information of the visiting AKMA anchor function network element, where the request message requests an application key for secure communication between a visiting application function network element and the terminal device.
In the above solution, when the terminal device is in a roaming state, the first network element requests the network storage function network element to select a visiting AKMA anchor function network element. The visiting AKMA anchor function network element can either act as a relay node or generate the application key for secure communication between the terminal device and the application function network element, so that the application function network element obtains the correct application key, the terminal device and the application function network element can encrypt the communication content with the application key, and communication security is improved.
In a possible implementation, the selection parameter includes one or more of: the routing identifier of the terminal device, information of the home public land mobile network (HPLMN) of the terminal device, information of the visited public land mobile network (VPLMN) in which the first network element is located, or information of the VPLMN of the terminal device.
With this solution, a suitable visiting AKMA anchor function network element can be determined by means of the selection parameter.
In a possible implementation, the first network element determines that the terminal device is in a roaming state according to one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device.
With this solution, whether the terminal device is in a roaming state can be determined accurately, which helps to determine accurately whether a visiting AKMA anchor function network element needs to be selected.
In a possible implementation, the first network element sends indication information to the terminal device, where the indication information indicates that the terminal device is in a roaming state.
With this solution, whether the terminal device is in a roaming state can be determined accurately, which helps to determine accurately whether a visiting AKMA anchor function network element needs to be selected.
In a possible implementation, the first network element determining the selection parameter includes: the first network element determines the selection parameter according to a first AKMA key identifier or a second AKMA key identifier, where the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device and the VPLMN information of the terminal device, and the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
In a possible implementation, the first network element is the visiting application function network element, and the visiting application function network element receives an application session establishment request message from the terminal device; or, the first network element is the network exposure function network element, and the network exposure function network element receives an application key request message from the visiting application function network element.
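The first and second aspects above (and the matching device 1300 functions for the network storage function network element and the first network element) describe a small decision procedure: detect roaming, build a selection parameter, look up a visiting AAnF, fall back to a default. The following Python is an added illustration written for this page; it is not code from the patent or from any 3GPP implementation. The key-identifier layout, the PLMN string format, the registry keyed on routing identifier plus HPLMN, and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of an AKMA key identifier. The page names the fields
# (routing identifier, AKMA temporary identifier, HPLMN information and, in the
# "first" form, VPLMN information); the encoding and the PLMN strings used here
# are assumptions, not the 3GPP A-KID format.
@dataclass(frozen=True)
class AkmaKeyId:
    routing_id: str
    temp_id: str
    hplmn: str                    # constructed form, e.g. "mcc460.mnc000"
    vplmn: Optional[str] = None   # present only in the "first" key identifier


def is_roaming(hplmn: str, serving_plmn: Optional[str] = None,
               indication: Optional[bool] = None) -> bool:
    """Roaming decision as the page describes it for the NRF and the first
    network element: an explicit indication wins; otherwise the UE is roaming
    when the serving PLMN (the NRF's own PLMN or the AF/NEF's VPLMN) differs
    from the UE's HPLMN."""
    if indication is not None:
        return indication
    if serving_plmn is None:
        raise ValueError("need an indication or a serving PLMN to decide")
    return serving_plmn != hplmn


def build_selection_params(akid: AkmaKeyId, first_ne_vplmn: str) -> dict:
    """First network element (AF or NEF) derives the selection parameter from
    the AKMA key identifier plus its own VPLMN. The UE's VPLMN is only
    available when the "first" key identifier form carries it."""
    params = {
        "routing_id": akid.routing_id,
        "hplmn": akid.hplmn,
        "first_ne_vplmn": first_ne_vplmn,
    }
    if akid.vplmn is not None:
        params["ue_vplmn"] = akid.vplmn
    return params


# Constructed NRF registry: (routing identifier, HPLMN) -> vAAnF profile.
# Keying on these two fields is an assumption of this example.
DEFAULT_VAANF = {"nf_instance": "vaanf-default", "addr": "vaanf-default.example"}


def nrf_select_vaanf(registry: dict, nrf_plmn: str, params: dict,
                     indication: Optional[bool] = None) -> Optional[dict]:
    """NRF side of the first aspect. Returns None when the UE is not roaming
    (no vAAnF is needed); otherwise the vAAnF registered for the selection
    parameter, or the default vAAnF when none is registered."""
    hplmn = params["hplmn"]
    if not is_roaming(hplmn, serving_plmn=nrf_plmn, indication=indication):
        return None
    return registry.get((params["routing_id"], hplmn), DEFAULT_VAANF)


def first_ne_flow(registry: dict, nrf_plmn: str, akid: AkmaKeyId,
                  first_ne_vplmn: str) -> Optional[dict]:
    """Second aspect end to end: the AF/NEF decides it is roaming, builds the
    selection parameter, asks the NRF, and returns the vAAnF it would address
    the application key request to (None when not roaming)."""
    if not is_roaming(akid.hplmn, serving_plmn=first_ne_vplmn):
        return None
    params = build_selection_params(akid, first_ne_vplmn)
    return nrf_select_vaanf(registry, nrf_plmn, params)


if __name__ == "__main__":
    reg = {("rid-01", "mcc460.mnc000"): {"nf_instance": "vaanf-1", "addr": "vaanf-1.example"}}
    akid = AkmaKeyId("rid-01", "tid-abc", "mcc460.mnc000", "mcc262.mnc001")
    print(first_ne_flow(reg, "mcc262.mnc001", akid, "mcc262.mnc001"))
```

The point worth checking in a real deployment is the fallback branch: the default AAnF is only reached when the roaming decision has already been made, so a wrong PLMN comparison silently routes the key request to the home path instead. Making the roaming decision explicit (and logging which input decided it) is what makes that failure visible.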
第三方面,本申请实施例提供一种通信方法,该方法可以由终端设备或应用于终端设备的模块来执行。以终端设备执行该方法为例,终端设备判断该终端设备是否处于漫游状态;当该终端设备处于漫游状态,该终端设备确定第一AKMA根密钥,该第一AKMA根密钥用于确定第一应用密钥,该第一应用密钥用于该终端设备与拜访应用功能网元之间进行安全通信。In the third aspect, embodiments of the present application provide a communication method, which can be executed by a terminal device or a module applied to the terminal device. Taking the terminal device executing this method as an example, the terminal device determines whether the terminal device is in a roaming state; when the terminal device is in a roaming state, the terminal device determines the first AKMA root key, and the first AKMA root key is used to determine the third AKMA root key. An application key, the first application key is used for secure communication between the terminal device and the visiting application function network element.
上述方案,当终端设备处于漫游状态,则终端设备生成第一AKMA根密钥,该第一AKMA根密钥用于确定第一应用密钥,该第一应用密钥用于该终端设备与拜访应用功能网元之间进行安全通信,有助于实现准确确定与拜访应用功能网元之间进行通信的密钥。In the above solution, when the terminal device is in the roaming state, the terminal device generates the first AKMA root key. The first AKMA root key is used to determine the first application key. The first application key is used for the terminal device to communicate with the visitor. Secure communication between application function network elements helps to accurately determine the key for communication with the visiting application function network elements.
一种可能的实现方法中,该终端设备确定第一AKMA根密钥,包括:该终端设备根据第二AKMA根密钥,以及该终端设备的HPLMN的信息和/或该终端设备的VPLMN的信息,确定该第一AKMA根密钥,该第二AKMA根密钥用于确定第二应用密钥,该第二应用密钥用于该终端设备与家乡应用功能网元之间进行安全通信。In a possible implementation method, the terminal device determines the first AKMA root key, including: the terminal device determines the first AKMA root key according to the second AKMA root key, and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device. , determine the first AKMA root key, and the second AKMA root key is used to determine a second application key. The second application key is used for secure communication between the terminal device and the home application function network element.
一种可能的实现方法中,该终端设备确定第一AKMA根密钥,包括:该终端设备根据该终端设备的VPLMN的信息、该终端设备的用户永久标识SUPI和鉴权服务器功能根密钥,确定该AKMA根密钥。In a possible implementation method, the terminal device determines the first AKMA root key, including: the terminal device based on the VPLMN information of the terminal device, the user permanent identity SUPI of the terminal device and the authentication server function root key, Determine the AKMA root key.
一种可能的实现方法中,该终端设备根据收到的指示信息,确定该终端设备处于漫游状态。In a possible implementation method, the terminal device determines that the terminal device is in a roaming state based on the received indication information.
第四方面,本申请实施例提供一种通信方法,该方法可以由拜访AKMA锚点功能网元或应用于拜访AKMA锚点功能网元的模块来执行。以拜访AKMA锚点功能网元执行该 方法为例,拜访AKMA锚点功能网元接收来自家乡AKMA锚点功能网元的第一AKMA根密钥;该拜访AKMA锚点功能网元根据该第一AKMA根密钥,确定用于拜访应用功能网元与终端设备之间进行安全通信的第一应用密钥。In the fourth aspect, embodiments of the present application provide a communication method, which can be executed by a visiting AKMA anchor point function network element or a module applied to a visiting AKMA anchor point function network element. Execute this by accessing the AKMA anchor function network element. For example, the visiting AKMA anchor function network element receives the first AKMA root key from the home AKMA anchor function network element; the visiting AKMA anchor function network element determines the access application based on the first AKMA root key. The first application key for secure communication between functional network elements and terminal equipment.
一种可能的实现方法中,该拜访AKMA锚点功能网元存储该AKMA根密钥。In a possible implementation method, the access AKMA anchor point function network element stores the AKMA root key.
In a fifth aspect, an embodiment of this application provides a communication method, which may be performed by a home AKMA anchor function network element or by a module applied to the home AKMA anchor function network element. Taking execution by the home AKMA anchor function network element as an example: the home AKMA anchor function network element obtains a first AKMA root key and sends it to the visited AKMA anchor function network element; the first AKMA root key is used to determine a first application key, and the first application key is used for secure communication between the terminal device and the visited application function network element.
In a possible implementation, obtaining the first AKMA root key by the home AKMA anchor function network element includes: the home AKMA anchor function network element determines the first AKMA root key based on a second AKMA root key, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
In a possible implementation, determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key together with the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
In a possible implementation, obtaining the first AKMA root key by the home AKMA anchor function network element includes: the home AKMA anchor function network element receives the first AKMA root key from the authentication server function network element.
In a sixth aspect, an embodiment of this application provides a communication method, which may be performed by a home AKMA anchor function network element or by a module applied to the home AKMA anchor function network element. Taking execution by the home AKMA anchor function network element as an example: the home AKMA anchor function network element determines whether the terminal device is in a roaming state; when the terminal device is in a roaming state, the home AKMA anchor function network element determines a first AKMA root key based on a second AKMA root key. The first AKMA root key is used to determine a first application key, which is used for secure communication between the terminal device and the visited application function network element; the second AKMA root key is used to determine a second application key, which is used for secure communication between the terminal device and the home application function network element.
With the above solution, once the home AKMA anchor function network element has determined that the UE is in a roaming state, it can generate an AKMA root key for the visited AKMA anchor function network element and send that root key to it. Since the visited AKMA anchor function network element uses this root key rather than the home one, keys are isolated between different AKMA anchor function network elements: the visited and home AKMA anchor function network elements use different AKMA root keys. Provided the derivation is one-way, a compromise of the visited anchor function network element does not expose the root key from which home application keys are derived, which helps keep the keys secure and thereby improves communication security.
In a possible implementation, the home AKMA anchor function network element stores the first AKMA root key.
In a possible implementation, the home AKMA anchor function network element sends the first AKMA root key to the visited AKMA anchor function network element.
In a possible implementation, the home AKMA anchor function network element receives a request message from the visited AKMA anchor function network element, where the request message requests an AKMA root key; sending the first AKMA root key to the visited AKMA anchor function network element then includes: the home AKMA anchor function network element sends the first AKMA root key to the visited AKMA anchor function network element in response to the request message.
In a possible implementation, determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key together with the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
In a possible implementation, determining whether the terminal device is in a roaming state includes: the home AKMA anchor function network element receives indication information from the authentication server function network element, where the indication information indicates that the terminal device is in a roaming state, and determines from that indication information that the terminal device is in a roaming state.
In a possible implementation, determining whether the terminal device is in a roaming state includes: the home AKMA anchor function network element judges, based on the HPLMN information of the terminal device and/or the VPLMN information of the terminal device, whether the terminal device is in a roaming state.
In a seventh aspect, an embodiment of this application provides a communication method, which may be performed by an authentication server function network element or by a module applied to the authentication server function network element. Taking execution by the authentication server function network element as an example: the authentication server function network element determines whether the terminal device is in a roaming state; when the terminal device is in a roaming state, the authentication server function network element determines an AKMA root key based on the VPLMN information of the terminal device. The AKMA root key is used to determine an application key, which is used for secure communication between the terminal device and the visited application function network element.
With the above solution, once the authentication server function network element has determined that the terminal device is in a roaming state, it can generate an AKMA root key and send it, via the home AKMA anchor function network element, to the visited AKMA anchor function network element. Since this root key is the one the visited AKMA anchor function network element uses, keys are isolated between different AKMA anchor function network elements: the visited and home AKMA anchor function network elements use different AKMA root keys, which helps keep the keys secure and thereby improves communication security.
In a possible implementation, the authentication server function network element stores the AKMA root key.
In a possible implementation, the authentication server function network element sends the AKMA root key to the home AKMA anchor function network element.
In a possible implementation, determining the AKMA root key based on the VPLMN information of the terminal device includes: the authentication server function network element determines the AKMA root key based on the VPLMN information of the terminal device, the subscription permanent identifier (SUPI) of the terminal device, and the authentication server function root key.
In a possible implementation, determining whether the terminal device is in a roaming state includes: the authentication server function network element judges, based on one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the authentication server function network element is located, or the VPLMN information of the terminal device, whether the terminal device is in a roaming state.
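As an added worked example (not code from this application), the following Python models the roaming key hierarchy described in the fifth to seventh aspects and restated in the system description further below: the authentication server function derives the home (second) AKMA root key from its root key and the SUPI; the home AKMA anchor function derives the visited (first) AKMA root key from the home root key together with the HPLMN and VPLMN information (fifth and sixth aspects), or alternatively the authentication server function derives the visited root key directly from its root key, the SUPI and the VPLMN information (seventh aspect); and each anchor function derives its application key from the root key it holds. The KDF (HMAC-SHA-256 over length-prefixed parameters), the FC values and labels, and the sample K_AUSF, SUPI, PLMN IDs and AF identifier are all assumptions made for illustration and are not claimed to match the 3GPP-specified encodings.

```python
"""Roaming AKMA key hierarchy, added illustration of the aspects above.

Not code from the patent. HMAC-SHA-256 over length-prefixed parameters is an
assumed KDF shape; the FC values and labels are assumptions, not 3GPP values.
"""
import hashlib
import hmac
from typing import Dict, Optional


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF(key, FC || P0 || L0 || P1 || L1 ...) with 2-byte big-endian lengths."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """AUSF: home (second) AKMA root key from K_AUSF and SUPI."""
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())


def derive_visited_root_by_aanf(k_akma_home: bytes, hplmn: str, vplmn: str) -> bytes:
    """Home AAnF: visited (first) AKMA root key from the home root key plus
    HPLMN and VPLMN information (fifth and sixth aspects)."""
    return kdf(k_akma_home, 0x81, b"AKMA-VPLMN", hplmn.encode(), vplmn.encode())


def derive_visited_root_by_ausf(k_ausf: bytes, supi: str, vplmn: str) -> bytes:
    """AUSF: visited AKMA root key from K_AUSF, SUPI and VPLMN (seventh aspect)."""
    return kdf(k_ausf, 0x82, b"AKMA", supi.encode(), vplmn.encode())


def derive_k_af(k_akma_root: bytes, af_id: str) -> bytes:
    """Any AAnF: application key from the root key it holds and the AF identifier."""
    return kdf(k_akma_root, 0x83, b"AKMA-AF", af_id.encode())


def is_roaming(hplmn: str, serving_plmn: str) -> bool:
    """Roaming check used by AUSF/AAnF: HPLMN differs from the serving PLMN."""
    return hplmn != serving_plmn


def roaming_key_material(k_ausf: bytes, supi: str, hplmn: str, vplmn: str,
                         af_id: str, root_from: str = "aanf") -> Dict[str, Optional[bytes]]:
    """Root keys and the K_AF handed to an AF serving the UE in `vplmn`.

    root_from selects who derives the visited root key: the home AAnF ("aanf")
    or the AUSF ("ausf"). A non-roaming UE gets only the home hierarchy.
    """
    k_akma_home = derive_k_akma(k_ausf, supi)
    if not is_roaming(hplmn, vplmn):
        return {"home_root": k_akma_home, "visited_root": None,
                "k_af": derive_k_af(k_akma_home, af_id)}
    if root_from == "aanf":
        visited_root = derive_visited_root_by_aanf(k_akma_home, hplmn, vplmn)
    elif root_from == "ausf":
        visited_root = derive_visited_root_by_ausf(k_ausf, supi, vplmn)
    else:
        raise ValueError("root_from must be 'aanf' or 'ausf'")
    # The visited AAnF receives only visited_root and derives K_AF from it;
    # it never holds k_akma_home.
    return {"home_root": k_akma_home, "visited_root": visited_root,
            "k_af": derive_k_af(visited_root, af_id)}


# Constructed sample inputs (not real subscriber data).
SAMPLE_K_AUSF = bytes(range(32))
SAMPLE_SUPI = "imsi-460001234567890"
SAMPLE_HPLMN, SAMPLE_VPLMN, SAMPLE_AF = "46000", "23415", "af.example.com"

if __name__ == "__main__":
    keys = roaming_key_material(SAMPLE_K_AUSF, SAMPLE_SUPI, SAMPLE_HPLMN,
                                SAMPLE_VPLMN, SAMPLE_AF)
    for name, value in keys.items():
        print(name, value.hex() if value else None)
```

The property worth checking is the isolation the aspects above claim: the visited anchor function can compute K_AF for the visited AF from the visited root key alone, and that K_AF differs from the one the home anchor function would derive for the same AF identifier, so a visited-network compromise yields neither the home root key nor home application keys. Changing the VPLMN changes the visited root key, so two visited networks serving the same subscriber also receive different keys.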
In an eighth aspect, an embodiment of this application provides a communication apparatus. The apparatus may be a network repository function network element, or a chip for a network repository function network element. The apparatus has the function of implementing any implementation of the first aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In a ninth aspect, an embodiment of this application provides a communication apparatus. The apparatus may be a first network element, or a chip for the first network element. The apparatus has the function of implementing any implementation of the second aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In a tenth aspect, an embodiment of this application provides a communication apparatus. The apparatus may be a terminal device, or a chip for the terminal device. The apparatus has the function of implementing any implementation of the third aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In an eleventh aspect, an embodiment of this application provides a communication apparatus. The apparatus may be a visited AKMA anchor function network element, or a chip for the visited AKMA anchor function network element. The apparatus has the function of implementing any implementation of the fourth aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In a twelfth aspect, an embodiment of this application provides a communication apparatus. The apparatus may be a home AKMA anchor function network element, or a chip for the home AKMA anchor function network element. The apparatus has the function of implementing any implementation of the fifth or sixth aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In a thirteenth aspect, an embodiment of this application provides a communication apparatus. The apparatus may be an authentication server function network element, or a chip for the authentication server function network element. The apparatus has the function of implementing any implementation of the seventh aspect above. This function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the above function.
In a fourteenth aspect, an embodiment of this application provides a communication apparatus including a processor coupled to a memory, where the processor is configured to invoke a program stored in the memory to perform any implementation of the first to seventh aspects above. The memory may be located inside or outside the apparatus, and there may be one or more processors.
In a fifteenth aspect, an embodiment of this application provides a communication apparatus including a processor and a memory. The memory stores computer instructions, and when the apparatus runs, the processor executes the computer instructions stored in the memory so that the apparatus performs any implementation of the first to seventh aspects above.
In a sixteenth aspect, an embodiment of this application provides a communication apparatus including units or means for performing each step of any implementation of the first to seventh aspects above.
In a seventeenth aspect, an embodiment of this application provides a communication apparatus including a processor and an interface circuit, where the processor is configured to communicate with other apparatuses through the interface circuit and to perform any implementation of the first to seventh aspects above. There may be one or more processors.
In an eighteenth aspect, an embodiment of this application further provides a computer-readable storage medium storing instructions which, when run on a communication apparatus, cause any implementation of the first to seventh aspects above to be performed.
In a nineteenth aspect, an embodiment of this application further provides a computer program product including a computer program or instructions which, when run by a communication apparatus, cause any implementation of the first to seventh aspects above to be performed.
In a twentieth aspect, an embodiment of this application further provides a chip system including a processor configured to perform any implementation of the first to seventh aspects above.
In a twenty-first aspect, an embodiment of this application further provides a communication system including a network repository function network element for performing any implementation of the first aspect above and a first network element for performing any implementation of the second aspect above.
In a twenty-second aspect, an embodiment of this application further provides a communication system including a visited AKMA anchor function network element for performing any implementation of the fourth aspect above and a home AKMA anchor function network element for performing any implementation of the fifth aspect above.
In a twenty-third aspect, an embodiment of this application further provides a communication method, including: when the terminal device is in a roaming state, a first network element determines a selection parameter; the first network element sends a first request message including the selection parameter to the network repository function network element; the network repository function network element selects, according to the selection parameter in the first request message, the visited AKMA anchor function network element that will serve the terminal device; and the network repository function network element sends a response message including the information of the visited AKMA anchor function network element to the first network element.
Description of the drawings
Figure 1 is a schematic diagram of a communication system provided by an embodiment of this application;
Figure 2 is a schematic diagram of a 5G network architecture based on a service-based architecture;
Figure 3 is a schematic diagram of a 5G network architecture based on point-to-point interfaces;
Figure 4 is a schematic diagram of an architecture in which AKMA-related functions are added to a 5G network;
Figure 5 is a schematic diagram of a K_AKMA generation method provided by an embodiment of this application;
Figure 6 is a schematic diagram of a K_AKMA usage method provided by an embodiment of this application;
Figure 7 is a schematic diagram of a K_AKMA usage method provided by an embodiment of this application;
Figure 8 is a schematic diagram of an AKMA roaming architecture provided by this embodiment;
Figure 9(a) is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 9(b) is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 9(c) is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 10 is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 11 is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 12 is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 13 is a schematic diagram of a communication apparatus provided by an embodiment of this application;
Figure 14 is a schematic diagram of a communication apparatus provided by an embodiment of this application.
Detailed description of embodiments
To secure the communication between a terminal device and an AF network element, this application provides a communication system. Referring to Figure 1, the system includes a network repository function network element and a first network element; optionally, the system further includes a home AKMA anchor function network element and a visited AKMA anchor function network element. The system shown in Figure 1 can be used in the fifth generation (5G) network architectures shown in Figures 2 to 4, and of course also in future network architectures such as a sixth generation (6G) network architecture; this application does not limit this.
The first network element is configured to determine a selection parameter when the terminal device is in a roaming state, and to send a first request message including the selection parameter to the network repository function network element. The network repository function network element is configured to receive the first request message from the first network element, select, according to the selection parameter in the first request message, the visited AKMA anchor function network element that will serve the terminal device, and send a response message including the information of the visited AKMA anchor function network element to the first network element. The first network element is further configured to receive the response message.
In a possible implementation, the first network element is further configured to send, according to the information of the visited AKMA anchor function network element, a second request message to the visited AKMA anchor function network element, where the second request message requests a first application key used for secure communication between the visited application function network element and the terminal device. The visited AKMA anchor function network element is configured to receive the second request message, obtain a first AKMA root key, determine the first application key based on the first AKMA root key, and send the first application key to the first network element.
In a possible implementation, the home AKMA anchor function network element is configured to obtain the first AKMA root key and send it to the visited AKMA anchor function network element; the visited AKMA anchor function network element is specifically configured to receive the first AKMA root key from the home AKMA anchor function network element.
In a possible implementation, the home AKMA anchor function network element is specifically configured to determine the first AKMA root key based on a second AKMA root key, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
In a possible implementation, the home AKMA anchor function network element is specifically configured to determine the first AKMA root key based on the second AKMA root key together with the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
In a possible implementation, the home AKMA anchor function network element is specifically configured to receive the first AKMA root key from the authentication server function network element.
In a possible implementation, the first network element is a visited application function network element; the visited application function network element is further configured to receive an application session establishment request message from the terminal device, where the application session establishment request message includes information used to determine the selection parameter.
In a possible implementation, the first network element is a network exposure function network element; the network exposure function network element further receives an application key request message from the visited application function network element, where the application key request message includes information used to determine the selection parameter.
In a possible implementation, the network repository function network element is specifically configured to: when it stores an AKMA anchor function network element corresponding to the selection parameter, select that AKMA anchor function network element as the visited AKMA anchor function network element; or, when it does not store an AKMA anchor function network element corresponding to the selection parameter, select a default AKMA anchor function network element as the visited AKMA anchor function network element.
In a possible implementation, the selection parameter includes one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device; the network repository function network element is further configured to determine, based on one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device, that the terminal device is in a roaming state.
In a possible implementation, the network repository function network element is further configured to determine, based on received indication information, that the terminal device is in a roaming state.
In a possible implementation, the network repository function network element is further configured to determine, based on the PLMN information of the network repository function network element itself and the HPLMN information of the terminal device, that the terminal device is in a roaming state.
In a possible implementation, the first network element is further configured to determine, based on one or more of the HPLMN information of the terminal device, the information of the VPLMN in which the first network element is located, or the VPLMN information of the terminal device, that the terminal device is in a roaming state.
In a possible implementation, the first network element is further configured to send indication information to the terminal device, where the indication information indicates that the terminal device is in a roaming state.
In a possible implementation, the first network element is specifically configured to determine the selection parameter based on a first AKMA key identifier or a second AKMA key identifier, where the first AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device and the VPLMN information of the terminal device, and the second AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
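As an added example (not the application's own code), the following Python sketches the selection procedure described above between the first network element and the network repository function network element: the first network element parses an AKMA key identifier, decides from its HPLMN field and the VPLMN (taken from the identifier when present, otherwise from its own PLMN) whether the terminal device is roaming, and builds the selection parameter; the network repository function re-checks roaming against its own PLMN, returns the AKMA anchor function it stores for that selection parameter, and falls back to a default anchor function when none is stored. The textual key identifier encoding '<rid>.<a_tid>@<hplmn>[.<vplmn>]', the registry keyed by HPLMN, and the sample identifiers and PLMN IDs are assumptions made for illustration.

```python
"""Visited AKMA anchor function selection via the NRF, added illustration only.

Not the application's own code. The A-KID text encoding, the registry keyed by
HPLMN and all identifiers below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AkmaKeyId:
    """Fields of the two key-identifier forms described above."""
    routing_indicator: str
    a_tid: str
    hplmn: str
    vplmn: Optional[str] = None  # present only in the first form


def parse_a_kid(a_kid: str) -> AkmaKeyId:
    """Parse the assumed encoding '<rid>.<a_tid>@<hplmn>[.<vplmn>]'."""
    user, _, realm = a_kid.partition("@")
    rid, _, a_tid = user.partition(".")
    plmns = realm.split(".")
    if not (rid and a_tid and 1 <= len(plmns) <= 2 and all(plmns)):
        raise ValueError(f"malformed A-KID: {a_kid!r}")
    return AkmaKeyId(rid, a_tid, plmns[0], plmns[1] if len(plmns) == 2 else None)


def build_selection_params(a_kid: str, first_ne_vplmn: str) -> Optional[dict]:
    """First network element (visited AF or NEF): decide roaming from the A-KID
    and its own VPLMN, then build the selection parameter. None when not roaming."""
    kid = parse_a_kid(a_kid)
    vplmn = kid.vplmn or first_ne_vplmn
    if kid.hplmn == vplmn:
        return None
    return {"hplmn": kid.hplmn, "vplmn": vplmn,
            "requester_plmn": first_ne_vplmn, "roaming": True}


class Nrf:
    """Network repository function holding the visited AAnF registry."""

    def __init__(self, own_plmn: str, default_aanf: str):
        self.own_plmn = own_plmn
        self.default_aanf = default_aanf
        self._by_hplmn: Dict[str, str] = {}

    def register_aanf(self, aanf_id: str, serves_hplmn: str) -> None:
        """Register an AAnF in this VPLMN dedicated to subscribers of serves_hplmn."""
        self._by_hplmn[serves_hplmn] = aanf_id

    def is_roaming(self, params: dict) -> bool:
        """NRF-side check: explicit indication, or HPLMN differing from the NRF's
        own PLMN or from the UE's VPLMN."""
        if params.get("roaming"):
            return True
        return params["hplmn"] != self.own_plmn or params["hplmn"] != params["vplmn"]

    def select_visited_aanf(self, params: dict) -> dict:
        """Return the AAnF stored for the selection parameter, else the default."""
        if not self.is_roaming(params):
            raise ValueError("terminal device is not roaming; home AAnF applies")
        aanf = self._by_hplmn.get(params["hplmn"])
        if aanf is None:
            return {"aanf": self.default_aanf, "default": True}
        return {"aanf": aanf, "default": False}


def discover_visited_aanf(nrf: Nrf, a_kid: str, first_ne_vplmn: str) -> Optional[dict]:
    """First request / response exchange between the first NE and the NRF."""
    params = build_selection_params(a_kid, first_ne_vplmn)
    if params is None:
        return None  # not roaming: no visited AAnF is selected
    return nrf.select_visited_aanf(params)


if __name__ == "__main__":
    # Constructed sample: NRF in VPLMN 23415 with one AAnF for HPLMN 46000 subscribers.
    nrf = Nrf(own_plmn="23415", default_aanf="aanf-default.23415")
    nrf.register_aanf("aanf-46000.23415", serves_hplmn="46000")
    for kid in ("rid7.t001@46000.23415", "rid7.t002@26201", "rid7.t003@23415"):
        print(kid, "->", discover_visited_aanf(nrf, kid, "23415"))
```

The parser rejects a malformed identifier before any roaming decision is made, and the NRF refuses a selection request for a non-roaming terminal device rather than silently returning the default anchor function; both checks keep a visited anchor function from being picked for a subscriber of the NRF's own PLMN.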
For the interaction between the network elements in the system and the specific execution, refer to the method embodiments below; they are not repeated here.

To meet the challenges of wireless broadband technology and keep 3GPP networks ahead, the 3GPP standards group defined the Next Generation System architecture, known as the 5G network architecture. This architecture not only supports access to the 5G core network (CN) over radio access technologies defined by 3GPP (such as long term evolution (LTE) access and 5G radio access network (RAN) access), but also supports access to the core network over non-3GPP access technologies through a non-3GPP interworking function (N3IWF) or a next generation packet data gateway (ngPDG).
Figure 2 is a schematic diagram of a 5G network architecture based on a service-based architecture. The 5G network architecture shown in Figure 2 may include access network devices and core network devices. The terminal device accesses a data network (DN) through the access network device and the core network devices. The core network devices include, but are not limited to, some or all of the following network elements: an authentication server function (AUSF) network element (not shown), a unified data management (UDM) network element, a unified data repository (UDR) network element, a network repository function (NRF) network element (not shown), a network exposure function (NEF) network element (not shown), an application function (AF) network element, a policy control function (PCF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, and a binding support function (BSF) network element (not shown).
The terminal device may be a user equipment (UE), a mobile station, a mobile terminal device, and so on. Terminal devices can be used in a wide range of scenarios, for example device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-type communication (MTC), the Internet of Things (IoT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grid, smart furniture, smart office, smart wearables, smart transportation and smart cities. A terminal device may be a mobile phone, a tablet, a computer with wireless transceiver capability, a wearable device, a vehicle, an urban air vehicle (such as a drone or a helicopter), a ship, a robot, a robotic arm, a smart home device, and so on. The terminal device stores a long-term key and the related functions; when it performs mutual authentication with core network elements (such as the AMF and AUSF network elements), it uses the long-term key and these functions to verify the authenticity of the network.
The access network device may be a radio access network (RAN) device or a wired access network device. Radio access network devices include 3GPP access network devices, untrusted non-3GPP access network devices and trusted non-3GPP access network devices. 3GPP access network devices include, but are not limited to: the evolved NodeB (eNodeB) in LTE, the next generation NodeB (gNB) in 5G mobile communication systems, base stations in future mobile communication systems, and modules or units that perform part of a base station's functions, such as a central unit (CU) or a distributed unit (DU). Untrusted non-3GPP access network devices include, but are not limited to: untrusted non-3GPP access gateways or N3IWF devices, untrusted wireless local area network (WLAN) access points (APs), switches and routers. Trusted non-3GPP access network devices include, but are not limited to: trusted non-3GPP access gateways, trusted WLAN APs, switches and routers. Wired access network devices include, but are not limited to: wireline access gateways, fixed telephone network devices, switches and routers.
接入网设备和终端设备可以是固定位置的,也可以是可移动的。接入网设备和终端设备可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上;还可以部署 在空中的飞机、气球和人造卫星上。本申请的实施例对接入网设备和终端设备的应用场景不做限定。Access network equipment and terminal equipment can be fixed-position or removable. Access network equipment and terminal equipment can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed On planes, balloons and satellites in the sky. The embodiments of this application do not limit the application scenarios of access network equipment and terminal equipment.
The AMF network element performs functions such as mobility management and access authentication/authorization. It is also responsible for passing user policies between the terminal device and the PCF.
The SMF network element performs functions such as session management, enforcing the control policies issued by the PCF network element, selecting a UPF network element, and allocating the Internet Protocol (IP) address of the terminal device.
The UPF network element performs functions such as user plane data forwarding, session/flow level charging statistics, and bandwidth limitation.
The UDM network element performs functions such as managing subscription data and user access authorization.
The UDR provides access functions for data such as subscription data, policy data, and application data.
The NEF network element is used to support the exposure of capabilities and events.
The AF network element conveys the requirements of the application side to the network side, for example QoS requirements or subscriptions to user state events. The AF may be a third-party functional entity or an application service deployed by the operator, such as the IP Multimedia Subsystem (IMS) voice call service. AF network elements include AF network elements inside the core network (that is, the operator's AF network elements) and third-party AF network elements (such as the application server of an enterprise).
The PCF network element is responsible for policy control functions such as charging at the session and service flow level, QoS bandwidth guarantee, mobility management, and terminal device policy decisions. PCF network elements include the access and mobility management policy control function (AM PCF) network element and the session management policy control function (SM PCF) network element. The AM PCF network element formulates AM policies and user policies for the terminal device, and may also be called the policy control network element serving the terminal device (PCF for a UE). The SM PCF network element formulates session management policies (SM policies) for a session, and may also be called the policy control network element serving the session (PCF for a PDU session).
The NRF network element can provide a network element discovery function: based on requests from other network elements, it provides the network element information corresponding to a network element type. The NRF network element also provides network element management services, such as network element registration, update, and deregistration, and subscription to and push of network element status.
The BSF network element can provide functions such as BSF service registration/deregistration/update, connection detection with the NRF network element, creation of session binding information, acquisition of terminal device information, and query of session binding information for duplicate IP addresses.
The AUSF network element is responsible for authenticating users, in order to determine whether a user or device is allowed to access the network.
A DN is a network located outside the operator's network. The operator's network can access multiple DNs. A variety of services can be deployed on a DN, providing data and/or voice services to terminal devices. For example, a DN may be the private network of a smart factory: the sensors installed in the factory's workshop may be terminal devices, a control server for the sensors is deployed in the DN, and the control server provides services for the sensors. A sensor can communicate with the control server, obtain instructions from it, and, according to the instructions, transmit the collected sensor data to the control server. As another example, a DN may be the internal office network of a company: the mobile phones or computers of the company's employees may be terminal devices, and they can access information and data resources on the company's internal office network.
In Figure 2, Npcf, Nudr, Nudm, Naf, Namf, and Nsmf are the service-based interfaces provided by the PCF, UDR, UDM, AF, AMF, and SMF respectively, and are used to invoke the corresponding service operations. N1, N2, N3, N4, and N6 are interface identifiers with the following meanings:
1) N1: the interface between the AMF network element and the terminal device, which can be used to convey non-access stratum (NAS) signalling (including, for example, QoS rules from the AMF network element) to the terminal device.
2) N2: the interface between the AMF network element and the access network equipment, which can be used to convey radio bearer control information and the like from the core network side to the access network equipment.
3) N3: the interface between the access network equipment and the UPF network element, mainly used to carry uplink and downlink user plane data between the access network equipment and the UPF network element.
4) N4: the interface between the SMF network element and the UPF network element, which can be used to pass information between the control plane and the user plane, including the delivery of forwarding rules, QoS rules, traffic statistics rules, and the like from the control plane to the user plane, and the reporting of information from the user plane.
5) N6: the interface between the UPF network element and the DN, used to carry uplink and downlink user data flows between the UPF network element and the DN.
Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interfaces. For the functions of the network elements, reference may be made to the description of the corresponding network elements in Figure 2, which is not repeated here. The main difference between Figure 3 and Figure 2 is that the interfaces between the control plane network elements in Figure 2 are service-based interfaces, whereas those in Figure 3 are point-to-point interfaces.
In the architecture shown in Figure 3, the interface names and functions between the network elements are as follows:
1) For the meanings of the N1, N2, N3, N4, and N6 interfaces, refer to the description above.
2) N5: the interface between the AF network element and the PCF network element, which can be used to deliver application service requests and to report network events.
3) N7: the interface between the PCF network element and the SMF network element, which can be used to deliver control policies at PDU session granularity and at service data flow granularity.
4) N8: the interface between the AMF network element and the UDM network element, which can be used by the AMF network element to obtain access and mobility management related subscription data and authentication data from the UDM network element, and by the AMF to register terminal device mobility management related information with the UDM.
5) N9: the user plane interface between UPF network elements, used to carry uplink and downlink user data flows between UPF network elements.
6) N10: the interface between the SMF network element and the UDM network element, which can be used by the SMF network element to obtain session management related subscription data from the UDM network element, and by the SMF network element to register terminal device session related information with the UDM.
7) N11: the interface between the SMF network element and the AMF network element, which can be used to convey the PDU session tunnel information between the access network equipment and the UPF network element, control messages to be sent to the terminal device, radio resource control information to be sent to the access network equipment, and the like.
8) N15: the interface between the PCF network element and the AMF network element, which can be used to deliver terminal device policies and access control related policies.
9) N35: the interface between the UDM network element and the UDR network element, which can be used by the UDM network element to obtain user subscription data from the UDR network element.
10) N36: the interface between the PCF network element and the UDR network element, which can be used by the PCF network element to obtain policy related subscription data and application data related information from the UDR network element.
Figure 4 is a schematic diagram of an architecture in which AKMA related functions are added to the 5G network. Figure 4 adds the AKMA related functions to the 5G architecture shown in Figure 1; the AKMA related functions can of course also be added to the 5G architecture shown in Figure 2, on a similar principle, which is not repeated here.
Figure 4 adds an AAnF network element. The AAnF network element can request the AKMA root key (K_AKMA) from the AUSF, and then determine, based on K_AKMA, the application key used by the AF (K_AF) and the validity time of K_AF.
In the AKMA scenario shown in Figure 4, the AF network element needs to interact with the AAnF network element to obtain K_AF and the validity time of K_AF. The AF network element may be located inside or outside the 5G core network. If the AF network element is inside the 5G core network, it can interact directly with the PCF network element. If the AF network element is outside the 5G core network, it can interact with the PCF network element via the NEF network element, that is, the NEF network element acts as an intermediate network element between the AF network element and the PCF network element.
In the AKMA scenario shown in Figure 4, the AUSF network element can generate K_AKMA for the AAnF network element.
It can be understood that the above network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). Optionally, any of the above network elements or functions may be implemented by one device, jointly by multiple devices, or as a functional module within one device, which is not specifically limited in the embodiments of this application.
For ease of description, the embodiments of this application use a UE as an example of a terminal device; any UE described below may be replaced by a terminal device. In addition, the embodiments of this application abbreviate the AUSF network element, UDM network element, AMF network element, AAnF network element, AF network element, NEF network element, and NRF network element as AUSF, UDM, AMF, AAnF, AF, NEF, and NRF respectively.
To facilitate understanding of the present invention, a method of generating K_AKMA and methods of using K_AKMA are introduced below with reference to Figures 5 to 7.
Figure 5 is a schematic diagram of a K_AKMA generation method provided by an embodiment of this application. The method includes the following steps:
Step 501: the AUSF sends an authentication request message to the UDM. Correspondingly, the UDM receives the authentication request message.
The authentication request message includes a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI). The authentication request message is used to request an authentication vector from the UDM; the authentication vector is used to trigger primary authentication between the core network and the UE. When the AMF provides a SUCI to the AUSF, the authentication request message includes the SUCI; when the AMF provides a SUPI to the AUSF, the authentication request message includes the SUPI.
The authentication request message may be a Nudm_UEAuthentication_Get Request message.
Step 502: the UDM sends an authentication response message to the AUSF. Correspondingly, the AUSF receives the authentication response message.
The authentication response message includes the authentication vector.
If the UDM determines from the UE's subscription information that the UE supports the AKMA service, the authentication response message also includes AKMA indication information. Here, the UE supporting the AKMA service means that the UE has AKMA capability and the UE's services can use AKMA.
The authentication response message may be a Nudm_UEAuthentication_Get Response message.
Step 503: if the AUSF has received the AKMA indication information from the UDM, then after the primary authentication procedure completes successfully the AUSF generates K_AKMA and an AKMA key identifier (A-KID) from the AUSF root key (K_AUSF).
The A-KID is used to identify K_AKMA.
The A-KID is in network access identifier (NAI) format, that is, username@example. The username part includes a routing identifier (RID) and an AKMA temporary UE identifier (A-TID). The RID is part of the SUCI and is represented by 1 to 4 decimal digits. The A-TID is a temporary identifier generated from K_AUSF. The example part includes the home network identifier, which may specifically be the identifier of the home public land mobile network (HPLMN ID).
It should be noted that the RID can be used by the AMF to select an AUSF, for example the AMF selects the AUSF based on the RID and the HPLMN ID. The RID can also be used by the AUSF to select a UDM, for example the AUSF selects the UDM based on the RID and the HPLMN ID.
Correspondingly, after the primary authentication procedure the UE also generates K_AKMA and the A-KID from K_AUSF, using the same method as the AUSF.
Step 504: the AUSF selects an AAnF and sends a key registration request message to the selected AAnF. Correspondingly, the AAnF receives the key registration request message.
The key registration request message includes the SUPI, the A-KID, and K_AKMA.
The key registration request message may be a Naanf_AKMA_AnchorKey_Register Request message.
Step 505: the AAnF sends a key registration response message to the AUSF. Correspondingly, the AUSF receives the key registration response message.
The key registration response message may be a Naanf_AKMA_AnchorKey_Register Response message.
Step 506: the AUSF deletes K_AKMA and the A-KID.
Through the above scheme, the UE and the AAnF generate the same K_AKMA, which allows the UE and the AF to subsequently derive other keys from K_AKMA.
Figure 6 is a schematic diagram of a method of using K_AKMA provided by an embodiment of this application. In this method, the AF is a network element inside the 3GPP core network. The method includes the following steps:
Step 601: the UE sends an Application Session Establishment Request message to the AF. Correspondingly, the AF receives the application session establishment request message.
The application session establishment request message includes the A-KID, which the AAnF uses to look up the K_AKMA corresponding to the A-KID.
The A-KID is generated by the UE before step 601, during the primary authentication procedure and the K_AKMA generation procedure. The primary authentication procedure and the K_AKMA generation procedure are the procedure shown in Figure 5.
Step 602: the AF sends an application key request message to the AAnF. Correspondingly, the AAnF receives the application key request message.
The application key request message includes the A-KID and the AF ID. The A-KID comes from step 601. The AF ID is used to identify the AF.
The AF may select the AAnF based on the UE's RID.
The application key request message may be a Naanf_AKMA_ApplicationKey_Get Request message.
Step 603: the AAnF obtains K_AKMA based on the A-KID, generates K_AF based on K_AKMA and the AF ID, and determines the validity time of K_AF.
The AAnF obtained the A-KID and the K_AKMA corresponding to the A-KID during the primary authentication procedure and the K_AKMA generation procedure.
Step 604: the AAnF sends an application key response message to the AF. Correspondingly, the AF receives the application key response message.
The application key response message includes K_AF and the validity time of K_AF.
The application key response message may be a Naanf_AKMA_ApplicationKey_Get Response message.
Step 605: the AF sends an Application Session Establishment Response message to the UE. Correspondingly, the UE receives the application session establishment response message.
It should be noted that, at any step after the primary authentication procedure and the K_AKMA generation procedure, the UE also generates K_AF and determines the validity time of K_AF using the same method as the AAnF.
In the above scheme, the UE and the AAnF determine the same K_AF and validity time of K_AF from K_AKMA, and the AAnF sends K_AF and its validity time to the AF. The UE and the AF can then use K_AF to encrypt the content transmitted between them, which helps improve communication security.
Figure 7 is a schematic diagram of a method of using K_AKMA provided by an embodiment of this application. In this method, the AF is a network element outside the 3GPP core network. The method includes the following steps:
Step 701: the UE sends an application session establishment request message to the AF. Correspondingly, the AF receives the application session establishment request message.
The application session establishment request message includes the A-KID, which the AAnF uses to look up the K_AKMA corresponding to the A-KID.
The A-KID is generated by the UE before step 701, during the primary authentication procedure and the K_AKMA generation procedure. The primary authentication procedure and the K_AKMA generation procedure are the procedure shown in Figure 5.
Step 702: the AF sends an application key request message to the NEF. Correspondingly, the NEF receives the application key request message.
The application key request message includes the A-KID and the AF ID. The A-KID comes from step 701. The AF ID is used to identify the AF.
The application key request message may be a Nnef_AKMA_AFKey_Request message.
Step 703: the NEF selects an AAnF.
The NEF may select the AAnF based on the UE's RID.
Step 704: the NEF sends an application key request message to the AAnF. Correspondingly, the AAnF receives the application key request message.
The application key request message includes the A-KID and the AF ID.
The application key request message may be a Naanf_AKMA_AFKey_Request message.
Step 705: the AAnF obtains K_AKMA based on the A-KID, generates K_AF based on K_AKMA and the AF ID, and determines the validity time of K_AF.
The AAnF obtained the A-KID and the K_AKMA corresponding to the A-KID during the primary authentication procedure and the K_AKMA generation procedure.
Step 706: the AAnF sends an application key response message to the NEF. Correspondingly, the NEF receives the application key response message.
The application key response message includes K_AF and the validity time of K_AF.
The application key response message may be a Naanf_AKMA_AFKey_Response message.
Step 707: the NEF sends an application key response message to the AF. Correspondingly, the AF receives the application key response message.
The application key response message includes K_AF and the validity time of K_AF.
The application key response message may be a Nnef_AKMA_AFKey_Response message.
Step 708: the AF sends an application session establishment response message to the UE. Correspondingly, the UE receives the application session establishment response message.
It should be noted that, at any step after the primary authentication procedure and the K_AKMA generation procedure, the UE also generates K_AF and determines the validity time of K_AF using the same method as the AAnF.
In the above scheme, the UE and the AAnF determine the same K_AF and validity time of K_AF from K_AKMA, and the AAnF sends K_AF and its validity time to the AF. The UE and the AF can then use K_AF to encrypt the content transmitted between them, which helps improve communication security.
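The procedures of Figures 5, 6 and 7 share one property worth seeing end to end: the UE and the AAnF derive K_AKMA and the A-KID independently from K_AUSF, the AUSF hands the anchor key to the AAnF and deletes its own copy, and the AF later obtains K_AF (directly, or through the NEF when it sits outside the core network) that matches the K_AF the UE derives on its own. The following model of that exchange is an added example and is not code from the application or from any 3GPP implementation. It assumes a generic HMAC-SHA256 derivation in place of the 3GPP KDF (the real FC values and parameter encodings are not given on the page), a '.' separator between RID and A-TID inside the A-KID username (the page only states the NAI form username@example), and a fixed validity time chosen by the AAnF; the SUPI, RID, PLMN and AF identifiers are constructed sample values.

```python
import base64
import hashlib
import hmac

# Assumption: a generic HMAC-SHA256 key derivation stands in for the 3GPP KDF; the real
# FC values and parameter encodings of K_AKMA, A-TID and K_AF are not given on the page.
def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()

KAF_VALIDITY_SECONDS = 3600   # assumed validity time chosen by the AAnF

def derive_akma_anchor(k_ausf: bytes, supi: str, rid: str, hplmn_id: str):
    """Step 503 at the AUSF (and identically at the UE): K_AKMA and A-KID from K_AUSF."""
    k_akma = kdf(k_ausf, b"K_AKMA", supi.encode())
    a_tid_raw = kdf(k_ausf, b"A-TID", supi.encode())[:16]
    a_tid = base64.urlsafe_b64encode(a_tid_raw).decode().rstrip("=")
    # NAI form username@realm; joining RID and A-TID with '.' is an assumption of this example
    return k_akma, f"{rid}.{a_tid}@{hplmn_id}"

def parse_a_kid(a_kid: str):
    """Split an A-KID into RID, A-TID and home network identifier; RID is 1 to 4 decimal digits."""
    username, realm = a_kid.split("@", 1)
    rid, a_tid = username.split(".", 1)
    if not (rid.isdigit() and 1 <= len(rid) <= 4):
        raise ValueError("RID must be 1 to 4 decimal digits")
    return rid, a_tid, realm

def derive_kaf(k_akma: bytes, af_id: str) -> bytes:
    """Steps 603/705 (AAnF) and the UE's mirror derivation: K_AF from K_AKMA and AF ID."""
    return kdf(k_akma, b"K_AF", af_id.encode())

class AAnF:
    def __init__(self):
        self.contexts = {}   # A-KID -> (SUPI, K_AKMA)

    def anchor_key_register(self, supi: str, a_kid: str, k_akma: bytes) -> str:
        """Steps 504/505: store the anchor key context sent by the AUSF."""
        self.contexts[a_kid] = (supi, k_akma)
        return "registered"

    def application_key_get(self, a_kid: str, af_id: str):
        """Steps 603/604 and 705/706: look up K_AKMA by A-KID, return (K_AF, validity)."""
        ctx = self.contexts.get(a_kid)
        if ctx is None:
            return None          # unknown A-KID: no anchor key was registered for it
        return derive_kaf(ctx[1], af_id), KAF_VALIDITY_SECONDS

class NEF:
    """Figure 7: relay for an AF outside the core network; selects the AAnF by the UE's RID."""
    def __init__(self, aanf_by_rid: dict):
        self.aanf_by_rid = aanf_by_rid

    def af_key_request(self, a_kid: str, af_id: str):
        rid, _, _ = parse_a_kid(a_kid)
        aanf = self.aanf_by_rid.get(rid)
        return None if aanf is None else aanf.application_key_get(a_kid, af_id)

def run_flow(af_inside_core: bool) -> dict:
    """Figure 5 followed by Figure 6 (AF inside the core) or Figure 7 (AF outside, via NEF)."""
    # Constructed sample values; K_AUSF would come from a completed primary authentication.
    k_ausf = hashlib.sha256(b"constructed K_AUSF").digest()
    supi, rid, hplmn_id, af_id = "imsi-001010123456789", "12", "hplmn.example", "af.example"
    aanf = AAnF()
    # AUSF side: derive, register with the selected AAnF, then delete its own copy (step 506)
    k_akma, a_kid = derive_akma_anchor(k_ausf, supi, rid, hplmn_id)
    aanf.anchor_key_register(supi, a_kid, k_akma)
    del k_akma
    # UE side: the same derivation from the same K_AUSF, then K_AF for the chosen AF
    ue_k_akma, ue_a_kid = derive_akma_anchor(k_ausf, supi, rid, hplmn_id)
    ue_kaf = derive_kaf(ue_k_akma, af_id)
    # AF side: the application session request carries the UE's A-KID; fetch K_AF with it
    if af_inside_core:
        result = aanf.application_key_get(ue_a_kid, af_id)
    else:
        result = NEF({rid: aanf}).af_key_request(ue_a_kid, af_id)
    af_kaf, validity = result
    return {"a_kid": ue_a_kid, "match": af_kaf == ue_kaf, "validity": validity, "aanf": aanf}
```

The `application_key_get` lookup returning `None` for an A-KID that was never registered is the failure mode a real AAnF must handle: an AF presenting an A-KID the AAnF has no context for gets no key, so the session cannot be protected with K_AF.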
Figure 8 is a schematic diagram of the AKMA roaming architecture provided by this embodiment. In this architecture, when the UE is located in the VPLMN, the UE is in a roaming state regardless of whether the AF is located in the VPLMN or in the HPLMN. In another scenario (not shown in the figure), when the UE is located in the HPLMN and the AF is located in the VPLMN, the UE is also said to be in a roaming state. Therefore, in the embodiments of this application, the UE being in a roaming state specifically covers the following three cases:
Case 1: the UE is located in the visited network (VPLMN) and the AF is located in the visited network (VPLMN).
Case 2: the UE is located in the visited network (VPLMN) and the AF is located in the home network (HPLMN).
Case 3: the UE is located in the home network (HPLMN) and the AF is located in the visited network (VPLMN).
The UE being located in the HPLMN means that the operator currently serving the UE is the operator the UE has a subscription with. The UE being located in the VPLMN means that the operator currently serving the UE is not the operator the UE has a subscription with. The AF being located in the HPLMN means that the AF has a subscription with the UE's HPLMN, or is preconfigured with information for connecting to the UE's HPLMN, for example the address information of the NEF of the UE's HPLMN. The AF being located in the VPLMN means that the AF cannot interact directly with the UE's HPLMN, for example because the AF has no subscription with the UE's HPLMN, is not preconfigured with information for connecting to the UE's HPLMN, or is configured only with information about the PLMN in which the AF itself is located.
For cases 1 and 3 above, the vAF communicating with the UE is located in the VPLMN. If the hAAnF is to generate the application key (K_AF) used for secure communication between the UE and the vAF, then, because the vAF and the hAAnF belong to different PLMNs, the vAF may be unable to connect directly to the hAAnF and therefore unable to request the application key from it.
For case 2 above, the hAF communicating with the UE is located in the HPLMN and the UE is located in the VPLMN. In general the hAAnF can generate the application key (K_AF) used for secure communication between the UE and the hAF; however, if the hAF and the hAAnF cannot connect, the hAAnF may be unable to provide the application key to the hAF.
In summary, when the UE is in a roaming state, the AF communicating with the UE may be unable to obtain the application key, so the content transmitted between the UE and the AF cannot be encrypted, and the communication is insecure.
To solve this problem, the embodiments of this application select an AAnF in the visited network, called the visited AAnF (vAAnF). The vAAnF can act as a transit node, forwarding the key request from the AF to the hAAnF and forwarding the application key allocated by the hAAnF back to the AF, so that the AF can obtain the application key. Alternatively, if the vAAnF itself has the capability to allocate application keys, the vAAnF can allocate the application key for the AF (whether a vAF or an hAF). In addition, the embodiments of this application can also solve the problem of key isolation between the vAAnF and the hAAnF.
Figure 9(a) is a schematic flowchart of a communication method provided by an embodiment of this application. The method includes the following steps:
Step 901a: when the UE is in the roaming state, the first network element determines the selection parameters.
The first network element is an NEF or an AF.
When the first network element is an AF, the AF can determine whether the UE is in the roaming state. For example, the AF receives an application session establishment request message from the UE, and the message includes the A-KID, or the A-KID and the VPLMN ID, or the A-KID'. In the embodiments of this application, the A-KID' is also called the first AKMA key identifier, and the A-KID is also called the second AKMA key identifier. The A-KID includes the RID, the A-TID and information about the HPLMN; the A-KID' includes the RID, the A-TID, information about the HPLMN and information about the VPLMN. The HPLMN information may be the HPLMN ID or other information that identifies the HPLMN, and the VPLMN information may be the VPLMN ID or other information that identifies the VPLMN. The AF can therefore determine that the UE is in the roaming state based on one or more of: the UE's HPLMN information received from the UE, the UE's VPLMN information received from the UE, or the information about the PLMN in which the AF is located (which may be a PLMN ID or other information that identifies the PLMN). For example, if the AF receives the UE's VPLMN ID from the UE, the AF determines that the UE is in the roaming state.
As another example, if the AF receives the UE's HPLMN ID from the UE, the AF compares the information about its own PLMN with the UE's HPLMN ID: if they are the same, the AF determines that the UE is not roaming; if they differ, the AF determines that the UE is roaming. As a further example, if the AF receives the HPLMN ID from the UE but does not receive a VPLMN ID, the AF determines that the UE is not roaming.
When the first network element is an NEF, the AF can determine whether the UE is in the roaming state; when the UE is roaming, the AF sends indication information to the NEF indicating that the UE is in the roaming state.
Alternatively, when the first network element is an NEF, the NEF itself can determine whether the UE is in the roaming state. For example, the UE sends an application session establishment request message to the AF that includes the A-KID, or the A-KID and the VPLMN ID, or the A-KID'. The AF then sends an application key request message to the NEF that includes the A-KID, or the A-KID and the VPLMN ID, or the A-KID', and the NEF determines that the UE is in the roaming state based on one or more of the UE's HPLMN information, the UE's VPLMN information, or the information about the PLMN in which the NEF is located. For example, if the NEF receives the UE's VPLMN ID, the NEF determines that the UE is roaming. As another example, if the NEF receives the UE's HPLMN ID, the NEF compares the information about its own PLMN with the UE's HPLMN ID: if they are the same, the NEF determines that the UE is not roaming; if they differ, the NEF determines that the UE is roaming. As a further example, if the NEF receives the HPLMN ID but no VPLMN ID, the NEF determines that the UE is not roaming.
The selection parameters determined by the first network element include one or more of: the routing indicator (RID) of the UE, information about the UE's HPLMN, information about the VPLMN in which the first network element is located, or information about the UE's VPLMN.
Step 902a: the first network element sends a request message to the NRF. Correspondingly, the NRF receives the request message.
The request message includes the selection parameters.
Step 903a: when the UE is in the roaming state, the NRF selects, according to the selection parameters, a vAAnF to serve the UE.
The NRF needs to determine whether the UE is roaming; it can do so using the method described above for the first network element, which is not repeated here.
If the NRF stores an AAnF corresponding to the selection parameters, the NRF selects that AAnF as the vAAnF. Otherwise, if the NRF stores no AAnF corresponding to the selection parameters, it selects the default AAnF as the vAAnF.
Step 904a: the NRF sends a response message to the first network element. Correspondingly, the first network element receives the response message.
The response message includes information about the vAAnF, which the first network element uses to request from the vAAnF the application key (K_AF) for secure communication between the AF and the UE. The vAAnF information may be identification information of the vAAnF, address information of the vAAnF, the instance ID of the AAnF, or similar; this application does not limit it.
Step 905a: the first network element sends a request message to the vAAnF according to the vAAnF information. Correspondingly, the vAAnF receives the request message.
The request message requests the application key (K_AF) for secure communication between the AF and the UE.
If the vAAnF acts only as a relay node, the vAAnF forwards the request message to the hAAnF, the hAAnF generates the application key and sends it to the vAAnF, and the vAAnF sends it on to the first network element. Note that if the first network element is an NEF, the NEF must further send the application key to the AF.
If the vAAnF is able to generate the application key, the vAAnF generates it based on the request message. In one implementation, after receiving the request message the vAAnF requests the AKMA root key from the hAAnF, and the hAAnF sends the vAAnF the latest AKMA root key (called K_AKMA*), from which the vAAnF generates the application key for secure communication between the vAF and the UE. Optionally, the vAAnF also stores K_AKMA* for subsequent use.
The hAAnF can obtain K_AKMA* by any of the following methods:
Method 1: the hAAnF determines K_AKMA* from K_AKMA.
This K_AKMA can be used to generate the application key for secure communication between the hAF and the UE.
Method 2: the hAAnF determines K_AKMA* from K_AKMA together with the UE's HPLMN information and/or the UE's VPLMN information.
Method 3: the AUSF determines K_AKMA* from the UE's VPLMN information, the SUPI and K_AUSF, and then sends K_AKMA* to the hAAnF.
In one implementation, the first network element may also send indication information to the UE indicating that the UE is in the roaming state. The indication information may be information about the VPLMN in which the first network element is located, a binary bit, or an enumerated value. On receiving it, the UE is triggered to generate K_AKMA*, which is identical to the K_AKMA* generated by the vAAnF or the hAAnF. This helps ensure that the UE and the AF use the same application key.
In the above scheme, when the UE is in the roaming state the NRF selects a vAAnF that can either act as a relay node or itself generate the application key for secure communication between the UE and the AF, so that the AF reliably obtains the application key. The UE and the AF can then use the application key to encrypt their communication, which improves communication security.
Figure 9(b) is a schematic flowchart of a communication method provided by an embodiment of this application. The method includes the following steps:
Step 901b: the hAAnF determines whether the UE is in the roaming state.
In one implementation, the AUSF determines whether the UE is roaming and sends indication information to the hAAnF; when the indication information indicates that the UE is roaming, the hAAnF determines from it that the UE is in the roaming state.
In another implementation, the hAAnF determines whether the UE is roaming based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if the hAAnF receives the UE's VPLMN ID from the UE, the hAAnF determines that the UE is roaming. As another example, if the hAAnF receives the UE's HPLMN ID from the UE, the hAAnF compares the information about its own PLMN with the UE's HPLMN ID: if they are the same, the hAAnF determines that the UE is not roaming; if they differ, the hAAnF determines that the UE is roaming. As a further example, if the hAAnF receives the UE's HPLMN ID from the UE but no VPLMN ID, the hAAnF determines that the UE is not roaming.
Step 902b: when the UE is in the roaming state, the hAAnF determines the first AKMA root key (also called K_AKMA*) from the second AKMA root key (also called K_AKMA).
K_AKMA* is used to determine the first application key, which is used for secure communication between the UE and the visited AF (vAF). K_AKMA is used to determine the second application key, which is used for secure communication between the UE and the home AF (hAF).
In one implementation, the hAAnF determines K_AKMA* from K_AKMA together with the UE's HPLMN information and/or the UE's VPLMN information.
After determining K_AKMA*, the hAAnF can send K_AKMA* to the vAAnF on its own initiative, or the hAAnF receives a request message from the vAAnF requesting the AKMA root key and sends K_AKMA* to the vAAnF in response. After receiving K_AKMA*, the vAAnF can generate the first application key from K_AKMA* and send it to the vAF; the UE and the vAF then use the first application key for encrypted communication. Optionally, the hAAnF can store K_AKMA*.
In the above scheme, after the hAAnF determines that the UE is in the roaming state it can generate an AKMA root key for the vAAnF and send it to the vAAnF. That AKMA root key is used by the vAAnF, which achieves key isolation between different AAnFs: the vAAnF and the hAAnF use different AKMA root keys, which helps keep the keys secure and thereby improves communication security.
Figure 9(c) is a schematic flowchart of a communication method provided by an embodiment of this application. The method includes the following steps:
Step 901c: the AUSF determines whether the UE is in the roaming state.
In one implementation, the AUSF determines whether the UE is roaming based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if the AUSF receives the UE's VPLMN ID from the UE, the AUSF determines that the UE is roaming. As another example, if the AUSF receives the UE's HPLMN ID from the UE, the AUSF compares the information about its own PLMN with the UE's HPLMN ID: if they are the same, the AUSF determines that the UE is not roaming; if they differ, the AUSF determines that the UE is roaming. As a further example, if the AUSF receives the UE's HPLMN ID from the UE but no VPLMN ID, the AUSF determines that the UE is not roaming.
Step 902c: when the UE is in the roaming state, the AUSF determines the AKMA root key (K_AKMA*) from the UE's VPLMN information.
K_AKMA* is used to determine the application key, which is used for secure communication between the UE and the visited AF (vAF).
In one implementation, the AUSF determines K_AKMA* from the UE's VPLMN information, the UE's SUPI and K_AUSF.
Optionally, the AUSF can store K_AKMA*.
Optionally, the AUSF can also send K_AKMA* to the hAAnF. The hAAnF can then send K_AKMA* to the vAAnF on its own initiative, or the hAAnF receives a request message from the vAAnF requesting the AKMA root key and sends K_AKMA* to the vAAnF in response. After receiving K_AKMA*, the vAAnF can generate the first application key from K_AKMA* and send it to the vAF; the UE and the vAF then use the first application key for encrypted communication.
In the above scheme, after the AUSF determines that the UE is in the roaming state it can generate an AKMA root key and send it to the vAAnF via the hAAnF. That AKMA root key is used by the vAAnF, which achieves key isolation between different AAnFs: the vAAnF and the hAAnF use different AKMA root keys, which helps keep the keys secure and thereby improves communication security.
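The key-isolation property claimed for Figures 9(a), 9(b) and 9(c), worked through in code. This is an added example, not the patent's or 3GPP's code: the text does not specify the key derivation function, so HMAC-SHA-256 is assumed as a stand-in KDF, and the labels, input layout, sample root key and PLMN IDs are constructed.

```python
"""Key isolation between the hAAnF and the vAAnF (Figures 9(a)-(c) above).

Added example, not the patent's or 3GPP's code. The page does not specify the
key derivation function, so HMAC-SHA-256 is assumed as a stand-in KDF; the
labels, the input layout and the sample keys / PLMN IDs are constructed.
"""
import hashlib
import hmac


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over length-prefixed inputs, so that two
    different input tuples can never serialise to the same message."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_k_akma_star(k_akma: bytes, hplmn_id: str, vplmn_id: str) -> bytes:
    """Method 2 / step 902b: the first AKMA root key K_AKMA* is derived from
    the second root key K_AKMA together with the HPLMN and VPLMN information.
    The hAAnF computes it for the vAAnF; the UE computes the same value once
    it has received the roaming indication."""
    return kdf(k_akma, b"AKMA-roaming-root", hplmn_id.encode(), vplmn_id.encode())


def derive_k_af(root_key: bytes, af_id: str) -> bytes:
    """Application key for one AF: from K_AKMA (hAAnF, for an hAF) or from
    K_AKMA* (vAAnF, for a vAF)."""
    return kdf(root_key, b"AKMA-AF", af_id.encode())


def roaming_key_exchange(k_akma: bytes, hplmn_id: str, vplmn_id: str,
                         vaf_id: str, haf_id: str) -> dict:
    """Key material each party holds when the UE is in the VPLMN
    (Situations 1 and 2 above)."""
    # hAAnF: derive K_AKMA* and hand only that (never K_AKMA) to the vAAnF.
    k_akma_star = derive_k_akma_star(k_akma, hplmn_id, vplmn_id)
    # vAAnF: generates the first application key for the vAF from K_AKMA*.
    vaanf_k_af = derive_k_af(k_akma_star, vaf_id)
    # hAAnF: keeps generating the second application key for hAFs from K_AKMA.
    haanf_k_af = derive_k_af(k_akma, haf_id)
    # UE: after the roaming indication it derives the same K_AKMA*, and so
    # the same vAF application key as the vAAnF.
    ue_k_akma_star = derive_k_akma_star(k_akma, hplmn_id, vplmn_id)
    ue_vaf_k_af = derive_k_af(ue_k_akma_star, vaf_id)
    return {
        "k_akma_star": k_akma_star,
        "vaanf_k_af": vaanf_k_af,
        "haanf_k_af": haanf_k_af,
        "ue_vaf_k_af": ue_vaf_k_af,
    }


if __name__ == "__main__":
    K_AKMA = bytes(range(32))  # constructed sample root key, not a real one
    keys = roaming_key_exchange(K_AKMA, "00101", "00102",
                                "vaf.example", "haf.example")
    for name, value in keys.items():
        print(f"{name:12s} {value.hex()}")
    # A vAAnF holding only K_AKMA* cannot reproduce the hAF's application key.
    print("isolated:",
          derive_k_af(keys["k_akma_star"], "haf.example") != keys["haanf_k_af"])
```

Changing the VPLMN ID changes K_AKMA*, so each visited network's AAnF receives a root key of its own while the home AFs keep being served from K_AKMA.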
Figure 10 is a schematic flowchart of a communication method provided by an embodiment of this application. In this method, the AF is a network element located inside the 5G core network. The method includes the following steps:
Step 1000: the AF is preconfigured with information about the PLMN in which the AF is located.
The information about the PLMN in which the AF is located refers to information about the PLMN(s) the AF can connect to. There may be information about one or more PLMNs, meaning the AF can access one or more PLMNs. The PLMN information may be information about network elements of the corresponding PLMN, such as the address of the NEF in that PLMN, the address of the AAnF, or the address of other core network elements such as the AMF.
The AF may be an AF of the visited network (also called the visited AF or vAF) or an AF of the home network (also called the home AF or hAF). Specifically, when the AF cannot connect to the HPLMN with which the UE has a subscription, the AF is said to be an AF of the visited network; when the AF can connect to that HPLMN, the AF is said to be an AF of the home network.
When the AF is a vAF and is preconfigured with information about the PLMN in which it is located, that PLMN information may be the VPLMN ID.
When the AF is an hAF and is preconfigured with information about the PLMN in which it is located, that PLMN information may be the HPLMN ID.
Step 1001: the UE sends an application session establishment request message to the AF. Correspondingly, the AF receives the application session establishment request message.
The application session establishment request message includes the A-KID, which includes the RID, the HPLMN ID and the A-TID.
In one method, if the UE is currently located in a visited network, the application session establishment request message includes the A-KID but does not include the VPLMN ID of the visited network in which the UE is located.
In another method, if the UE is currently located in a visited network, the UE also sends the AF the VPLMN ID of the visited network in which the UE is located. The methods by which the UE sends the VPLMN ID to the AF include but are not limited to:
Method 1: include the VPLMN ID in the application session establishment request message, i.e. the VPLMN ID is carried in the application session establishment request message alongside the A-KID.
Method 2: the UE sends the AF a separate message, distinct from the application session establishment request message, that includes the VPLMN ID.
Method 3: add a VPLMN field to the A-KID in the application session establishment request message. When the UE is currently located in a visited network, the VPLMN field contains the VPLMN ID; when the UE is currently located in its home network, the VPLMN field is set to a default value. For ease of description, the A-KID with the added VPLMN field is referred to below as the A-KID'.
Note that if the UE generates an A-KID', the AUSF also needs to generate the same A-KID'. Therefore, when generating the A-KID', the AUSF needs to determine whether it has received a VPLMN ID: if it has, the AUSF puts the VPLMN ID in the VPLMN field of the A-KID'; if not, the AUSF sets the VPLMN field of the A-KID' to the default value. The UE generates the A-KID' before step 1001.
In one implementation, the AUSF obtains the VPLMN ID as follows: when the UDM determines that the UE is located in a visited network and is allowed to use the AKMA service, the UDM sends the UE's VPLMN ID to the AUSF.
Step 1002: the AF determines whether the UE is in the roaming state.
This step is optional.
The UE being in the roaming state covers the three situations described above; see the foregoing description for details.
In one implementation, when the application session establishment request message includes the A-KID but the UE has not sent the VPLMN ID to the AF, the AF checks whether the information about the PLMN in which the AF is located is the same as the HPLMN ID in the A-KID sent by the UE: if it is, the AF determines that the UE is not roaming; if it differs, the AF determines that the UE is roaming. Here "the same" is to be understood as "contains": if the HPLMN ID sent by the UE is contained in the information about the PLMN in which the AF is located, the UE is not roaming; if it is not contained there, the UE is roaming.
In another implementation, when the application session establishment request message includes the A-KID and the UE has also sent the VPLMN ID to the AF, the methods by which the AF determines whether the UE is roaming include but are not limited to the following Method 1 and Method 2.
Method 1: the AF checks whether the UE has sent it a VPLMN ID. If so, the AF determines that the UE is roaming. If not, the AF further checks whether the information about the PLMN in which the AF is located is the same as the HPLMN ID sent by the UE: if so, the UE is not roaming; if not, the UE is roaming.
Note that for Method 3 of sending the VPLMN ID described in step 1001, when the added VPLMN field is set to the default value, the AF in step 1002 finds the default value in the VPLMN field and concludes that the UE is not roaming. When the added VPLMN field is not the default value, for example when it is set to the information about the PLMN in which the AF is located, the AF in step 1002 determines that the UE is roaming.
Method 2: the AF compares the preconfigured information about the PLMN in which the AF is located with the HPLMN ID in the A-KID or A-KID'. If they are the same, the AF determines that the UE is not roaming; if they differ, the AF determines that the UE is roaming.
Step 1003: the AF determines the selection parameters.
The selection parameters are also called the parameters for selecting an AAnF.
In one implementation, if step 1002 is not performed, i.e. the AF does not need to determine whether the UE is roaming, the selection parameters determined by the AF include the RID; or the RID and the HPLMN ID; or the RID, the HPLMN ID and the VPLMN ID.
In another implementation, if step 1002 is performed, i.e. the AF needs to determine whether the UE is roaming: when the UE is not roaming, the selection parameters determined by the AF include the RID; when the UE is roaming, the selection parameters include one or more of the HPLMN ID, the VPLMN ID or the RID. Optionally, when the UE is roaming the AF also generates indication information indicating that the UE is in the roaming state. Note that in another implementation, when the UE is roaming the selection parameters determined by the AF may also be empty, i.e. no selection parameters are determined.
Step 1004: the AF sends a discovery request message to the NRF. Correspondingly, the NRF receives the discovery request message.
The discovery request message may be an Nnrf_NFDiscovery_Request message.
The discovery request message includes AAnF type information and is used to request the information of an AAnF. The AAnF information is used to connect to an AAnF, for example the address information of the AAnF or the instance ID of the AAnF.
The discovery request message also includes the selection parameters. Optionally, it also includes indication information indicating that the UE is in the roaming state.
By way of example, Table 1 below shows the selection parameters determined by the AF and the content carried in the discovery request message when step 1002 is not performed, i.e. when the AF does not need to determine whether the UE is roaming.
Table 1
By way of example, Table 2 below shows the selection parameters determined by the AF and the content carried in the discovery request message when step 1002 is performed, i.e. when the AF needs to determine whether the UE is roaming.
Table 2
Step 1005: the NRF determines that the UE is in the roaming state and selects a vAAnF.
The NRF here is the NRF in the visited network. The NRF selects the AAnF according to the parameters carried in step 1004.
The method by which the NRF selects the AAnF is described below case by case.
Case 1: step 1002 above is not performed.
Referring to Table 1, when step 1002 is not performed there are three implementations of the parameters carried in the discovery request message of step 1004; the three methods of Table 1 are described in turn below.
For Method 1 of Table 1, where the discovery request message of step 1004 carries the RID, one possible implementation is: the NRF first determines whether the UE is roaming; if so, the NRF checks whether it stores an AAnF corresponding to the RID, and if it does, that AAnF is the vAAnF, otherwise the default AAnF is the vAAnF. Another possible implementation is: the NRF first checks whether it stores an AAnF corresponding to the RID; if so, that AAnF is the vAAnF; if not, the NRF determines whether the UE is roaming, and if it is, the default AAnF is the vAAnF. A further possible implementation is: the NRF first determines whether the UE is roaming, and if it is, the default AAnF is the vAAnF.
For Method 2 of Table 1, where the discovery request message of step 1004 carries the RID and the HPLMN ID, the NRF first determines whether the UE is roaming; specifically, the NRF can determine this from the HPLMN ID. If the UE is roaming, the NRF checks whether it stores an AAnF corresponding to the RID and/or the HPLMN ID; if so, that AAnF is the vAAnF, otherwise the default AAnF is the vAAnF.
For Method 3 of Table 1, where the discovery request message of step 1004 carries the RID, the HPLMN ID and the VPLMN ID, the NRF first determines whether the UE is roaming. If so, the NRF checks whether it stores an AAnF corresponding to at least one of the RID, the HPLMN ID or the VPLMN ID; if so, that AAnF is the vAAnF, otherwise the default AAnF is the vAAnF.
For all three methods above, the NRF can determine whether the UE is roaming by comparing the information about its own PLMN with the UE's HPLMN ID: if they are the same, the UE is not roaming; if they differ, the UE is roaming.
Situation 2: step 1002 above is executed.
Referring to Table 2, when step 1002 is executed there are at least seven implementations of the parameters carried in the discovery request message of step 1004; the seven methods of Table 2 are described separately below.
For method 1 of Table 2, when step 1002 determined that the UE is not roaming and the discovery request message of step 1004 carries the RID, the NRF first determines that the UE is not roaming, and then checks whether it stores an AAnF corresponding to that RID; if so, that AAnF is selected, otherwise the default AAnF is selected. The NRF can determine that the UE is not roaming by the method of situation 1 above. Note that in this scenario, because the UE is not roaming, the NRF does not need to determine a vAAnF but only determines one AAnF, which can be understood as the hAAnF.
For method 2 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries the RID, one possible implementation is: the NRF first determines whether the UE is roaming. If the UE is roaming, the NRF checks whether it stores an AAnF corresponding to that RID; if so, that AAnF is determined to be the vAAnF, otherwise the default AAnF is determined to be the vAAnF. Another possible implementation is: the NRF first checks whether it stores an AAnF corresponding to that RID; if so, that AAnF is determined to be the vAAnF; if not, the NRF determines whether the UE is roaming and, if it is, the default AAnF is determined to be the vAAnF. A further possible implementation is: the NRF first determines whether the UE is roaming and, if it is, the default AAnF is determined to be the vAAnF. The NRF can determine that the UE is roaming by the method of situation 1 above.
For method 3 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries the RID and indication information, the NRF first determines from the received indication information that the UE is roaming, and then checks whether it stores an AAnF corresponding to that RID; if so, that AAnF is determined to be the vAAnF, otherwise the default AAnF is determined to be the vAAnF.
For method 4 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries the HPLMN ID and/or the VPLMN ID, the NRF first determines from the received HPLMN ID and/or VPLMN ID that the UE is roaming. The NRF then checks whether it stores an AAnF corresponding to that HPLMN ID and/or VPLMN ID; if so, that AAnF is determined to be the vAAnF, otherwise the default AAnF is determined to be the vAAnF.
For method 5 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries the RID together with the HPLMN ID and/or the VPLMN ID, the NRF first determines from the received HPLMN ID and/or VPLMN ID that the UE is roaming. The NRF then checks whether it stores an AAnF corresponding to at least one of the RID, the HPLMN ID or the VPLMN ID; if so, that AAnF is determined to be the vAAnF, otherwise the default AAnF is determined to be the vAAnF.
For method 6 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries the RID, the HPLMN ID and/or the VPLMN ID, and indication information, the NRF first determines from the received indication information that the UE is roaming. The NRF then checks whether it stores an AAnF corresponding to at least one of the RID, the HPLMN ID or the VPLMN ID; if so, that AAnF is determined to be the vAAnF, otherwise the default AAnF is determined to be the vAAnF.
For method 7 of Table 2, when step 1002 determined that the UE is roaming and the discovery request message of step 1004 carries indication information, the NRF first determines from the received indication information that the UE is roaming, and then determines the default AAnF to be the vAAnF.
Note that when the vAAnF needs to store the AKMA security context, the NRF must ensure that the same vAAnF is selected every time. Otherwise, if the vAAnF only acts as a relay node and does not need to store the AKMA security context, the NRF can select any AAnF as the vAAnF.
Step 1006: the NRF sends a discovery response message to the AF, and the AF receives it.
The discovery response message may be an Nnrf_NFDiscovery_Response message.
The discovery response message includes the information of the vAAnF.
Step 1007: the AF sends an application key request message to the vAAnF, and the vAAnF receives it.
The application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
In one implementation, the application key request message includes the AF ID and the A-KID, where the A-KID includes the RID, the A-TID and the HPLMN ID. Optionally, the application key request message also includes the VPLMN ID. When the UE is in the visited network and sent the VPLMN ID to the AF in step 1001, the VPLMN ID in the application key request message may come from step 1001. When the UE is in the home network and the AF is in the visited network, the AF can obtain the VPLMN ID locally. When the vAAnF needs to store the AKMA security context, the application key request message can carry the VPLMN ID; when the AAnF does not need to store the AKMA security context, the message need not carry the VPLMN ID. Alternatively, when the vAAnF can obtain the VPLMN ID by itself, the application key request message also need not carry the VPLMN ID.
In another implementation, the application key request message includes the AF ID and the A-KID', where the A-KID' includes the RID, the A-TID, the HPLMN ID and the VPLMN ID. This applies to the scenario in which the message of step 1001 above carries the A-KID'.
Step 1008: the vAAnF sends an application key request message to the hAAnF, and the hAAnF receives it.
The content of this application key request message is the same as that of the application key request message in step 1007 above.
The vAAnF selects the hAAnF according to the RID in the A-KID or the RID in the A-KID'.
Note that before selecting the hAAnF, the vAAnF also needs to determine that the UE is roaming. The vAAnF determines this in the same way as the NRF does (see the description above).
Step 1009: the hAAnF determines K_AF and the validity time of K_AF, or determines K_AKMA*.
When the vAAnF does not need to store the AKMA security context, the hAAnF determines K_AF and the validity time of K_AF. When the vAAnF needs to store the AKMA security context, the hAAnF obtains K_AKMA*.
The way the hAAnF determines K_AF and the validity time of K_AF can follow the description of the embodiment of Figure 6 or Figure 7.
The way the hAAnF determines K_AKMA* includes, but is not limited to, the following. After the hAAnF determines that the UE is roaming, the hAAnF obtains K_AKMA*. In one possible implementation, if the hAAnF has already obtained K_AKMA*, it simply uses that K_AKMA*. In another possible implementation, if the hAAnF has not yet generated K_AKMA*, it first generates K_AKMA*. K_AKMA* can be derived from K_AKMA or from K_AUSF.
"The hAAnF has already obtained K_AKMA*" covers both the case in which the hAAnF generated K_AKMA* itself and the case in which the AUSF generated K_AKMA* and passed it to the hAAnF, which stores K_AKMA* on receipt. The AUSF or the hAAnF generates K_AKMA* as K_AKMA* = KDF(K_AKMA or K_AUSF, first parameter, second parameter). This embodiment does not limit the number of specific parameters within the first parameter and the second parameter, nor the order in which the first and second parameters are used.
In the embodiments of this application, either the hAAnF generates K_AKMA*, or the AUSF generates K_AKMA* and sends it to the hAAnF, so that the hAAnF can obtain K_AKMA*. The methods by which the AUSF or the hAAnF generates K_AKMA* include, but are not limited to, the following:
Method 1: the hAAnF determines K_AKMA* from the VPLMN ID and K_AKMA. Here the VPLMN ID is the first parameter. The second parameter can be other content or can be omitted; this embodiment does not limit whether a second parameter is used or what it contains.
The hAAnF can obtain the VPLMN ID from the AUSF, for example by receiving a Naanf_AKMA_AnchorKey_Register request message from the AUSF that includes the VPLMN ID. Alternatively, the hAAnF can obtain the VPLMN ID from the UE, for example by receiving an A-KID' from the UE that contains the VPLMN ID. Alternatively, the hAAnF can obtain the VPLMN ID from the AF, for example by receiving a Naanf_AKMA_ApplicationKey_Get service request message from the AF that contains the VPLMN ID.
Method 2: the hAAnF determines K_AKMA* from the VPLMN ID, the HPLMN ID and K_AKMA. Here the VPLMN ID is the first or the second parameter, and the HPLMN ID is the second or the first parameter.
The hAAnF obtains the VPLMN ID in the same ways as in method 1 (from the AUSF, from the UE or from the AF).
The hAAnF can obtain the HPLMN ID locally, for example from its own configuration information. Alternatively, the hAAnF can obtain the HPLMN ID from the UE, for example by receiving an A-KID or A-KID' from the UE that contains the HPLMN ID.
Method 3: the AUSF determines K_AKMA* from the VPLMN ID, the SUPI and K_AUSF. Here the VPLMN ID is the first or the second parameter, and the SUPI is the second or the first parameter.
Method 4: the hAAnF determines K_AKMA* from a counter value and K_AKMA. The counter value is incremented by 1 each time it is used. Here the first parameter is the counter value; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 5: the hAAnF determines K_AKMA* from a string and K_AKMA, for example the string "roaming" or the string "VPLMN". This embodiment does not limit the specific string content. The string is recorded in advance by the UE and the hAAnF. Here the first parameter is the string; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 6: the hAAnF determines K_AKMA* from a discriminator and K_AKMA. The discriminator can be a specific value, for example 0x01, recorded in advance by the UE and the hAAnF. Here the first parameter is the discriminator; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 7: the AUSF determines K_AKMA* from a counter value and K_AKMA, or from a counter value and K_AUSF. The counter value is incremented by 1 each time it is used. Here the first parameter is the counter value; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 8: the AUSF determines K_AKMA* from a string and K_AKMA, or from a string and K_AUSF; the string is recorded in advance by the UE and the AUSF, for example the string "roaming" or the string "VPLMN". This embodiment does not limit the specific string content. Here the first parameter is the string; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 9: the AUSF determines K_AKMA* from a discriminator and K_AKMA. The discriminator can be a specific value, for example 0x01, recorded in advance by the UE and the AUSF. Here the first parameter is the discriminator; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 10: the AUSF determines K_AKMA* from a discriminator and K_AUSF. The discriminator can be a specific value, for example 0x01, recorded in advance by the UE and the AUSF. Here the first parameter is the discriminator; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
Method 11: the AUSF determines K_AKMA and K_AKMA* respectively from a discriminator and K_AUSF. In this case the discriminator needs at least two values, used when generating K_AKMA and K_AKMA* respectively, and these values are recorded in advance by the UE and the AUSF. For example, when the UE is not roaming, 0x01 is used to generate K_AKMA, and when the UE is roaming, 0x02 is used to generate K_AKMA*. Here the first parameter is the discriminator; this embodiment does not limit whether a second parameter is used or what it contains. For example, K_AKMA is generated from 0x01, "AKMA", the SUPI and K_AUSF, and K_AKMA* is generated from 0x02, "AKMA", the SUPI and K_AUSF. In this example, therefore, the first parameter is the discriminator and the second parameters are "AKMA" and the SUPI.
Method 12: the AUSF determines K_AKMA* from a new FC value and K_AUSF; specifically, the AUSF generates K_AKMA* from the new FC value, "AKMA", the SUPI and K_AUSF. FC values are currently recorded in TS 33.220 v17.3.0. This embodiment does not limit the specific numeric value of the new FC value. Here the new FC value is the first parameter; the second parameter can be other content or can be omitted. This embodiment does not limit whether a second parameter is used or what it contains.
The VPLMN ID can come from the UDM, for example when the AUSF receives a Nudm_UEAuthentication_Get Response message from the UDM that contains the VPLMN ID. Alternatively, the VPLMN ID comes from the AMF, for example when the AUSF receives a Nausf_UEAuthentication_Authenticate Request message from the AMF that contains the VPLMN ID.
K_AKMA is used to generate the key needed when the UE communicates with an AF of the home network (the hAF). K_AKMA* is used to generate the key needed when the UE communicates with an AF of the visited network (the vAF).
Note that if the AUSF generates K_AKMA*, the UE also generates K_AKMA* by the same method the AUSF used, so that the UE and the AUSF derive the same K_AKMA*. If the hAAnF generates K_AKMA*, the UE also generates K_AKMA* by the same method the hAAnF used, so that the UE and the hAAnF derive the same K_AKMA*.
The K_AKMA* generated by the AUSF or the hAAnF is used by the vAAnF to generate the application key, which the vAAnF then sends to the vAF (or, of course, to the hAF). The K_AKMA* generated by the UE is used by the UE to generate the application key, and the application keys generated by the UE and by the vAAnF are the same. The UE and the vAF/hAF use this application key for secure communication.
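A worked derivation of K_AKMA* on both ends, as an added example that is not code from the patent or from 3GPP: it implements the generic KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), then method 1 (VPLMN ID bound into the key at the hAAnF), method 11 (discriminator 0x01/0x02 at the AUSF) and the K_AF step, and checks that the UE and the network derive the same K_AF while home and visited PLMNs get different keys. FC_AKMA = 0x80 and FC_AF = 0x82 are the TS 33.535 values; the K_AKMA* FC value, the placement of the discriminator as the first P parameter, the UE-side decision helper for step 1014 and all sample keys and identifiers are assumptions.

```python
"""K_AKMA* derivation (step 1009) mirrored on the UE (step 1014).

Added example, not the patent's or 3GPP's code. FC_AKMA_STAR, the parameter
framing of the discriminator, and all sample values are assumptions.
"""
import hashlib
import hmac
from typing import Optional, Tuple

FC_AKMA = 0x80       # TS 33.535: K_AKMA derivation
FC_AF = 0x82         # TS 33.535: K_AF derivation
FC_AKMA_STAR = 0xFF  # PLACEHOLDER for the patent's unspecified "new FC value"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B):
    HMAC-SHA-256(key, FC || P0 || L0 || ... || Pn || Ln), Li = 2-byte length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """Home anchor key: K_AKMA = KDF(K_AUSF, "AKMA", SUPI)."""
    return kdf(k_ausf, FC_AKMA, b"AKMA", supi.encode())


def derive_k_akma_star_method1(k_akma: bytes, vplmn_id: str) -> bytes:
    """Method 1 (hAAnF): K_AKMA* = KDF(K_AKMA, VPLMN ID). Binding the visited
    PLMN into the key is what isolates one vAAnF's context from another's."""
    return kdf(k_akma, FC_AKMA_STAR, vplmn_id.encode())


def derive_anchor_method11(k_ausf: bytes, supi: str, discriminator: int) -> bytes:
    """Method 11 (AUSF): discriminator 0x01 -> K_AKMA, 0x02 -> K_AKMA*, with
    "AKMA" and SUPI as the second parameters. The discriminator is framed as
    the first P parameter here (assumed; the patent fixes neither that nor FC)."""
    return kdf(k_ausf, FC_AKMA_STAR, bytes([discriminator]), b"AKMA", supi.encode())


def derive_k_af(anchor_key: bytes, af_id: str) -> bytes:
    """K_AF = KDF(K_AKMA or K_AKMA*, AF ID), as the vAAnF does in step 1011."""
    return kdf(anchor_key, FC_AF, af_id.encode())


def ue_anchor_choice(indication: bool, vplmn_id_present: bool,
                     af_plmn_id: Optional[str] = None,
                     ue_hplmn_id: Optional[str] = None) -> str:
    """Step 1014 on the UE: K_AKMA* if the session response carries the
    indication or a VPLMN ID; else compare AF PLMN with HPLMN when both are
    known; else K_AKMA."""
    if indication or vplmn_id_present:
        return "K_AKMA*"
    if af_plmn_id is not None and ue_hplmn_id is not None and af_plmn_id != ue_hplmn_id:
        return "K_AKMA*"
    return "K_AKMA"


def roaming_key_exchange(k_ausf: bytes, supi: str, vplmn_id: str,
                         af_id: str) -> Tuple[bool, bytes, bytes]:
    """Run method 1 independently on the network side (hAAnF -> vAAnF) and on
    the UE. Returns (keys_match, roaming K_AF, home K_AF)."""
    # network side: hAAnF derives K_AKMA*, vAAnF stores it and derives K_AF
    k_akma_net = derive_k_akma(k_ausf, supi)
    k_af_net = derive_k_af(derive_k_akma_star_method1(k_akma_net, vplmn_id), af_id)
    # UE side, same inputs, no key material exchanged
    k_akma_ue = derive_k_akma(k_ausf, supi)
    k_af_ue = derive_k_af(derive_k_akma_star_method1(k_akma_ue, vplmn_id), af_id)
    return hmac.compare_digest(k_af_net, k_af_ue), k_af_net, derive_k_af(k_akma_net, af_id)
```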
Step 1010: the hAAnF sends an application key response message to the vAAnF, and the vAAnF receives it.
The application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
When the vAAnF does not need to store the AKMA security context, the application key response message includes K_AF and the validity time of K_AF.
When the vAAnF needs to store the AKMA security context, the application key response message includes K_AKMA*.
Step 1011: the vAAnF stores K_AKMA*, determines K_AF from K_AKMA*, and determines the validity time of K_AF.
When the application key response message of step 1010 includes K_AF and the validity time of K_AF, step 1011 is not executed.
When the application key response message of step 1010 includes K_AKMA*, step 1011 is executed. K_AF is determined from K_AKMA*, for example from the AF ID and K_AKMA*.
Step 1012: the vAAnF sends an application key response message to the AF, and the AF receives it.
The application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
The application key response message includes K_AF and the validity time of K_AF, as determined by the hAAnF or by the vAAnF.
Step 1013: the AF sends an application session establishment response message to the UE, and the UE receives it.
In one implementation, when the vAAnF stores the AKMA security context and the UE is roaming, the application session establishment response message carries the VPLMN ID or indication information.
The VPLMN ID can come from the message of step 1001 above, or the AF can obtain it locally.
The indication information instructs the UE to use K_AKMA*, or indicates that the UE is roaming, or indicates that the PLMN of the AF differs from the HPLMN of the UE.
Step 1014: the UE determines whether to use K_AKMA* or K_AKMA.
When the vAAnF does not need to store the AKMA security context, the UE decides to use K_AKMA and does not generate K_AKMA*.
When the vAAnF needs to store the AKMA security context, the UE decides to use K_AKMA*.
In one possible implementation, when the message of step 1013 carries the indication information or the VPLMN ID, the UE decides to use K_AKMA* and determines K_AKMA* by the same method as in step 1009; when the message of step 1013 carries neither the indication information nor the VPLMN ID, the UE decides to use K_AKMA. In another possible implementation, when the message of step 1013 carries neither the indication information nor the VPLMN ID, the UE can check whether the PLMN of the AF is the same as its HPLMN: if they differ, the UE decides to use K_AKMA*; if they are the same, the UE decides to use K_AKMA. In yet another implementation, when the UE determines that it is roaming, the UE decides to use K_AKMA*.
Subsequently, the UE determines K_AF and the validity time of K_AF from K_AKMA* or K_AKMA, and communicates securely with the AF on the basis of K_AF and its validity time. Here K_AKMA*, and the K_AF and validity time derived from it, are used when the PLMN of the UE differs from the PLMN of the AF; K_AKMA, and the K_AF and validity time derived from it, are used when the PLMN of the UE and the PLMN of the AF are the same.
需要说明的是,在vAAnF需要存储AKMA安全上下文且UE需要使用KAKMA*的情况下,UE可以在步骤1013后生成KAKMA*,或者UE也可以在步骤1013之前的任意步骤前任意时刻生成KAKMA*。在UE在步骤1013之前的任意步骤前任意时刻生成KAKMA*的情况下,本实施例不限制生成KAKMA*的具体时机。一种可能的实现方式中,UE在步骤1013之前的任意步骤先生成KAKMA*,和KAKMA,后续如果在步骤1013中收到指示信息或VPLMN ID,则UE确定使用KAKMA*确定KAF和KAF的有效时间,则UE可以使用KAKMA*确定的KAF和KAF的有效时间,与AF之间进行安全通信。如果在步骤1013中没有收到指示信息,也没有收到VPLMN ID,则UE确定使用KAKMA根据KAKMA确定KAF和KAF的有效时间,并使用根据KAKMA确定的KAF和KAF的有效时间与AF之间进行安全通信。又一种可能的实现方式中,UE也可以在步骤1013之前的任意步骤,先生成KAKMA,后续如果在步骤1013中没有收到指示信息,也没有收到VPLMN ID,则UE可以使用KAKMA确定KAF和KAF的有效时间,并使用KAKMA确定的KAF和KAF的有效时间与AF之间进行安全 通信。如果在步骤1013中收到指示信息或VPLMN ID,则UE确定使用KAKMA*,如果KAKMA*还没有生成,则先生成KAKMA*,然后根据KAKMA*确定KAF和KAF有效时间,并使用根据KAKMA*确定的KAF和KAF的有效时间与AF之间进行安全通信。再一种可能的实现方式中,UE也可以在步骤1013之前的任意步骤,先生成KAKMA*,后续如果在步骤1013中没有收到指示信息,也没有收到VPLMN ID,则UE确定使用KAKMA,如果KAKMA还没有生成,则先生成KAKMA,然后UE使用KAKMA确定KAF和KAF的有效时间,并使用根据KAKMA确定的KAF和KAF的有效时间与AF之间进行安全通信。如果在步骤1013中收到指示信息或VPLMN ID,则UE确定使用KAKMA*,则UE根据KAKMA*确定KAF和KAF有效时间,并使用根据KAKMA*确定的KAF和KAF的有效时间与AF之间进行安全通信。It should be noted that when vAAnF needs to store the AKMA security context and the UE needs to use K AKMA *, the UE can generate K AKMA * after step 1013, or the UE can also generate K at any time before any step before step 1013. AKMA *. In the case where the UE generates KAKMA * at any time before any step before step 1013, this embodiment does not limit the specific timing of generating KAKMA *. In a possible implementation, the UE first generates KAKMA * and KAKMA in any step before step 1013. Subsequently, if it receives the indication information or VPLMN ID in step 1013, the UE determines to use KAKMA * to determine K AF and the validity time of K AF , then the UE can use the K AF and the validity time of K AF determined by KAKMA * to conduct secure communication with the AF. If neither the indication information nor the VPLMN ID is received in step 1013, the UE determines to use K AKMA to determine the validity time of K AF and K AF according to K AKMA , and uses the K AF and K AF determined according to K AKMA . 
Secure communication between valid time and AF. In another possible implementation, the UE can also generate K AKMA in any step before step 1013. Subsequently, if no indication information is received in step 1013, and no VPLMN ID is received, the UE can use K AKMA . Determine the validity time of K AF and K AF , and use K AKMA to determine the validity time of K AF and K AF and conduct safety between AF communication. If the indication information or VPLMN ID is received in step 1013, the UE determines to use K AKMA *. If K AKMA * has not been generated, it first generates K AKMA *, and then determines K AF and K AF validity time based on K AKMA *. And use the K AF and the validity time of the K AF determined according to K AKMA * for secure communication with the AF. In another possible implementation, the UE can first generate K AKMA * in any step before step 1013. Subsequently, if no indication information is received in step 1013, and no VPLMN ID is received, the UE determines to use K AKMA , if K AKMA has not been generated, K AKMA is generated first, and then the UE uses K AKMA to determine the validity time of K AF and K AF , and uses the validity time of K AF and K AF determined according to K AKMA to proceed between AF Secure communications. If the indication information or VPLMN ID is received in step 1013, the UE determines to use K AKMA *, then the UE determines the K AF and K AF validity time according to K AKMA *, and uses the K AF and K AF determined according to K AKMA * Secure communication between valid time and AF.
It should also be noted that, where the UE may generate K_AKMA* in any step before step 1013, the UE may determine from its roaming state whether it needs to generate K_AKMA*, or whether to generate only K_AKMA*. Specifically, in one implementation the UE compares the PLMN ID it has received with its own HPLMN ID; if they differ, the UE is roaming. For example, the UE may obtain the PLMN ID of the network it is in from the broadcast message sent by the base station, and compare that PLMN ID with the HPLMN ID in the UE's SUPI: if they differ, the UE is roaming; if they are the same, the UE is not roaming.
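The UE-side behaviour described in the two paragraphs above (roaming detection from the broadcast PLMN ID versus the HPLMN ID in the SUPI, the step 1013 decision between K_AKMA and K_AKMA*, and the resulting key separation between hAAnF and vAAnF), modelled as an added Python example that is not part of the patent text. The key derivation functions (HMAC-SHA256 here), the exact inputs to K_AKMA* and K_AF, and all sample identifiers are assumptions; the application defines the real derivations elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Supi:
    """IMSI-type SUPI split into its fields (constructed sample data)."""
    mcc: str
    mnc: str
    msin: str

    @property
    def hplmn_id(self) -> str:
        # The HPLMN ID is the MCC+MNC prefix of the SUPI.
        return self.mcc + self.mnc


def is_roaming(serving_plmn_id: str, supi: Supi) -> bool:
    """UE-side roaming check from the text: compare the PLMN ID read from the
    serving cell's broadcast with the HPLMN ID in the UE's SUPI."""
    return serving_plmn_id != supi.hplmn_id


def kdf(key: bytes, *parts: str) -> bytes:
    """Hypothetical KDF (HMAC-SHA256 over length-prefixed inputs) standing in for
    the derivation functions the application defines elsewhere."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(2, "big"))
        mac.update(data)
    return mac.digest()


def derive_k_akma_star(k_akma: bytes, hplmn_id: str, vplmn_id: str) -> bytes:
    """K_AKMA* from K_AKMA plus HPLMN and VPLMN information. Using both
    identifiers is an assumption; the text allows either or both."""
    return kdf(k_akma, "AKMA*", hplmn_id, vplmn_id)


def derive_k_af(root_key: bytes, af_id: str) -> bytes:
    """K_AF from the selected AKMA root key and the AF ID (assumed inputs)."""
    return kdf(root_key, "AF", af_id)


@dataclass
class UeAkmaContext:
    """What the UE holds after primary authentication, plus the serving PLMN ID
    it learned from the cell broadcast."""
    supi: Supi
    k_akma: bytes
    serving_plmn_id: str
    k_akma_star: Optional[bytes] = None  # may be generated early or on demand

    def pre_generate_star_if_roaming(self) -> None:
        """Optional early generation of K_AKMA* when the UE detects roaming itself."""
        if is_roaming(self.serving_plmn_id, self.supi) and self.k_akma_star is None:
            self.k_akma_star = derive_k_akma_star(
                self.k_akma, self.supi.hplmn_id, self.serving_plmn_id)

    def application_key(self, af_id: str, indication: bool,
                        vplmn_id: Optional[str]) -> Tuple[str, bytes]:
        """Step 1013 decision: indication information or a VPLMN ID in the response
        means K_AKMA* is used (generated first if absent); otherwise K_AKMA is used.
        Returns the label of the root key used and the resulting K_AF."""
        if indication or vplmn_id is not None:
            if self.k_akma_star is None:
                self.k_akma_star = derive_k_akma_star(
                    self.k_akma, self.supi.hplmn_id, vplmn_id or self.serving_plmn_id)
            return "K_AKMA*", derive_k_af(self.k_akma_star, af_id)
        return "K_AKMA", derive_k_af(self.k_akma, af_id)


def network_side(k_akma: bytes, hplmn_id: str, vplmn_id: str, af_id: str):
    """Key isolation between PLMNs: the hAAnF keeps K_AKMA, the vAAnF is given
    only K_AKMA* and derives K_AF for the vAF from it."""
    haanf_store = {"K_AKMA": k_akma}
    vaanf_store = {"K_AKMA*": derive_k_akma_star(k_akma, hplmn_id, vplmn_id)}
    k_af_for_vaf = derive_k_af(vaanf_store["K_AKMA*"], af_id)
    return haanf_store, vaanf_store, k_af_for_vaf
```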
With the above solution, a suitable vAAnF can be selected for the UE when the UE is roaming. Where the AF needs to determine whether the UE is roaming, the AF sends different selection parameters to the NRF depending on whether the UE is roaming, optionally together with indication information, so that the NRF selects a suitable vAAnF. Where the AF does not need to determine whether the UE is roaming, the NRF's selection logic needs to be enhanced so that the NRF can select a suitable vAAnF. Moreover, the above solution also isolates the AKMA security context between different PLMNs: where the vAAnF needs to store an AKMA key, the hAAnF stores K_AKMA while the vAAnF stores K_AKMA*, so that different AAnFs hold different AKMA keys.

Figure 11 is a schematic flowchart of a communication method provided by an embodiment of this application. In this method, the AF is a network element located outside the 5G core network. The method includes the following steps:
Steps 1100 to 1103 are the same as steps 1000 to 1003 in the Figure 10 embodiment described above.
Steps 1100, 1102 and 1103 are all optional.
If the NEF is able to determine whether the UE is roaming, step 1102 need not be performed. If the NEF cannot determine this, step 1102 is performed and the AF sends the NEF information indicating that the UE is roaming; for that information, see the description of step 1004.
Step 1104: the AF sends an application key request message to the NEF, and the NEF receives it.
The application key request message includes the AF ID, which identifies the AF, and also the A-KID or A-KID'. The A-KID includes the RID, A-TID and HPLMN ID; the A-KID' includes the RID, A-TID, HPLMN ID and VPLMN ID.
The application key request message may be an Nnef_AKMA_AFKey_Request message.
The NEF may be the NEF of the visited network (vNEF) or of the home network (hNEF).
If step 1102 above is performed, the application key request message also includes indication information or a VPLMN ID. The indication information indicates that the UE is roaming and may be, for example, a binary or an enumerated indication; the VPLMN ID likewise indicates that the UE is roaming.
It should be noted that if step 1103 above is performed, the application key request message of step 1104 also includes the selection parameter. When the message carries the selection parameter, it may or may not also carry the A-KID or A-KID'. For the specific implementation of the selection parameter, see the description of the Figure 10 embodiment.
Step 1105: the NEF determines whether the UE is roaming.
Step 1105 is optional; either step 1105 or step 1102 is performed.
Step 1105 is implemented in the same way as step 1102, except that the operations performed by the AF in step 1102 are performed by the NEF. For example, the NEF may compare the identification information of the PLMN it is located in with the HPLMN ID in the A-KID or A-KID': if they differ, the UE is roaming; if they are the same, the UE is not roaming.
Step 1106: the NEF determines the selection parameter.
Step 1106 is optional; either step 1106 or step 1103 is performed.
Step 1106 is implemented in the same way as step 1103, except that the operations performed by the AF in step 1103 are performed by the NEF.
Step 1107: the NEF sends a discovery request message to the NRF, and the NRF receives it.
The discovery request message may be an Nnrf_NFDiscovery_Request message.
In one implementation, the discovery request message of step 1107 is the same message as the discovery request message of step 1004, i.e. the NEF forwards the discovery request message from the AF.
In another implementation, the discovery request message of step 1107 is a different message from that of step 1004, but the two messages carry the same content.
Step 1108: having determined that the UE is roaming, the NRF selects a vAAnF according to the selection parameter.
Step 1108 is implemented as step 1005 of the Figure 10 embodiment described above.
Step 1109: the NRF sends a discovery response message to the NEF, and the NEF receives it.
The discovery response message may be an Nnrf_NFDiscovery_Response message.
The discovery response message includes the information of the vAAnF.
Step 1110: the NEF sends an application key request message to the vAAnF, and the vAAnF receives it.
The application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
This application key request message is implemented as the application key request message of step 1007 in the Figure 10 embodiment described above.
Steps 1111 to 1114 are the same as steps 1008 to 1011 in the Figure 10 embodiment described above.
Step 1115: the vAAnF sends an application key response message to the NEF, and the NEF receives it.
The application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
The application key response message includes K_AF and the validity time of K_AF, which are determined by the hAAnF or the vAAnF.
Step 1116: the NEF sends an application key response message to the AF, and the AF receives it.
The application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
The application key response message includes K_AF and the validity time of K_AF, which are determined by the hAAnF or the vAAnF.
Steps 1117 to 1118 are the same as steps 1013 to 1014 in the Figure 10 embodiment described above.
With the above solution, a suitable vAAnF can be selected for the UE when the UE is roaming. Where the AF/NEF needs to determine whether the UE is roaming, the NEF sends different selection parameters to the NRF depending on whether the UE is roaming, optionally together with indication information, so that the NRF selects a suitable vAAnF. Where the AF/NEF does not need to determine whether the UE is roaming, the NRF's selection logic needs to be enhanced so that the NRF can select a suitable vAAnF. Moreover, the above solution also isolates the AKMA security context between different PLMNs: where the vAAnF needs to store an AKMA key, the hAAnF stores K_AKMA while the vAAnF stores K_AKMA*, so that different AAnFs hold different AKMA keys.
Figure 12 is a schematic flowchart of a communication method provided by an embodiment of this application. The steps in Figure 12 involving the hNRF, vNRF and vAAnF are optional: they are performed where the vAAnF stores the AKMA security context, and otherwise are not. Where those steps are performed, in the Figure 12 embodiment the hAAnF proactively sends K_AKMA* to the vAAnF after determining that the UE is roaming, whereas in the embodiments of Figures 10 and 11 the hAAnF sends K_AKMA* to the vAAnF in response to the vAAnF's request.
The method includes the following steps:
Step 1201: the primary authentication procedure is completed between the UE and the AUSF.
For this procedure, see the embodiment of Figure 6 or Figure 7.
After primary authentication between the UE and the AUSF is complete, both the UE and the AUSF generate and store K_AKMA and the A-KID.
Step 1202: the AUSF determines whether the UE is roaming.
In one implementation, the AUSF sends the UDM an authentication request message that includes the UE's SUPI or SUCI. The UDM obtains the SNID from the UE's SNname; the SNID is the identification information of the PLMN in which the AMF serving the UE is located, so if the UE is in a VPLMN the SNID is the VPLMN ID. When the UDM determines that the SNID is a VPLMN ID, it determines that the UE is roaming and carries the VPLMN ID in the authentication response message it sends to the AUSF; the AUSF then determines from the VPLMN ID in the authentication response message that the UE is roaming.
In another implementation, the AUSF compares the PLMN ID of the network where the AF is located with the HPLMN ID received from the UE. If they are the same, the UE is not roaming; if they differ, the UE is roaming.
In yet another implementation, the AUSF obtains the SNID from the AMF. If the UE is in a VPLMN, the SNID is the VPLMN ID. When the AUSF determines that the SNID is a VPLMN ID, it determines that the UE is roaming and stores the SNID.
Step 1203: where the UE is roaming, the AUSF and the UE generate K_AKMA* or K_AKMA, and generate the A-KID' or the A-KID.
Where the vAAnF does not need to store the AKMA security context, the UE generates K_AKMA and the A-KID, or K_AKMA and the A-KID'.
Where the vAAnF needs to store the AKMA security context, the UE determines to generate K_AKMA* and the A-KID', or K_AKMA* and the A-KID. At the same time, the UE generates K_AKMA. Generating K_AKMA* and the A-KID' is optional.
For the implementation of generating K_AKMA, the A-KID, K_AKMA* and the A-KID', see the description of the foregoing embodiments.
Where the vAAnF does not need to store the AKMA security context, K_AKMA is identified by the A-KID' or the A-KID.
Where the vAAnF needs to store the AKMA security context, K_AKMA* is identified by the A-KID' or the A-KID.
Therefore, the A-KID may identify both K_AKMA and K_AKMA*; or the A-KID identifies only K_AKMA while the A-KID' identifies only K_AKMA*; or the A-KID' identifies both K_AKMA and K_AKMA*.
The A-KID includes the RID, A-TID and HPLMN ID; the A-KID' includes the RID, A-TID, HPLMN ID and VPLMN ID.
In one implementation, whether the AUSF/UE generates an A-KID' is independent of whether the UE is roaming: the AUSF/UE generates the A-KID' whether or not the UE is roaming, but the roaming state changes the content of the A-KID'. If the UE is roaming, the VPLMN field of the A-KID' is the VPLMN ID; if it is not roaming, the VPLMN field of the A-KID' holds a default value. The AUSF may receive the VPLMN ID from the UDM or the AMF. In this case the AUSF/UE no longer generates an A-KID.
In another implementation, whether the AUSF/UE generates an A-KID' depends on whether the UE is roaming. Specifically, if the UE is roaming, the AUSF/UE generates an A-KID' whose VPLMN field is the VPLMN ID; if the UE is not roaming, the AUSF generates an A-KID.
It should be noted that, where generation of the A-KID' depends on whether the UE is roaming, the AUSF may generate both the A-KID and the A-KID', in which case the A-KID identifies K_AKMA and the A-KID' identifies K_AKMA*. Where only the A-KID is generated and no A-KID', the A-KID identifies both K_AKMA* and K_AKMA. Alternatively, where only the A-KID' is generated and no A-KID, the A-KID' identifies both K_AKMA* and K_AKMA.
Step 1204: the AUSF sends a key registration request message to the hAAnF, and the hAAnF receives it.
The key registration request message may be a Naanf_AKMA_AnchorKey_Register Request message.
In one implementation, where the vAAnF stores the AKMA security context and K_AKMA* has been generated, the key registration request message includes the SUPI, K_AKMA, the A-KID, K_AKMA* and the A-KID'; or the SUPI, K_AKMA, the A-KID and K_AKMA*; or the SUPI, K_AKMA, K_AKMA* and the A-KID'.
In another implementation, where the vAAnF does not need to store the AKMA security context, or K_AKMA* has not been generated, the key registration request message includes the SUPI, K_AKMA and the A-KID.
Optionally, the key registration request message also includes roaming indication information, which may be the information of the VPLMN the UE is in, i.e. the VPLMN ID. Where K_AKMA* has not been generated, once the hAAnF determines from the roaming indication information that the UE is roaming, it generates K_AKMA* or the A-KID' (step 1211). For the generation of K_AKMA* and the A-KID', see the description of the foregoing embodiments.
Where the vAAnF stores the AKMA security context and the AKMA security context needs to be sent to the vAAnF in advance, some or all of steps 1205 to 1213 below are performed; otherwise steps 1205 to 1213 need not be performed.
Step 1205: the hAAnF selects a vAAnF.
This step is optional.
The hAAnF may select the vAAnF according to the selection parameter (also called the parameter for selecting the vAAnF). For the different ways of selecting a vAAnF according to the selection parameter, see the description of the Figure 10 embodiment.
If step 1205 is performed, steps 1206 to 1209 and steps 1210a and 1210b below need not be performed; if step 1205 is not performed, those steps are performed.
Step 1206: the hAAnF sends a discovery request message to the hNRF, and the hNRF receives it.
The discovery request message includes the VPLMN ID and the selection parameter. The selection parameter is also called the parameter for selecting the vAAnF; for its specific implementation, see the description of the Figure 10 embodiment.
The discovery request message may be an Nnrf_NFDiscovery_Request message.
Step 1207: the hNRF selects a vNRF according to the VPLMN ID.
Step 1208: the hNRF sends a discovery request message to the vNRF, and the vNRF receives it.
The discovery request message includes the selection parameter.
The discovery request message may be an Nnrf_NFDiscovery_Request message.
Step 1209: the vNRF selects a vAAnF.
The vNRF selects the vAAnF according to the selection parameter; for details, see the description of the Figure 10 embodiment.
Step 1210a: the vNRF sends a discovery response message to the hNRF, and the hNRF receives it.
The discovery response message includes the information of the vAAnF.
The discovery response message may be an Nnrf_NFDiscovery_Response message.
Step 1210b: the hNRF sends a discovery response message to the hAAnF, and the hAAnF receives it.
The discovery response message includes the information of the vAAnF.
The discovery response message may be an Nnrf_NFDiscovery_Response message.
Step 1211: where the UE is roaming, the UE and the hAAnF generate K_AKMA* or the A-KID'.
If K_AKMA* was not generated in step 1203 and the UE has not generated K_AKMA* before step 1211, K_AKMA* is generated in step 1211, in the same way as in step 1203.
If the A-KID' was not generated in step 1203 and the UE has not generated the A-KID' before step 1211, the A-KID' is generated in step 1211, in the same way as in step 1203.
It should be noted that if step 1211 is performed, there is no ordering constraint between step 1211 and the preceding steps; step 1211 only needs to be performed before step 1212.
Step 1212: the hAAnF sends a key registration request message to the vAAnF, and the vAAnF receives it.
The key registration request message may be a Naanf_AKMA_AnchorKey_Register Request message.
The key registration request message includes the SUPI, K_AKMA* and the A-KID'.
Step 1213: the vAAnF stores the SUPI, K_AKMA* and the A-KID'.
It should be noted that in this embodiment, if the AUSF generates K_AKMA* or K_AKMA, the UE generates K_AKMA* or K_AKMA by the same method the AUSF used, so that the UE and the AUSF derive the same K_AKMA* or K_AKMA. Likewise, if the hAAnF generates K_AKMA* or K_AKMA, the UE generates K_AKMA* or K_AKMA by the same method the hAAnF used, so that the UE and the hAAnF derive the same K_AKMA* or K_AKMA.
The K_AKMA* generated by the AUSF or the hAAnF is used by the vAAnF to generate the application key, which the vAAnF then sends to the vAF (or, of course, to the hAF). The K_AKMA* generated by the UE is used by the UE to generate the application key, and the application keys generated by the UE and the vAAnF are identical. The UE and the vAF/hAF use this application key for secure communication.
With the above solution, the AUSF or the hAAnF can generate K_AKMA* and the A-KID' and proactively send them to the vAAnF, so that K_AKMA* and the A-KID' are stored on the vAAnF and the vAAnF can subsequently use K_AKMA* to generate the security key (K_AF) for communication between the UE and the vAF; this achieves key update while the UE is roaming.
可以理解的是,为了实现上述实施例中功能,网络存储功能网元(NRF)、第一网元(如AF、NEF)、终端设备(如UE)、家乡AKMA锚点功能网元(hAAnF)、拜访AKMA锚点功能网元(vAAnF)或鉴权服务器功能网元(AUSF)包括了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本申请中所公开的实施例描述的各示例的单元及方法步骤,本申请能够以硬件或硬件和计算机软件相结合的形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用场景和设计约束条件。It can be understood that, in order to implement the functions in the above embodiments, the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), and the home AKMA anchor function network element (hAAnF) The visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) includes hardware structures and/or software modules that perform corresponding functions. Those skilled in the art should easily realize that the units and method steps of each example described in conjunction with the embodiments disclosed in this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software driving the hardware depends on the specific application scenarios and design constraints of the technical solution.
图13和图14为本申请的实施例提供的可能的通信装置的结构示意图。这些通信装置可以用于实现上述方法实施例中网络存储功能网元(NRF)、第一网元(如AF、NEF)、终端设备(如UE)、家乡AKMA锚点功能网元(hAAnF)、拜访AKMA锚点功能网元(vAAnF)或鉴权服务器功能网元(AUSF)的功能,因此也能实现上述方法实施例所具备的有益效果。在本申请的实施例中,该通信装置可以是网络存储功能网元(NRF)、第一网元(如AF、NEF)、终端设备(如UE)、家乡AKMA锚点功能网元(hAAnF)、拜访AKMA锚点功能网元(vAAnF)或鉴权服务器功能网元(AUSF),也可以是应用于网络存储功能网元(NRF)、第一网元(如AF、NEF)、终端设备(如UE)、家乡AKMA锚点功能网元(hAAnF)、拜访AKMA锚点功能网元(vAAnF)或鉴权服务器功能网元(AUSF)的模块(如芯片)。Figures 13 and 14 are schematic structural diagrams of possible communication devices provided by embodiments of the present application. These communication devices can be used to implement the network storage function network element (NRF), the first network element (such as AF, NEF), terminal equipment (such as UE), home AKMA anchor function network element (hAAnF), By accessing the functions of the AKMA Anchor Function Network Element (vAAnF) or the Authentication Server Function Network Element (AUSF), the beneficial effects of the above method embodiments can also be achieved. In the embodiment of the present application, the communication device may be a network storage function network element (NRF), a first network element (such as AF, NEF), a terminal device (such as UE), or a home AKMA anchor function network element (hAAnF). , visit the AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF), or can be applied to the network storage function network element (NRF), the first network element (such as AF, NEF), terminal equipment ( Such as UE), home AKMA anchor function network element (hAAnF), visiting AKMA anchor function network element (vAAnF) or authentication server function network element (AUSF) module (such as a chip).
图13所示的通信装置1300包括处理单元1310和收发单元1320。通信装置1300用于实现上述方法实施例中网络存储功能网元(NRF)、第一网元(如AF、NEF)、终端设备(如UE)、家乡AKMA锚点功能网元(hAAnF)、拜访AKMA锚点功能网元(vAAnF)或鉴权服务器功能网元(AUSF)的功能。The communication device 1300 shown in FIG. 13 includes a processing unit 1310 and a transceiver unit 1320. The communication device 1300 is used to implement the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal equipment (such as UE), the home AKMA anchor function network element (hAAnF), and the visiting network element in the above method embodiment. Functions of AKMA Anchor Function Network Element (vAAnF) or Authentication Server Function Network Element (AUSF).
当通信装置1300用于实现上述方法实施例中网络存储功能网元(NRF)的功能,收发单元1320,用于接收来自第一网元的请求消息,该请求消息包括选择参数;处理单元1310,用于当终端设备处于漫游状态,根据该选择参数,选择为该终端设备提供服务的拜访AKMA锚点功能网元;收发单元1320,还用于向该第一网元发送响应消息,该响应消息包括该拜访AKMA锚点功能网元的信息。When the communication device 1300 is used to implement the functions of the network storage function network element (NRF) in the above method embodiment, the transceiver unit 1320 is used to receive a request message from the first network element, where the request message includes selection parameters; the processing unit 1310, When the terminal device is in the roaming state, according to the selection parameter, the visiting AKMA anchor point function network element that provides services for the terminal device is selected; the transceiver unit 1320 is also used to send a response message to the first network element. The response message Contains information about accessing the AKMA anchor function network element.
一种可能的实现方法中,处理单元1310,具体用于当该网络存储功能网元存储有该选择参数对应的AKMA锚点功能网元,则该网络存储功能网元选择该选择参数对应的AKMA锚点功能网元,作为该拜访AKMA锚点功能网元;或者,当该网络存储功能网元未存储该选择参数对应的AKMA锚点功能网元,则选择默认的AKMA锚点功能网元,作为该拜访AKMA锚点功能网元。In a possible implementation method, the processing unit 1310 is specifically configured to select the AKMA anchor point function network element corresponding to the selection parameter when the network storage function network element stores the AKMA anchor point function network element corresponding to the selection parameter. The anchor point function network element serves as the visiting AKMA anchor point function network element; or, when the network storage function network element does not store the AKMA anchor point function network element corresponding to the selection parameter, the default AKMA anchor point function network element is selected. Serves as the access AKMA anchor point function network element.
一种可能的实现方法中,处理单元1310,还用于根据收到的指示信息,确定该终端设备处于漫游状态。In a possible implementation method, the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the received indication information.
一种可能的实现方法中,处理单元1310,还用于根据该网络存储功能网元的PLMN的信息和该终端设备的HPLMN的信息,确定该终端设备处于漫游状态。In a possible implementation method, the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
When the communication apparatus 1300 is used to implement the functions of the first network element (such as the AF or the NEF) in the foregoing method embodiments, the processing unit 1310 is configured to determine a selection parameter when the terminal device is in a roaming state; the transceiver unit 1320 is configured to send the selection parameter to the network repository function network element, where the selection parameter is used to select a visited AKMA anchor function network element that serves the terminal device; to receive information about the visited AKMA anchor function network element from the network repository function network element; and to send a request message to the visited AKMA anchor function network element according to the information about the visited AKMA anchor function network element, where the request message requests an application key for secure communication between a visited application function network element and the terminal device.
In a possible implementation, the processing unit 1310 is further configured to determine, according to one or more of information about the HPLMN of the terminal device, information about the VPLMN in which the first network element is located, or information about the VPLMN of the terminal device, that the terminal device is in a roaming state.
In a possible implementation, the processing unit 1310 is specifically configured to determine the selection parameter according to a first AKMA key identifier or a second AKMA key identifier, where the first AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device, information about the HPLMN of the terminal device and information about the VPLMN of the terminal device, and the second AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device and information about the HPLMN of the terminal device.
When the communication apparatus 1300 is used to implement the functions of the terminal device in the foregoing method embodiments, the processing unit 1310 is configured to determine whether the terminal device is in a roaming state and, when the terminal device is in a roaming state, to determine a first AKMA root key, where the first AKMA root key is used to determine a first application key, and the first application key is used for secure communication between the terminal device and a visited application function network element.
In a possible implementation, the processing unit 1310 is specifically configured to determine the first AKMA root key according to a second AKMA root key together with information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and a home application function network element.
In a possible implementation, the processing unit 1310 is specifically configured to determine the AKMA root key according to information about the VPLMN of the terminal device, the subscription permanent identifier SUPI of the terminal device and the authentication server function root key.
In a possible implementation, the processing unit 1310 is further configured to determine, according to received indication information, that the terminal device is in a roaming state.
When the communication apparatus 1300 is used to implement the functions of the visited AKMA anchor function network element in the foregoing method embodiments, the transceiver unit 1320 is configured to receive an AKMA root key from the home AKMA anchor function network element, and the processing unit 1310 is configured to determine, according to the AKMA root key, an application key for secure communication between a visited application function network element and the terminal device.
When the communication apparatus 1300 is used to implement the functions of the home AKMA anchor function network element in the foregoing method embodiments, the processing unit 1310 is configured to obtain a first AKMA root key, and the transceiver unit 1320 is configured to send the first AKMA root key to the visited AKMA anchor function network element, where the first AKMA root key is used to determine a first application key, and the first application key is used for secure communication between the terminal device and a visited application function network element.
In a possible implementation, the processing unit 1310 is specifically configured to determine the first AKMA root key according to a second AKMA root key, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and a home application function network element.
In a possible implementation, the processing unit 1310 is specifically configured to determine the first AKMA root key according to the second AKMA root key together with information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device.
When the communication apparatus 1300 is used to implement the functions of the home AKMA anchor function network element in the foregoing method embodiments, the processing unit 1310 is configured to determine whether the terminal device is in a roaming state and, when the terminal device is in a roaming state, to determine a first AKMA root key according to a second AKMA root key, where the first AKMA root key is used to determine a first application key, the first application key is used for secure communication between the terminal device and a visited application function network element, the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and a home application function network element.
In a possible implementation, the transceiver unit 1320 is configured to send the first AKMA root key to the visited AKMA anchor function network element.
In a possible implementation, the transceiver unit 1320 is configured to receive a request message from the visited AKMA anchor function network element, where the request message is used to request an AKMA root key, and to send the first AKMA root key to the visited AKMA anchor function network element based on the request message.
In a possible implementation, the processing unit 1310 is specifically configured to determine the first AKMA root key according to the second AKMA root key together with information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device.
In a possible implementation, the transceiver unit 1320 is configured to receive indication information from the authentication server function network element, where the indication information indicates that the terminal device is in a roaming state, and the processing unit 1310 is configured to determine, according to the indication information, that the terminal device is in a roaming state.
In a possible implementation, the processing unit 1310 is configured to determine, according to information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device, whether the terminal device is in a roaming state.
When the communication apparatus 1300 is used to implement the functions of the authentication server function network element in the foregoing method embodiments, the processing unit 1310 is configured to determine whether the terminal device is in a roaming state and, when the terminal device is in a roaming state, to determine an AKMA root key according to information about the VPLMN of the terminal device, where the AKMA root key is used to determine an application key, and the application key is used for secure communication between the terminal device and a visited application function network element.
In a possible implementation, the transceiver unit 1320 is configured to send the AKMA root key to the home AKMA anchor function network element.
In a possible implementation, the processing unit 1310 is configured to determine the AKMA root key according to information about the VPLMN of the terminal device, the SUPI of the terminal device and the authentication server function root key.
In a possible implementation, the processing unit 1310 is configured to determine, according to one or more of information about the HPLMN of the terminal device, information about the VPLMN in which the authentication server function network element is located, or information about the VPLMN of the terminal device, whether the terminal device is in a roaming state.
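Added example, not part of the patent: a Python model of the roaming AKMA key hierarchy the description above sets out (a home root key from the authentication server function root key; a visited root key derived from it with HPLMN/VPLMN information, or derived by the AUSF from the VPLMN information; application keys from either root key), together with a selection parameter taken from the first or second AKMA key identifier. The KDF (HMAC-SHA-256), its label strings, the key identifier layout and every sample value are assumptions made for this illustration, not 3GPP's normative definitions.

```python
import hashlib
import hmac

# Assumed KDF: HMAC-SHA-256 over a label and length-prefixed parameters. It stands
# in for the 3GPP KDF; the labels are illustrative, not normative FC values.
def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()

def is_roaming(hplmn: str, vplmn: str) -> bool:
    """Roaming test from HPLMN/VPLMN information. A received roaming indication
    is the other trigger the description allows and is not modelled here."""
    return hplmn != vplmn

def home_akma_root(k_ausf: bytes, supi: str) -> bytes:
    """Second AKMA root key: from the AUSF root key and the SUPI; it serves
    application keys for the home application function network element."""
    return kdf(k_ausf, b"AKMA-HOME", supi.encode())

def visited_akma_root_from_home(k_akma_home: bytes, hplmn: str, vplmn: str) -> bytes:
    """First AKMA root key as the terminal device or the home AKMA anchor derives
    it: from the second root key plus HPLMN and VPLMN information."""
    return kdf(k_akma_home, b"AKMA-VISITED", hplmn.encode(), vplmn.encode())

def visited_akma_root_from_ausf(k_ausf: bytes, supi: str, vplmn: str) -> bytes:
    """AUSF variant of the first AKMA root key: from the AUSF root key, the SUPI
    and the VPLMN information, then handed to the home AKMA anchor."""
    return kdf(k_ausf, b"AKMA-VISITED-AUSF", vplmn.encode(), supi.encode())

def application_key(k_akma_root: bytes, af_id: str) -> bytes:
    """Application key for one application function network element."""
    return kdf(k_akma_root, b"AKMA-AF", af_id.encode())

def selection_parameter(a_kid: str) -> dict:
    """Selection parameter from an AKMA key identifier. Assumed layout:
    'rid.atid@hplmn' for the second key identifier and 'rid.atid@hplmn/vplmn'
    for the first one, which additionally carries the VPLMN information."""
    username, realm = a_kid.split("@", 1)
    rid, _atid = username.split(".", 1)
    hplmn, _, vplmn = realm.partition("/")
    param = {"routing_indicator": rid, "hplmn": hplmn}
    if vplmn:
        param["vplmn"] = vplmn
    return param

def roaming_key_agreement(k_ausf: bytes, supi: str, hplmn: str, vplmn: str, af_id: str) -> dict:
    """Both ends of the procedure for one subscriber: the terminal device derives
    its application key locally; on the network side the home AKMA anchor derives
    the first root key and the visited AKMA anchor derives the application key
    from it, so the visited side never sees the home root key."""
    k_home = home_akma_root(k_ausf, supi)
    if not is_roaming(hplmn, vplmn):
        ue_key = application_key(k_home, af_id)
        net_key = application_key(k_home, af_id)      # home anchor serves the home AF
    else:
        ue_key = application_key(visited_akma_root_from_home(k_home, hplmn, vplmn), af_id)
        k_visited = visited_akma_root_from_home(k_home, hplmn, vplmn)  # home anchor
        net_key = application_key(k_visited, af_id)   # visited anchor, given k_visited only
    return {"ue": ue_key, "network": net_key, "match": hmac.compare_digest(ue_key, net_key)}

# Constructed sample values (not real subscriber data).
SAMPLE_K_AUSF = hashlib.sha256(b"constructed sample K_AUSF").digest()
SAMPLE_SUPI = "imsi-001010123456789"

if __name__ == "__main__":
    r = roaming_key_agreement(SAMPLE_K_AUSF, SAMPLE_SUPI, "00101", "00102", "af.example")
    print("roaming keys agree:", r["match"])
    print("selection parameter:", selection_parameter("1234.abcd@00101/00102"))
```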
More detailed descriptions of the processing unit 1310 and the transceiver unit 1320 can be obtained directly from the related descriptions in the foregoing method embodiments and are not repeated here.
The communication apparatus 1400 shown in FIG. 14 includes a processor 1410 and an interface circuit 1420. The processor 1410 and the interface circuit 1420 are coupled to each other. It can be understood that the interface circuit 1420 may be a transceiver or an input/output interface. Optionally, the communication apparatus 1400 may further include a memory 1430 for storing instructions executed by the processor 1410, input data needed by the processor 1410 to run the instructions, or data generated after the processor 1410 runs the instructions.
When the communication apparatus 1400 is used in the foregoing method embodiments, the processor 1410 is configured to implement the functions of the processing unit 1310, and the interface circuit 1420 is configured to implement the functions of the transceiver unit 1320.
It can be understood that the processor in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. A general-purpose processor may be a microprocessor or any conventional processor.
The method steps in the embodiments of this application may be implemented in hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, and the software modules may be stored in a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC may be located in a base station or a terminal device. Of course, the processor and the storage medium may also exist as discrete components in a base station or a terminal device.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are performed in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a base station, a user equipment, or another programmable apparatus. The computer program or instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer program or instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired or wireless means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium, for example a floppy disk, a hard disk or a magnetic tape; an optical medium, for example a digital video disc; or a semiconductor medium, for example a solid-state drive. The computer-readable storage medium may be a volatile or non-volatile storage medium, or may include both volatile and non-volatile storage media.
In the embodiments of this application, unless otherwise stated or logically contradictory, the terms and/or descriptions in different embodiments are consistent and may be cross-referenced, and the technical features in different embodiments may be combined according to their intrinsic logical relationships to form new embodiments.
In this application, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B may be singular or plural. In the textual description of this application, the character "/" generally indicates an "or" relationship between the associated objects; in the formulas of this application, the character "/" indicates a "division" relationship between them.
It can be understood that the various numbers involved in the embodiments of this application are merely for ease of description and are not intended to limit the scope of the embodiments of this application. The sequence numbers of the foregoing processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic.

Claims (30)

  1. A communication method, characterized by comprising:
    a network repository function network element receives a request message from a first network element, where the request message includes a selection parameter;
    when a terminal device is in a roaming state, the network repository function network element selects, according to the selection parameter, a visited AKMA anchor function network element that serves the terminal device;
    the network repository function network element sends a response message to the first network element, where the response message includes information about the visited AKMA anchor function network element.
  2. The method according to claim 1, characterized in that the network repository function network element selecting, according to the selection parameter, a visited AKMA anchor function network element that serves the terminal device comprises:
    when the network repository function network element has stored an AKMA anchor function network element corresponding to the selection parameter, the network repository function network element selects the AKMA anchor function network element corresponding to the selection parameter as the visited AKMA anchor function network element; or,
    when the network repository function network element has not stored an AKMA anchor function network element corresponding to the selection parameter, the network repository function network element selects a default AKMA anchor function network element as the visited AKMA anchor function network element.
  3. The method according to claim 1 or 2, characterized in that the selection parameter includes one or more of the routing indicator of the terminal device, information about the home public land mobile network HPLMN of the terminal device, information about the visited public land mobile network VPLMN in which the first network element is located, or information about the VPLMN of the terminal device.
  4. The method according to any one of claims 1 to 3, characterized in that the selection parameter includes one or more of information about the HPLMN of the terminal device, information about the VPLMN in which the first network element is located, or information about the VPLMN of the terminal device;
    the method further comprises:
    the network repository function network element determines, according to one or more of the information about the HPLMN of the terminal device, the information about the VPLMN in which the first network element is located, or the information about the VPLMN of the terminal device, that the terminal device is in a roaming state.
  5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    the network repository function network element determines, according to received indication information, that the terminal device is in a roaming state.
  6. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    the network repository function network element determines, according to information about the PLMN of the network repository function network element and information about the HPLMN of the terminal device, that the terminal device is in a roaming state.
  7. The method according to any one of claims 1 to 6, characterized in that the terminal device being in a roaming state means that the terminal device is located in a visited network, or that an application function network element communicating with the terminal device cannot directly connect to the home AKMA anchor function network element of the terminal device.
  8. A communication method, characterized by comprising:
    when a terminal device is in a roaming state, a first network element determines a selection parameter;
    the first network element sends the selection parameter to a network repository function network element, where the selection parameter is used to select a visited AKMA anchor function network element that serves the terminal device;
    the first network element receives information about the visited AKMA anchor function network element from the network repository function network element;
    the first network element sends, according to the information about the visited AKMA anchor function network element, a request message to the visited AKMA anchor function network element, where the request message requests an application key for secure communication between a visited application function network element and the terminal device.
  9. The method according to claim 8, characterized in that the selection parameter includes one or more of the routing indicator of the terminal device, information about the home public land mobile network HPLMN of the terminal device, information about the visited public land mobile network VPLMN in which the first network element is located, or information about the VPLMN of the terminal device.
  10. The method according to claim 8 or 9, characterized in that the method further comprises:
    the first network element determines, according to one or more of information about the HPLMN of the terminal device, information about the VPLMN in which the first network element is located, or information about the VPLMN of the terminal device, that the terminal device is in a roaming state.
  11. The method according to any one of claims 8 to 10, characterized in that the method further comprises:
    the first network element sends indication information to the terminal device, where the indication information indicates that the terminal device is in a roaming state.
  12. The method according to any one of claims 8 to 11, characterized in that the first network element determining a selection parameter comprises:
    the first network element determines the selection parameter according to a first AKMA key identifier or a second AKMA key identifier;
    where the first AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device, information about the HPLMN of the terminal device and information about the VPLMN of the terminal device;
    the second AKMA key identifier includes the routing indicator of the terminal device, the AKMA temporary identifier of the terminal device and information about the HPLMN of the terminal device.
  13. The method according to any one of claims 8 to 12, characterized in that
    the first network element is the visited application function network element, and the method further comprises: the visited application function network element receives an application session establishment request message from the terminal device; or,
    the first network element is the network exposure function network element, and the method further comprises: the network exposure function network element receives an application key request message from the visited application function network element.
  14. A communication method, characterized by comprising:
    a terminal device determines whether the terminal device is in a roaming state;
    when the terminal device is in a roaming state, the terminal device determines a first AKMA root key, where the first AKMA root key is used to determine a first application key, and the first application key is used for secure communication between the terminal device and a visited application function network element.
  15. The method according to claim 14, characterized in that the terminal device determining a first AKMA root key comprises:
    the terminal device determines the first AKMA root key according to a second AKMA root key together with information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and a home application function network element.
  16. The method according to claim 14, characterized in that the terminal device determining a first AKMA root key comprises:
    the terminal device determines the AKMA root key according to information about the VPLMN of the terminal device, the subscription permanent identifier SUPI of the terminal device and the authentication server function root key.
  17. The method according to any one of claims 14 to 16, characterized in that the method further comprises:
    the terminal device determines, according to received indication information, that the terminal device is in a roaming state.
  18. A communication apparatus, characterized by comprising a module for performing the method according to any one of claims 1 to 7, or a module for performing the method according to any one of claims 8 to 13, or a module for performing the method according to any one of claims 14 to 17.
  19. A communication apparatus, characterized by comprising a processor and a memory, where the memory is configured to store computer instructions, and when the communication apparatus runs, the processor executes the computer instructions stored in the memory so that the communication apparatus performs the method according to any one of claims 1 to 7, or the method according to any one of claims 8 to 13, or the method according to any one of claims 14 to 17.
  20. A computer program product, characterized in that the computer program product includes a computer program or instructions which, when run on a processor, cause the processor to perform the method according to any one of claims 1 to 7, or the method according to any one of claims 8 to 13, or the method according to any one of claims 14 to 17.
  21. A computer-readable storage medium, characterized in that the storage medium stores a computer program or instructions which, when executed by a communication apparatus, implement the method according to any one of claims 1 to 7, or the method according to any one of claims 8 to 13, or the method according to any one of claims 14 to 17.
  22. A communication system, characterized by comprising a first network element and a network repository function network element;
    the first network element is configured to determine a selection parameter when a terminal device is in a roaming state, and to send a first request message to the network repository function network element, where the first request message includes the selection parameter;
    the network repository function network element is configured to receive the first request message from the first network element; to select, according to the selection parameter in the first request message, a visited AKMA anchor function network element that serves the terminal device; and to send a response message to the first network element, where the response message includes information about the visited AKMA anchor function network element;
    the first network element is further configured to receive the response message.
  23. The system according to claim 22, characterized in that the system further comprises the visited AKMA anchor function network element;
    the first network element is further configured to send, according to the information about the visited AKMA anchor function network element, a second request message to the visited AKMA anchor function network element, where the second request message requests a first application key for secure communication between a visited application function network element and the terminal device;
    the visited AKMA anchor function network element is configured to receive the second request message; to obtain a first AKMA root key; to determine the first application key according to the first AKMA root key; and to send the first application key to the first network element.
  24. The system according to claim 23, characterized in that the system further comprises a home AKMA anchor function network element;
    the home AKMA anchor function network element is configured to obtain the first AKMA root key, and to send the first AKMA root key to the visited AKMA anchor function network element;
    the visited AKMA anchor function network element is specifically configured to receive the first AKMA root key from the home AKMA anchor function network element.
  25. The system according to claim 24, characterized in that the home AKMA anchor function network element is specifically configured to determine the first AKMA root key according to a second AKMA root key, where the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and a home application function network element.
  26. The system according to claim 25, characterized in that the home AKMA anchor function network element is specifically configured to determine the first AKMA root key according to the second AKMA root key together with information about the HPLMN of the terminal device and/or information about the VPLMN of the terminal device.
  27. The system according to claim 24, characterized in that the home AKMA anchor function network element is specifically configured to receive the first AKMA root key from an authentication server function network element.
  28. The system according to any one of claims 22 to 27, characterized in that the first network element is a visited application function network element;
    the visited application function network element is further configured to receive an application session establishment request message from the terminal device, where the application session establishment request message includes information used to determine the selection parameter.
  29. 如权利要求22至27中任一项所述的系统,其特征在于,所述第一网元是网络开放功能网元;The system according to any one of claims 22 to 27, wherein the first network element is a network open function network element;
    所述网络开放功能网元,还接收来自拜访应用功能网元的应用密钥请求消息,所述应用密钥请求消息包括用于确定所述选择参数的信息。The network opening function network element also receives an application key request message from the visiting application function network element, where the application key request message includes information used to determine the selection parameter.
  30. 一种通信方法,其特征在于,包括:A communication method, characterized by including:
    当终端设备处于漫游状态,第一网元确定选择参数;When the terminal device is in roaming state, the first network element determines the selection parameters;
    所述第一网元向网络存储功能网元发送第一请求消息,所述第一请求消息包括所述选择参数;The first network element sends a first request message to the network storage function network element, where the first request message includes the selection parameter;
    所述网络存储功能网元根据所述第一请求消息中的所述选择参数,选择为所述终端设备提供服务的拜访AKMA锚点功能网元;The network storage function network element selects a visiting AKMA anchor point function network element that provides services for the terminal device according to the selection parameter in the first request message;
    所述网络存储功能网元向所述第一网元发送响应消息,所述响应消息包括所述拜访AKMA锚点功能网元的信息。 The network storage function network element sends a response message to the first network element, where the response message includes information about the visiting AKMA anchor point function network element.
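As an added illustration (not the patent's own code, nor the 3GPP specification), the key hierarchy of claims 23 to 26 in Python: the home AKMA anchor function derives the first AKMA root key from the second AKMA root key (K_AKMA) together with HPLMN and VPLMN information, hands it to the visited anchor function, which derives the first application key from it, while the second (home) application key remains derivable only from K_AKMA. The KDF, the key labels, the use of an application function identifier as derivation input, and the PLMN identifier format are assumptions made for the example.

```python
import hmac
import hashlib

def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over length-prefixed parameters (the 3GPP KDF
    of TS 33.220 uses a different input layout; this is a stand-in)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()

class HomeAAnF:
    """Home AKMA anchor function: holds the second AKMA root key (K_AKMA)."""
    def __init__(self, k_akma: bytes, hplmn_id: str):
        self.k_akma = k_akma
        self.hplmn_id = hplmn_id

    def home_app_key(self, home_af_id: str) -> bytes:
        # Claim 25: the second application key (UE <-> home AF) comes from K_AKMA.
        return kdf(self.k_akma, b"K_AF", home_af_id.encode())

    def roaming_root_key(self, vplmn_id: str) -> bytes:
        # Claims 25/26: the first AKMA root key from K_AKMA, HPLMN and VPLMN info.
        return kdf(self.k_akma, b"K_AKMA_ROAM", self.hplmn_id.encode(), vplmn_id.encode())

class VisitedAAnF:
    """Visited AKMA anchor function: only ever sees the first AKMA root key."""
    def __init__(self) -> None:
        self.root_key = None

    def receive_root_key(self, key: bytes) -> None:
        self.root_key = key  # claim 24: delivered by the home AAnF

    def visited_app_key(self, visited_af_id: str) -> bytes:
        # Claim 23: the first application key (UE <-> visited AF) from the first root key.
        if self.root_key is None:
            raise RuntimeError("first AKMA root key not yet received from home AAnF")
        return kdf(self.root_key, b"K_AF", visited_af_id.encode())

def derive_roaming_keys(k_akma, hplmn_id, vplmn_id, home_af_id, visited_af_id):
    """Run the claim 23-26 exchange and return (home app key, visited app key)."""
    home = HomeAAnF(k_akma, hplmn_id)
    visited = VisitedAAnF()
    visited.receive_root_key(home.roaming_root_key(vplmn_id))
    return home.home_app_key(home_af_id), visited.visited_app_key(visited_af_id)
```

The terminal device runs the same derivation chain on its side; the checks worth keeping are that a visited anchor function holding only the first root key cannot compute the home application key, and that a different VPLMN yields a different first root key, so the roaming material is bound to the visited network.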
PCT/CN2023/100763 2022-06-24 2023-06-16 Communication method, communication apparatus and communication system WO2023246649A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210730849.9A CN117336714A (en) 2022-06-24 2022-06-24 Communication method, communication device and communication system
CN202210730849.9 2022-06-24

Publications (1)

Publication Number Publication Date
WO2023246649A1 true WO2023246649A1 (en) 2023-12-28

Also Published As

Publication number Publication date
CN117336714A (en) 2024-01-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 23826298; Country of ref document: EP; Kind code of ref document: A1