WO2023246649A1 - Communication method, communication apparatus and communication system - Google Patents

Communication method, communication apparatus and communication system

Info

Publication number
WO2023246649A1
WO2023246649A1 PCT/CN2023/100763
Authority
WO
WIPO (PCT)
Prior art keywords
network element
akma
terminal device
function network
information
Prior art date
Application number
PCT/CN2023/100763
Other languages
English (en)
Chinese (zh)
Inventor
李�赫
吴�荣
吴义壮
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023246649A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation

Definitions

  • the present application relates to the field of wireless communication technology, and in particular to communication methods, communication devices and communication systems.
  • when a terminal device communicates with an application function (AF) network element, both parties need to use an application key to encrypt the transmitted content.
  • the application key used by the terminal device is generated by the terminal device, and the application key used by the AF network element is generated by the authentication and key management for applications (AKMA) anchor function (AAnF) network element and sent to the AF network element.
  • the AF network element and the AAnF network element are located in the same public land mobile network, so the AF network element can connect to the AAnF network element and request the AAnF network element to obtain the application key.
  • the AF network element communicating with the terminal device may not be able to directly connect to the terminal device's home AAnF (home AAnF, hAAnF) network element.
  • the AF network element may therefore not be able to obtain the application key, causing communication insecurity.
  • This application provides communication methods, communication devices and communication systems to ensure secure communication between terminal equipment and AF network elements.
  • embodiments of the present application provide a communication method, which can be executed by a network storage function network element or a module applied to a network storage function network element.
  • the network storage function network element receives a request message from the first network element, and the request message includes selection parameters; when the terminal device is in the roaming state, the network storage function network element selects, according to the selection parameters, the visited AKMA anchor point function network element that provides services for the terminal device; the network storage function network element sends a response message to the first network element, and the response message includes the information of the visited AKMA anchor point function network element.
  • the network storage function network element selects a visiting AKMA anchor point function network element.
  • this visiting AKMA anchor point function network element can not only serve as a transit node, but also generate the application key for secure communication between the terminal device and the application function network element. This enables the application function network element to accurately obtain the application key, which facilitates the use of the application key to encrypt the communication content between the terminal device and the application function network element and helps to improve communication security.
  • the network storage function network element selecting the visiting AKMA anchor point function network element that provides services for the terminal device includes: when the network storage function network element stores an AKMA anchor point function network element corresponding to the selection parameter, the network storage function network element selects the AKMA anchor point function network element corresponding to the selection parameter as the visiting AKMA anchor point function network element; or, when the network storage function network element does not store an AKMA anchor point function network element corresponding to the selection parameter, the network storage function network element selects the default AKMA anchor point function network element as the visiting AKMA anchor point function network element.
  • the above solution can select a suitable network element to visit the AKMA anchor point function.
  • the selection parameter includes the routing identifier of the terminal device, information about the home public land mobile network (HPLMN) of the terminal device, information about the visited public land mobile network (VPLMN) where the first network element is located, or the VPLMN information of the terminal device.
  • the appropriate visiting AKMA anchor point function network element can be determined.
  • the selection parameter includes one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device; the network storage function network element determines that the terminal device is in the roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the network storage function network element determines that the terminal device is in a roaming state based on the received indication information.
  • the network storage function network element determines that the terminal device is in the roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the terminal device being in the roaming state means that the terminal device is located in the visited network, or that the application function network element communicating with the terminal device cannot directly connect to the home AKMA anchor function network element of the terminal device.
  • embodiments of the present application provide a communication method.
  • the method can be executed by a first network element or a module applied to the first network element.
  • the first network element can be a network open function network element or an application function network element.
  • the first network element determines the selection parameters; the first network element sends the selection parameters to the network storage function network element, and the selection parameters are used to select the visiting AKMA anchor point function network element that provides services for the terminal device; the first network element receives the information of the visiting AKMA anchor point function network element from the network storage function network element; the first network element sends a request message to the visiting AKMA anchor point function network element based on the information of the visiting AKMA anchor point function network element.
  • the request message requests the application key used for secure communication between the visiting application function network element and the terminal device.
  • when the terminal device is in the roaming state, the first network element requests the network storage function network element to select a visiting AKMA anchor point function network element.
  • the visiting AKMA anchor point function network element can either serve as a transit node or generate the application key for secure communication between the terminal device and the application function network element. This enables the application function network element to accurately obtain the application key, which facilitates the use of the application key to encrypt the communication content between the terminal device and the application function network element and helps to improve communication security.
  • the selection parameter includes the routing identifier of the terminal device, information about the home public land mobile network (HPLMN) of the terminal device, information about the visited public land mobile network (VPLMN) where the first network element is located, or the VPLMN information of the terminal device.
  • the appropriate visiting AKMA anchor point function network element can be determined.
  • the first network element determines that the terminal device is roaming based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the first network element sends indication information to the terminal device, and the indication information indicates that the terminal device is in a roaming state.
  • the first network element determining the selection parameter includes: the first network element determines the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; wherein the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device, and the VPLMN information of the terminal device; the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
  • the first network element is the visiting application function network element, and the visiting application function network element receives the application session establishment request message from the terminal device; or, the first network element is the network open function network element, and the network open function network element receives the application key request message from the visiting application function network element.
  • embodiments of the present application provide a communication method, which can be executed by a terminal device or a module applied to the terminal device. Taking the terminal device executing this method as an example, the terminal device determines whether the terminal device is in a roaming state; when the terminal device is in a roaming state, the terminal device determines the first AKMA root key, and the first AKMA root key is used to determine a first application key, which is used for secure communication between the terminal device and the visiting application function network element.
  • when the terminal device is in the roaming state, the terminal device generates the first AKMA root key.
  • the first AKMA root key is used to determine the first application key.
  • the first application key is used for secure communication between the terminal device and the visiting application function network element, which helps to accurately determine the key for communication with the visiting application function network element.
  • the terminal device determining the first AKMA root key includes: the terminal device determines the first AKMA root key according to the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device, and the second AKMA root key is used to determine a second application key.
  • the second application key is used for secure communication between the terminal device and the home application function network element.
  • the terminal device determining the first AKMA root key includes: the terminal device determines the first AKMA root key based on the VPLMN information of the terminal device, the user permanent identity (SUPI) of the terminal device and the authentication server function root key.
  • the terminal device determines that the terminal device is in a roaming state based on the received indication information.
  • embodiments of the present application provide a communication method, which can be executed by a visiting AKMA anchor point function network element or a module applied to a visiting AKMA anchor point function network element. Taking the visiting AKMA anchor point function network element executing this method as an example, the visiting AKMA anchor function network element receives the first AKMA root key from the home AKMA anchor function network element; the visiting AKMA anchor function network element determines, based on the first AKMA root key, the first application key used for secure communication between the visiting application function network element and the terminal device.
  • the visiting AKMA anchor point function network element stores the AKMA root key.
  • embodiments of the present application provide a communication method, which can be executed by the home AKMA anchor function network element or a module applied to the home AKMA anchor function network element.
  • the home AKMA anchor point function network element obtains the first AKMA root key; the home AKMA anchor point function network element sends the first AKMA root key to the visiting AKMA anchor point function network element.
  • the first AKMA root key is used to determine the first application key.
  • the first application key is used for secure communication between the terminal device and the visiting application function network element.
  • the home AKMA anchor function network element obtaining the first AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key, the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the home AKMA anchor point function network element determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor point function network element determines the first AKMA root key based on the second AKMA root key, as well as the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element obtaining the first AKMA root key includes: the home AKMA anchor function network element receives the first AKMA root key from the authentication server function network element.
  • embodiments of the present application provide a communication method, which can be executed by the home AKMA anchor function network element or a module applied to the home AKMA anchor function network element.
  • the home AKMA anchor point function network element determines whether the terminal device is in the roaming state; when the terminal device is in the roaming state, the home AKMA anchor point function network element determines the first AKMA root key based on the second AKMA root key; wherein the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visiting application function network element;
  • the second AKMA root key is used to determine a second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • after the home AKMA anchor function network element determines that the UE is in the roaming state, it can generate an AKMA root key for the visiting AKMA anchor function network element and send the AKMA root key to the visiting AKMA anchor function network element.
  • this key is used by the visiting AKMA anchor point function network element to achieve key isolation between different AKMA anchor point function network elements, that is, the visiting AKMA anchor point function network element and the home AKMA anchor point function network element use different AKMA root keys, which helps ensure the security of the keys and thereby improves the security of communication.
  • the home AKMA anchor point function network element stores the first AKMA root key.
  • the home AKMA anchor point function network element sends the first AKMA root key to the visiting AKMA anchor point function network element.
  • the home AKMA anchor function network element receives a request message from the visiting AKMA anchor function network element.
  • the request message is used to request to obtain the AKMA root key;
  • the home AKMA anchor function network element sending the first AKMA root key to the visited AKMA anchor function network element includes: the home AKMA anchor function network element sends the first AKMA root key to the visited AKMA anchor function network element based on the request message.
  • the home AKMA anchor function network element determining the first AKMA root key based on the second AKMA root key includes: the home AKMA anchor function network element determines the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element determining whether the terminal device is in a roaming state includes: the home AKMA anchor function network element receives indication information from the authentication server function network element, and the indication information indicates that the terminal device is in the roaming state; the home AKMA anchor point function network element determines that the terminal device is in the roaming state based on the indication information.
  • the home AKMA anchor point function network element determining whether the terminal device is in a roaming state includes: the home AKMA anchor point function network element determines whether the terminal device is in the roaming state based on the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • embodiments of the present application provide a communication method, which can be executed by an authentication server functional network element or a module applied to the authentication server functional network element.
  • the authentication server functional network element determines whether the terminal device is in the roaming state; when the terminal device is in the roaming state, the authentication server functional network element determines the AKMA root key based on the VPLMN information of the terminal device.
  • after the authentication server function network element determines that the terminal device is in the roaming state, it can generate an AKMA root key and send the AKMA root key to the visiting AKMA anchor point function network element through the home AKMA anchor point function network element.
  • this key is used by the visiting AKMA anchor point function network element to achieve key isolation between different AKMA anchor point function network elements, that is, the visiting AKMA anchor point function network element and the home AKMA anchor point function network element use different AKMA root keys, which helps ensure the security of the keys and thereby improves the security of communication.
  • the authentication server functional network element stores the AKMA root key.
  • the authentication server function network element sends the AKMA root key to the home AKMA anchor point function network element.
  • the authentication server functional network element determining the AKMA root key based on the VPLMN information of the terminal device includes: the authentication server functional network element determines the AKMA root key based on the VPLMN information of the terminal device, the user permanent identity (SUPI) of the terminal device and the authentication server function root key.
  • the authentication server function network element determining whether the terminal device is in a roaming state includes: the authentication server function network element determines whether the terminal device is in a roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the location where the authentication server function network element is located, or the VPLMN information of the terminal device.
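The two derivation alternatives described above (the home AKMA anchor function deriving the first AKMA root key from the second root key plus HPLMN and/or VPLMN information, and the authentication server function deriving it from the VPLMN information, the SUPI and the authentication server function root key) can be illustrated with a short derivation chain. The following is an added example and is not code from the patent, from Huawei or from 3GPP: the KDF input layout follows the TS 33.220 Annex B convention, the FC values 0x80 (K_AKMA) and 0x82 (K_AF) are the ones I recall from TS 33.535 Annex A, and FC_ROAMING_ROOT, the "AKMA-ROAM" label, the PLMN strings, the SUPI and the K_AUSF value are constructed placeholders, since the patent fixes no concrete KDF inputs. It demonstrates the key-isolation property the text claims: the root key handed to the visited anchor, and every application key derived from it, differs from the home-side values and changes with the VPLMN.

```python
# Added example (not the patent's, Huawei's or 3GPP's code): illustrative AKMA
# key derivation chain showing why the visited anchor gets its own root key.
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF in the TS 33.220 Annex B layout:
    S = FC || P0 || L0 || P1 || L1 || ... with 2-byte big-endian lengths."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# 0x80 and 0x82 are the K_AKMA / K_AF FC values as I recall them from
# TS 33.535 Annex A; FC_ROAMING_ROOT is a constructed placeholder because the
# patent does not specify an FC for the roaming root key.
FC_K_AKMA = 0x80
FC_K_AF = 0x82
FC_ROAMING_ROOT = 0xF0


def derive_home_root(k_ausf: bytes, supi: str) -> bytes:
    """Second AKMA root key (home K_AKMA), derived from K_AUSF and the SUPI."""
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def derive_visited_root_from_home_root(k_akma_home: bytes, hplmn: str, vplmn: str) -> bytes:
    """Alternative (a): the home anchor derives the first AKMA root key from the
    second root key plus HPLMN and VPLMN information. Label is hypothetical."""
    return kdf(k_akma_home, FC_ROAMING_ROOT, b"AKMA-ROAM", hplmn.encode(), vplmn.encode())


def derive_visited_root_from_k_ausf(k_ausf: bytes, supi: str, vplmn: str) -> bytes:
    """Alternative (b): the authentication server function derives the first
    AKMA root key directly from K_AUSF, the SUPI and VPLMN information."""
    return kdf(k_ausf, FC_ROAMING_ROOT, b"AKMA-ROAM", supi.encode(), vplmn.encode())


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """Application key for one AF, from whichever root key the serving anchor holds."""
    return kdf(k_akma, FC_K_AF, af_id.encode())


def roaming_keys(k_ausf: bytes, supi: str, hplmn: str, vplmn: str,
                 home_af: str, visited_af: str) -> dict:
    """Derive the home and visited key hierarchy and return every key as hex."""
    k_akma_home = derive_home_root(k_ausf, supi)
    k_akma_visited_a = derive_visited_root_from_home_root(k_akma_home, hplmn, vplmn)
    k_akma_visited_b = derive_visited_root_from_k_ausf(k_ausf, supi, vplmn)
    return {
        "k_akma_home": k_akma_home.hex(),
        "k_akma_visited_a": k_akma_visited_a.hex(),
        "k_akma_visited_b": k_akma_visited_b.hex(),
        "k_af_home": derive_k_af(k_akma_home, home_af).hex(),
        "k_af_visited_a": derive_k_af(k_akma_visited_a, visited_af).hex(),
    }


def isolation_holds(keys: dict) -> bool:
    """Key isolation: the visited anchor's root key is not the home root key,
    and application keys on the two sides differ even for the same AF identifier."""
    return (
        keys["k_akma_home"] != keys["k_akma_visited_a"]
        and keys["k_akma_home"] != keys["k_akma_visited_b"]
        and keys["k_af_home"] != keys["k_af_visited_a"]
    )


# Constructed sample input; a real K_AUSF results from primary authentication.
SAMPLE_K_AUSF = hashlib.sha256(b"constructed-sample-k-ausf").digest()
SAMPLE_SUPI = "imsi-001010123456789"  # constructed placeholder SUPI

if __name__ == "__main__":
    keys = roaming_keys(SAMPLE_K_AUSF, SAMPLE_SUPI, "001-01", "262-01",
                        home_af="af.example", visited_af="af.example")
    for name, value in keys.items():
        print(f"{name}: {value}")
    print("isolation holds:", isolation_holds(keys))
```

Run directly, the block prints the derived keys in hex and confirms the isolation check. The same AF identifier is used on both sides on purpose: the application keys still differ because they hang off different root keys, which is the property that lets the visited anchor serve the roaming terminal without ever holding the home root key.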
  • embodiments of the present application provide a communication device.
  • the device may be a network storage function network element, or may be a chip for a network storage function network element.
  • the device has the function of implementing any implementation method of the above-mentioned first aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be a first network element or a chip used for the first network element.
  • the device has the function of implementing any implementation method of the above second aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be a terminal device or a chip for the terminal device.
  • the device has the function of implementing any implementation method of the above third aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device.
  • the device may be a visiting AKMA anchor point function network element, or may be a chip used to visit an AKMA anchor point function network element.
  • the device has the function of implementing any implementation method of the fourth aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device.
  • the device may be a home AKMA anchor point function network element, or may be a chip used for the home AKMA anchor point function network element.
  • the device has the function of realizing any implementation method of the fifth aspect or the sixth aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, which may be an authentication server functional network element, or may be a chip used for the authentication server functional network element.
  • the device has the function of implementing any implementation method of the seventh aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • embodiments of the present application provide a communication device, including a processor coupled to a memory, and the processor is configured to call a program stored in the memory to execute any implementation of the above-mentioned first to seventh aspects.
  • the memory may be located within the device or external to the device.
  • the processor can be one or more.
  • embodiments of the present application provide a communication device, including a processor and a memory; the memory is used to store computer instructions, and when the device is running, the processor executes the computer instructions stored in the memory, so that the device Execute any implementation method in the above first to seventh aspects.
  • an embodiment of the present application provides a communication device, including units or means for executing each step of any implementation method in the above-mentioned first to seventh aspects.
  • embodiments of the present application provide a communication device, including a processor and an interface circuit.
  • the processor is configured to communicate with other devices through the interface circuit and perform any implementation method in the above-mentioned first to seventh aspects.
  • the processor includes one or more.
  • embodiments of the present application further provide a computer-readable storage medium, in which instructions are stored which, when run on a communication device, cause any implementation method of the above-described first to seventh aspects to be executed.
  • embodiments of the present application further provide a computer program product.
  • the computer program product includes a computer program or instructions; when the computer program or instructions are run by a communication device, any implementation method of the above-mentioned first to seventh aspects is executed.
  • embodiments of the present application further provide a chip system, including: a processor, configured to execute any implementation method in the above-mentioned first to seventh aspects.
  • embodiments of the present application also provide a communication system, which includes a network storage function network element for performing any implementation method of the first aspect, and a first network element for performing any implementation method of the second aspect.
  • embodiments of the present application further provide a communication system, which includes a visiting AKMA anchor point function network element for performing any implementation method of the fourth aspect, and a home AKMA anchor function network element for performing any implementation method of the fifth aspect.
  • embodiments of the present application also provide a communication method, including: when the terminal device is in a roaming state, the first network element determines the selection parameters; the first network element sends a first request message to the network storage function network element, and the first request message includes the selection parameters; the network storage function network element selects the visiting AKMA anchor point function network element that provides services for the terminal device according to the selection parameters in the first request message; the network storage function network element sends a response message to the first network element, where the response message includes information about the visiting AKMA anchor point function network element.
  • Figure 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of the 5G network architecture based on the service-based architecture.
  • Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • Figure 4 is an architectural diagram of adding AKMA-related functions to the 5G network.
  • Figure 5 is a schematic diagram of a K_AKMA generation method provided by an embodiment of the present application.
  • Figure 6 is a schematic diagram of a method of using K_AKMA provided by an embodiment of the present application.
  • Figure 7 is a schematic diagram of a method of using K_AKMA provided by an embodiment of the present application.
  • Figure 8 is a schematic diagram of the AKMA roaming architecture provided in this embodiment.
  • Figure 9(a) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 9(b) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 9(c) is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 10 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 11 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 12 is a schematic flow chart of a communication method provided by an embodiment of the present application.
  • Figure 13 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • Figure 14 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • the system includes a network storage function network element and a first network element.
  • the system also includes a home AKMA anchor function network element.
  • the system shown in Figure 1 can be used in the fifth generation (5G) network architecture shown in Figures 2 to 4, and can also be used in a sixth generation (6G) network architecture or other network architectures; this is not limited by this application.
  • the first network element is used to determine selection parameters when the terminal device is in a roaming state; and send a first request message to the network storage function network element, where the first request message includes the selection parameter.
  • the network storage function network element is configured to receive the first request message from the first network element; select the visiting AKMA anchor point function network element that provides services for the terminal device according to the selection parameter in the first request message; and send a response message to the first network element, where the response message includes information about the visited AKMA anchor point function network element.
  • the first network element is also used to receive the response message.
  • the first network element is also configured to send a second request message to the visited AKMA anchor function network element according to the information of the visited AKMA anchor function network element.
  • the second request message requests the first application key used for secure communication between the visited application function network element and the terminal device; the visited AKMA anchor function network element is configured to receive the second request message, obtain the first AKMA root key, determine the first application key according to the first AKMA root key, and send the first application key to the first network element.
  • the home AKMA anchor function network element is used to obtain the first AKMA root key and send the first AKMA root key to the visited AKMA anchor function network element; the visited AKMA anchor function network element is specifically configured to receive the first AKMA root key from the home AKMA anchor function network element.
  • the home AKMA anchor function network element is specifically used to determine the first AKMA root key based on the second AKMA root key, and the second AKMA root key is used to determine the second application key.
  • the second application key is used for secure communication between the terminal device and the home application function network element.
  • the home AKMA anchor function network element is specifically configured to determine the first AKMA root key according to the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the home AKMA anchor function network element is specifically configured to receive the first AKMA root key from the authentication server function network element.
  • the first network element is a visiting application function network element; the visiting application function network element is also used to receive an application session establishment request message from the terminal device, where the application session establishment request message includes information used to determine the selection parameters.
  • the first network element is a network open function network element; the network open function network element also receives an application key request message from a visiting application function network element, where the application key request message includes information used to determine the selection parameters.
  • the network storage function network element is specifically configured to select, when it stores an AKMA anchor function network element corresponding to the selection parameter, that AKMA anchor function network element as the visited AKMA anchor function network element; or, when it does not store an AKMA anchor function network element corresponding to the selection parameter, to select the default AKMA anchor function network element as the visited AKMA anchor function network element.
  • the selection parameter includes one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device; the network storage function network element is also used to determine that the terminal device is in a roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the network storage function network element is also used to determine that the terminal device is in a roaming state based on the received indication information.
  • the network storage function network element is also used to determine that the terminal device is in a roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the first network element is also configured to determine that the terminal device is in a roaming state according to one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the first network element is also configured to send indication information to the terminal device, where the indication information indicates that the terminal device is in a roaming state.
  • the first network element is specifically configured to determine the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; wherein the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device, and the VPLMN information of the terminal device; the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
  • the 5G network architecture is also called the next generation mobile communication network system (Next Generation System).
  • This architecture not only supports wireless access technologies defined by the 3GPP standards group (such as long term evolution (LTE) access technology, 5G radio access network (RAN) access technology, etc.) connecting to the 5G core network (CN), but also supports the use of non-3GPP access technologies to access the core network through a non-3GPP interworking function (N3IWF) or a next generation packet data gateway (ngPDG).
  • LTE long term evolution
  • RAN radio access network
  • CN 5G core network
  • N3IWF non-3GPP interworking function
  • ngPDG next generation packet data gateway
  • FIG. 2 is a schematic diagram of the 5G network architecture based on service-based architecture.
  • the 5G network architecture shown in Figure 2 may include access network equipment and core network equipment. Terminal equipment is connected to the data network (DN) through access network equipment and core network equipment.
  • the core network equipment includes but is not limited to some or all of the following network elements: authentication server function (AUSF) network element (not shown in the figure), unified data management (UDM) network element, unified data repository (UDR) network element, network repository function (NRF) network element (not shown in the figure), network exposure function (NEF) network element (not shown in the figure), application function (AF) network element, policy control function (PCF) network element, access and mobility management function (AMF) network element, session management function (SMF) network element, user plane function (UPF) network element, and binding support function (BSF) network element (not shown in the figure).
  • AUSF authentication server function
  • UDM unified data management
  • UDR unified data repository
  • the terminal equipment can be user equipment (UE), mobile station, mobile terminal equipment, etc.
  • Terminal devices can be widely used in various scenarios, such as device-to-device (D2D), vehicle to everything (V2X) communication, machine-type communication (MTC), and the Internet of Things (internet of things, IOT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grid, smart furniture, smart office, smart wear, smart transportation, smart city, etc.
  • Terminal devices can be mobile phones, tablets, computers with wireless transceiver functions, wearable devices, vehicles, urban air vehicles (such as drones, helicopters, etc.), ships, robots, robotic arms, smart home devices, etc.
  • Long-term keys and related functions are stored in the terminal device. When the terminal device performs two-way authentication with core network elements (such as AMF network elements and AUSF network elements), it will use long-term keys and related functions to verify the authenticity of the network.
  • core network elements such as AMF network elements and AUSF network elements
  • the access network equipment may be a wireless access network equipment (RAN equipment) or a wired access network equipment.
  • wireless access network equipment includes 3GPP access network equipment, untrusted non-3GPP access network equipment and trusted non-3GPP access network equipment.
  • 3GPP access network equipment includes but is not limited to: evolved base stations (evolved NodeB, eNodeB) in LTE, next generation base stations (next generation NodeB, gNB) in 5G mobile communication systems, base stations in future mobile communication systems, or modules or units that complete part of the base station functions, such as centralized units (CU), distributed units (DU), etc.
  • Untrusted non-3GPP access network equipment includes but is not limited to: untrusted non-3GPP access gateways or N3IWF equipment, untrusted wireless local area network (WLAN) access points (access point, AP), switches, and routers.
  • Trusted non-3GPP access network equipment includes but is not limited to: trusted non-3GPP access gateways, trusted WLAN APs, switches, and routers.
  • Wired access network equipment includes but is not limited to: wired access gateway, fixed telephone network equipment, switches, and routers.
  • Access network equipment and terminal equipment can be fixed-position or movable. Access network equipment and terminal equipment can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed on planes, balloons and satellites in the sky. The embodiments of this application do not limit the application scenarios of access network equipment and terminal equipment.
  • AMF network elements include functions such as mobility management and access authentication/authorization. In addition, it is also responsible for transmitting user policies between the terminal device and the PCF.
  • SMF network elements include functions such as performing session management, executing control policies issued by PCF network elements, selecting UPF network elements, or allocating Internet Protocol (IP) addresses of terminal devices.
  • IP Internet Protocol
  • the UPF network element includes functions such as user plane data forwarding, session/flow level-based billing statistics or bandwidth limitation.
  • UDM network elements include functions such as execution and management of contract data or user access authorization.
  • UDR includes access functions for executing contract data, policy data or application data.
  • NEF network element is used to support the opening of capabilities and events.
  • AF network element transmits the requirements from the application side to the network side, such as QoS requirements or user status event subscriptions.
  • AF can be a third-party functional entity or an application service deployed by an operator, such as IP Multimedia Subsystem (IMS) voice call service.
  • IMS IP Multimedia Subsystem
  • AF network elements include AF network elements within the core network (that is, the operator's AF network elements) and third-party AF network elements (such as an enterprise's application server).
  • the PCF network element includes policy control functions such as session and service flow level billing, QoS bandwidth guarantee, mobility management, or terminal device policy decision-making.
  • PCF network elements include access and mobility management policy control function (AM PCF) network elements and session management policy control function (session management PCF, SM PCF) network elements.
  • AM PCF access and mobility management policy control function
  • SM PCF session management policy control function
  • the AM PCF network element is used to formulate AM policies and user policies for terminal equipment.
  • the AM PCF network element can also be called the policy control network element that provides services for terminal equipment (PCF for a UE).
  • the SM PCF network element is used to formulate a session management policy (SM policy) for the session.
  • the SM PCF network element can also be called the policy control network element that provides services for the session (PCF for a PDU session).
  • NRF network elements can be used to provide network element discovery functions and provide network element information corresponding to network element types based on requests from other network elements. NRF network elements also provide network element management services, such as network element registration, update, de-registration, network element status subscription and push, etc.
  • the BSF network element can provide functions such as BSF service registration/unregistration/update, connection detection with NRF network elements, session binding information creation, terminal device information acquisition, or session binding information query for duplicate IP addresses.
  • the AUSF network element is responsible for authenticating users to determine whether users or devices are allowed to access the network.
  • DN is a network located outside the operator's network.
  • the operator's network can access multiple DNs.
  • a variety of services can be deployed on the DN, which can provide data and/or voice services to terminal devices.
  • DN is a private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • DN is the internal office network of a company.
  • the mobile phones or computers of employees of the company can be used as terminal devices.
  • the employees' mobile phones or computers can access information and data resources on the company's internal office network.
  • Npcf, Nudr, Nudm, Naf, Namf, and Nsmf are the service interfaces provided by the above-mentioned PCF, UDR, UDM, AF, AMF, and SMF respectively, and are used to call corresponding service operations.
  • N1, N2, N3, N4 and N6 are interface serial numbers. The meanings of these interface serial numbers are as follows:
  • N1 The interface between the AMF network element and the terminal device can be used to transmit non-access stratum (NAS) signaling (such as QoS rules from the AMF network element) to the terminal device.
  • NAS non-access stratum
  • N2 The interface between the AMF network element and the access network equipment, which can be used to transfer radio bearer control information and the like from the core network side to the access network equipment.
  • N3 The interface between the access network equipment and the UPF network element, mainly used to transmit uplink and downlink user plane data between the access network equipment and the UPF network element.
  • N4 The interface between the SMF network element and the UPF network element, which can be used to transfer information between the control plane and the user plane, including delivering user-oriented forwarding rules, QoS rules and traffic statistics rules from the control plane, and reporting user plane information.
  • N6 The interface between the UPF network element and the DN, used to transmit the uplink and downlink user data flows between the UPF network element and the DN.
  • Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • the interfaces between the control plane network elements in Figure 2 are service-oriented interfaces, while the interfaces between the control plane network elements in Figure 3 are point-to-point interfaces.
  • N1, N2, N3, N4 and N6 interfaces can refer to the previous description.
  • N5 The interface between the AF network element and the PCF network element, which can be used to deliver application service requests and report network events.
  • N7 The interface between the PCF network element and the SMF network element, which can be used to deliver PDU session granularity and service data flow granularity control policies.
  • N8 The interface between AMF network elements and UDM network elements, which can be used by AMF network elements to obtain access and mobility management-related subscription data and authentication data from UDM network elements, and by the AMF to register terminal device mobility management-related information with the UDM.
  • N9 The user plane interface between UPF network elements and UPF network elements, used to transmit uplink and downlink user data flows between UPF network elements.
  • N10 The interface between the SMF network element and the UDM network element, which can be used for the SMF network element to obtain session management-related contract data from the UDM network element, and for the SMF network element to register terminal device session-related information with UDM.
  • N11 The interface between the SMF network element and the AMF network element, which can be used to transfer PDU session tunnel information between the access network device and the UPF network element, to transfer control messages sent to the terminal device, and to transfer radio resource control information sent to the access network device.
  • N15 The interface between the PCF network element and the AMF network element, which can be used to deliver terminal device policies and access control-related policies.
  • N35 The interface between UDM network element and UDR network element, which can be used by UDM network element to obtain user subscription data information from UDR network element.
  • N36 The interface between PCF network element and UDR network element, which can be used by PCF network element to obtain policy-related contract data and application data-related information from UDR network element.
  • Figure 4 is an architectural diagram of adding AKMA related functions to the 5G network.
  • Figure 4 shows AKMA-related functions added to the 5G architecture shown in Figure 1.
  • AKMA-related functions can also be added to the 5G architecture shown in Figure 2. The principles are similar and will not be described again.
  • the AAnF network element is added in Figure 4.
  • the AAnF network element can request the AKMA root key (i.e., K AKMA ) from the AUSF, and then the AAnF network element determines, based on K AKMA , the application key (i.e., K AF ) used by the AF and the validity time of K AF .
  • K AKMA AKMA root key
  • K AF application key
  • the AF network element needs to interact with the AAnF network element to obtain K AF and the effective time of K AF .
  • the location of the AF network element can be inside the 5G core network or outside the 5G core network. If the AF network element is within the 5G core network, the AF network element can directly interact with the PCF network element. If the AF network element is outside the 5G core network, the AF network element can interact with the PCF network element via the NEF network element, that is, the NEF network element serves as the intermediate network element between the AF network element and the PCF network element.
  • the AUSF network element can generate K AKMA for the AAnF network element.
  • the above network elements or functions can be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • a platform for example, a cloud platform.
  • the above network element or function can be implemented by one device, or can be implemented by multiple devices together, or can be a functional module in one device, which is not specifically limited in the embodiments of this application.
  • the embodiment of the present application uses a UE as an example of a terminal device.
  • the UE described below can be replaced with a terminal device.
  • the AUSF network element, UDM network element, AMF network element, AAnF network element, AF network element, NEF network element, and NRF network element are respectively abbreviated as AUSF, UDM, AMF, AAnF, AF, NEF, and NRF.
  • FIG. 5 is a schematic diagram of a K AKMA generation method provided by an embodiment of the present application. The method includes the following steps:
  • Step 501 AUSF sends an authentication request message to UDM. Accordingly, UDM receives the authentication request message.
  • the authentication request message includes a Subscription Permanent Identifier (SUPI) or a Subscription Concealed Identifier (SUCI).
  • the authentication request message is used to request an authentication vector from the UDM.
  • the authentication vector is used to trigger the core network.
  • the AMF provides SUCI to the AUSF
  • the authentication request message includes the SUCI.
  • the authentication request message includes SUPI.
  • the authentication request message may be a Nudm_UEAuthentication_Get Request message.
  • Step 502 UDM sends an authentication response message to AUSF. Accordingly, the AUSF receives the authentication response message.
  • the authentication response message includes the authentication vector.
  • the authentication response message also contains AKMA indication information.
  • the UE supporting the AKMA service means that the UE has the AKMA capability and the UE's services can use AKMA.
  • the authentication response message may be a Nudm_UEAuthentication_Get Response message.
  • Step 503 if the AUSF receives the AKMA indication information from the UDM, the AUSF generates K AKMA and the AKMA key identifier (A-KID) based on the AUSF root key (K AUSF ) after the main authentication process is successfully completed.
  • A-KID is used to identify K AKMA .
  • A-KID is in Network Access Identifier (NAI) format, which is username@example.
  • the username part includes a routing identifier (RID) and an AKMA Temporary UE Identifier (A-TID).
  • RID is part of SUCI and is represented by 1 to 4 decimal digits.
  • A-TID is a temporary identification generated based on K AUSF .
  • the example part includes a home network identifier (HomeNetworkIdentifier); the home network identifier may specifically be the identification information of the home public land mobile network (Home Public Land Mobile Network Identifier, HPLMN ID).
  • this RID can be used by AMF to select AUSF.
  • AMF can select AUSF based on RID and HPLMN ID.
  • the RID can also be used by AUSF to select UDM.
  • AUSF selects UDM based on RID and HPLMN ID.
  • after the main authentication process, the UE also generates K AKMA and A-KID based on K AUSF in the same way as the AUSF.
  • Step 504 AUSF selects an AAnF and sends a key registration request message to the selected AAnF.
  • AAnF receives the key registration request message.
  • the key registration request message includes SUPI, A-KID and K AKMA .
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • Step 505 AAnF sends a key registration response message to AUSF.
  • AUSF receives the key registration response message.
  • the key registration response message may be a Naanf_AKMA_AnchorKey_RegisterResponse message.
  • Step 506 AUSF deletes K AKMA and A-KID.
  • the UE and AAnF generate the same K AKMA , which allows the UE and AF to subsequently use K AKMA to derive other keys.
  • FIG. 6 is a schematic diagram of a method of using K AKMA provided by an embodiment of the present application.
  • AF belongs to a network element in the 3GPP core network.
  • the method includes the following steps:
  • Step 601 the UE sends an Application Session Establishment Request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes the A-KID, and the A-KID is used by AAnF to find the K AKMA corresponding to the A-KID.
  • the A-KID is generated by the UE in the main authentication process and K AKMA generation process before step 601.
  • the main authentication process and the K AKMA generation process are the processes shown in Figure 5.
  • Step 602 AF sends an application key request message to AAnF. Accordingly, AAnF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • This A-KID comes from step 601.
  • This AFID is used to identify the AF.
  • the AF can select AAnF according to the RID of the UE.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • Step 603 AAnF obtains K AKMA based on A-KID, generates K AF based on K AKMA and AF ID, and determines the validity time of K AF .
  • AAnF obtains A-KID and the K AKMA corresponding to A-KID in the main authentication process and K AKMA generation process.
  • Step 604 AAnF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get Response message.
  • Step 605 The AF sends an Application Session Establishment Response message to the UE.
  • the UE receives the application session establishment response message.
  • in any step after the main authentication process and the K AKMA generation process, the UE also generates K AF and determines the validity time of K AF in the same way as the AAnF.
  • the UE and the AAnF determine the same K AF and the validity time of K AF based on K AKMA , and the AAnF sends K AF and the validity time of K AF to the AF. Subsequently, K AF can be used between the UE and the AF to encrypt the content transmitted between them, which helps to improve communication security.
  • FIG. 7 is a schematic diagram of a method of using K AKMA provided by an embodiment of the present application.
  • AF belongs to a network element outside the 3GPP core network.
  • the method includes the following steps:
  • Step 701 The UE sends an application session establishment request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes the A-KID, and the A-KID is used by AAnF to find the K AKMA corresponding to the A-KID.
  • the A-KID is generated by the UE in the main authentication process and K AKMA generation process before step 701.
  • the main authentication process and the K AKMA generation process are the processes shown in Figure 5.
  • Step 702 AF sends an application key request message to NEF. Accordingly, NEF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • This A-KID comes from step 701.
  • This AFID is used to identify the AF.
  • the application key request message may be a Nnef_AKMA_AFKey_Request message.
  • Step 703 NEF selects AAnF.
  • NEF can select AAnF according to the RID of the UE.
  • Step 704 NEF sends an application key request message to AAnF. Accordingly, AAnF receives the application key request message.
  • the application key request message includes A-KID and AF ID.
  • the application key request message may be a Naanf_AKMA_AFKey_Request message.
  • Step 705 AAnF obtains K AKMA based on A-KID, generates K AF based on K AKMA and AF ID, and determines the validity time of K AF .
  • AAnF obtains A-KID and the K AKMA corresponding to A-KID in the main authentication process and K AKMA generation process.
  • Step 706 AAnF sends an application key response message to NEF. Accordingly, NEF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Naanf_AKMA_AFKey_Response message.
  • Step 707 NEF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message includes K AF and the validity time of K AF .
  • the application key response message may be a Nnef_AKMA_AFKey_Response message.
  • Step 708 The AF sends an application session establishment response message to the UE.
  • the UE receives the application session establishment response message.
  • in any step after the main authentication process and the K AKMA generation process, the UE also generates K AF and determines the validity time of K AF in the same way as the AAnF.
  • the UE and the AAnF determine the same K AF and the validity time of K AF based on K AKMA , and the AAnF sends K AF and the validity time of K AF to the AF. Subsequently, K AF can be used between the UE and the AF to encrypt the content transmitted between them, which helps to improve communication security.
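The key hierarchy described in Figures 5, 6 and 7 (K AKMA and A-KID derived from K AUSF on both the UE and the AUSF, registered at the AAnF and then deleted by the AUSF, and K AF derived from K AKMA and the AF ID on request) is illustrated by the following added example. It is not code from the patent or from 3GPP: the SUPI, K AUSF, RID, PLMN identifiers, AF ID and K AF lifetime are constructed sample values, the KDF layout follows the TS 33.220 Annex B pattern, the FC values are assumed from TS 33.535 Annex A and should be verified against the specification, and the A-KID username layout and the hex rendering of the A-TID are assumptions of this example.

```python
"""Added illustration of the AKMA key hierarchy in Figures 5 to 7 (not the patent's code)."""
import hashlib
import hmac

# --- constructed sample input (not from the patent) ---------------------------
SUPI = "imsi-460010123456789"
K_AUSF = bytes.fromhex("0f" * 32)   # assumed 256-bit K_AUSF from primary authentication
RID = "0023"                        # routing identifier: 1 to 4 decimal digits of the SUCI
HPLMN_ID = "46001"                  # home network identifier, used as the realm of the A-KID
AF_ID = "app.example.com:ua-star"   # constructed AF identifier
K_AF_LIFETIME_S = 24 * 3600         # assumed operator policy for the K_AF validity time

# Assumed function codes (FC) for the three AKMA derivations; verify against TS 33.535 Annex A.
FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """K_AKMA from K_AUSF (step 503 on the AUSF, and the UE's own derivation)."""
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> str:
    """A-TID from K_AUSF; the hex rendering is an assumption of this example."""
    return kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode()).hex()


def build_a_kid(rid: str, a_tid: str, hplmn_id: str) -> str:
    """NAI format username@realm; the username carries RID and A-TID (separator layout assumed)."""
    return f"{rid}.{a_tid}@{hplmn_id}"


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """K_AF from K_AKMA and the AF ID (step 603 / 705 on the AAnF, and on the UE)."""
    return kdf(k_akma, FC_K_AF, af_id.encode())


class AAnF:
    """AKMA anchor function: keeps K_AKMA per A-KID and answers application key requests."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[str, bytes]] = {}

    def anchor_key_register(self, supi: str, a_kid: str, k_akma: bytes) -> None:
        """Naanf_AKMA_AnchorKey_Register (step 504)."""
        self._keys[a_kid] = (supi, k_akma)

    def application_key_get(self, a_kid: str, af_id: str) -> tuple[bytes, int]:
        """Naanf_AKMA_ApplicationKey_Get (step 603); KeyError if the A-KID is unknown."""
        _supi, k_akma = self._keys[a_kid]
        return derive_k_af(k_akma, af_id), K_AF_LIFETIME_S


def ausf_register_and_forget(aanf: AAnF, supi: str, k_ausf: bytes, rid: str, hplmn: str) -> str:
    """AUSF side of Figure 5: derive K_AKMA and A-KID, register them, then delete them (step 506)."""
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid(rid, derive_a_tid(k_ausf, supi), hplmn)
    aanf.anchor_key_register(supi, a_kid, k_akma)
    del k_akma                          # the AUSF keeps no copy of K_AKMA after registration
    return a_kid


def select_aanf_by_rid(rid: str, aanf_table: dict, default: AAnF) -> AAnF:
    """AAnF selection by the UE's RID, as the AF (step 602) or the NEF (step 703) does."""
    return aanf_table.get(rid, default)


def run_flow() -> dict:
    """Figure 5 followed by Figure 6/7: UE and network independently arrive at the same K_AF."""
    aanf = AAnF()
    a_kid = ausf_register_and_forget(aanf, SUPI, K_AUSF, RID, HPLMN_ID)
    rid = a_kid.split(".")[0]                                     # RID taken from the A-KID
    chosen = select_aanf_by_rid(rid, {RID: aanf}, default=AAnF())
    net_k_af, lifetime = chosen.application_key_get(a_kid, AF_ID)  # what the AF receives
    ue_k_af = derive_k_af(derive_k_akma(K_AUSF, SUPI), AF_ID)      # the UE's local derivation
    return {"a_kid": a_kid, "match": ue_k_af == net_k_af, "lifetime": lifetime}


if __name__ == "__main__":
    print(run_flow())
```

The property worth checking is the one the text relies on: the AF never receives K AKMA, only K AF and its validity time, yet the UE, which never talks to the AAnF, computes the identical K AF from its own K AUSF; a different AF ID yields a different K AF, so one application cannot reuse another's key.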
  • Figure 8 is a schematic diagram of the AKMA roaming architecture provided in this embodiment.
  • when the UE is located in the VPLMN, the UE is in the roaming state regardless of whether the AF is located in the VPLMN or the HPLMN.
  • In another scenario (not shown in the figure), when the UE is located in the HPLMN and the AF is located in the VPLMN, the UE is also said to be in a roaming state. Therefore, in the embodiment of this application, the UE being in the roaming state specifically includes the following three situations:
  • the UE is located in the visited network (ie VPLMN), and the AF is located in the visited network (ie VPLMN).
  • the UE is located in the visited network (that is, VPLMN), and the AF is located in the home network (that is, HPLMN).
  • the UE is located in the home network (ie HPLMN) and the AF is located in the visited network (ie VPLMN).
  • the UE being located in the HPLMN means that the operator providing services to the UE is the operator with which the UE has a subscription.
  • the UE being located in the VPLMN means that the operator providing services to the UE is not the operator with which the UE has a subscription.
  • the AF is located in the HPLMN, which means that the AF has a contract with the HPLMN of the UE, or is pre-configured with relevant information connected to the HPLMN of the UE.
  • the relevant information is, for example, the NEF address information of the HPLMN of the UE.
  • the AF is located in the VPLMN, which means that the AF cannot directly interact with the HPLMN where the UE is located.
  • the AF has not signed a contract with the UE's HPLMN, or is not pre-configured with the relevant information for connecting to the UE's HPLMN, or the AF is only configured with the information of the PLMN where the AF is located.
  • the vAF communicating with the UE is located in the VPLMN. If the hAAnF generates the application key (i.e., K AF ) for secure communication between the UE and the vAF, then, since the vAF and the hAAnF belong to different PLMNs, the vAF may not be able to connect directly to the hAAnF, so the vAF is unable to request the application key from the hAAnF.
  • K AF application key
  • the hAF communicating with the UE is located in the HPLMN, and the UE is located in the VPLMN.
  • hAAnF can generate an application key (i.e. K_AF) for the hAF for secure communication between the UE and the hAF, but if the hAF and hAAnF cannot connect, hAAnF may not be able to provide the application key to the hAF.
  • in either case, the AF communicating with the UE may be unable to obtain the application key, so the content transmitted between the UE and the AF cannot be encrypted, and the communication is insecure.
  • an AAnF is selected in the visited network, and the AAnF is called a visited AAnF (vAAnF).
  • the vAAnF can serve as a transit node, forwarding the key request from AF to hAAnF, and forwarding the application key distributed by hAAnF to AF, so that AF can obtain the application key.
  • if the vAAnF itself has the function of distributing application keys, then the vAAnF can also distribute application keys to the AF (which can be the vAF or the hAF).
  • the embodiments of the present application can also solve the problem of key isolation between vAAnF and hAAnF.
  • Figure 9(a) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901a When the UE is in the roaming state, the first network element determines the selection parameters.
  • the first network element is NEF or AF.
  • the AF can determine whether the UE is in a roaming state. For example, the AF receives an application session establishment request message from the UE, and the application session establishment request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID'.
  • A-KID' is also called the first AKMA key identification
  • A-KID is also called the second AKMA key identification.
  • A-KID includes the information of RID, A-TID and HPLMN
  • A-KID' includes the information of RID, A-TID, HPLMN and VPLMN.
  • the information of HPLMN can be HPLMN ID, or other information that can identify HPLMN.
  • the information of the VPLMN can be the VPLMN ID, or other information that can identify the VPLMN. Therefore, the AF may determine that the UE is in the roaming state based on one or more of the UE's HPLMN information, the UE's VPLMN information (both received from the UE), or the information of the PLMN where the AF is located, where each piece of PLMN information can be a PLMN ID or other information that can identify the PLMN.
  • for example, if the AF receives the UE's VPLMN ID from the UE, the AF determines that the UE is in the roaming state. For another example, if the AF receives the UE's HPLMN ID from the UE, the AF compares the information of the PLMN where the AF is located with the UE's HPLMN ID. If the two are the same, the AF determines that the UE is in a non-roaming state; if they are different, the AF determines that the UE is in the roaming state. For another example, if the AF receives the HPLMN ID from the UE but does not receive the VPLMN ID from the UE, the AF determines that the UE is in a non-roaming state.
  • the AF can determine whether the UE is in the roaming state. When the UE is in the roaming state, the AF sends indication information to the NEF, and the indication information indicates that the UE is in the roaming state.
  • NEF can also determine whether the UE is in roaming state. For example, the UE sends an application session establishment request message to the AF, and the application session establishment request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID'. Then AF sends an application key request message to NEF.
  • the application key request message includes A-KID, or includes A-KID and VPLMN ID, or includes A-KID'; the NEF then uses one or more of the UE's HPLMN information, the UE's VPLMN information, or the information of the PLMN where the NEF is located to determine whether the UE is in the roaming state.
  • for example, if the NEF receives the VPLMN ID of the UE, the NEF determines that the UE is in the roaming state. For another example, if the NEF receives the HPLMN ID of the UE, the NEF compares the information of the PLMN where the NEF is located with the HPLMN ID of the UE. If the two are the same, the NEF determines that the UE is in a non-roaming state; if they are different, the NEF determines that the UE is in the roaming state. For another example, if the NEF receives the HPLMN ID but does not receive the VPLMN ID, the NEF determines that the UE is in a non-roaming state.
  • the selection parameters determined by the first network element include one or more of the routing identifier (RID) of the UE, the information of the HPLMN of the UE, the information of the VPLMN where the first network element is located, or the information of the VPLMN of the UE.
  • Step 902a The first network element sends a request message to the NRF. Accordingly, the NRF receives the request message.
  • the request message includes selection parameters.
  • Step 903a When the UE is in the roaming state, the NRF selects the vAAnF that provides services for the UE according to the selection parameters.
  • the method by which the NRF determines whether the UE is in the roaming state can refer to the aforementioned method used by the first network element, which will not be described again.
  • when the NRF stores an AAnF corresponding to the selection parameters, the NRF selects that AAnF as the vAAnF. Otherwise, when the NRF does not store an AAnF corresponding to the selection parameters, the NRF selects the default AAnF as the vAAnF.
  • Step 904a The NRF sends a response message to the first network element.
  • the first network element receives the response message.
  • the response message includes the vAAnF information, and the vAAnF information is used by the first network element to request from the vAAnF an application key (K_AF) for secure communication between the AF and the UE.
  • the information of the vAAnF may be identification information of the vAAnF, address information of the vAAnF or instance ID information of the vAAnF, etc., which is not limited in this application.
  • Step 905a The first network element sends a request message to vAAnF according to the vAAnF information. Accordingly, vAAnF receives the request message.
  • This request message requests an application key (K_AF) for secure communication between the AF and the UE.
  • if the vAAnF only serves as a transit node, the vAAnF sends the request message to hAAnF, hAAnF generates the application key and sends it to the vAAnF, and the vAAnF then sends the application key to the first network element. If the first network element is the NEF, the NEF further needs to send the application key to the AF.
  • if the vAAnF is capable of generating an application key, the vAAnF generates an application key based on the request message. In one implementation method, after the vAAnF receives the request message, it requests the AKMA root key from hAAnF, and hAAnF sends the latest AKMA root key (called K_AKMA*) to the vAAnF, so that the vAAnF generates, based on K_AKMA*, the application key for secure communication between the vAF and the UE. Optionally, the vAAnF also stores K_AKMA* to facilitate its subsequent use.
  • hAAnF can obtain K_AKMA* according to any of the following methods:
  • Method 1 hAAnF determines K_AKMA* based on K_AKMA.
  • This K_AKMA can be used to generate application keys for secure communication between the hAF and the UE.
  • Method 2 hAAnF determines K_AKMA* based on K_AKMA and the HPLMN information of the UE and/or the VPLMN information of the UE.
  • Method 3 AUSF determines K_AKMA* based on the UE's VPLMN information, the SUPI and K_AUSF, and then AUSF sends K_AKMA* to hAAnF.
  • the first network element may also send indication information to the UE.
  • the indication information indicates that the UE is in the roaming state.
  • the indication information may be the information of the VPLMN where the first network element is located, or binary bit information, or enumerated bit information.
  • after the UE receives the indication information, the UE is triggered to generate K_AKMA*, which is the same as the K_AKMA* generated by the vAAnF or hAAnF. This helps the UE and the AF to use the same application key.
  • the NRF selects a vAAnF, which can not only serve as a transit node but also generate an application key for secure communication between the UE and the AF, so that the AF can correctly obtain the application key; the application key is then used to encrypt the communication content between the UE and the AF, which helps to improve communication security.
  • Figure 9(b) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901b hAAnF determines whether the UE is in roaming state.
  • the AUSF determines whether the UE is in the roaming state, and then the AUSF sends indication information to hAAnF.
  • the indication information indicates that the UE is in the roaming state.
  • hAAnF determines that the UE is in the roaming state based on the indication information.
  • hAAnF determines whether the UE is in a roaming state based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if hAAnF receives the VPLMN ID of the UE from the UE, hAAnF determines that the UE is in the roaming state. For another example, if hAAnF receives the HPLMN ID of the UE from the UE, hAAnF compares the information of the PLMN where hAAnF is located with the HPLMN ID of the UE. If the two are the same, hAAnF determines that the UE is in a non-roaming state; if they are different, hAAnF determines that the UE is in the roaming state.
  • for another example, if hAAnF receives the HPLMN ID of the UE from the UE, but does not receive the VPLMN ID of the UE from the UE, then hAAnF determines that the UE is in a non-roaming state.
  • Step 902b When the UE is in the roaming state, hAAnF determines the first AKMA root key (also called K_AKMA*) based on the second AKMA root key (also called K_AKMA).
  • K_AKMA* is used to determine the first application key, which is used for secure communication between the UE and the visited AF (i.e. vAF).
  • K_AKMA is used to determine the second application key, which is used for secure communication between the UE and the home AF (i.e. hAF).
  • hAAnF determines K_AKMA* based on K_AKMA and the HPLMN information of the UE and/or the VPLMN information of the UE.
  • hAAnF can actively send K_AKMA* to the vAAnF, or hAAnF receives a request message from the vAAnF requesting the AKMA root key, in which case hAAnF sends K_AKMA* to the vAAnF based on the request message.
  • after the vAAnF receives K_AKMA*, it can generate the first application key based on K_AKMA* and then send the first application key to the vAF. Subsequently, the first application key is used for encrypted communication between the UE and the vAF.
  • hAAnF can store K_AKMA*.
  • after hAAnF determines that the UE is in the roaming state, it can generate the AKMA root key for the vAAnF and send it to the vAAnF for the vAAnF's use, thereby achieving key isolation between different AAnFs: the vAAnF and hAAnF use different AKMA root keys, which helps ensure key security and thereby improves communication security.
  • Figure 9(c) is a schematic flowchart of a communication method provided by an embodiment of the present application. The method includes the following steps:
  • Step 901c AUSF determines whether the UE is in roaming state.
  • the AUSF determines whether the UE is in a roaming state based on the UE's HPLMN information and/or the UE's VPLMN information. For example, if the AUSF receives the VPLMN ID of the UE from the UE, the AUSF determines that the UE is in the roaming state. For another example, if the AUSF receives the UE's HPLMN ID from the UE, the AUSF compares the information of the PLMN where the AUSF is located with the UE's HPLMN ID. If the two are the same, the AUSF determines that the UE is in a non-roaming state; if they are different, the AUSF determines that the UE is in the roaming state.
  • for another example, if the AUSF receives the HPLMN ID of the UE from the UE, but does not receive the VPLMN ID of the UE from the UE, the AUSF determines that the UE is in a non-roaming state.
  • Step 902c When the UE is in the roaming state, the AUSF determines the AKMA root key (K_AKMA*) based on the VPLMN information of the UE.
  • K_AKMA* is used to determine the application key, which is used for secure communication between the UE and the visited AF (i.e. vAF).
  • AUSF determines K_AKMA* based on the UE's VPLMN information, the UE's SUPI and K_AUSF.
  • AUSF can store K_AKMA*.
  • AUSF can also send K_AKMA* to hAAnF, so that subsequently hAAnF can actively send K_AKMA* to the vAAnF, or hAAnF receives a request message from the vAAnF requesting the AKMA root key, in which case hAAnF sends K_AKMA* to the vAAnF based on the request message.
  • after the vAAnF receives K_AKMA*, it can generate the first application key based on K_AKMA* and then send the first application key to the vAF. Subsequently, the first application key is used for encrypted communication between the UE and the vAF.
  • after the AUSF determines that the UE is in the roaming state, it can generate the AKMA root key and send the AKMA root key to the vAAnF via hAAnF.
  • the AKMA root key is used by the vAAnF, thereby achieving key isolation between different AAnFs, that is, the vAAnF and hAAnF use different AKMA root keys, which helps ensure key security and thereby improves communication security.
  • FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • AF is a network element located in the 5G core network. The method includes the following steps:
  • Step 1000 Pre-configure the PLMN information on the AF.
  • the information of the PLMN where the AF is located refers to the information of the PLMN that the AF can connect to.
  • the PLMN information can be one or more, which means that the AF can access one or more PLMNs.
  • the information of the PLMN may be the information of the network elements of the corresponding PLMN, such as the address information of the NEF in the PLMN, the address information of the AAnF, or the address information of other core network elements such as the AMF.
  • the AF may be the AF of the visited network (also called visited AF or vAF) or the AF of the home network (also called home AF or hAF). Specifically, when the AF cannot connect to the HPLMN subscribed by the UE, it is said that the AF is the AF of the visited network. When the AF can be connected to the HPLMN subscribed by the UE, the AF is called the AF of the home network.
  • for the AF of the visited network, the information of the PLMN can be the VPLMN ID; for the AF of the home network, the information of the PLMN can be the HPLMN ID.
  • Step 1001 The UE sends an application session establishment request message to the AF.
  • the AF receives the application session establishment request message.
  • the application session establishment request message includes A-KID, which includes RID, HPLMN ID and A-TID.
  • the application session establishment request message includes the A-KID but does not include the VPLMN ID of the visited network where the UE is located.
  • In another method, if the UE is currently located in a visited network, the UE also sends the VPLMN ID of the visited network where the UE is located to the AF.
  • the methods for the UE to send the VPLMN ID to the AF include but are not limited to:
  • Method 1 Include the VPLMN ID in the application session establishment request message, that is, the VPLMN ID and A-KID are carried side by side in the application session establishment request message.
  • Method 2 The UE sends a separate message to the AF, which is a message different from the application session establishment request message.
  • the message includes the VPLMN ID.
  • Method 3 Add a VPLMN field to the A-KID of the application session establishment request message.
  • if the UE is located in a visited network, the VPLMN field includes the VPLMN ID; otherwise, the VPLMN field is set to the default value.
  • A-KID with the new VPLMN field will be called A-KID' below.
  • since the UE generates A-KID', the AUSF also needs to generate the same A-KID'. Therefore, when generating A-KID', the AUSF needs to determine whether it has received the VPLMN ID. If the AUSF has received the VPLMN ID, the AUSF puts the VPLMN ID in the VPLMN field of A-KID'. If the VPLMN ID has not been received, the AUSF sets the VPLMN field of A-KID' to the default value. The UE generates A-KID' before step 1001.
  • the AUSF obtains the VPLMN ID according to the following method: when the UDM determines that the UE is located in the visited network and the UE can use the AKMA service, the UDM sends the UE's VPLMN ID to the AUSF.
  • Step 1002 AF determines whether the UE is in roaming state.
  • This step is optional.
  • the UE being in the roaming state specifically includes the three situations described above; for details, refer to the foregoing description.
  • the AF determines whether the information of the PLMN where the AF is located matches the HPLMN ID in the A-KID sent by the UE. If they are the same, it is determined that the UE is not in the roaming state; if they are different, it is determined that the UE is in the roaming state. Here "same" specifically means "includes": if the HPLMN ID sent by the UE is included in the information of the PLMN where the AF is located, the UE is not in the roaming state; if the HPLMN ID sent by the UE is not included in the information of the PLMN where the AF is located, the UE is in the roaming state.
  • the method for the AF to determine whether the UE is in the roaming state includes but is not limited to the following method 1 and Method 2.
  • Method 1 The AF determines whether the UE has sent the VPLMN ID to the AF. If the UE has sent the VPLMN ID to the AF, the AF determines that the UE is in the roaming state. If the UE has not sent the VPLMN ID to the AF, the AF further determines whether the information of the PLMN where the AF is located is the same as the HPLMN ID sent by the UE. If they are the same, it is determined that the UE is not in the roaming state; if they are different, it is determined that the UE is in the roaming state.
  • when the newly added VPLMN field is set to the default value, in step 1002 the AF determines that the VPLMN field is the default value and then determines that the UE is not in the roaming state.
  • if the newly added VPLMN field is not the default value, for example it is set to the information of the PLMN where the AF is located, then in step 1002 the AF determines that the UE is in the roaming state.
  • Method 2 The AF compares the information of the pre-configured PLMN where the AF is located with the HPLMN ID in A-KID or A-KID'. If they are the same, the AF determines that the UE is not in roaming state. If they are different, the AF determines that the UE is in roaming state.
  • Step 1003 AF determines selection parameters.
  • This selection parameter is also called the parameter for selecting AAnF.
  • if step 1002 is not performed, that is, the AF does not need to determine whether the UE is in a roaming state, the selection parameters determined by the AF include the RID, or include the RID and HPLMN ID, or include the RID, HPLMN ID and VPLMN ID.
  • if step 1002 is performed, that is, the AF needs to determine whether the UE is in a roaming state: when the UE is not in the roaming state, the selection parameters determined by the AF include the RID; when the UE is in the roaming state, the selection parameters determined by the AF include one or more of the HPLMN ID, VPLMN ID or RID.
  • optionally, the AF also generates indication information indicating that the UE is in the roaming state. It should be noted that in another implementation method, when the UE is in the roaming state, the selection parameters determined by the AF can also be empty, or understood as undetermined selection parameters.
  • Step 1004 AF sends a discovery request message to the NRF. Accordingly, the NRF receives the discovery request message.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • the discovery request message includes AAnF type information and is used to request the information of an AAnF.
  • the AAnF information is used to connect to an AAnF, such as the AAnF's address information, the AAnF's instance ID information, etc.
  • the discovery request message also includes selection parameters.
  • the discovery request message also includes indication information indicating that the UE is in a roaming state.
  • Table 1 shows the selection parameters determined by the AF and the content carried in the discovery request message when step 1002 is not performed, that is, the AF does not need to determine whether the UE is in a roaming state.
  • Table 2 shows the selection parameters determined by the AF and the content carried in the discovery request message when performing step 1002, that is, when the AF needs to determine whether the UE is in a roaming state.
  • Step 1005 NRF determines that the UE is in roaming state, and selects vAAnF.
  • the NRF is the NRF in the visited network.
  • NRF selects AAnF based on the parameters carried in step 1004.
  • Scenario 1 When the above step 1002 is not executed, there are three implementation methods for the parameters carried in the discovery request message of step 1004. The three different methods in Table 1 are described below.
  • when the discovery request message in step 1004 carries only the RID, one possible implementation method is: the NRF first determines whether the UE is in a roaming state. If the UE is in the roaming state, the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is the vAAnF; if not, it determines that the default AAnF is the vAAnF.
  • another possible implementation method is: the NRF first determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is the vAAnF. If not, the NRF determines whether the UE is in the roaming state, and if the UE is in the roaming state, determines that the default AAnF is the vAAnF.
  • another possible implementation method is: the NRF first determines whether the UE is in a roaming state, and if the UE is in a roaming state, determines that the default AAnF is the vAAnF.
  • when the discovery request message in step 1004 carries the RID and HPLMN ID, the NRF first determines whether the UE is in the roaming state. Specifically, the NRF can determine whether the UE is in the roaming state based on the HPLMN ID. If the UE is in the roaming state, the NRF determines whether an AAnF corresponding to the RID and/or HPLMN ID is stored in the NRF. If so, it determines that the AAnF is the vAAnF; if not, it determines that the default AAnF is the vAAnF.
  • when the discovery request message in step 1004 carries the RID, HPLMN ID and VPLMN ID, the NRF first determines whether the UE is in the roaming state. If the UE is in the roaming state, the NRF determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, the AAnF is determined to be the vAAnF; if not, the default AAnF is determined to be the vAAnF.
  • the method for the NRF to determine whether the UE is in the roaming state can be: the NRF compares the PLMN information of the NRF with the HPLMN ID of the UE. If they are the same, the UE is not in the roaming state; if they are different, the UE is in the roaming state.
  • Scenario 2 When executing the above step 1002.
  • when step 1002 is executed, there are at least seven implementation methods for the parameters carried in the discovery request message of step 1004. The seven different methods in Table 2 are described below.
  • when it is determined in step 1002 that the UE is not in the roaming state, and the discovery request message in step 1004 carries the RID, the NRF first determines that the UE is not in the roaming state, and then the NRF determines whether an AAnF corresponding to the RID is stored in the NRF. If so, that AAnF is selected; if not, the default AAnF is selected.
  • the method for the NRF to determine that the UE is not in the roaming state can refer to the method in the above scenario 1. It should be noted that in this scenario, since the UE is not in a roaming state, the NRF does not need to determine vAAnF, but only determines an AAnF, which can be understood as hAAnF.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID, one possible implementation method is: the NRF first determines whether the UE is in the roaming state. If the UE is in the roaming state, the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is the vAAnF; if not, it determines that the default AAnF is the vAAnF.
  • another possible implementation method is: the NRF first determines whether the AAnF corresponding to the RID is stored in the NRF. If so, it determines that the AAnF is the vAAnF. If not, the NRF determines whether the UE is in the roaming state, and if the UE is in the roaming state, the default AAnF is determined to be the vAAnF.
  • another possible implementation method is: the NRF first determines whether the UE is in a roaming state, and if the UE is in a roaming state, determines that the default AAnF is the vAAnF. The method for the NRF to determine that the UE is in the roaming state may refer to the method in the above scenario 1.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID and indication information, the NRF first determines that the UE is in the roaming state based on the received indication information, and then the NRF determines whether the AAnF corresponding to the RID is stored in the NRF. If so, that AAnF is determined to be the vAAnF; if not, the default AAnF is determined to be the vAAnF.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the HPLMN ID and/or VPLMN ID, the NRF first determines, based on the received HPLMN ID and/or VPLMN ID, that the UE is in the roaming state. The NRF then determines whether an AAnF corresponding to the HPLMN ID and/or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be the vAAnF; if not, the default AAnF is determined to be the vAAnF.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID as well as the HPLMN ID and/or VPLMN ID, the NRF first determines, based on the received HPLMN ID and/or VPLMN ID, that the UE is in the roaming state. The NRF then determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be the vAAnF; if not, the default AAnF is determined to be the vAAnF.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries the RID, the HPLMN ID and/or VPLMN ID, and indication information, the NRF first determines, based on the received indication information, that the UE is in the roaming state. The NRF then determines whether an AAnF corresponding to at least one of the RID, HPLMN ID or VPLMN ID is stored in the NRF. If so, that AAnF is determined to be the vAAnF; if not, the default AAnF is determined to be the vAAnF.
  • when it is determined in step 1002 that the UE is in the roaming state, and the discovery request message in step 1004 carries only indication information, the NRF first determines that the UE is in the roaming state based on the received indication information. The NRF then determines that the default AAnF is the vAAnF.
  • if the vAAnF needs to save the AKMA security context, the NRF needs to ensure that the vAAnF selected each time is the same. Otherwise, if the vAAnF is only used as a transit node and does not need to save the AKMA security context, the NRF can select any AAnF as the vAAnF.
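The step 1002 roaming check at the AF and the step 1005 vAAnF selection at the NRF, as an added Python example that is not the patent's code; the A-KID' representation, the default value of the VPLMN field, the NRF registry layout and all sample identifiers are assumptions constructed here.

```python
"""AF roaming determination (step 1002) and NRF vAAnF selection (step 1005).
Added example, not the patent's code; data shapes and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VPLMN_DEFAULT = "default"  # assumed encoding of the VPLMN field's "default value"


@dataclass(frozen=True)
class AKIDPrime:
    """A-KID' = RID, A-TID, HPLMN ID plus the added VPLMN field (constructed shape)."""
    rid: str
    a_tid: str
    hplmn_id: str
    vplmn_id: str = VPLMN_DEFAULT


def af_is_roaming(af_plmn_ids: Set[str], akid: AKIDPrime,
                  separate_vplmn_id: Optional[str] = None) -> bool:
    """Step 1002, Method 1. A VPLMN ID from the UE (side by side, in a separate message,
    or as a non-default VPLMN field of A-KID') means roaming. Otherwise the AF compares
    its pre-configured PLMN information with the HPLMN ID, where "same" means the HPLMN
    ID is *included* in the AF's PLMN information (step 1000 allows several PLMNs)."""
    if separate_vplmn_id is not None or akid.vplmn_id != VPLMN_DEFAULT:
        return True
    return akid.hplmn_id not in af_plmn_ids


@dataclass(frozen=True)
class DiscoveryRequest:
    """Selection parameters carried in Nnrf_NFDiscovery_Request (step 1004)."""
    rid: Optional[str] = None
    hplmn_id: Optional[str] = None
    vplmn_id: Optional[str] = None
    roaming_indication: bool = False


@dataclass
class NRF:
    """Visited-network NRF holding the AAnFs registered against each selection parameter."""
    plmn_id: str
    default_aanf: str
    by_rid: Dict[str, str] = field(default_factory=dict)
    by_hplmn: Dict[str, str] = field(default_factory=dict)
    by_vplmn: Dict[str, str] = field(default_factory=dict)

    def ue_is_roaming(self, req: DiscoveryRequest) -> Optional[bool]:
        """Indication or a carried VPLMN ID means roaming; an HPLMN ID is compared with
        the NRF's own PLMN. With a bare RID the page gives no basis, so return None."""
        if req.roaming_indication or req.vplmn_id is not None:
            return True
        if req.hplmn_id is not None:
            return req.hplmn_id != self.plmn_id
        return None

    def select_aanf(self, req: DiscoveryRequest) -> str:
        """Step 1005. Non-roaming: the AAnF registered for the RID (hAAnF) or the default.
        Roaming: the first AAnF registered for at least one of RID, HPLMN ID or VPLMN ID,
        else the default vAAnF. The fixed lookup order makes the choice repeatable, as
        required when the vAAnF keeps the AKMA security context."""
        roaming = self.ue_is_roaming(req)
        if roaming is False:
            return self.by_rid.get(req.rid, self.default_aanf)
        if roaming is None:
            raise ValueError("cannot decide the roaming state from the RID alone")
        for table, key in ((self.by_rid, req.rid), (self.by_hplmn, req.hplmn_id),
                           (self.by_vplmn, req.vplmn_id)):
            if key is not None and key in table:
                return table[key]
        return self.default_aanf


# Constructed sample values: a UE of home PLMN "H" roaming in visited PLMN "V".
HOME_AKID = AKIDPrime(rid="rid-7", a_tid="tid-42", hplmn_id="H")
ROAMING_AKID = AKIDPrime(rid="rid-7", a_tid="tid-42", hplmn_id="H", vplmn_id="V")
VISITED_NRF = NRF(plmn_id="V", default_aanf="aanf-v-default",
                  by_rid={"rid-7": "aanf-v-1"}, by_hplmn={"H": "aanf-v-2"})


def demo() -> dict:
    """Walk the roaming and non-roaming cases through the AF and the visited NRF."""
    vaf_plmns = {"V"}        # a vAF only knows the visited PLMN (step 1000)
    haf_plmns = {"H", "V"}   # an hAF can reach the UE's HPLMN
    return {
        "vaf_sees_roaming": af_is_roaming(vaf_plmns, HOME_AKID),
        "haf_sees_roaming": af_is_roaming(haf_plmns, HOME_AKID),
        "field_marks_roaming": af_is_roaming(haf_plmns, ROAMING_AKID),
        "rid_hit": VISITED_NRF.select_aanf(DiscoveryRequest(rid="rid-7", hplmn_id="H")),
        "hplmn_hit": VISITED_NRF.select_aanf(DiscoveryRequest(rid="rid-9", hplmn_id="H")),
        "default": VISITED_NRF.select_aanf(DiscoveryRequest(hplmn_id="X", vplmn_id="V")),
        "indication_only": VISITED_NRF.select_aanf(DiscoveryRequest(roaming_indication=True)),
    }


if __name__ == "__main__":
    print(demo())
```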
  • Step 1006 NRF sends a discovery response message to AF. Accordingly, the AF receives the discovery response message.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • the discovery response message includes vAAnF information.
  • Step 1007 AF sends an application key request message to vAAnF. Accordingly, vAAnF receives the application key request message.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • the application key request message includes AF ID and A-KID, and the A-KID includes RID, A-TID and HPLMN ID.
  • Optionally, the application key request message also includes the VPLMN ID.
  • the VPLMN ID in the application key request message may come from step 1001.
  • Alternatively, the AF can obtain the VPLMN ID from the AF itself, for example from the configuration information of the AF.
  • depending on the implementation, the application key request message can carry the VPLMN ID, or it does not need to carry the VPLMN ID.
  • In another method, the application key request message includes AF ID and A-KID', where A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID. This situation applies to the scenario where the message in step 1001 above carries A-KID'.
  • Step 1008 vAAnF sends an application key request message to hAAnF. Accordingly, hAAnF receives the application key request message.
  • the content in the application key request message is the same as the content in the application key request message in step 1007 above.
  • vAAnF selects hAAnF based on the RID in A-KID or the RID in A-KID'.
  • vAAnF also needs to confirm that the UE is in the roaming state before selecting hAAnF.
  • the method for vAAnF to determine that the UE is in the roaming state is the same as the method for NRF to determine that the UE is in the roaming state. Please refer to the above description.
  • Step 1009 hAAnF determines K_AF and the validity time of K_AF, or determines K_AKMA*.
  • hAAnF determines K_AF and the validity time of K_AF. In the case where the vAAnF needs to store the AKMA security context, hAAnF instead obtains K_AKMA*.
  • the method for hAAnF to determine K_AF and the validity time of K_AF may refer to the description of the embodiment in Figure 6 or Figure 7.
  • specifically, after hAAnF determines that the UE is in the roaming state, hAAnF obtains K_AKMA*. In one possible implementation method, if hAAnF has already obtained K_AKMA*, it directly uses that K_AKMA*. In another possible implementation, if hAAnF has not yet generated K_AKMA*, hAAnF first generates K_AKMA*. K_AKMA* can be obtained from K_AKMA or from K_AUSF.
  • K_AKMA* = KDF(K_AKMA or K_AUSF, first parameter, second parameter). This embodiment does not limit the number of specific parameters in the first parameter and the second parameter, nor does it limit the order in which the first parameter and the second parameter are used.
  • either hAAnF generates K_AKMA* itself, or AUSF generates K_AKMA* and sends K_AKMA* to hAAnF, so that hAAnF can obtain K_AKMA*.
  • the methods for generating K_AKMA* by AUSF or hAAnF include but are not limited to:
  • Method 1 hAAnF determines KAKMA * based on VPLMN ID and KAKMA .
  • VPLMNID is the first parameter number.
  • the second parameter can be other content or is not required. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • hAAnF can obtain the VPLMN ID from AUSF.
  • hAAnF receives the Naanf_AKMA_AnchorKey_Registerrequest message from AUSF, which includes the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from the UE, for example, hAAnF receives the A-KID' from the UE, and the A-KID' contains the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from AF.
  • hAAnF receives the Naanf_AKMA_ApplicationKey_Getservice Request message from AF, which contains the VPLMN ID.
  • Method 2: hAAnF determines K_AKMA* based on the VPLMN ID, the HPLMN ID and K_AKMA.
  • the VPLMN ID is the first parameter or the second parameter.
  • the HPLMN ID is the second parameter or the first parameter.
  • hAAnF can obtain the VPLMN ID from AUSF. For example, hAAnF receives the Naanf_AKMA_AnchorKey_Register Request message from AUSF, which includes the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from the UE. For example, hAAnF receives the A-KID' from the UE, and the A-KID' contains the VPLMN ID.
  • hAAnF can obtain the VPLMN ID from AF. For example, hAAnF receives the Naanf_AKMA_ApplicationKey_Get service request message from AF, which contains the VPLMN ID.
  • hAAnF can obtain the HPLMN ID locally, for example from the configuration information of hAAnF.
  • hAAnF can obtain the HPLMN ID from the UE. For example, hAAnF receives the A-KID or A-KID' from the UE, and the A-KID or A-KID' contains the HPLMN ID.
  • Method 3: AUSF determines K_AKMA* based on the VPLMN ID, the SUPI and K_AUSF.
  • the VPLMN ID is the first parameter or the second parameter.
  • the SUPI is the second parameter or the first parameter.
  • Method 4: hAAnF determines K_AKMA* based on a counter value and K_AKMA.
  • the counter value needs to be automatically incremented by 1 every time it is used.
  • the first parameter is the counter value.
  • the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 5: hAAnF determines K_AKMA* based on a string and K_AKMA.
  • this embodiment does not limit the specific content of the string.
  • this string is recorded by the UE and hAAnF in advance.
  • the first parameter is the string, and the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 6: hAAnF determines K_AKMA* based on the discriminator and K_AKMA.
  • the discriminator can be a specific value, which is recorded by the UE and hAAnF in advance, for example 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 7: AUSF determines K_AKMA* based on a counter value and K_AKMA, or determines K_AKMA* based on a counter value and K_AUSF.
  • the counter value needs to be automatically incremented by 1 every time it is used.
  • the first parameter is the counter value.
  • the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 8: AUSF determines K_AKMA* based on a string and K_AKMA, or determines K_AKMA* based on a string and K_AUSF, and the string is recorded by the UE and AUSF in advance.
  • for example, the string "roaming" or the string "VPLMN".
  • this embodiment does not limit the specific content of the string.
  • the first parameter is the string, and the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 9: AUSF determines K_AKMA* based on the discriminator and K_AKMA.
  • the discriminator can be a specific value, which is recorded by the UE and AUSF in advance, such as 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 10: AUSF determines K_AKMA* based on the discriminator and K_AUSF.
  • the discriminator can be a specific value, which is recorded by the UE and AUSF in advance, such as 0x01.
  • the first parameter is the discriminator.
  • the second parameter can be other content, or it is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • Method 11: AUSF determines K_AKMA and K_AKMA* based on the discriminator and K_AUSF respectively.
  • the discriminator needs at least 2 values, which are used when generating K_AKMA and K_AKMA* respectively. These values are recorded by the UE and AUSF in advance. For example, 0x01 is used to generate K_AKMA when the UE is not in the roaming state, and 0x02 is used to generate K_AKMA* when the UE is in the roaming state.
  • the first parameter is the discriminator, and this embodiment does not limit whether the second parameter is used or the specific content of the second parameter.
  • Method 12: AUSF determines K_AKMA* based on a new FC value and K_AUSF. Specifically, AUSF uses the new FC value, "AKMA", the SUPI and K_AUSF to generate K_AKMA*.
  • FC values are currently defined in standard TS 33.220 v17.3.0. This embodiment does not limit the specific value of the new FC value.
  • the new FC value is the first parameter, and the second parameter can be other content or is not needed. This embodiment does not limit whether to use the second parameter or the specific content of the second parameter.
  • for AUSF, the VPLMN ID can come from UDM. For example, AUSF receives the Nudm_UEAuthentication_Get Response message from UDM, which contains the VPLMN ID.
  • alternatively, the VPLMN ID comes from AMF. For example, AUSF receives the Nausf_UEAuthentication_Authenticate Request message from AMF, which contains the VPLMN ID.
  • K_AKMA is used to generate the key required when the UE communicates with the AF of the home network (i.e. hAF).
  • K_AKMA* is used to generate the key required when the UE communicates with the AF of the visited network (i.e. vAF).
  • if AUSF generates K_AKMA*, the UE also generates K_AKMA* according to the method used by AUSF to generate K_AKMA*, that is, the UE and AUSF generate the same K_AKMA* according to the same method.
  • if hAAnF generates K_AKMA*, the UE also generates K_AKMA* according to the method used by hAAnF to generate K_AKMA*, that is, the UE and hAAnF generate the same K_AKMA* according to the same method.
  • the K_AKMA* generated by AUSF or hAAnF is used by vAAnF to generate an application key, and vAAnF then sends the application key to vAF, or of course to hAF.
  • the K_AKMA* generated by the UE is used by the UE to generate an application key, and the application keys generated by the UE and vAAnF are the same.
  • this application key is used for secure communication between the UE and vAF/hAF.
  • Step 1010: hAAnF sends an application key response message to vAAnF. Accordingly, vAAnF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • in a possible implementation, the application key response message includes K_AF and the validity time of K_AF.
  • in another possible implementation, the application key response message includes K_AKMA*.
  • Step 1011: vAAnF stores K_AKMA*, determines K_AF based on K_AKMA*, and determines the validity time of K_AF.
  • when the application key response message in step 1010 includes K_AF and the validity time of K_AF, step 1011 is not executed.
  • when the application key response message in step 1010 includes K_AKMA*, step 1011 is executed.
  • vAAnF determines K_AF based on K_AKMA*. For example, K_AF can be determined based on the AF ID and K_AKMA*.
  • Step 1012: vAAnF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF; K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Step 1013: the AF sends an application session establishment response message to the UE. Accordingly, the UE receives the application session establishment response message.
  • the application session establishment response message carries the VPLMN ID or indication information.
  • the VPLMN ID can come from the message in step 1001 above, or it can be obtained locally by the AF.
  • the indication information instructs the UE to use K_AKMA*, or indicates that the UE is in a roaming state, or indicates that the PLMN where the AF is located is different from the HPLMN of the UE.
  • Step 1014: the UE determines to use K_AKMA* or K_AKMA.
  • in a possible implementation, if the message in step 1013 does not carry indication information or a VPLMN ID, the UE determines to use K_AKMA. At this time, the UE does not generate K_AKMA*.
  • if the message in step 1013 carries indication information or a VPLMN ID, the UE determines to use K_AKMA*, and determines K_AKMA* according to the same method as in step 1009.
  • in another possible implementation, the UE can determine whether the PLMN where the AF is located is the same as the HPLMN of the UE. If they are different, the UE determines to use K_AKMA*; if they are the same, the UE determines to use K_AKMA.
  • in another possible implementation, if the UE determines that it is in the roaming state, the UE determines to use K_AKMA*.
  • the UE determines K_AF and the validity time of K_AF based on K_AKMA* or K_AKMA, and performs secure communication with the AF based on K_AF and the validity time of K_AF.
  • K_AKMA*, and the K_AF and validity time of K_AF generated based on K_AKMA*, are used in the scenario where the PLMN where the UE is located and the PLMN where the AF is located are different.
  • K_AKMA, and the K_AF and validity time of K_AF generated based on K_AKMA, are used in the scenario where the PLMN where the UE is located and the PLMN where the AF is located are the same.
  • the UE can generate K_AKMA* after step 1013, or the UE can generate K_AKMA* at any time in any step before step 1013. In the latter case, this embodiment does not limit the specific timing of generating K_AKMA*.
  • in a possible implementation, the UE first generates both K_AKMA* and K_AKMA in any step before step 1013. If the indication information or the VPLMN ID is received in step 1013, the UE determines to use K_AKMA* to determine K_AF and the validity time of K_AF, and uses that K_AF and validity time for secure communication with the AF. If neither the indication information nor the VPLMN ID is received in step 1013, the UE determines to use K_AKMA to determine K_AF and the validity time of K_AF, and uses that K_AF and validity time for secure communication with the AF.
  • in another possible implementation, the UE first generates only K_AKMA in any step before step 1013. If neither the indication information nor the VPLMN ID is received in step 1013, the UE uses K_AKMA to determine K_AF and the validity time of K_AF and uses them for secure communication with the AF. If the indication information or the VPLMN ID is received in step 1013, the UE determines to use K_AKMA*; if K_AKMA* has not been generated, the UE first generates K_AKMA*, then determines K_AF and the validity time of K_AF based on K_AKMA*, and uses them for secure communication with the AF.
  • in another possible implementation, the UE first generates only K_AKMA* in any step before step 1013. If neither the indication information nor the VPLMN ID is received in step 1013, the UE determines to use K_AKMA; if K_AKMA has not been generated, the UE first generates K_AKMA, then uses K_AKMA to determine K_AF and the validity time of K_AF, and uses them for secure communication with the AF. If the indication information or the VPLMN ID is received in step 1013, the UE determines to use K_AKMA*, determines K_AF and the validity time of K_AF according to K_AKMA*, and uses them for secure communication with the AF.
  • the UE can determine whether it needs to generate K_AKMA* or only generate K_AKMA according to its roaming state. Specifically, in one implementation, the UE compares the received PLMN ID with its own HPLMN ID; if they are different, the UE is in the roaming state. For example, the UE can receive the PLMN ID of the network where it is located from the broadcast message sent by the base station, and then compare that PLMN ID with the HPLMN ID in the UE's SUPI. If they are different, the UE is in the roaming state; if they are the same, the UE is not in the roaming state.
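As an added example that is not the patent's own code and not a 3GPP implementation, the following Python models the K_AKMA* derivation variants of step 1009 and the roaming checks and anchor-key selection of steps 1014 and 1105. It assumes a TS 33.220 Annex B style HMAC-SHA-256 KDF, placeholder FC values (the patent leaves the new FC value open), and parameter encodings chosen here for illustration.

```python
"""Added example, not code from the patent or from 3GPP: models the
K_AKMA* derivation variants of step 1009 and the UE/NEF roaming checks and
anchor-key selection of steps 1014 and 1105.

Assumptions: the KDF is the HMAC-SHA-256 construction of 3GPP TS 33.220
Annex B (S = FC || P0 || L0 || P1 || L1 ...); the FC values below are
placeholders, since the patent does not fix the new FC value; the byte
encodings of the parameters are also chosen here, not by the patent.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

FC_AKMA_STAR = 0x7F  # placeholder FC for the K_AKMA* derivation
FC_AF = 0x7E         # placeholder FC for the K_AF derivation


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B style KDF: HMAC-SHA-256(key, FC || P_i || L_i ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # L_i is the 2-byte length of P_i
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class AKID:
    """A-KID (vplmn_id is None) or A-KID' (vplmn_id set), as in the patent."""
    rid: str
    a_tid: str
    hplmn_id: str
    vplmn_id: Optional[str] = None


def derive_k_akma_star(k_akma: bytes, method: str, **kw) -> bytes:
    """K_AKMA* = KDF(K_AKMA, first parameter[, second parameter]).

    Covers the hAAnF-side parameter choices listed in the patent (Methods
    1, 2, 4, 5 and 6); where the patent allows either order of the first and
    second parameter, one fixed order is used here.
    """
    if method == "vplmn":            # Method 1: VPLMN ID
        params = (kw["vplmn_id"].encode(),)
    elif method == "vplmn_hplmn":    # Method 2: VPLMN ID and HPLMN ID
        params = (kw["vplmn_id"].encode(), kw["hplmn_id"].encode())
    elif method == "counter":        # Method 4: counter, incremented per use
        params = (kw["counter"].to_bytes(4, "big"),)
    elif method == "string":         # Method 5: pre-agreed string
        params = (kw["string"].encode(),)
    elif method == "discriminator":  # Method 6: pre-agreed value, e.g. 0x01
        params = (bytes([kw["discriminator"]]),)
    else:
        raise ValueError(f"unknown derivation method {method!r}")
    return kdf(k_akma, FC_AKMA_STAR, *params)


def derive_k_af(anchor_key: bytes, af_id: str) -> bytes:
    """K_AF from the AF ID and K_AKMA or K_AKMA* (patent step 1011)."""
    return kdf(anchor_key, FC_AF, af_id.encode())


def ue_is_roaming(serving_plmn_id: str, hplmn_id: str) -> bool:
    """UE-side check of step 1014: PLMN ID from the base station broadcast
    versus the HPLMN ID (MCC+MNC) carried in the UE's SUPI."""
    return serving_plmn_id != hplmn_id


def nef_is_ue_roaming(nef_plmn_id: str, akid: AKID) -> bool:
    """NEF-side check of step 1105: own PLMN ID versus the HPLMN ID in A-KID/A-KID'."""
    return nef_plmn_id != akid.hplmn_id


def ue_select_anchor_key(k_akma: bytes, k_akma_star: Optional[bytes],
                         indication: bool, vplmn_id: Optional[str]) -> tuple[str, bytes]:
    """Step 1014: use K_AKMA* only when the AF's session establishment
    response carried indication information or a VPLMN ID; otherwise K_AKMA."""
    if indication or vplmn_id is not None:
        if k_akma_star is None:
            raise ValueError("K_AKMA* requested by the network but not generated")
        return "K_AKMA*", k_akma_star
    return "K_AKMA", k_akma


if __name__ == "__main__":
    # Constructed sample values, not real keys or identifiers.
    k_akma = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    hplmn, vplmn = "00101", "00102"  # test PLMN IDs (MCC 001)
    if ue_is_roaming(serving_plmn_id=vplmn, hplmn_id=hplmn):
        k_star = derive_k_akma_star(k_akma, "vplmn_hplmn", vplmn_id=vplmn, hplmn_id=hplmn)
        name, anchor = ue_select_anchor_key(k_akma, k_star, False, vplmn)
        print(name, derive_k_af(anchor, "vaf.example").hex())
```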
  • a suitable vAAnF can be selected for the UE.
  • when the AF needs to determine whether the UE is in the roaming state, the AF sends different selection parameters to the NRF according to whether the UE is in the roaming state, and optionally also sends indication information, so that the NRF selects an appropriate vAAnF.
  • correspondingly, the selection logic of the NRF needs to be enhanced.
  • FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • AF is a network element located outside the 5G core network. The method includes the following steps:
  • Steps 1100 to 1103 are the same as steps 1000 to 1003 in the aforementioned embodiment of FIG. 10 .
  • step 1100, step 1102, and step 1103 are all optional steps.
  • if the NEF has the ability to determine whether the UE is in the roaming state, step 1102 may not be performed. If the NEF does not have the ability to determine whether the UE is in the roaming state, step 1102 is performed and the AF sends information indicating that the UE is in the roaming state to the NEF. For the information indicating that the UE is in the roaming state, please refer to the relevant description of step 1004.
  • Step 1104 AF sends an application key request message to NEF. Accordingly, NEF receives the application key request message.
  • the application key request message includes the AF ID, and also includes the A-KID or A-KID'.
  • this AF ID is used to identify the AF.
  • the A-KID includes RID, A-TID and HPLMN ID.
  • the A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID.
  • the application key request message may be a Nnef_AKMA_AFKey_Request message.
  • the NEF may be the NEF of the visited network (i.e. vNEF) or the NEF of the home network (i.e. hNEF).
  • the application key request message also includes indication information or a VPLMN ID.
  • the indication information indicates that the UE is in the roaming state.
  • the indication information may be binary indication information, enumeration type indication information, etc.
  • the VPLMN ID is also used to indicate that the UE is in the roaming state.
  • the application key request message of step 1104 also includes selection parameters.
  • the application key request message may or may not contain A-KID or A-KID'.
  • Step 1105 NEF determines whether the UE is in roaming state.
  • Step 1105 is an optional step. This step 1105 and the above-mentioned step 1102 are performed as an alternative.
  • step 1105 is similar to step 1102, except that the operations performed by AF in step 1102 need to be replaced by NEF.
  • the NEF can compare the identification information of the PLMN where the NEF is located with the HPLMN ID in the A-KID or the A-KID'. If the two are different, it is determined that the UE is in the roaming state. If they are the same, it is determined that the UE is not in the roaming state.
  • Step 1106 NEF determines selection parameters.
  • Step 1106 is an optional step. This step 1106 and the above-mentioned step 1103 are performed as an alternative.
  • step 1106 is similar to step 1103, except that the operations performed by AF in step 1103 need to be replaced by NEF.
  • Step 1107 NEF sends a discovery request message to NRF. Accordingly, the NRF receives the discovery request message.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • the discovery request message in step 1107 is the same message as the discovery request message in step 1004, that is, NEF forwards the discovery request message from AF.
  • the discovery request message in step 1107 and the discovery request message in step 1004 are different messages, but the two messages contain the same content.
  • Step 1108 NRF determines that the UE is in roaming state, and selects vAAnF according to the selection parameters.
  • step 1108 is the same as step 1005 in the aforementioned embodiment of FIG. 10 .
  • Step 1109 NRF sends a discovery response message to NEF. Accordingly, NEF receives the discovery response message.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • the discovery response message includes vAAnF information.
  • Step 1110 NEF sends an application key request message to vAAnF. Accordingly, vAAnF receives the application key request message.
  • the application key request message may be a Naanf_AKMA_ApplicationKey_Get_Request message.
  • the specific implementation of the application key request message is the same as the application key request message in step 1007 in the embodiment of FIG. 10 .
  • Steps 1111 to 1114 are the same as steps 1008 to 1011 in the aforementioned embodiment of FIG. 10 .
  • Step 1115 vAAnF sends an application key response message to NEF. Accordingly, NEF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF; K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Step 1116 NEF sends an application key response message to AF. Accordingly, the AF receives the application key response message.
  • the application key response message may be a Naanf_AKMA_ApplicationKey_Get_Response message.
  • the application key response message includes K_AF and the validity time of K_AF; K_AF and the validity time of K_AF are determined by hAAnF or vAAnF.
  • Steps 1117 to 1118 are the same as steps 1013 to 1014 in the aforementioned embodiment of FIG. 10 .
  • a suitable vAAnF can be selected for the UE.
  • NEF sends different selection parameters to the NRF according to whether the UE is in the roaming state, and optionally also sends indication information, so that the NRF selects an appropriate vAAnF.
  • the selection logic of the NRF needs to be enhanced.
  • the above solution also realizes the isolation of the AKMA security context between different PLMNs. That is, when vAAnF needs to store the AKMA key, hAAnF stores K_AKMA and vAAnF stores K_AKMA*, so that different AAnFs store different AKMA keys.
  • Figure 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • the relevant steps in Figure 12 involving hNRF, vNRF and vAAnF are optional steps. Specifically, in the case where vAAnF stores the AKMA security context, these steps need to be performed, otherwise these steps do not need to be performed.
  • in the embodiment of Figure 12, hAAnF actively sends K_AKMA* to vAAnF after determining that the UE is in the roaming state, whereas in the above embodiments of Figures 10 and 11, hAAnF sends K_AKMA* to vAAnF based on the request of vAAnF.
  • the method includes the following steps:
  • Step 1201 The main authentication process is completed between the UE and the AUSF.
  • This process may refer to the embodiment of FIG. 6 or FIG. 7 .
  • after completing the main authentication process between the UE and the AUSF, both the UE and the AUSF generate and store K_AKMA and A-KID.
  • Step 1202 AUSF determines whether the UE is in roaming state.
  • the AUSF sends an authentication request message to the UDM, and the authentication request message includes the UE's SUPI or SUCI.
  • UDM obtains the SNID from the serving network name (SN name) of the UE.
  • the SNID is the identification information of the PLMN where the AMF is located.
  • the AMF is the AMF of the network where the UE is currently located. Therefore, if the UE is in a VPLMN, the SNID is the VPLMN ID.
  • the UDM determines that the SNID is the VPLMN ID, it determines that the UE is in the roaming state, and then carries the VPLMN ID in the authentication response message sent to the AUSF. Therefore, the AUSF determines that the UE is in the roaming state based on the VPLMN ID in the authentication response message.
  • the AUSF compares the PLMN ID from the network where the AF is located with the HPLMN ID received from the UE. If they are the same, it is determined that the UE is not in the roaming state; if they are different, it indicates that the UE is in the roaming state.
  • the AUSF obtains the SNID from the AMF. If the UE is in VPLMN, the SNID is the VPLMN ID. When the AUSF determines that the SNID is the VPLMN ID, it determines that the UE is in the roaming state and saves the SNID.
  • Step 1203: when the UE is in the roaming state, the AUSF and the UE generate K_AKMA* or K_AKMA, and generate A-KID' or A-KID.
  • in the case where vAAnF does not need to store the AKMA security context, the UE generates K_AKMA and A-KID, or K_AKMA and A-KID'.
  • otherwise, the UE determines to generate K_AKMA* and A-KID', or K_AKMA* and A-KID. At the same time, the UE generates K_AKMA. Generating K_AKMA* and A-KID' is an optional step.
  • K_AKMA is identified by A-KID' or A-KID.
  • K_AKMA* is identified by A-KID' or A-KID.
  • A-KID can identify both K_AKMA and K_AKMA*; or A-KID only identifies K_AKMA and A-KID' only identifies K_AKMA*; or A-KID' identifies both K_AKMA and K_AKMA*.
  • A-KID includes RID, A-TID and HPLMN ID.
  • A-KID' includes RID, A-TID, HPLMN ID and VPLMN ID.
  • whether the AUSF/UE generates A-KID' has nothing to do with whether the UE is in roaming state. That is, AUSF/UE generates A-KID' regardless of whether the UE is in the roaming state, but whether the UE is in the roaming state will cause the content of the generated A-KID' to be different. Among them, if the UE is in roaming state, the VPLMN field in A-KID' is the VPLMN ID. If the UE is not in roaming state, the VPLMN field in A-KID' is the default value. Among them, AUSF can receive VPLMN ID from UDM or AMF. At this time, AUSF/UE no longer generates A-KID.
  • whether the AUSF/UE generates A-KID' is related to whether the UE is in roaming state. Specifically, if the UE is in the roaming state, the AUSF/UE generates A-KID', and the VPLMN field in A-KID' is the VPLMN ID. If the UE is not in roaming state, the AUSF generates A-KID.
  • AUSF may generate both A-KID and A-KID'. Then A-KID is used to identify K AKMA and A-KID' is used to identify K AKMA *. In the case where only A-KID is generated and A-KID' is not generated, A-KID is used to identify K AKMA * and K AKMA . Or, in the case where only A-KID' is generated and A-KID is not generated, A-KID' is used to identify K AKMA * and K AKMA .
  • Step 1204 AUSF sends a key registration request message to hAAnF. Accordingly, hAAnF receives the key registration request message.
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • in a possible implementation, the key registration request message includes SUPI, K_AKMA, A-KID, K_AKMA* and A-KID'; or includes SUPI, K_AKMA, A-KID and K_AKMA*; or includes SUPI, K_AKMA, K_AKMA* and A-KID'.
  • in another possible implementation, the key registration request message includes SUPI, K_AKMA and A-KID.
  • the key registration request message also includes roaming indication information.
  • the roaming indication information may be information about the VPLMN where the UE is located, that is, the VPLMN ID.
  • if K_AKMA* is not generated in step 1203, then when hAAnF determines that the UE is in the roaming state according to the roaming indication information, hAAnF generates K_AKMA* or A-KID' (i.e. step 1211).
  • the method for generating and implementing K AKMA * and A-KID' can be described with reference to the foregoing embodiments.
  • when vAAnF stores the AKMA security context and the AKMA security context needs to be sent to vAAnF in advance, some or all of the following steps 1205 to 1213 need to be performed. Otherwise, there is no need to perform steps 1205 to 1213.
  • Step 1205 hAAnF selects vAAnF.
  • This step is optional.
  • hAAnF can select vAAnF based on selection parameters (the selection parameters are also referred to as parameters for selecting vAAnF). Regarding different implementation methods of selecting vAAnF according to the selection parameters, reference may be made to the description in the embodiment of FIG. 10 .
  • if step 1205 is performed, there is no need to perform the following steps 1206 to 1209 and steps 1210a and 1210b. If step 1205 is not performed, the following steps 1206 to 1209 and steps 1210a and 1210b need to be performed.
  • Step 1206 hAAnF sends a discovery request message to hNRF. Accordingly, hNRF receives the discovery request message.
  • the discovery request message includes the VPLMN ID and selection parameters.
  • this selection parameter is also called the parameter for selecting vAAnF.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • Step 1207 hNRF selects vNRF based on VPLMN ID.
  • Step 1208 hNRF sends a discovery request message to vNRF. Accordingly, vNRF receives the discovery request message.
  • the discovery request message includes selection parameters.
  • the discovery request message may be an Nnrf_NFDiscovery_Request message.
  • Step 1209 vNRF selects vAAnF.
  • vNRF selects vAAnF according to the selection parameters. For details, please refer to the description of the embodiment in Figure 10.
  • Step 1210a vNRF sends a discovery response message to hNRF. Accordingly, hNRF receives the discovery response message.
  • the discovery response message includes vAAnF information.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • Step 1210b hNRF sends a discovery response message to hAAnF. Accordingly, hAAnF receives the discovery response message.
  • the discovery response message includes vAAnF information.
  • the discovery response message may be an Nnrf_NFDiscovery_Response message.
  • Step 1211 When the UE is in the roaming state, the UE and hAAnF generate K AKMA * or A-KID'.
  • if K_AKMA* is not generated in the above step 1203, and the UE does not generate K_AKMA* before executing step 1211, then K_AKMA* needs to be generated in step 1211.
  • the specific implementation method of generating K AKMA * is similar to step 1203.
  • if A-KID' is not generated in the above step 1203, and the UE does not generate A-KID' before executing step 1211, then A-KID' needs to be generated in step 1211.
  • the specific implementation method of generating A-KID' is similar to step 1203.
  • if step 1211 is executed, there is no order restriction between step 1211 and the foregoing steps. Step 1211 only needs to be executed before step 1212.
  • Step 1212 hAAnF sends a key registration request message to vAAnF. Accordingly, vAAnF receives the key registration request message.
  • the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
  • the key registration request message includes SUPI, K AKMA * and A-KID'.
  • Step 1213 vAAnF stores SUPI, K AKMA * and A-KID'.
  • if AUSF generates K_AKMA* or K_AKMA, the UE also generates K_AKMA* or K_AKMA according to the method used by AUSF, that is, the UE and the AUSF generate the same K_AKMA* or K_AKMA according to the same method.
  • if hAAnF generates K_AKMA* or K_AKMA, the UE also generates K_AKMA* or K_AKMA according to the method used by hAAnF, that is, the UE and hAAnF generate the same K_AKMA* or K_AKMA according to the same method.
  • K AKMA * generated by AUSF or hAAnF is used by vAAnF to generate an application key, and then vAAnF sends the application key to vAF, or of course to hAF.
  • the K AKMA * generated by the UE is used by the UE to generate an application key, and the application key generated by the UE and vAAnF is the same.
  • This application key is used for secure communication between UE and vAF/hAF.
  • in the above solution, AUSF or hAAnF generates K_AKMA* and A-KID' and actively sends them to vAAnF, so that vAAnF stores K_AKMA* and A-KID' and can subsequently use K_AKMA* to generate the security key (i.e. K_AF) for communication between the UE and the vAF, realizing key update when the UE is in the roaming state.
  • the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) includes hardware structures and/or software modules that perform the corresponding functions.
  • Figures 13 and 14 are schematic structural diagrams of possible communication devices provided by embodiments of the present application. These communication devices can be used to implement the functions of the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) in the above method embodiments, and can therefore also achieve the beneficial effects of the above method embodiments.
  • the communication device may be a network storage function network element (NRF), a first network element (such as AF, NEF), a terminal device (such as UE), a home AKMA anchor function network element (hAAnF), a visiting AKMA anchor function network element (vAAnF) or an authentication server function network element (AUSF), or may be a module (such as a chip) applied to one of them.
  • the communication device 1300 shown in FIG. 13 includes a processing unit 1310 and a transceiver unit 1320.
  • the communication device 1300 is used to implement the functions of the network storage function network element (NRF), the first network element (such as AF, NEF), the terminal device (such as UE), the home AKMA anchor function network element (hAAnF), the visiting AKMA anchor function network element (vAAnF) or the authentication server function network element (AUSF) in the above method embodiments.
  • when the communication device 1300 is used to implement the functions of the network storage function network element (NRF):
  • the transceiver unit 1320 is used to receive a request message from the first network element, where the request message includes a selection parameter; the processing unit 1310 is used to select, when the terminal device is in the roaming state and according to the selection parameter, the visiting AKMA anchor function network element that provides services for the terminal device; the transceiver unit 1320 is also used to send a response message to the first network element, where the response message contains information about the visiting AKMA anchor function network element.
  • the processing unit 1310 is specifically configured to: when the network storage function network element stores an AKMA anchor function network element corresponding to the selection parameter, select that AKMA anchor function network element as the visiting AKMA anchor function network element; or, when the network storage function network element does not store an AKMA anchor function network element corresponding to the selection parameter, select the default AKMA anchor function network element.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the received indication information.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the PLMN information of the network storage function network element and the HPLMN information of the terminal device.
  • the processing unit 1310 is used to determine the selection parameter when the terminal device is in the roaming state; the transceiver unit 1320 is used to send the selection parameter to the network storage function network element, where the selection parameter is used to select the visiting AKMA anchor function network element that serves the terminal device; receive the information of the visiting AKMA anchor function network element from the network storage function network element; and send a request message to the visiting AKMA anchor function network element according to that information, where the request message requests an application key for secure communication between the visited application function network element and the terminal device.
  • the processing unit 1310 is also configured to determine that the terminal device is in the roaming state based on one or more of the HPLMN information of the terminal device, the VPLMN information of the first network element, or the VPLMN information of the terminal device.
  • the processing unit 1310 is specifically configured to determine the selection parameter according to the first AKMA key identifier or the second AKMA key identifier; wherein the first AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device, the HPLMN information of the terminal device and the VPLMN information of the terminal device; the second AKMA key identifier includes the routing identifier of the terminal device, the AKMA temporary identifier of the terminal device and the HPLMN information of the terminal device.
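As an added illustration of the selection procedure in the preceding embodiments (example code, not part of the patent): a network storage function network element deciding the roaming state and selecting the visiting AAnF by selection parameter, with the default AAnF as fallback. The A-KID field layout, the selection-parameter encoding and all sample values are assumptions; the page lists only the fields each key identifier carries.

```python
# Added example (not the patent's own code): NRF-side selection of the visiting
# AKMA anchor function network element (vAAnF) for a roaming terminal device.
# The A-KID field layout and the selection-parameter encoding are assumptions;
# the page lists only the fields each key identifier carries. Sample values
# are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AkmaKeyId:
    routing_id: str              # routing identifier (RID) of the terminal device
    a_tid: str                   # AKMA temporary identifier (A-TID)
    hplmn: str                   # HPLMN information, e.g. "mcc460.mnc000" (constructed)
    vplmn: Optional[str] = None  # VPLMN information; present only in the "first" key id


def is_roaming(nrf_plmn: str, ue_hplmn: str, indication: Optional[bool] = None) -> bool:
    """Roaming is taken from an explicit indication when one was received;
    otherwise the NRF compares its own PLMN with the terminal device's HPLMN."""
    if indication is not None:
        return indication
    return nrf_plmn != ue_hplmn


def selection_parameter(key_id: AkmaKeyId) -> str:
    """Assumed encoding: the serving PLMN the vAAnF must belong to plus the RID,
    so a vAAnF of one visited network is never chosen for another."""
    serving_plmn = key_id.vplmn if key_id.vplmn is not None else key_id.hplmn
    return f"{serving_plmn}/rid{key_id.routing_id}"


def select_vaanf(registry: dict, default_aanf: str, key_id: AkmaKeyId,
                 nrf_plmn: str, indication: Optional[bool] = None) -> Optional[str]:
    """NRF behaviour from the text: when the terminal device is roaming, return the
    AAnF stored for the selection parameter, or the default AAnF when none is
    stored; when it is not roaming, no visiting AAnF is selected (None)."""
    if not is_roaming(nrf_plmn, key_id.hplmn, indication):
        return None
    return registry.get(selection_parameter(key_id), default_aanf)


# Constructed NRF registry: selection parameter -> AAnF instance identifier.
REGISTRY = {
    "mcc262.mnc001/rid12": "vaanf-262-001-a",
    "mcc262.mnc001/rid34": "vaanf-262-001-b",
}
DEFAULT_AANF = "vaanf-262-001-default"


def demo() -> dict:
    home = AkmaKeyId("12", "tid-7f3a", "mcc460.mnc000")
    roaming = AkmaKeyId("12", "tid-7f3a", "mcc460.mnc000", vplmn="mcc262.mnc001")
    unknown_rid = AkmaKeyId("99", "tid-0001", "mcc460.mnc000", vplmn="mcc262.mnc001")
    return {
        "not_roaming": select_vaanf(REGISTRY, DEFAULT_AANF, home, "mcc460.mnc000"),
        "matched": select_vaanf(REGISTRY, DEFAULT_AANF, roaming, "mcc262.mnc001"),
        "fallback": select_vaanf(REGISTRY, DEFAULT_AANF, unknown_rid, "mcc262.mnc001"),
        "indicated": select_vaanf(REGISTRY, DEFAULT_AANF, home, "mcc460.mnc000", indication=True),
    }
```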
  • the processing unit 1310 is used to determine whether the terminal device is in a roaming state; when the terminal device is in the roaming state, determine the first AKMA root key, where the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visiting application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device, where the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the processing unit 1310 is specifically configured to determine the AKMA root key based on the VPLMN information of the terminal device, the user permanent identity SUPI of the terminal device, and the authentication server function root key.
  • the processing unit 1310 is also configured to determine that the terminal device is in a roaming state based on the received indication information.
  • the transceiver unit 1320 is used to receive the AKMA root key from the home AKMA anchor function network element; the processing unit 1310 is used to determine, according to the AKMA root key, the application key used for secure communication between the visiting application function network element and the terminal device.
  • the processing unit 1310 is used to obtain the first AKMA root key; the transceiver unit 1320 is used to send the first AKMA root key to the visiting AKMA anchor function network element, where the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visited application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key according to the second AKMA root key, where the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the processing unit 1310 is used to determine whether the terminal device is in the roaming state; when the terminal device is in the roaming state, determine the first AKMA root key according to the second AKMA root key; wherein the first AKMA root key is used to determine the first application key, and the first application key is used for secure communication between the terminal device and the visiting application function network element; the second AKMA root key is used to determine the second application key, and the second application key is used for secure communication between the terminal device and the home application function network element.
  • the transceiver unit 1320 is configured to send the first AKMA root key to the visiting AKMA anchor point function network element.
  • the transceiver unit 1320 is configured to receive a request message from the visited AKMA anchor function network element, where the request message is used to request the AKMA root key; and, based on the request message, send the first AKMA root key to the visited AKMA anchor function network element.
  • the processing unit 1310 is specifically configured to determine the first AKMA root key based on the second AKMA root key and the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the transceiver unit 1320 is configured to receive indication information from the authentication server function network element, where the indication information indicates that the terminal device is in a roaming state; the processing unit 1310 is configured to determine, based on the indication information, that the terminal device is in the roaming state.
  • the processing unit 1310 is configured to determine whether the terminal device is in a roaming state based on the HPLMN information of the terminal device and/or the VPLMN information of the terminal device.
  • the processing unit 1310 is used to determine whether the terminal device is in the roaming state; when the terminal device is in the roaming state, determine the AKMA root key according to the VPLMN information of the terminal device; wherein the AKMA root key is used to determine the application key, and the application key is used for secure communication between the terminal device and the visiting application function network element.
  • the transceiver unit 1320 is configured to send the AKMA root key to the home AKMA anchor point function network element.
  • the processing unit 1310 is configured to determine the AKMA root key based on the VPLMN information of the terminal device, the SUPI of the terminal device, and the authentication server function root key.
  • the processing unit 1310 is configured to determine whether the terminal device is in a roaming state according to one or more of the HPLMN information of the terminal device, the VPLMN information of the authentication server function network element, or the VPLMN information of the terminal device.
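An added example covering the key derivations described above for the terminal device, the visiting and home AKMA anchor function network elements and the authentication server function network element (example code, not the patent's own and not a 3GPP specification): the chain from the authentication server function root key to the second and first AKMA root keys and on to the application key, written in the KDF form of TS 33.220 Annex B. The FC values and labels used for the roaming-specific derivations, and all sample values, are assumptions; the page names the inputs but not their encoding.

```python
# Added example (not the patent's own code): the roaming key-derivation chain
# described above, in the 3GPP KDF form of TS 33.220 Annex B (HMAC-SHA-256 over
# FC || P0 || L0 || P1 || L1 ...). The FC values and labels for the roaming-
# specific keys are hypothetical; the page names only the inputs (K_AUSF, SUPI,
# HPLMN/VPLMN information), not their encoding. Sample values are constructed.
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || ... || Pn || Ln, each Li a 2-octet length; 32-byte output."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def second_akma_root_key(k_ausf: bytes, supi: str) -> bytes:
    """Non-roaming K_AKMA (the 'second AKMA root key'): FC 0x80, P0 'AKMA',
    P1 SUPI, as in TS 33.535 Annex A.2."""
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())


def first_akma_root_key_from_second(k_akma_home: bytes, hplmn: str, vplmn: str) -> bytes:
    """hAAnF/terminal-device variant: first AKMA root key from the second one plus
    HPLMN and VPLMN information. FC 0x8A and the label are hypothetical."""
    return kdf(k_akma_home, 0x8A, b"AKMA-ROAMING", hplmn.encode(), vplmn.encode())


def first_akma_root_key_from_ausf(k_ausf: bytes, supi: str, vplmn: str) -> bytes:
    """AUSF variant: AKMA root key from VPLMN information, SUPI and the
    authentication server function root key. FC 0x8B is hypothetical."""
    return kdf(k_ausf, 0x8B, b"AKMA", supi.encode(), vplmn.encode())


def application_key(k_akma: bytes, af_id: str) -> bytes:
    """K_AF: FC 0x82, P0 AF_ID (TS 33.535 Annex A.4)."""
    return kdf(k_akma, 0x82, af_id.encode())


def demo() -> dict:
    k_ausf = bytes.fromhex("00" * 16 + "ff" * 16)  # constructed 256-bit K_AUSF
    supi, hplmn = "imsi-460000123456789", "mcc460.mnc000"
    vplmn_a, vplmn_b = "mcc262.mnc001", "mcc262.mnc002"
    k_akma_h = second_akma_root_key(k_ausf, supi)
    k_akma_va = first_akma_root_key_from_second(k_akma_h, hplmn, vplmn_a)
    k_akma_vb = first_akma_root_key_from_second(k_akma_h, hplmn, vplmn_b)
    af_id = "af.example.org\x01"  # constructed AF_ID (FQDN plus protocol id octet)
    # Each visited PLMN ends up with its own application key; because the KDF is
    # one-way, a vAAnF holding k_akma_va cannot recover k_akma_h or k_akma_vb.
    return {
        "k_af_home": application_key(k_akma_h, af_id),
        "k_af_visited_a": application_key(k_akma_va, af_id),
        "k_af_visited_b": application_key(k_akma_vb, af_id),
        "k_af_ausf_variant": application_key(
            first_akma_root_key_from_ausf(k_ausf, supi, vplmn_a), af_id),
    }
```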
  • the communication device 1400 shown in FIG. 14 includes a processor 1410 and an interface circuit 1420.
  • the processor 1410 and the interface circuit 1420 are coupled to each other.
  • the interface circuit 1420 may be a transceiver or an input-output interface.
  • the communication device 1400 may also include a memory 1430 for storing instructions executed by the processor 1410 or input data required for the processor 1410 to run the instructions or data generated after the processor 1410 executes the instructions.
  • the processor 1410 is used to implement the functions of the above processing unit 1310.
  • the interface circuit 1420 is used to realize the functions of the above transceiver unit 1320.
  • the processor in the embodiments of the present application may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • a general-purpose processor can be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application may be implemented in hardware, or may be implemented by a processor executing software instructions.
  • Software instructions can be composed of corresponding software modules, and the software modules can be stored in random access memory, flash memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, registers, hard disk, removable hard disk, CD-ROM, or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor such that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium may be located in an ASIC. Additionally, the ASIC may be located in the base station or the terminal equipment. Of course, the processor and the storage medium may also exist as discrete components in the base station or the terminal equipment.
  • the computer program product includes one or more computer programs or instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, a base station, a user equipment, or other programmable device.
  • the computer program or instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
  • the computer program or instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center that integrates one or more available media.
  • the available media may be magnetic media, such as floppy disks, hard disks, and tapes; optical media, such as digital video optical disks; or semiconductor media, such as solid-state hard drives.
  • the computer-readable storage medium may be volatile or nonvolatile storage media, or may include both volatile and nonvolatile types of storage media.
  • “at least one” refers to one or more, and “plurality” refers to two or more.
  • “And/or” describes the association of associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural.
  • the character "/" generally indicates that the related objects before and after it are in an "or" relationship; in the formulas of this application, the character "/" indicates that the objects before and after it are in a "division" relationship.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to a communication method, a communication apparatus and a communication system. In the method, when a terminal device is in a roaming state, a network storage function network element selects a visiting AKMA anchor function network element. The visiting AKMA anchor function network element can serve as a relay node or generate an application key for secure communication between the terminal device and an application function network element. Consequently, the application function network element can accurately obtain the application key, so that the terminal device and the application function network element encrypt the communication content using the application key, which improves communication security.
PCT/CN2023/100763 2022-06-24 2023-06-16 Communication method, communication apparatus and communication system WO2023246649A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210730849.9A CN117336714A (zh) 2022-06-24 2022-06-24 Communication method, communication apparatus and communication system
CN202210730849.9 2022-06-24

Publications (1)

Publication Number Publication Date
WO2023246649A1 true WO2023246649A1 (fr) 2023-12-28

Family

ID=89281724

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/100763 WO2023246649A1 (fr) 2022-06-24 2023-06-16 Communication method, communication apparatus and communication system

Country Status (2)

Country Link
CN (1) CN117336714A (fr)
WO (1) WO2023246649A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021093164A1 (fr) * 2020-01-16 2021-05-20 Zte Corporation Method, device and system for updating an anchor key in a communication network for encrypted communication with service applications
US20210392495A1 (en) * 2020-02-21 2021-12-16 Telefonaktiebolaget Lm Ericsson (Publ) Authentication server function selection in authentication and key management
WO2022038008A1 (fr) * 2020-08-17 2022-02-24 Telefonaktiebolaget Lm Ericsson (Publ) Security establishment for non-public networks in 5G

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021093164A1 (fr) * 2020-01-16 2021-05-20 Zte Corporation Method, device and system for updating an anchor key in a communication network for encrypted communication with service applications
US20210392495A1 (en) * 2020-02-21 2021-12-16 Telefonaktiebolaget Lm Ericsson (Publ) Authentication server function selection in authentication and key management
WO2022038008A1 (fr) * 2020-08-17 2022-02-24 Telefonaktiebolaget Lm Ericsson (Publ) Security establishment for non-public networks in 5G

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CHINA MOBILE: "Discussion paper of AKMA roaming", 3GPP TSG-SA3 MEETING #107ADHOC-E S3-221456, 20 June 2022 (2022-06-20), XP052195772 *
NOKIA, NOKIA SHANGHAI BELL: "Solution on AKMA roaming", 3GPP TSG-SA3 MEETING #107ADHOC-E S3-221352, 20 June 2022 (2022-06-20), XP052195673 *
S3: "AKMA service support for roaming UE", 3GPP TSG-SA3 MEETING #105-E S3-214236, 1 November 2021 (2021-11-01), XP052073645 *

Also Published As

Publication number Publication date
CN117336714A (zh) 2024-01-02

Similar Documents

Publication Publication Date Title
US20210250767A1 (en) Systems and methods for accessing a network
US9820335B2 (en) System and method for sharing a common PDP context
WO2022033558A1 (fr) Relay management method and communication apparatus
US20230171672A1 (en) Route configuration method and apparatus
WO2019242525A1 (fr) Data transmission method, device and system
US20230388863A1 (en) Communication method and apparatus
US20220263879A1 (en) Multicast session establishment method and network device
WO2021204277A1 (fr) Communication method, apparatus and system
WO2023185880A1 (fr) Method for determining access network device
WO2023124875A1 (fr) Communication method and apparatus
WO2022194262A1 (fr) Security communication method and apparatus
WO2023246649A1 (fr) Communication method, communication apparatus and communication system
WO2021042381A1 (fr) Communication method, apparatus and system
WO2023082858A1 (fr) Mobility management policy determination method, communication apparatus and communication system
WO2023197737A1 (fr) Message sending method, PIN management method, communication apparatus and communication system
WO2023040728A1 (fr) Network element selection method, communication apparatus and communication system
WO2023169225A1 (fr) PIN management method, communication apparatus and communication system
WO2023061207A1 (fr) Communication method, communication apparatus and communication system
WO2023179331A1 (fr) Data packet sending method, communication device and communication system
WO2024078305A1 (fr) Communication method, communication apparatus, and communication system
WO2024092624A1 (fr) Method and device for transferring an encryption key for roaming users in communication networks
WO2023213156A1 (fr) Communication method, communication apparatus and communication system
WO2023020046A1 (fr) Communication method and communication apparatus
WO2023001010A1 (fr) Communication method and device
WO2023213181A1 (fr) Communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23826298

Country of ref document: EP

Kind code of ref document: A1