WO2024000134A1 - Verification method and apparatus, device, and storage medium - Google Patents


Publication number
WO2024000134A1
Authority
WO
WIPO (PCT)
Prior art keywords
verification
terminal
response
network element
service network
Application number
PCT/CN2022/101696
Other languages
French (fr)
Chinese (zh)
Other versions
WO2024000134A9 (en
Inventor
梁浩然
陆伟
Original Assignee
北京小米移动软件有限公司
Application filed by 北京小米移动软件有限公司 filed Critical 北京小米移动软件有限公司
Priority to PCT/CN2022/101696 priority Critical patent/WO2024000134A1/en
Priority to CN202280002213.0A priority patent/CN117643087A/en
Publication of WO2024000134A1 publication Critical patent/WO2024000134A1/en
Publication of WO2024000134A9 publication Critical patent/WO2024000134A9/en

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • This application relates to the field of mobile communications, and in particular to a verification method, device, equipment and storage medium.
  • NPN: Non-Public Network
  • PLMN: Public Land Mobile Network
  • the NPN is other than the operator.
  • the terminal completes the NPN registration through the core network device.
  • the core network device cannot verify the terminal's service network name.
  • the embodiments of the present application provide a verification method, device, equipment and storage medium to ensure the accuracy of the service network accessed by the terminal, thereby ensuring the reliability of the core network equipment providing network services to the terminal.
  • the technical solutions are as follows:
  • a verification method is provided, the method is executed by a terminal, the method includes:
  • a first verification response is sent to the first network element, where the first verification response indicates a verification result of the serving network identity.
  • a verification method is provided.
  • the method is executed by the first network element.
  • the method includes:
  • the first verification request being used to verify the service network identity of the terminal in a non-public network NPN scenario, the first verification request being determined based on the second verification request;
  • a verification method is provided, the method is executed by the second network element, and the method includes:
  • a verification device includes:
  • a receiving module configured to receive a first verification request sent by the first network element, where the first verification request is used to verify the service network identity of the terminal in a non-public network NPN scenario;
  • a sending module configured to send a first verification response to the first network element in response to the first verification request, where the first verification response indicates the verification result of the service network identity.
  • a verification device which device includes:
  • a receiving module configured to receive the second verification request sent by the second network element
  • a sending module configured to send a first verification request to the terminal.
  • the first verification request is used to verify the service network identity of the terminal in a non-public network NPN scenario.
  • the first verification request is determined based on the second verification request;
  • a receiving module configured to receive a first verification response, where the first verification response indicates the verification result of the service network identity
  • a sending module configured to send the first verification response to the second network element.
  • a terminal includes: a processor; a transceiver connected to the processor; a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method as described above.
  • a first network element includes: a processor; a transceiver connected to the processor; a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method as described above.
  • a second network element includes: a processor; a transceiver connected to the processor; a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method as described above.
  • a computer-readable storage medium stores executable program code.
  • the executable program code is loaded and executed by a processor to implement the verification method in the above aspect.
  • a chip is provided.
  • the chip includes programmable logic circuits and/or program instructions.
  • when the chip is run on a terminal or a first network element or a second network element, it is used to implement the verification method of the above aspects.
  • a computer program product is provided.
  • when the computer program product is executed by a processor of a terminal or of a first network element or of a second network element, it is used to implement the verification method of the above aspect.
  • the solution provided by the embodiment of this application provides a method for verifying the service network identifier accessed by the terminal. Through verification, it can be confirmed whether the service network identifier accessed by the terminal itself is the same as the service network identifier stored in the core network device, ensuring the accuracy of the service network that the terminal accesses, and thereby ensuring the reliability of the core network equipment providing network services to the terminal.
  • Figure 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application
  • Figure 2 shows a flow chart of an identity verification method provided by an exemplary embodiment of the present application
  • Figure 3 shows a flow chart of a verification method provided by an exemplary embodiment of the present application
  • Figure 4 shows a flow chart of another verification method provided by an exemplary embodiment of the present application.
  • Figure 5 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application.
  • Figure 6 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application.
  • Figure 7 shows a block diagram of a verification device provided by an exemplary embodiment of the present application.
  • Figure 8 shows a block diagram of another verification device provided by an exemplary embodiment of the present application.
  • Figure 9 shows a block diagram of yet another verification device provided by an exemplary embodiment of the present application.
  • Figure 10 shows a block diagram of yet another verification device provided by an exemplary embodiment of the present application.
  • Figure 11 shows a block diagram of yet another verification device provided by an exemplary embodiment of the present application.
  • Figure 12 shows a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application.
  • Although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other.
  • first information may also be called second information, and similarly, the second information may also be called first information.
  • The word "if" as used herein may be interpreted as "when" or "in response to determining."
  • The information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of relevant data need to comply with relevant laws, regulations and standards of relevant countries and regions.
  • FIG. 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application.
  • the communication system may include: a terminal 10, a core network device 20 and a verification server 30.
  • the number of terminals 10 is usually multiple and distributed in one or more cells.
  • the terminal 10 is managed by the core network equipment 20.
  • the terminal 10 may include various handheld devices, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems with wireless communication functions, as well as various forms of user equipment (User Equipment, UE), mobile stations (Mobile Station, MS) and so on.
  • UE User Equipment
  • MS Mobile Station
  • the core network device 20 is a device deployed in the core network.
  • the core network device 20 mainly functions to provide user connections, manage users, and carry services, and serves as an interface for the bearer network to provide to external networks.
  • the core network device 20 can communicate with the authentication server 30, so as to verify the identity information of the terminal 10 through the authentication server 30.
  • the core network equipment 20 in the 5G NR system may include AMF (Access and Mobility Management Function) network elements, AUSF (Authentication Service Function), UDM (Unified Data Management), UPF (User Plane Function), SMF (Session Management Function) network elements, etc.
  • the terminal will start the registration process, and the core network equipment and authentication server will verify the identity of the terminal.
  • the first network element is an AMF network element
  • the second network element is an AUSF network element
  • the third network element is a UDM network element
  • the fourth network element is an NSSAAF network element
  • the authentication server is an AAA server.
  • Figure 2 shows a flow chart of an identity verification method provided by an exemplary embodiment of the present application. Referring to Figure 2, the method includes:
  • Step 201 The terminal sends identity verification information including SUCI (Subscription Concealed Identifier) and service network identifier to the AMF network element.
  • SUCI Subscribescription Concealed Identifier
  • Step 202 The AMF network element receives the identity verification information sent by the terminal, and sends the primary authentication information including SUCI and service network identification to the AUSF network element.
  • Step 203 The AUSF network element receives the primary authentication information and sends the identity acquisition information including SUCI and service network identity to the UDM network element.
  • Step 206 The AUSF network element receives the SUPI and AAA server identifier, and sends SUPI to the NSSAAF network element.
  • Step 207 The NSSAAF network element performs protocol conversion based on SUPI and sends SUPI to the AAA server.
  • Step 209 The AAA server sends identity authentication success information, SUPI and MSK to the NSSAAF network element.
  • After the AUSF network element receives the identity authentication success information, SUPI and MSK, it can perform the terminal's service network identity verification process.
  • the terminal starts the registration process, so that the core network equipment and the verification server can perform the process of verifying the identity of the terminal, ensuring that the verification server and the terminal perform mutual identity verification, and then complete the identity registration.
  • the AUSF network element will also trigger the terminal's service network identification verification process to ensure the accuracy of the service network the terminal accesses, thereby ensuring the reliability of the core network equipment in providing network services to the terminal.
  • Figure 3 shows a flow chart of a verification method provided by an exemplary embodiment of the present application.
  • the exemplary method can be applied to the terminal, the first network element and the second network element as shown in Figure 1.
  • the method includes at least some of the following:
  • Step 301 The second network element sends a second verification request to the first network element.
  • the second verification request is used to verify the service network identity of the terminal in the NPN scenario.
  • the NPN scenario is an SNPN (Stand-alone Non-Public Network, independent non-public network) scenario, that is to say, the second verification request is used to verify the service network identity of the terminal in the SNPN scenario.
  • the service network identifier is the service network identifier of the service network in the SNPN scenario.
  • the terminal is registered in the service network, and the second network element needs to verify the service network name of the service network to which the terminal is connected. Therefore, the second network element sends a second verification request to the first network element, so as to verify the service network identity of the terminal through the second verification request.
  • the service network identifier indicates the service network name.
  • service network identifier 1 indicates service network name 1
  • service network identifier 2 indicates service network name 2
  • service network identifier 3 indicates service network name 3.
  • the second verification request includes at least one of the following:
  • Verification identifier indicates that the second verification request is used to verify the service network identity.
  • the second network element sends a second verification request including a verification identifier to the first network element.
  • The verification identifier indicates that the second verification request is used to verify the service network identity, so the first network element can determine the role of the second verification request based on the verification identifier included in the second verification request.
  • The second network element not only verifies the verification identifier, but also verifies the identity of the terminal. After the second network element verifies the identity of the terminal, it can carry, in the second verification request, the authentication identifier indicating that the authentication of the terminal is successful.
  • The second network element first verifies the identity of the terminal. After the identity verification of the terminal is successful, the second network element can send a second verification request to the first network element, and the second verification request indicates that the terminal's authentication is successful and also indicates verification of the service network identity.
  • the service network verification code refers to the verification code required to verify the service network identity.
  • the terminal can compare the verification code calculated by itself with the service network verification code to determine whether the service network identification stored by the second network element is the same as the service network identification stored by the terminal itself, and then determine whether the service network identification of the second network element has been tampered with.
  • the service network verification code is calculated by the second network element, and then sent to the first network element through the second verification request, so that the first network element can send it to the terminal.
  • the verification random number refers to the random number required to verify the service network identity.
  • the verification random number is generated by the second network element, and then sent by the second network element to the first network element, and then sent by the first network element to the terminal, so that the terminal can verify the service network identity.
  • the timestamp is used to mark time. It can also be understood that the second network element adds a timestamp to the second verification request to indicate the sending time of the second verification request.
  • the terminal identification indicates the terminal.
  • the second network element carries the terminal identification in the second verification request. Then, after receiving the terminal identification, the first network element can determine that it needs to send a verification request to the terminal indicated by the terminal identification.
  • the terminal identifier is SUPI, SUCI or other identifiers, which is not limited in the embodiments of the present application.
  • the second verification request includes the service network verification code
  • the second network element determines the service network verification code based on at least one of the MSK (Master Session Key) generated by successful terminal identity verification, the verification random number and the service network identification.
  • the second network element may determine the service network verification code based on the MSK, the verification random number and the service network identifier.
  • Step 302 The first network element receives the second verification request sent by the second network element.
  • the first network element determines the terminal according to the second verification request, and sends the first verification request to the terminal.
  • the second verification request includes a terminal identification, and the terminal identification indicates the terminal.
  • the first network element determines the indicated terminal according to the terminal identification included in the second verification request, and then sends a first verification request to the determined terminal.
  • the first network element is an AMF network element or a SEAF network element. That is to say, the first network element in this application can be replaced by an AMF network element. Alternatively, the first network element in this application can be replaced by a SEAF network element.
  • the second network element is an AUSF network element. That is to say, the second network element in this application can be replaced by an AUSF network element.
  • the solution provided by the embodiment of this application provides a method for verifying the service network identifier accessed by the terminal. Through verification, it can be confirmed whether the service network identifier accessed by the terminal itself is the same as the service network identifier stored in the core network device, ensuring the accuracy of the service network that the terminal accesses, and thereby ensuring the reliability of the core network equipment providing network services to the terminal.
  • the embodiment shown in Figure 3 explains the verification of the service network identification of the terminal. Specifically, how the terminal verifies the service network identity is explained.
  • the first verification response indicates that the service network identity of the terminal is successfully verified, and the terminal sends the first verification response if it is determined that certain conditions are met.
  • If the terminal determines that the service network identifier of the first verification request has not been tampered with in the NPN scenario, it will continue to compare the terminal's own service network identifier with the service network identifier included in the first verification request. If they are determined to be the same, the terminal will, in response to the first verification request, send a first verification response to the first network element, indicating through the first verification response that the terminal successfully verified the service network identity.
  • Verification identifier indicates that the first verification request is used to verify the service network identity.
  • the terminal verification code refers to the verification code verified by the second network element. Moreover, the terminal verification code is sent after the terminal successfully verifies the service network identity sent by the second network element. The terminal verification code can also indicate that the terminal successfully verifies the service network identity.
  • the terminal determines the first information verification code according to the first verification request, and when the first information verification code matches the first verification request, determines that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
  • After receiving the first verification request, the terminal can determine the first information verification code based on the information included in the first verification request.
  • The first information verification code can be compared with the first verification request. If the first information verification code matches the first verification request, it is determined that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
  • the embodiment of the present application is explained by taking the terminal returning a first verification response indicating that the service network identity verification is successful as an example. In some other embodiments, the terminal also returns a first verification response indicating that the service network identity verification fails.
  • the first verification response indicates that the terminal's service network identity verification failed.
  • If the service network identity of the first verification request has not been tampered with, and the terminal's service network identity is different from the service network identifier included in the first verification request, the first verification response is sent to the first network element.
  • The terminal verifies the service network identification in the first verification request to confirm whether the service network identification has been tampered with. If the terminal determines that the service network identification has not been tampered with, but the service network identification of the terminal is different from the service network identifier in the first verification request, the terminal will consider that communication cannot be performed using the terminal's service network identifier, and the terminal will send a first verification response.
  • the first verification response includes a terminal verification code, where the terminal verification code refers to a verification code verified by the second network element. Moreover, the terminal verification code is sent after the terminal fails to verify the service network identity sent by the second network element. The terminal verification code can also indicate that the terminal fails to verify the service network identity.
  • the embodiment of the present application is explained by taking the terminal returning a first verification response indicating that the service network identity verification is successful as an example.
  • the terminal also receives a second verification response sent by the first network element, and the second verification response instructs the second network element to confirm the first verification response sent by the terminal.
  • the first network element will send a second verification response to the terminal, so as to inform the second network element to confirm the first verification response sent by the terminal through the second verification response.
  • Figure 4 shows a flow chart of another verification method provided by an exemplary embodiment of the present application.
  • the method can be applied to the terminal, the first network element and the second network element as shown in Figure 1. This method includes at least some of the following:
  • Step 401 In response to the first verification response, the second network element sends a fifth verification response to the first network element.
  • the fifth verification response instructs the second network element to confirm the first verification response sent by the terminal.
  • After receiving the first verification response sent by the first network element, the second network element will also confirm the first verification response. If the second network element confirms the first verification response, it will send the fifth verification response.
  • the second network element determines the second information verification code based on at least one of the MSK generated by successful terminal identity verification and the verification result of the service network identity predicted by the second network element.
  • the verification result of the service network identity includes at least one of successful verification of the service network identity and failure of verification of the service network identity; based on the matching result of the second information verification code and the first verification response, it is determined whether to confirm the first verification response sent by the terminal.
  • The second network element will determine the second information verification code in advance, considering both the success and the failure of the service network identity verification. The second network element therefore determines two second information verification codes based on the MSK and the verification result of the service network identifier predicted by the second network element. The second network element then determines which of the two second information verification codes the first verification response matches, and then determines whether to confirm the first verification response sent by the terminal.
  • Based on the MSK and a predicted service network identity verification result of failure, the second network element determines a second information verification code corresponding to service network identity verification failure; based on the MSK and a predicted verification result of success, it determines a second information verification code corresponding to successful service network identity verification.
  • the first verification response includes a terminal verification code
  • the second information verification code is determined based on at least one of the MSK generated by successful terminal identity verification, the verification random number, and the verification result of the service network identification predicted by the second network element; when the second information verification code corresponding to a predicted verification result of failure is the same as the terminal verification code, it is determined that the first verification response failed; and when the second information verification code corresponding to a predicted verification result of success is the same as the terminal verification code, it is determined that the first verification response is successful.
  • the embodiment of the present application takes the case where the second information verification code and the terminal verification code are the same as an example for explanation.
  • the process is terminated. In this process, no further operations will be performed.
  • the first verification response indicates that the terminal's service network identity verification is successful
  • the second network element sends the fifth verification response
  • it sends update information to the third network element
  • the update information indicates that the third network element stores the terminal's service network identifier; an update response is received, and the update response instructs the third network element to confirm the update information.
  • the update information includes at least one of the following:
  • the identity verification identifier indicates that the service network identity verification was successful.
  • the third network element is a unified data management UDM network element.
  • the second network element will not update the service network identity after sending the fifth verification response, nor will it derive the key based on the service network identity.
  • Step 403 In response to the fifth verification response, the first network element sends a second verification response to the terminal.
  • the second verification response instructs the second network element to confirm the first verification response sent by the terminal.
  • After receiving the fifth verification response sent by the second network element, the first network element will notify the terminal of the fifth verification response sent by the second network element: the first network element determines the second verification response according to the fifth verification response, and sends the second verification response to the terminal.
  • the fifth verification response includes at least one of the following:
  • Verification identifier indicates that the first verification request is used to verify the service network identity.
  • the fifth verification response includes the terminal identification, and the first network element determines the terminal indicated by the terminal identification and sends the second verification response to the terminal.
  • the terminal identifier indicates the terminal.
  • the first network element can determine the terminal indicated by the terminal identifier based on the fifth verification response and send the second verification response to the terminal.
  • Step 404 The terminal receives the second verification response sent by the first network element, and the second verification response instructs the second network element to confirm the first verification response sent by the terminal.
  • When the terminal receives the second verification response sent by the first network element, it determines that the second network element confirms the first verification response sent by the terminal.
  • the terminal determines the key corresponding to the second network element based on the MSK generated by the current terminal identity verification success and the service network identity in the first verification request.
  • the key corresponding to the second network element determined by the terminal is used for data transmission by the terminal.
  • the terminal can determine the key corresponding to the second network element based on the MSK and the service network identity in the first verification request, and then the transmitted data can be processed based on the key.
  • the data is encrypted and decrypted to facilitate data transmission by the terminal and ensure the reliability of the transmission.
  • the second network element will confirm the first verification response sent by the terminal, so that the terminal can determine that the second network element has also confirmed the service network identifier, ensuring that the service network the terminal accesses accuracy, thereby ensuring the reliability of core network equipment providing network services to terminals.
  • the terminal's first verification response indicates that the terminal's service network identity verification is successful.
  • the first verification response is alarm information, which means that the terminal updates the currently used service network identifier.
  • the following describes the situation in which the terminal determines that the first verification response is alarm information.
  • the first verification response is alarm information, and the terminal sends the first verification response when it is determined that certain conditions are met.
  • alarm information is generated, the alarm information is sent to the first network element in response to the first verification request, and the service network identifier in the first verification request is used as the service network identifier used by the terminal.
  • the terminal uses the service network identifier in the first verification request as the service network identifier used by the terminal. Therefore, the service network identifier used by the terminal is the same as the service network identifier confirmed by the second network element.
  • when the terminal interacts with the second network element, the information needs to be forwarded through the first network element.
  • the service network name identifier reported by the terminal may be tampered with by the first network element, so that the service network identity received by the second network element is different from the service network identity of the terminal itself. Therefore, after receiving the first verification request, the terminal needs to determine, based on the first verification request, whether the service network identity in the first verification request has been tampered with and whether the service network identifier of the terminal is the same as the service network identifier included in the first verification request, and then determine the alarm information to be sent.
  • the first verification response includes at least one of the following:
  • Verification identifier indicates that the first verification request is used to verify the service network identity.
  • the terminal verification code refers to the verification code verified by the second network element. Moreover, the terminal verification code is sent after the terminal successfully verifies the service network identity sent by the second network element. The terminal verification code can also indicate that the terminal successfully verifies the service network identity.
  • the terminal determines the first information verification code according to the first verification request, and when the first information verification code matches the first verification request, determines that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
  • after receiving the first verification request, the terminal can determine the first information verification code based on the information included in the first verification request and match the first information verification code against the first verification request. If the first information verification code matches the first verification request, it is determined that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
  • the first verification request includes a service network verification code and a service network identification
  • the first information verification code is determined based on at least one of the MSK generated by successful terminal identity verification, a verification random number, and the service network identification.
  • when the first information verification code is the same as the service network verification code, it is determined that the first verification request in the NPN scenario has not been tampered with.
  • the terminal obtains the MSK after performing identity authentication, and the first verification request also includes the service network verification code, so the terminal can determine the first information verification code based on at least one of the MSK, the verification random number and the service network identification, and then, by comparing the first information verification code with the service network verification code, determine whether the service network identification in the NPN scenario has been tampered with. Specifically, if the first information verification code is the same as the service network verification code, it means that the service network identification in the NPN scenario has not been tampered with. If the first information verification code is different from the service network verification code, it means that the service network identification in the NPN scenario has been tampered with.
  • the embodiment of the present application takes the terminal returning alarm information indicating updating the service network identifier as an example for explanation.
  • the terminal will also receive a third verification response sent by the first network element, and the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the first network element will send a third verification response to the terminal, so as to inform the terminal, through the third verification response, that the second network element confirms the alarm information sent by the terminal.
  • Figure 5 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application.
  • the method can be applied to the terminal, the first network element and the second network element as shown in Figure 1. The method includes at least some of the following:
  • Step 501 When the second network element determines that the first verification response is successful, in response to the alarm information, it sends a sixth verification response to the first network element.
  • the sixth verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the alarm information is sent when the service network identifier of the first verification request has not been tampered with in the NPN scenario, and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
  • after receiving the alarm information sent by the first network element, the second network element will also confirm the alarm information. If the second network element confirms the alarm information, it will send a sixth verification response.
  • Step 502 The first network element receives the sixth verification response sent by the second network element.
  • Step 503 In response to the sixth verification response, the first network element sends a third verification response to the terminal.
  • the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the alarm information is sent when the service network identity of the first verification request in the NPN scenario has not been tampered with and the service network identity of the terminal is different from the service network identity included in the first verification request.
  • after receiving the sixth verification response sent by the second network element, the first network element determines the third verification response according to the sixth verification response and sends the third verification response to the terminal, thereby notifying the terminal of the sixth verification response sent by the second network element.
  • the first network element determines the terminal according to the sixth verification response, and sends the third verification response to the terminal.
  • the sixth verification response includes at least one of the following:
  • Verification identifier indicates that the first verification request is used to verify the service network identity.
  • the sixth verification response includes the terminal identification, and the first network element determines the terminal indicated by the terminal identification, and sends the third verification response to the terminal.
  • the terminal identifier indicates the terminal.
  • the first network element can determine the terminal indicated by the terminal identifier based on the sixth verification response and send the third verification response to the terminal.
  • after the second network element receives the alarm information sent by the terminal, the second network element will also send update information to the third network element, where the update information instructs the third network element to store the service network identifier used by the terminal, and will receive an update response, where the update response indicates that the third network element confirms the update information.
  • the second network element sends update information to the third network element.
  • the third network element can store the information included in the update information in the third network element according to the update information, and the third network element will also return an update response to inform the second network element that the information has been stored.
  • the update information includes at least one of the following:
  • the identity verification identifier indicates that the service network identity verification was successful.
  • the third network element is a unified data management UDM network element.
  • the service network identifier will no longer be updated, and the key will not be derived based on the service network identifier.
  • Step 504 The terminal receives the third verification response sent by the first network element.
  • when the terminal receives the third verification response sent by the first network element, it determines that the second network element confirms the alarm information sent by the terminal, and then the terminal can transmit data through the service network element corresponding to the service network identifier.
  • the terminal determines the key corresponding to the second network element based on the MSK generated when the current terminal identity verification succeeded and the service network identifier in the first verification request.
  • the key corresponding to the second network element determined by the terminal is used for data transmission by the terminal.
  • the terminal can determine the key corresponding to the second network element based on the MSK and the service network identity in the first verification request; the transmitted data can then be encrypted and decrypted based on the key, which facilitates data transmission by the terminal and ensures the reliability of the transmission.
  • when the terminal determines that the service network identifier stored by itself is different from the service network identifier sent by the second network element, the terminal can update the service network identifier used by itself to the service network identification in the first verification request, which ensures the accuracy of the service network that the terminal accesses, thereby ensuring the reliability of the core network equipment in providing network services to the terminal.
  • the above embodiments are described by taking as an example the terminal sending a first verification response that indicates successful verification of the service network identity, or sending alarm information.
  • the terminal will also send error information to end the process under certain circumstances.
  • the first verification response is error information. If the terminal cannot parse the first verification request, the terminal sends the error information to the first network element in response to the first verification request.
  • the terminal receives the first verification request. If the terminal cannot parse the first verification request, it means that the terminal and the core network cannot communicate normally, so the terminal sends an error message to indicate that the verification cannot continue, and ends the verification process for the service network identity.
  • the first verification response is error information.
  • the error information is sent to the first network element in response to the first verification request.
  • if the terminal determines that the service network identifier of the first verification request has been tampered with, it means that the terminal and the core network device cannot communicate normally, so the terminal sends an error message to indicate that the verification cannot continue and ends the service network identification verification process.
  • the terminal determines the first information verification code according to the first verification request, and determines that the service network identity of the first verification request in the NPN scenario has been tampered with when the first information verification code does not match the first verification request.
  • the first verification request includes a service network verification code and a service network identification.
  • the first information verification code is determined according to the first verification request, including:
  • the solution for the terminal to determine whether the service network identifier has been tampered with in the embodiment of the present application is similar to the above embodiment, and will not be described again here.
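The terminal-side handling described above (recompute the first information verification code, compare it with the service network verification code, then answer with success, alarm information, or error information) can be sketched as follows. This is an added example, not code from the application; the use of HMAC-SHA-256 as both verification code and key derivation, the JSON message layout, the field names, and the sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

SUCCESS, ALARM, ERROR = "success", "alarm", "error"


def mac(msk: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed fields (assumed; the page names no algorithm)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (label, *fields))
    return hmac.new(msk, msg, hashlib.sha256).digest()


def derive_key(msk: bytes, sn_id: str) -> bytes:
    """Key bound to the MSK and the service network identification (assumed KDF)."""
    return mac(msk, b"sn-key", sn_id.encode())


def build_first_verification_request(msk: bytes, sn_id: str) -> bytes:
    """Second network element side: attach the service network verification code."""
    nonce = secrets.token_bytes(16)  # verification random number
    sn_code = mac(msk, b"sn-verify", nonce, sn_id.encode())
    return json.dumps({"sn_id": sn_id, "nonce": nonce.hex(),
                       "sn_code": sn_code.hex()}).encode()


def simulate_tampered_relay(wire: bytes, new_sn_id: str) -> bytes:
    """Constructed test input: a forwarding element that rewrote the identifier."""
    req = json.loads(wire)
    req["sn_id"] = new_sn_id
    return json.dumps(req).encode()


class Terminal:
    def __init__(self, msk: bytes, sn_id: str):
        self.msk, self.sn_id = msk, sn_id
        self.key: Optional[bytes] = None
        self._confirmed_sn_id: Optional[str] = None

    def handle_first_verification_request(self, wire: bytes) -> str:
        """Return which kind of first verification response the terminal sends."""
        try:
            req = json.loads(wire)
            sn_id = req["sn_id"]
            nonce = bytes.fromhex(req["nonce"])
            sn_code = bytes.fromhex(req["sn_code"])
            if not isinstance(sn_id, str):
                raise TypeError("sn_id must be a string")
        except (ValueError, KeyError, TypeError):
            return ERROR  # request cannot be parsed
        # First information verification code, recomputed from the terminal's own MSK.
        first_code = mac(self.msk, b"sn-verify", nonce, sn_id.encode())
        if not hmac.compare_digest(first_code, sn_code):
            return ERROR  # identifier was changed after the code was computed
        outcome = SUCCESS if sn_id == self.sn_id else ALARM
        self.sn_id = sn_id  # alarm case: adopt the identifier from the request
        self._confirmed_sn_id = sn_id
        return outcome

    def on_confirmation(self) -> Optional[bytes]:
        """Second or third verification response received: derive the key."""
        if self._confirmed_sn_id is not None:
            self.key = derive_key(self.msk, self._confirmed_sn_id)
        return self.key


def demo() -> list:
    msk = bytes(range(32))  # constructed MSK shared after identity verification
    wire = build_first_verification_request(msk, "npn-a.example")  # constructed id
    return [
        Terminal(msk, "npn-a.example").handle_first_verification_request(wire),
        Terminal(msk, "npn-b.example").handle_first_verification_request(wire),
        Terminal(msk, "npn-a.example").handle_first_verification_request(
            simulate_tampered_relay(wire, "npn-b.example")),
        Terminal(msk, "npn-a.example").handle_first_verification_request(b"{"),
    ]


if __name__ == "__main__":
    print(demo())
```

Because the verification code covers the identifier and the random number under the MSK, a forwarding element that does not hold the MSK cannot change the identifier without the comparison failing.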
  • FIG. 6 is used as an example to describe the interaction between the terminal, the first network element, and the second network element after the terminal sends error information in this application.
  • Figure 6 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application. Referring to Figure 6, the method includes:
  • Step 601 The terminal sends error information to the first network element.
  • Step 602 The first network element receives the error information and sends the error information to the second network element.
  • Step 603 The second network element receives the error information.
  • Step 604 In response to the error information, the second network element sends a seventh verification response to the first network element.
  • the seventh verification response indicates that the second network element confirms the error information sent by the terminal.
  • the error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or is sent in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
  • the second network element After the second network element confirms the received error information, it will terminate the key derivation process and will not store any information in the UDM.
  • Step 605 The first network element receives the seventh verification response sent by the second network element.
  • Step 607 The terminal receives the fourth verification response sent by the first network element, and the fourth verification response indicates that the second network element confirms the error information sent by the terminal.
  • when the terminal determines that it needs to send error information, it means that the terminal has determined that in the current state it cannot communicate with the core network equipment, so the error information is sent to end the verification process of the service network identity, which ensures the reliability of the terminal's verification of the service network identification and thereby the reliability of communication.
  • the receiving module 701 is configured to receive a first verification request sent by the first network element, where the first verification request is used to verify the service network identity of the terminal in a non-public network NPN scenario;
  • the first verification request includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • Authentication identifier which indicates successful authentication of the terminal
  • the first verification response indicates that the service network identity of the terminal has been successfully verified, and the sending module 702 is configured to send the first verification response to the first network element in response to the first verification request when the service network identity of the first verification request has not been tampered with in the NPN scenario and the service network identity of the terminal is the same as the service network identifier included in the first verification request.
  • the device further includes:
  • the determination module 703 is configured to determine the key corresponding to the second network element based on the MSK generated when the current terminal identity verification succeeded and the service network identifier in the first verification request.
  • the first verification response is alarm information.
  • the sending module 702 is also configured to, when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the service network identifier of the terminal is different from the service network identifier included in the first verification request, generate alarm information, send the alarm information to the first network element in response to the first verification request, and use the service network identifier in the first verification request as the service network identifier used by the terminal.
  • the first verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the first verification response indicates that the terminal's service network identification fails to be verified.
  • the sending module 702 is also used to ensure that the service network identification of the first verification request has not been tampered with in the NPN scenario, and the terminal's service network identification is consistent with the third verification response.
  • a first verification response is sent to the first network element.
  • the device further includes:
  • Determining module 703, configured to determine the first information verification code according to the first verification request
  • the determination module 703 is configured to determine that the service network identifier of the first verification request in the NPN scenario has not been tampered with when the first information verification code matches the first verification request.
  • the first verification request includes the service network verification code and the service network identification
  • the determination module 703 is also configured to determine the first information verification code based on at least one of the MSK generated by successful terminal identity verification, the verification random number and the service network identification
  • the determination module 703 is also configured to determine that the service network identifier in the NPN scenario has not been tampered with when the first information verification code and the service network verification code are the same.
  • the receiving module 701 is also configured to receive a third verification response sent by the first network element, where the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the first verification response is error information
  • the sending module 702 is also configured to respond to the first verification request and send error information to the first network element when the terminal cannot parse the first verification request.
  • the first verification response is error information
  • the sending module 702 is also configured to send error information to the first network element in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
  • the device further includes:
  • Determining module 703, configured to determine the first information verification code according to the first verification request
  • the determination module 703 is also configured to determine that the service network identifier of the first verification request in the NPN scenario has been tampered with when the first information verification code does not match the first verification request.
  • the first verification request includes the service network verification code and the service network identification
  • the determination module 703 is also configured to determine the first information verification code based on at least one of the MSK generated by successful terminal identity verification, the verification random number and the service network identification
  • the determination module 703 is also configured to determine that the first verification request in the NPN scenario has been tampered with when the first information verification code and the service network verification code are different.
  • the receiving module 701 is also configured to receive a fourth verification response sent by the first network element.
  • the fourth verification response indicates that the second network element confirms the error information sent by the terminal.
  • the first network element is an AMF network element or a SEAF network element.
  • Figure 9 shows a block diagram of another verification device provided by an exemplary embodiment of the present application.
  • the device includes:
  • the receiving module 901 is used to receive the second verification request sent by the second network element
  • the sending module 902 is configured to send a first verification request to the terminal.
  • the first verification request is used to verify the service network identity of the terminal in a non-public network NPN scenario.
  • the first verification request is determined based on the second verification request;
  • the receiving module 901 is configured to receive a first verification response, and the first verification response indicates the verification result of the service network identity;
  • the sending module 902 is configured to send the first verification response to the second network element.
  • the sending module 902 is used to:
  • the second verification request includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • Authentication identifier which indicates successful authentication of the terminal
  • the second verification request includes a terminal identification
  • the sending module is configured to determine the terminal indicated by the terminal identification.
  • the device further includes:
  • the receiving module 901 is configured to receive the fifth verification response sent by the second network element
  • the sending module 902 is also configured to send a second verification response to the terminal in response to the fifth verification response, where the second verification response indicates that the second network element confirms the first verification response sent by the terminal.
  • the sending module 902 is also used to:
  • the fifth verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the receiving module 901 is also configured to receive the sixth verification response sent by the second network element
  • the sending module 902 is also configured to send a third verification response to the terminal in response to the sixth verification response.
  • the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the alarm information is sent when the service network identity of the first verification request in the NPN scenario has not been tampered with and the service network identity of the terminal is different from the service network identity included in the first verification request.
  • the sending module 902 is also used to:
  • the sixth verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the identification verification identifier indicates that the second network element confirms the alarm information sent by the terminal;
  • the sixth verification response includes the terminal identification, and the sending module is also used to determine the terminal indicated by the terminal identification.
  • the receiving module 901 is also configured to receive the seventh verification response sent by the second network element;
  • the sending module 902 is also configured to send a fourth verification response to the terminal in response to the seventh verification response.
  • the fourth verification response indicates that the second network element confirms the error information sent by the terminal.
  • the error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or is sent in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
  • the sending module 902 is also used to:
  • the seventh verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the identification verification identifier indicates that the second network element confirms the error information sent by the terminal
  • the seventh verification response includes the terminal identification
  • the sending module 902 is also used to determine the terminal indicated by the terminal identification.
  • the first network element is an AMF network element or a SEAF network element.
  • the second network element is an AUSF network element.
  • Figure 10 shows a block diagram of yet another verification device provided by an exemplary embodiment of the present application.
  • the device includes:
  • Sending module 1001 configured to send a second verification request to the first network element
  • the receiving module 1002 is configured to receive a first verification response sent by the first network element, where the first verification response indicates the verification result of the service network identity.
  • the second verification request includes at least one of the following:
  • Authentication identifier which indicates successful authentication of the terminal
  • the second verification request includes the service network verification code.
  • the device further includes:
  • the determination module 1003 is configured to determine the service network verification code based on at least one of the MSK generated by successful terminal identity verification, a verification random number, and a service network identification.
  • the first verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the device further includes:
  • Determining module 1003, configured to determine a second information verification code based on at least one of the MSK generated by successful terminal identity verification and the verification result of the service network identity predicted by the second network element.
  • the verification result includes at least one of service network identity verification success and service network identity verification failure;
  • the determination module 1003 is also configured to determine whether to confirm the first verification response sent by the terminal based on the matching result of the second information verification code and the first verification response.
  • the first verification response includes the terminal verification code
  • the determination module 1003 is also configured to determine the second information verification code based on at least one of the MSK generated by successful terminal identity verification, the verification random number, and the verification result of the service network identification predicted by the second network element
  • the determination module 1003 is also configured to determine that the first verification response fails when the second information verification code is the one corresponding to a predicted service network identity verification result of failure and the second information verification code is the same as the terminal verification code;
  • when the second information verification code is the one corresponding to a predicted service network identity verification result of success and the second information verification code is the same as the terminal verification code, it is determined that the first verification response is successful.
  • the first verification response indicates that the service network identity verification is successful or indicates that the service network identity verification fails
  • the sending module 1001 is further configured to, when it is determined that the first verification response is successful, send a fifth verification response to the first network element in response to the first verification response, where the fifth verification response indicates that the second network element confirms the first verification response sent by the terminal.
  • the fifth verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the first verification response is alarm information
  • the sending module 1001 is configured to, when it is determined that the first verification response is successful, send a sixth verification response to the first network element in response to the alarm information.
  • the sixth verification response indicates that the second network element confirms the alarm information sent by the terminal.
  • the alarm information is sent when it has not been tampered with in the NPN scenario and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
  • the sixth verification response includes at least one of the following:
  • the verification identifier indicates that the first verification request is used to verify the service network identity
  • the identification verification identifier indicates that the second network element confirms the alarm information sent by the terminal;
  • the sending module 1001 is also configured to send update information to the third network element, where the update information instructs the third network element to store the service network identifier used by the terminal;
  • the receiving module 1002 is also configured to receive an update response, where the update response indicates that the third network element confirms the update information.
  • the update information includes at least one of the following:
  • the identity verification identifier indicates that the service network identity verification was successful.
  • the third network element is a unified data management UDM network element.
  • the first verification response is error information.
  • the sending module 1001 is also configured to send a seventh verification response to the first network element in response to the error information.
  • the seventh verification response indicates that the second network element confirms the error message sent by the terminal.
  • the error message is sent in response to the first verification request when the terminal is unable to parse the first verification request, or is sent in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
  • the first network element is an AMF network element or a SEAF network element.
  • the second network element is an AUSF network element.
  • Figure 12 shows a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application.
  • the communication device includes: a processor 1201, a receiver 1202, a transmitter 1203, a memory 1204 and a bus 1205.
  • the processor 1201 includes one or more processing cores.
  • the processor 1201 executes various functional applications and information processing by running software programs and modules.
  • the receiver 1202 and the transmitter 1203 can be implemented as a communication component, and the communication component can be a communication chip.
  • Memory 1204 is connected to processor 1201 through bus 1205.
  • the memory 1204 can be used to store at least one program code, and the processor 1201 is used to execute the at least one program code to implement each step in the above method embodiment.
  • the memory 1204 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to: magnetic or optical disks, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random-access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
  • a computer-readable storage medium is also provided, with executable program code stored in the readable storage medium, and the executable program code is loaded and executed by the processor to implement the verification method performed by the communication device as provided by each of the above method embodiments.
  • a chip is provided.
  • the chip includes programmable logic circuits and/or program instructions.
  • when the chip is run on a terminal, a first network element or a second network element, it is used to implement the verification method provided by each method embodiment.
  • a computer program product is provided.
  • when the computer program product is executed by a processor of a terminal, a first network element, or a second network element, it is used to implement the verification method provided by each of the above method embodiments.

Abstract

The present application relates to the field of mobile communications, and discloses a verification method and apparatus, a device, and a storage medium. The method comprises: a terminal receiving a first verification request sent by a first network element, wherein the first verification request is used for verifying a service network identifier corresponding to the terminal in an NPN scenario; and in response to the first verification request, sending a first verification response to the first network element, wherein the first verification response indicates a verification result in respect of the service network identifier. The present application provides a method for verifying an identifier of a service network accessed by a terminal. Upon verification, whether the identifier of the service network accessed by the terminal is the same as a service network identifier stored in a core network device can be confirmed, so that the accuracy of the service network accessed by the terminal is ensured, and then the reliability of providing network service to the terminal by the core network device is ensured.

Description

Verification method, apparatus, device, and storage medium
Technical field
This application relates to the field of mobile communications, and in particular to a verification method, apparatus, device, and storage medium.
Background
In a mobile communication system, an NPN (Non-Public Network) is provided. The NPN does not depend on a PLMN (Public Land Mobile Network) and is built for users other than operators. A terminal completes NPN registration through the core network device; however, the core network device cannot verify the terminal's service network name.
Summary of the invention
The embodiments of the present application provide a verification method, apparatus, device, and storage medium, which ensure the accuracy of the service network accessed by the terminal and thereby the reliability with which the core network device provides network services to the terminal. The technical solutions are as follows:
According to one aspect of the present application, a verification method is provided. The method is executed by a terminal and includes:
receiving a first verification request sent by a first network element, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario;
in response to the first verification request, sending a first verification response to the first network element, where the first verification response indicates the verification result of the service network identifier.
According to one aspect of the present application, a verification method is provided. The method is executed by a first network element and includes:
receiving a second verification request sent by a second network element;
sending a first verification request to a terminal, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario, and the first verification request is determined based on the second verification request;
receiving a first verification response, the first verification request indicating the verification result of the service network identifier;
sending the first verification response to the second network element.
According to one aspect of the present application, a verification method is provided. The method is executed by a second network element and includes:
sending a second verification request to a first network element;
receiving a first verification response sent by the first network element, where the first verification response indicates the verification result of the service network identifier.
According to one aspect of the present application, a verification apparatus is provided. The apparatus includes:
a receiving module, configured to receive a first verification request sent by a first network element, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario;
a sending module, configured to send a first verification response to the first network element in response to the first verification request, where the first verification response indicates the verification result of the service network identifier.
According to one aspect of the present application, a verification apparatus is provided. The apparatus includes:
a receiving module, configured to receive a second verification request sent by a second network element;
a sending module, configured to send a first verification request to a terminal, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario, and the first verification request is determined based on the second verification request;
a receiving module, configured to receive a first verification response, the first verification request indicating the verification result of the service network identifier;
a sending module, configured to send the first verification response to the second network element.
According to one aspect of the present application, a terminal is provided. The terminal includes: a processor; a transceiver connected to the processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method of the above aspects.
According to one aspect of the present application, a first network element is provided. The first network element includes: a processor; a transceiver connected to the processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method of the above aspects.
According to one aspect of the present application, a second network element is provided. The second network element includes: a processor; a transceiver connected to the processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to load and execute the executable instructions to implement the verification method of the above aspects.
According to one aspect of the present application, a computer-readable storage medium is provided. The readable storage medium stores executable program code, and the executable program code is loaded and executed by a processor to implement the verification method of the above aspects.
According to one aspect of the present application, a chip is provided. The chip includes programmable logic circuits and/or program instructions. When the chip is run on a terminal, a first network element or a second network element, it is used to implement the verification method of the above aspects.
According to one aspect of the present application, a computer program product is provided. When the computer program product is executed by a processor of a terminal, a first network element or a second network element, it is used to implement the verification method of the above aspects.
The solution provided by the embodiments of this application provides a method for verifying the identifier of the service network accessed by the terminal. Through verification, it can be confirmed whether the identifier of the service network accessed by the terminal itself is the same as the service network identifier stored in the core network device, which ensures the accuracy of the service network accessed by the terminal and thereby the reliability with which the core network device provides network services to the terminal.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application. Those of ordinary skill in the art can obtain other drawings based on these drawings without creative effort.
Figure 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application;
Figure 2 shows a flow chart of an identity verification method provided by an exemplary embodiment of the present application;
Figure 3 shows a flow chart of a verification method provided by an exemplary embodiment of the present application;
Figure 4 shows a flow chart of another verification method provided by an exemplary embodiment of the present application;
Figure 5 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application;
Figure 6 shows a flow chart of yet another verification method provided by an exemplary embodiment of the present application;
Figure 7 shows a block diagram of a verification apparatus provided by an exemplary embodiment of the present application;
Figure 8 shows a block diagram of another verification apparatus provided by an exemplary embodiment of the present application;
Figure 9 shows a block diagram of yet another verification apparatus provided by an exemplary embodiment of the present application;
Figure 10 shows a block diagram of yet another verification apparatus provided by an exemplary embodiment of the present application;
Figure 11 shows a block diagram of yet another verification apparatus provided by an exemplary embodiment of the present application;
Figure 12 shows a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Exemplary embodiments are described in detail here, examples of which are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. As used in this application and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the present application, the first information may also be called second information, and similarly, the second information may also be called first information. Depending on the context, for example, the word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining".
It should be noted that the information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
The application scenario of this application is explained below:
Figure 1 shows a block diagram of a communication system provided by an exemplary embodiment of the present application. The communication system may include: a terminal 10, a core network device 20 and a verification server 30.
There are usually multiple terminals 10, distributed in one or more cells. The terminal 10 is managed by the core network device 20. The terminal 10 may include various handheld devices, vehicle-mounted devices, wearable devices and computing devices with wireless communication functions, or other processing devices connected to wireless modems, as well as various forms of user equipment (User Equipment, UE), mobile stations (Mobile Station, MS) and so on. For convenience of description, in the embodiments of this application, the devices mentioned above are collectively referred to as terminals.
The core network device 20 is a device deployed in the core network. Its main functions are to provide user connections, manage users, and carry services, and to serve, as the bearer network, as the interface to external networks. The core network device 20 can communicate with the verification server 30 so as to verify the identity information of the terminal 10 through the verification server 30. For example, the core network device 20 in a 5G NR system may include AMF (Access and Mobility Management Function) network elements, AUSF (Authentication Service Function), UDM (Unified Data Management), UPF (User Plane Function), SMF (Session Management Function) network elements, and so on.
The verification server 30 is used to verify the identity of any user, to authorize any user, or to perform other steps. The terminal 10 sends verification information to the core network device 20, and the core network device 20 verifies the identity of the terminal 10 through the verification server 30 based on the verification information.
In some embodiments, the verification server is an AAA (Authentication Authorization Accounting) server or another type of server, which is not limited in this application.
In addition, for the terminal, the core network device and the verification server, the terminal starts the registration process, and the core network device and the verification server verify the identity of the terminal.
In some embodiments, the core network device includes a first network element, a second network element, a third network element and a fourth network element.
Optionally, the first network element is an AMF network element or a SEAF (Security Anchor Function) network element. The second network element is an AUSF network element. The third network element is a UDM network element. The fourth network element is an NSSAAF (a core network element) network element. The verification server is an AAA server.
The following description takes as an example the case where the first network element is an AMF network element, the second network element is an AUSF network element, the third network element is a UDM network element, the fourth network element is an NSSAAF network element, and the verification server is an AAA server. Figure 2 shows a flow chart of an identity verification method provided by an exemplary embodiment of the present application. Referring to Figure 2, the method includes:
Step 201: The terminal sends identity verification information including the SUCI (Subscription Concealed Identifier) and the service network identifier to the AMF network element.
Step 202: The AMF network element receives the identity verification information sent by the terminal, and sends primary authentication information including the SUCI and the service network identifier to the AUSF network element.
Step 203: The AUSF network element receives the primary authentication information, and sends identifier acquisition information including the SUCI and the service network identifier to the UDM network element.
Step 204: The UDM network element receives the identifier acquisition information and, based on it, resolves the SUCI into the SUPI.
Step 205: The UDM network element returns the SUPI (Subscription Permanent Identifier) and the AAA server identifier to the AUSF network element.
Step 206: The AUSF network element receives the SUPI and the AAA server identifier, and sends the SUPI to the NSSAAF network element.
Step 207: The NSSAAF network element performs protocol conversion based on the SUPI and sends the SUPI to the AAA server.
Step 208: The AAA server and the terminal authenticate each other.
In the embodiments of this application, an MSK is generated during the identity authentication process between the AAA server and the terminal; that is, both the AAA server and the terminal can determine the MSK generated by successful identity authentication.
Step 209: The AAA server sends the identity authentication success information, the SUPI and the MSK to the NSSAAF network element.
Step 210: The NSSAAF network element sends the identity authentication success information, the SUPI and the MSK to the AUSF network element.
In the embodiments of this application, after the AUSF network element receives the identity authentication success information, the SUPI and the MSK, it can perform the service network identifier verification process for the terminal.
In the method provided by the embodiments of this application, the terminal starts the registration process so that the core network device and the verification server can verify the identity of the terminal, ensuring that the verification server and the terminal authenticate each other and thereby completing identity registration. In addition, the AUSF network element also triggers the service network identifier verification process for the terminal, which ensures the accuracy of the service network accessed by the terminal and thereby the reliability with which the core network device provides network services to the terminal.
Figure 3 shows a flow chart of a verification method provided by an exemplary embodiment of the present application, which may, for example, be applied to the terminal, the first network element and the second network element shown in Figure 1. The method includes at least some of the following:
Step 301: The second network element sends a second verification request to the first network element.
The second verification request is used to verify the service network identifier of the terminal in the NPN scenario.
In some embodiments, the NPN scenario is an SNPN (Stand-alone Non-Public Network) scenario; that is, the second verification request is used to verify the service network identifier of the terminal in the SNPN scenario. The service network identifier is the identifier of the service network in the SNPN scenario.
In the embodiments of this application, the terminal registers in the service network, and the second network element needs to verify the service network name of the service network to which the terminal is connected. The second network element therefore sends a second verification request to the first network element so that the service network identifier of the terminal can be verified through the second verification request.
The service network identifier indicates the service network name. For example, service network identifier 1 indicates service network name 1, service network identifier 2 indicates service network name 2, and service network identifier 3 indicates service network name 3.
In some embodiments, the second verification request includes at least one of the following:
(1) Verification identifier. The verification identifier indicates that the second verification request is used to verify the service network identifier.
In the embodiments of this application, the second network element sends a second verification request including a verification identifier to the first network element. The verification identifier indicates that the second verification request is used to verify the service network identifier, so the first network element can determine the purpose of the second verification request from the verification identifier it contains.
(2) Identity verification identifier. The identity verification identifier indicates that the identity verification of the terminal succeeded.
In the embodiments of this application, the second network element not only verifies the verification identifier but also verifies the identity of the terminal. After the second network element has verified the identity of the terminal, it can carry the identity verification identifier in the second verification request, and the identity verification identifier indicates that the identity verification of the terminal succeeded.
In some embodiments, the second network element first verifies the identity of the terminal. After the identity verification of the terminal succeeds, the second network element can send the second verification request to the first network element. The second verification request indicates that the identity verification of the terminal succeeded and also indicates that the service network identifier is to be verified.
(3) Service network verification code.
The service network verification code is the verification code required when verifying the service network identifier. The terminal can compare the verification code it calculates itself with the service network verification code to determine whether the service network identifier stored by the second network element is the same as the service network identifier stored by the terminal itself, and thereby determine whether the service network identifier of the second network element has been tampered with.
The service network verification code is calculated by the second network element and then sent to the first network element in the second verification request, so that the first network element can send it to the terminal.
(4) Verification random number.
The verification random number is the random number required when verifying the service network identifier. The verification random number is generated by the second network element, sent by the second network element to the first network element, and sent by the first network element to the terminal, so that the terminal can verify the service network identifier.
(5) Timestamp.
The timestamp is used to mark time. It can also be understood that the second network element adds a timestamp to the second verification request to indicate the sending time of the second verification request.
(6) Terminal identifier.
The terminal identifier indicates the terminal. In the embodiments of this application, the second network element carries the terminal identifier in the second verification request, so that after receiving the terminal identifier, the first network element can determine that it needs to send a verification request to the terminal indicated by the terminal identifier.
在一些实施例中,该终端标识为SUPI、SUCI或者其他标识,本申请实施例对此不作限定。In some embodiments, the terminal identifier is SUPI, SUCI or other identifiers, which is not limited in the embodiments of the present application.
(7)服务网络标识。(7) Service network identification.
该服务网络标识指示服务网络,也可以理解为第二网元当前的服务网络对应的服务网络标识。The service network identifier indicates the service network, and can also be understood as the service network identifier corresponding to the current service network of the second network element.
In some embodiments, the second verification request includes the service network verification code, and the second network element determines the service network verification code based on at least one of the MSK (Master Session Key) generated by successful terminal identity authentication, the verification random number and the service network identifier.
Optionally, the second network element may determine the service network verification code based on the MSK and the service network identifier.
Alternatively, the second network element may determine the service network verification code based on the MSK, the verification random number and the service network identifier.
Step 302: The first network element receives the second verification request sent by the second network element.
In this embodiment of the present application, the second network element sends the second verification request to the first network element, and the first network element can receive it.
Step 303: The first network element sends a first verification request to the terminal. The first verification request is used to verify the terminal's service network identifier in a non-public network (NPN) scenario, and is determined based on the second verification request.
In some embodiments, the first network element determines the terminal according to the second verification request and sends the first verification request to that terminal.
Optionally, the second verification request includes a terminal identifier that indicates the terminal. After receiving the second verification request, the first network element determines the indicated terminal from the terminal identifier included in the request and sends the first verification request to that terminal.
Step 304: The terminal receives the first verification request sent by the first network element. The first verification request is used to verify the terminal's service network identifier in the NPN scenario.
In this embodiment of the present application, after receiving the second verification request sent by the second network element, the first network element can determine the first verification request based on it and then send the first verification request to the terminal, so that the terminal can determine from the first verification request that its service network identifier needs to be verified.
In some embodiments, the first verification request includes at least one of the following:
(1) Verification identifier. The verification identifier indicates that the first verification request is used to verify the service network identifier.
(2) Authentication identifier. The authentication identifier indicates that the terminal's identity authentication succeeded.
(3) Service network verification code.
(4) Verification random number.
(5) Timestamp.
(6) Service network identifier.
It should be noted that the information included in the first verification request in this embodiment of the present application is similar to the information included in the second verification request, and is not described again here.
Step 305: In response to the first verification request, the terminal sends a first verification response to the first network element. The first verification response indicates the verification result of the service network identifier.
In this embodiment of the present application, after receiving the first verification request, the terminal can perform verification based on the information included in the request to determine the verification result, and then send the first verification response to the first network element to indicate the terminal's verification result for the service network identifier.
Step 306: The first network element receives the first verification response, which indicates the verification result of the service network identifier.
Step 307: The first network element sends the first verification response to the second network element.
Step 308: The second network element receives the first verification response sent by the first network element. The first verification response indicates the verification result of the service network identifier.
In this embodiment of the present application, after receiving the first verification response, the first network element can forward it to the second network element. After receiving the first verification response, the second network element can determine the verification result of the service network identifier that the response indicates.
In some embodiments, the first network element is an AMF network element or a SEAF network element. That is, the first network element in this application can be replaced by an AMF network element or, alternatively, by a SEAF network element.
In some embodiments, the second network element is an AUSF network element. That is, the second network element in this application can be replaced by an AUSF network element.
It should be noted that the steps performed by the terminal in this embodiment of the present application may separately form an embodiment, the steps performed by the first network element may separately form an embodiment, and the steps performed by the second network element may separately form an embodiment.
The solution provided by this embodiment of the present application offers a method for verifying the service network identifier of the network the terminal accesses. The verification confirms whether the service network identifier of the network the terminal itself accesses is the same as the service network identifier stored by the core network device. This ensures the accuracy of the service network the terminal accesses and, in turn, the reliability of the network services that the core network device provides to the terminal.
The embodiment shown in Figure 3 describes verification of the terminal's service network identifier. The following describes specifically how the terminal verifies the service network identifier.
In some embodiments, the first verification response indicates that the terminal's service network identifier was verified successfully, and the terminal sends the first verification response when it determines that certain conditions are met.
In this embodiment of the present application, in the NPN scenario, if the service network identifier in the first verification request has not been tampered with and the terminal's service network identifier is the same as the one included in the first verification request, the terminal sends the first verification response to the first network element in response to the first verification request.
Information exchanged between the terminal and the second network element has to be forwarded by the first network element. The service network identifier reported by the terminal may be tampered with by the first network element on the way, so that the service network identifier received by the second network element differs from the terminal's own. Therefore, after receiving the first verification request, the terminal needs to determine from the request whether the service network identifier in it has been tampered with, determine whether the terminal's service network identifier is the same as the one included in the request, and from this determine the first verification response to send.
If the terminal determines that the service network identifier in the first verification request has not been tampered with in the NPN scenario, it goes on to compare its own service network identifier with the one included in the first verification request. If they are the same, the terminal sends the first verification response to the first network element in response to the first verification request, and the response indicates that the terminal verified the service network identifier successfully.
In some embodiments, the first verification response includes at least one of the following:
(1) Verification identifier. The verification identifier indicates that the first verification request is used to verify the service network identifier.
(2) Terminal verification code.
The terminal verification code is a verification code that is verified by the second network element. It is sent after the terminal has successfully verified the service network identifier sent by the second network element, so the terminal verification code can also indicate that the terminal verified the service network identifier successfully.
(3) Timestamp.
(4) Terminal identifier.
In some embodiments, the terminal determines a first information verification code according to the first verification request. If the first information verification code matches the first verification request, the terminal determines that the service network identifier in the first verification request has not been tampered with in the NPN scenario.
In this embodiment of the present application, after receiving the first verification request, the terminal can determine the first information verification code from the information included in the request and match it against the first verification request. If the first information verification code matches the first verification request, the service network identifier in the first verification request is determined not to have been tampered with in the NPN scenario.
Optionally, the first verification request includes the service network verification code and the service network identifier. The terminal determines the first information verification code based on at least one of the MSK generated by successful terminal identity authentication, the verification random number and the service network identifier. If the first information verification code is the same as the service network verification code, the first verification request is determined not to have been tampered with in the NPN scenario.
In this embodiment of the present application, the terminal obtains the MSK after identity authentication, and the first verification request also includes the service network verification code. The terminal can therefore determine the first information verification code from at least one of the MSK, the verification random number and the service network identifier, and then compare it with the service network verification code to determine whether the service network identifier has been tampered with in the NPN scenario. Specifically, if the first information verification code is the same as the service network verification code, the service network identifier has not been tampered with; if the two codes differ, the service network identifier has been tampered with.
It should be noted that this embodiment of the present application is described using the example of the terminal returning a first verification response that indicates successful verification of the service network identifier. In other embodiments, the terminal may instead return a first verification response that indicates failed verification of the service network identifier.
In this embodiment of the present application, the first verification response indicates that verification of the terminal's service network identifier failed. In the NPN scenario, if the service network identifier in the first verification request has not been tampered with but the terminal's service network identifier differs from the one included in the first verification request, the terminal sends the first verification response to the first network element.
In this embodiment of the present application, the terminal verifies the service network identifier in the first verification request to confirm whether it has been tampered with. If the terminal determines that the service network identifier has not been tampered with but the terminal's service network identifier differs from the one in the first verification request, the terminal considers that it cannot communicate using its own service network identifier, and sends the first verification response.
In some embodiments, the first verification response includes a terminal verification code, which is a verification code that is verified by the second network element. The terminal verification code is sent after the terminal has failed to verify the service network identifier sent by the second network element, so it can also indicate that the terminal failed to verify the service network identifier.
It should be noted that this embodiment of the present application is described using the example of the terminal returning a first verification response that indicates successful verification of the service network identifier. In another embodiment, the terminal also receives a second verification response sent by the first network element; the second verification response indicates that the second network element confirms the first verification response sent by the terminal.
In this embodiment of the present application, the first network element sends the second verification response to the terminal, informing the terminal through that response that the second network element confirms the first verification response sent by the terminal.
Specifically, the interaction between the terminal, the first network element and the second network element is described using the embodiment shown in Figure 4. Figure 4 shows a flowchart of another verification method provided by an exemplary embodiment of the present application. As an example, the method can be applied to the terminal, the first network element and the second network element shown in Figure 1, and includes at least part of the following:
Step 401: In response to the first verification response, the second network element sends a fifth verification response to the first network element. The fifth verification response indicates that the second network element confirms the first verification response sent by the terminal.
In this embodiment of the present application, after receiving the first verification response sent by the first network element, the second network element also confirms that response. If the second network element confirms the first verification response, it sends the fifth verification response.
In some embodiments, the second network element determines a second information verification code based on at least one of the MSK generated by successful terminal identity authentication and the verification result of the service network identifier predicted by the second network element. The predicted verification result includes at least one of successful verification and failed verification of the service network identifier. Based on the result of matching the second information verification code against the first verification response, the second network element determines whether to confirm the first verification response sent by the terminal.
In this embodiment of the present application, the second network element determines the second information verification code in advance and, in doing so, considers both the success case and the failure case of service network identifier verification. It therefore determines two second information verification codes from the MSK and the predicted verification result of the service network identifier. The second network element then determines which of the two second information verification codes the first verification response matches, and from that determines whether to confirm the first verification response sent by the terminal.
For example, from the MSK and a predicted verification result of failure, the second network element determines the second information verification code corresponding to failed verification of the service network identifier; from the MSK and a predicted verification result of success, it determines the second information verification code corresponding to successful verification of the service network identifier.
Optionally, the first verification response includes a terminal verification code, and the second information verification code is determined based on at least one of the MSK generated by successful terminal identity authentication, the verification random number and the verification result of the service network identifier predicted by the second network element. If the second information verification code that corresponds to a predicted result of failure is the same as the terminal verification code, the first verification response is determined to be a failure; if the second information verification code that corresponds to a predicted result of success is the same as the terminal verification code, the first verification response is determined to be a success.
It should be noted that this embodiment of the present application is described using the case in which the second information verification code is the same as the terminal verification code. In another embodiment, if the second information verification code differs from the terminal verification code, the procedure is terminated and no subsequent operations are performed.
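The two code comparisons described above (the terminal's check of the service network verification code, and the second network element's match of the terminal verification code against its two predicted codes) are sketched below as an added example that is not part of the application. The application names the inputs (MSK, verification random number, service network identifier, predicted result) but no algorithm, so HMAC-SHA-256, the field encoding, the labels, and every function, field and sample name here are assumptions.

```python
import hashlib
import hmac
import os


def _code(msk: bytes, label: bytes, *fields: bytes) -> bytes:
    """Keyed code over length-prefixed fields (HMAC-SHA-256 is an assumption)."""
    mac = hmac.new(msk, label, hashlib.sha256)
    for field in fields:
        # Length prefix keeps (nonce, id) pairs from colliding after concatenation.
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


def build_second_request(msk: bytes, sn_id: str, terminal_id: str) -> dict:
    """Second network element: nonce plus code over MSK, nonce and its own SN id."""
    nonce = os.urandom(16)
    return {
        "terminal_id": terminal_id,
        "sn_id": sn_id,
        "nonce": nonce,
        "sn_code": _code(msk, b"sn-verify", nonce, sn_id.encode()),
    }


def relay(second_request: dict, rewrite_sn_id=None) -> dict:
    """First network element: derives the first request; may rewrite the SN id."""
    first_request = {k: v for k, v in second_request.items() if k != "terminal_id"}
    if rewrite_sn_id is not None:
        first_request["sn_id"] = rewrite_sn_id  # it has no MSK, so sn_code goes stale
    return first_request


def terminal_respond(msk: bytes, own_sn_id: str, first_request: dict):
    """Terminal: recompute the code, then compare identifiers.

    Returns (status, response). On "tampered" no response is built here;
    what the terminal sends in that case is outside this sketch.
    """
    expected = _code(msk, b"sn-verify", first_request["nonce"],
                     first_request["sn_id"].encode())
    if not hmac.compare_digest(expected, first_request["sn_code"]):
        return "tampered", None
    status = "success" if own_sn_id == first_request["sn_id"] else "failure"
    code = _code(msk, b"ue-result", first_request["nonce"], status.encode())
    return status, {"terminal_code": code}


def confirm(msk: bytes, nonce: bytes, response: dict) -> str:
    """Second network element: precompute one code per predicted result and match."""
    candidates = {
        result: _code(msk, b"ue-result", nonce, result.encode())
        for result in ("success", "failure")
    }
    for result, code in candidates.items():
        if hmac.compare_digest(code, response["terminal_code"]):
            return result
    return "abort"  # neither predicted code matches: the procedure is terminated


def demo() -> dict:
    """Runs four constructed cases; all identifiers and keys are sample values."""
    msk = bytes(range(32))  # stands in for the MSK from identity authentication
    req2 = build_second_request(msk, "npn-A.example", "ue-0001")
    outcomes = {}

    _, resp = terminal_respond(msk, "npn-A.example", relay(req2))
    outcomes["honest"] = confirm(msk, req2["nonce"], resp)

    _, resp = terminal_respond(msk, "npn-B.example", relay(req2))
    outcomes["mismatch"] = confirm(msk, req2["nonce"], resp)

    status, _ = terminal_respond(msk, "npn-B.example",
                                 relay(req2, rewrite_sn_id="npn-B.example"))
    outcomes["rewritten"] = status

    outcomes["forged"] = confirm(msk, req2["nonce"], {"terminal_code": bytes(32)})
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The "rewritten" case shows why the code has to cover the service network identifier: a relay that changes the identifier to match the terminal's own cannot recompute the code without the MSK, so the terminal detects the change instead of reporting success.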
It should be noted that, if the first verification response indicates that the terminal's service network identifier was verified successfully, then after sending the fifth verification response the second network element sends update information to a third network element. The update information instructs the third network element to store the service network identifier used by the terminal. The second network element then receives an update response, which indicates that the third network element confirms the update information.
In some embodiments, the update information includes at least one of the following:
Terminal identifier;
Service network identifier;
Identity verification identifier. The identity verification identifier indicates that the service network identifier was verified successfully.
Optionally, the third network element is a unified data management (UDM) network element.
If the first verification response indicates that verification of the terminal's service network identifier failed, then after sending the fifth verification response the second network element neither updates the service network identifier nor derives a key from the service network identifier.
Step 402: The first network element receives the fifth verification response sent by the second network element.
Step 403: In response to the fifth verification response, the first network element sends a second verification response to the terminal. The second verification response indicates that the second network element confirms the first verification response sent by the terminal.
In this embodiment of the present application, after receiving the fifth verification response sent by the second network element, the first network element notifies the terminal of it: the first network element determines the second verification response from the fifth verification response and sends the second verification response to the terminal.
In some embodiments, the first network element determines the terminal according to the fifth verification response and sends the second verification response to that terminal.
Optionally, the fifth verification response includes at least one of the following:
(1) Verification identifier. The verification identifier indicates that the first verification request is used to verify the service network identifier.
(2) Identity verification identifier. The identity verification identifier indicates that the second network element confirms the first verification response sent by the terminal.
(3) Service network identifier.
(4) Terminal identifier.
In some embodiments, the fifth verification response includes the terminal identifier; the first network element determines the terminal indicated by the terminal identifier and sends the second verification response to that terminal.
In this embodiment of the present application, the terminal identifier indicates the terminal. After receiving the fifth verification response, the first network element can determine from it the terminal indicated by the terminal identifier and send the second verification response to that terminal.
Step 404: The terminal receives the second verification response sent by the first network element. The second verification response indicates that the second network element confirms the first verification response sent by the terminal.
In this embodiment of the present application, when the terminal receives the second verification response sent by the first network element, it determines that the second network element has confirmed the first verification response sent by the terminal.
It should be noted that, in this embodiment of the present application, if the terminal determines that the service network identifier was verified successfully, the terminal determines the key corresponding to the second network element from the MSK generated by the current successful terminal identity authentication and the service network identifier in the first verification request.
The key corresponding to the second network element, as determined by the terminal, is used by the terminal for data transmission.
In this embodiment of the present application, after determining that the service network identifier was verified successfully, the terminal can determine the key corresponding to the second network element from the MSK and the service network identifier in the first verification request. The transmitted data can then be encrypted and decrypted with this key, which allows the terminal to transmit data and ensures the reliability of the transmission.
In the solution provided by this embodiment of the present application, the second network element confirms the first verification response sent by the terminal, so that the terminal can determine that the second network element has also confirmed the service network identifier. This ensures the accuracy of the service network the terminal accesses and, in turn, the reliability of the network services that the core network device provides to the terminal.
The above embodiment is described using the example in which the terminal's first verification response indicates that the terminal's service network identifier has been verified successfully. In another embodiment, the first verification response is alarm information, which means that the terminal has updated the service network identifier it currently uses. The case in which the terminal determines that the first verification response is alarm information is described below.
In some embodiments, the first verification response is alarm information, and the terminal sends this first verification response when it determines that certain conditions are met.
In this embodiment, when the service network identifier of the first verification request has not been tampered with in the NPN scenario, and the terminal's service network identifier differs from the service network identifier included in the first verification request, the terminal generates alarm information, sends the alarm information to the first network element in response to the first verification request, and uses the service network identifier in the first verification request as the service network identifier used by the terminal.
In this embodiment, when the service network identifier of the first verification request has not been tampered with in the NPN scenario, and the terminal's service network identifier is not the same as the service network identifier included in the first verification request, the terminal sends alarm information to the first network element in response to the first verification request. Furthermore, the terminal uses the service network identifier in the first verification request as the service network identifier used by the terminal, so the service network identifier used by the terminal is the same as the one confirmed by the second network element.
When the terminal interacts with the second network element, information has to be forwarded via the first network element. On the way through the first network element, however, the service network name identifier reported by the terminal may be tampered with by the first network element, so that the service network identifier received by the second network element differs from the terminal's own. Therefore, after receiving the first verification request, the terminal needs to determine from the request whether the service network identifier in it has been tampered with, and whether the terminal's service network identifier is the same as the one included in the first verification request, in order to determine the alarm information to send.
If the terminal determines that the service network identifier of the first verification request has not been tampered with in the NPN scenario, it goes on to compare its own service network identifier with the one included in the first verification request. If they differ, the terminal sends alarm information to the first network element in response to the first verification request; this first verification response indicates that the terminal has updated the service network identifier, that is, the terminal uses the service network identifier included in the first verification request.
In some embodiments, the first verification response includes at least one of the following:
(1) Verification identifier, which indicates that the first verification request is used to verify the service network identifier.
(2) Terminal verification code.
The terminal verification code is a verification code that is verified by the second network element. It is sent after the terminal has successfully verified the service network identifier sent by the second network element, so the terminal verification code can also indicate that the terminal verified the service network identifier successfully.
(3) Timestamp.
(4) Terminal identifier.
In some embodiments, the terminal determines a first information verification code according to the first verification request and, when the first information verification code matches the first verification request, determines that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
In this embodiment, after receiving the first verification request, the terminal can determine the first information verification code from the information included in the request and match it against the first verification request. If the first information verification code matches the first verification request, the terminal determines that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
Optionally, the first verification request includes a service network verification code and a service network identifier. The terminal determines the first information verification code based on at least one of the MSK generated by successful terminal authentication, the verification random number and the service network identifier and, when the first information verification code is the same as the service network verification code, determines that the first verification request in the NPN scenario has not been tampered with.
In this embodiment, the terminal obtains the MSK after authentication, and the first verification request also includes the service network verification code. The terminal can therefore determine the first information verification code based on at least one of the MSK, the verification random number and the service network identifier, and then compare the first information verification code with the service network verification code to determine whether the service network identifier in the NPN scenario has been tampered with. Specifically, if the first information verification code is the same as the service network verification code, the service network identifier in the NPN scenario has not been tampered with; if the two differ, the service network identifier in the NPN scenario has been tampered with.
It should be noted that this embodiment is described using the example in which the terminal returns alarm information indicating that the service network identifier has been updated. In another embodiment, the terminal also receives a third verification response sent by the first network element; the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
In this embodiment, the first network element sends the third verification response to the terminal, so that the third verification response informs the terminal that the second network element has confirmed the alarm information sent by the terminal.
Specifically, the interaction between the terminal, the first network element and the second network element is described using the embodiment shown in Figure 5. Figure 5 shows a flowchart of yet another verification method provided by an exemplary embodiment of the present application, which can, by way of example, be applied to the terminal, the first network element and the second network element shown in Figure 1. The method includes at least some of the following:
Step 501: When the second network element determines that the first verification response is successful, it sends, in response to the alarm information, a sixth verification response to the first network element. The sixth verification response indicates that the second network element confirms the alarm information sent by the terminal. The alarm information is sent when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the terminal's service network identifier differs from the service network identifier included in the first verification request.
In this embodiment, after receiving the alarm information sent by the first network element, the second network element also confirms the alarm information. If the second network element confirms the alarm information, it sends the sixth verification response.
Step 502: The first network element receives the sixth verification response sent by the second network element.
Step 503: In response to the sixth verification response, the first network element sends a third verification response to the terminal. The third verification response indicates that the second network element confirms the alarm information sent by the terminal. The alarm information is sent when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the terminal's service network identifier differs from the service network identifier included in the first verification request.
In this embodiment, after receiving the sixth verification response sent by the second network element, the first network element notifies the terminal of it: the first network element determines the third verification response according to the sixth verification response and sends the third verification response to the terminal.
In some embodiments, the first network element determines the terminal according to the sixth verification response and sends the third verification response to the terminal.
Optionally, the sixth verification response includes at least one of the following:
(1) Verification identifier, which indicates that the first verification request is used to verify the service network identifier.
(2) Identity verification identifier, which indicates that the second network element confirms the alarm information sent by the terminal.
(3) Service network identifier.
(4) Terminal identifier.
In some embodiments, the sixth verification response includes the terminal identifier, and the first network element determines the terminal indicated by the terminal identifier and sends the third verification response to that terminal.
In this embodiment, the terminal identifier indicates the terminal. After receiving the sixth verification response, the first network element can therefore determine from it the terminal indicated by the terminal identifier and send the third verification response to that terminal.
It should be noted that if the second network element receives the alarm information sent by the terminal, the second network element also sends update information to a third network element, the update information instructing the third network element to store the service network identifier used by the terminal, and receives an update response, the update response indicating that the third network element confirms the update information.
In this embodiment, the second network element sends the update information to the third network element. After receiving the update information, the third network element stores the information it contains and returns an update response to inform the second network element that the information has been stored.
In some embodiments, the update information includes at least one of the following:
Terminal identifier;
Service network identifier;
Identity verification identifier, which indicates that the service network identifier has been verified successfully.
Optionally, the third network element is a unified data management (UDM) network element.
If the terminal neither generates alarm information nor sends alarm information to the second network element, the service network identifier is not updated, and no key is derived from the service network identifier.
Step 504: The terminal receives the third verification response sent by the first network element.
In this embodiment, when the terminal receives the third verification response sent by the first network element, it determines that the second network element has confirmed the alarm information sent by the terminal, and the terminal can then transmit data through the service network element corresponding to the service network identifier.
It should be noted that, in this embodiment, if the terminal determines that it has received the third verification response, the terminal determines the key corresponding to the second network element based on the MSK generated by the current successful terminal authentication and the service network identifier in the first verification request.
The key corresponding to the second network element, as determined by the terminal, is used by the terminal for data transmission.
In this embodiment, after the terminal determines that the service network identifier has been verified successfully, it can determine the key corresponding to the second network element based on the MSK and the service network identifier in the first verification request. Transmitted data can then be encrypted and decrypted with this key, which facilitates data transmission by the terminal and ensures the reliability of the transmission.
In the solution provided by this embodiment, when the terminal determines that the service network identifier it has stored differs from the service network identifier sent by the second network element, the terminal can update the service network identifier it uses to the one in the first verification request. This ensures the accuracy of the service network that the terminal accesses, and in turn the reliability of the network services that the core network device provides to the terminal.
It should be noted that the above embodiments are described using the examples in which the terminal sends a first verification response indicating that the service network identifier has been verified successfully, or sends alarm information. In another embodiment, the terminal also sends error information under certain conditions to end the procedure.
In some embodiments, the first verification response is error information: when the terminal cannot parse the first verification request, it sends error information to the first network element in response to the first verification request.
In this embodiment, the terminal receives the first verification request. If the terminal cannot parse the request, the terminal and the core network cannot communicate normally, so the terminal sends error information to indicate that verification cannot continue, which ends the verification procedure for the service network identifier.
In other embodiments, the first verification response is error information: when the service network identifier of the first verification request has been tampered with in the NPN scenario, the terminal sends error information to the first network element in response to the first verification request.
In this embodiment, if the terminal determines that the service network identifier of the first verification request has been tampered with, the terminal and the core network device cannot communicate normally, so the terminal sends error information to indicate that verification cannot continue, which ends the verification procedure for the service network identifier.
Optionally, the terminal determines the first information verification code according to the first verification request and, when the first information verification code does not match the first verification request, determines that the service network identifier of the first verification request in the NPN scenario has been tampered with.
Optionally, the first verification request includes a service network verification code and a service network identifier, and determining the first information verification code according to the first verification request includes:
determining the first information verification code based on at least one of the MSK generated by successful terminal authentication, the verification random number and the service network identifier and, when the first information verification code differs from the service network verification code, determining that the service network identifier in the NPN scenario has been tampered with.
The way the terminal determines whether the service network identifier has been tampered with in this embodiment is similar to that in the above embodiments and is not repeated here.
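The terminal-side decision described above (success response, alarm information or error information), as an added example that is not part of the application's text. It assumes HMAC-SHA256 for both the verification code and the key derivation, and a JSON request with the hypothetical field names `sn_id`, `nonce` and `sn_code`; the application specifies none of these.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample values, not taken from the application.
MSK = bytes(range(64))
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(msk: bytes, label: bytes, *fields: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the MSK. Fields are length-prefixed so
    # that (b"ab", b"c") and (b"a", b"bc") never yield the same MAC input.
    msg = label + b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(msk, msg, hashlib.sha256).digest()


def service_network_code(msk: bytes, nonce: bytes, sn_id: str) -> bytes:
    """Verification code over the verification random number and SN identifier."""
    return _mac(msk, b"sn-verify", nonce, sn_id.encode("utf-8"))


def derive_key(msk: bytes, sn_id: str) -> bytes:
    """Key for the second network element, bound to the MSK and SN identifier.

    On the page, the terminal derives this key after a success result, or, in
    the alarm case, after the third verification response arrives.
    """
    return _mac(msk, b"sn-key", sn_id.encode("utf-8"))


def build_request(msk: bytes, nonce: bytes, sn_id: str) -> bytes:
    """Second-network-element side: first verification request (hypothetical JSON)."""
    code = service_network_code(msk, nonce, sn_id)
    return json.dumps(
        {"sn_id": sn_id, "nonce": nonce.hex(), "sn_code": code.hex()}
    ).encode("utf-8")


@dataclass
class Outcome:
    kind: str          # "success", "alarm" or "error"
    sn_id_in_use: str  # identifier the terminal uses after handling the request


def handle_request(raw: bytes, msk: bytes, stored_sn_id: str) -> Outcome:
    """Terminal side: decide which first verification response to send."""
    try:
        req = json.loads(raw)
        sn_id = req["sn_id"]
        if not isinstance(sn_id, str):
            raise TypeError("sn_id must be a string")
        nonce = bytes.fromhex(req["nonce"])
        received = bytes.fromhex(req["sn_code"])
        expected = service_network_code(msk, nonce, sn_id)
    except (ValueError, KeyError, TypeError):
        # The request cannot be parsed: error information, nothing changes.
        return Outcome("error", stored_sn_id)
    # Constant-time comparison of the recomputed code with the received one.
    if not hmac.compare_digest(expected, received):
        # The identifier was altered in transit: error information.
        return Outcome("error", stored_sn_id)
    if sn_id == stored_sn_id:
        return Outcome("success", stored_sn_id)
    # Untampered but different: alarm information, adopt the request's identifier.
    return Outcome("alarm", sn_id)
```
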
Next, Figure 6 is used as an example to describe the interaction between the terminal, the first network element and the second network element after the terminal sends error information. Figure 6 shows a flowchart of yet another verification method provided by an exemplary embodiment of the present application. Referring to Figure 6, the method includes:
Step 601: The terminal sends error information to the first network element.
Step 602: The first network element receives the error information and sends it to the second network element.
Step 603: The second network element receives the error information.
Step 604: In response to the error information, the second network element sends a seventh verification response to the first network element. The seventh verification response indicates that the second network element confirms the error information sent by the terminal. The error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or when the service network identifier of the first verification request has been tampered with in the NPN scenario.
In this embodiment, after the second network element confirms the received error information, it terminates the key derivation procedure and does not store any information in the UDM.
Step 605: The first network element receives the seventh verification response sent by the second network element.
Step 606: In response to the seventh verification response, the first network element sends a fourth verification response to the terminal. The fourth verification response indicates that the second network element confirms the error information sent by the terminal. The error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or when the service network identifier of the first verification request has been tampered with in the NPN scenario.
Step 607: The first network element receives the fourth verification response sent by the first network element; the fourth verification response indicates that the second network element confirms the error information sent by the terminal.
In the solution provided by this embodiment, if the terminal determines that it needs to send error information, the terminal has determined that in its current state it cannot communicate with the core network device. It therefore sends error information to end the verification procedure for the service network identifier, which ensures the reliability of the terminal's verification of the service network identifier and in turn the reliability of communication.
It should be noted that the above embodiments can be split into new embodiments, or combined with other embodiments to form new embodiments. This application does not limit the combination of embodiments.
Figure 7 shows a block diagram of a verification apparatus provided by an exemplary embodiment of the present application. Referring to Figure 7, the apparatus includes:
a receiving module 701, configured to receive a first verification request sent by the first network element, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario;
a sending module 702, configured to send a first verification response to the first network element in response to the first verification request, where the first verification response indicates the verification result of the service network identifier.
In some embodiments, the first verification request includes at least one of the following:
Verification identifier, which indicates that the first verification request is used to verify the service network identifier;
Authentication identifier, which indicates that the terminal has been authenticated successfully;
Service network verification code;
Verification random number;
Timestamp;
Service network identifier.
In some embodiments, the first verification response indicates that the terminal's service network identifier has been verified successfully, and the sending module 702 is configured to send the first verification response to the first network element in response to the first verification request when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the terminal's service network identifier is the same as the service network identifier included in the first verification request.
In some embodiments, referring to Figure 8, the apparatus further includes:
a determination module 703, configured to determine the key corresponding to the second network element based on the MSK generated by the current successful terminal authentication and the service network identifier in the first verification request.
In some embodiments, the first verification response is alarm information, and the sending module 702 is further configured to, when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the terminal's service network identifier differs from the service network identifier included in the first verification request, generate alarm information, send the alarm information to the first network element in response to the first verification request, and use the service network identifier in the first verification request as the service network identifier used by the terminal.
In some embodiments, the first verification response includes at least one of the following:
Verification identifier, which indicates that the first verification request is used to verify the service network identifier;
Terminal verification code;
Timestamp;
Terminal identifier.
In some embodiments, the first verification response indicates that verification of the terminal's service network identifier has failed, and the sending module 702 is further configured to send the first verification response to the first network element when the service network identifier of the first verification request has not been tampered with in the NPN scenario and the terminal's service network identifier differs from the service network identifier included in the first verification request.
In some embodiments, the receiving module 701 is further configured to receive a second verification response sent by the first network element, where the second verification response indicates that the second network element confirms the first verification response sent by the terminal.
In some embodiments, referring to Figure 8, the apparatus further includes:
a determination module 703, configured to determine the first information verification code according to the first verification request;
the determination module 703 being configured to determine, when the first information verification code matches the first verification request, that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
In some embodiments, the first verification request includes a service network verification code and a service network identifier, and the determination module 703 is further configured to determine the first information verification code based on at least one of the MSK generated by successful terminal authentication, the verification random number and the service network identifier;
the determination module 703 is further configured to determine, when the first information verification code is the same as the service network verification code, that the service network identifier in the NPN scenario has not been tampered with.
In some embodiments, the receiving module 701 is further configured to receive a third verification response sent by the first network element, where the third verification response indicates that the second network element confirms the alarm information sent by the terminal.
In some embodiments, the first verification response is error information, and the sending module 702 is further configured to send error information to the first network element in response to the first verification request when the terminal cannot parse the first verification request.
In some embodiments, the first verification response is error information, and the sending module 702 is further configured to send error information to the first network element in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
在一些实施例中,参见图8,装置还包括:In some embodiments, referring to Figure 8, the device further includes:
确定模块703,用于根据第一验证请求确定第一信息验证码;Determining module 703, configured to determine the first information verification code according to the first verification request;
确定模块703,还用于在第一信息验证码与第一验证请求不匹配的情况下, 确定NPN场景中的第一验证请求的服务网络标识被篡改。The determination module 703 is also configured to determine that the service network identifier of the first verification request in the NPN scenario has been tampered with when the first information verification code does not match the first verification request.
在一些实施例中,第一验证请求包括服务网络验证码和服务网络标识,确定模块703,还用于基于终端身份验证成功所产生的MSK、验证随机数和服务网络标识中的至少一项,确定第一信息验证码;In some embodiments, the first verification request includes the service network verification code and the service network identification, and the determination module 703 is also used to generate at least one of the MSK, verification random number and service network identification based on successful terminal identity verification, Determine the first information verification code;
确定模块703,还用于在第一信息验证码与服务网络验证码不相同的情况下,确定NPN场景中的第一验证请求被篡改。The determination module 703 is also configured to determine that the first verification request in the NPN scenario has been tampered with when the first information verification code and the service network verification code are different.
在一些实施例中,接收模块701,还用于接收第一网元发送的第四验证响应,第四验证响应指示第二网元确认终端发送的错误信息。In some embodiments, the receiving module 701 is also configured to receive a fourth verification response sent by the first network element. The fourth verification response instructs the second network element to confirm the error information sent by the terminal.
在一些实施例中,第一网元为AMF网元,或者为SEAF网元。In some embodiments, the first network element is an AMF network element or a SEAF network element.
需要说明的是,上述实施例提供的装置,在实现其功能时,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将设备的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。另外,上述实施例提供的装置与方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。It should be noted that when implementing the functions of the device provided by the above embodiments, only the division of the above functional modules is used as an example. In practical applications, the above functions can be allocated to different functional modules according to needs, that is, The internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus and method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be described again here.
Figure 9 shows a block diagram of another verification apparatus provided by an exemplary embodiment of the present application. Referring to Figure 9, the apparatus includes:
The receiving module 901, configured to receive a second verification request sent by the second network element;
The sending module 902, configured to send a first verification request to the terminal, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario, and the first verification request is determined based on the second verification request;
The receiving module 901, configured to receive a first verification response, where the first verification request indicates the verification result of the service network identifier;
The sending module 902, configured to send the first verification response to the second network element.
In some embodiments, the sending module 902 is configured to:
Determine the terminal according to the second verification request;
Send the first verification request to the terminal.
In some embodiments, the second verification request includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identity verification identifier, where the identity verification identifier indicates that identity verification of the terminal succeeded;
A service network verification code;
A verification random number;
A timestamp;
A terminal identifier.
In some embodiments, the second verification request includes a terminal identifier, and the sending module is configured to determine the terminal indicated by the terminal identifier.
In some embodiments, the apparatus further includes:
The receiving module 901, configured to receive a fifth verification response sent by the second network element;
The sending module 902 is further configured to send, in response to the fifth verification response, a second verification response to the terminal, where the second verification response indicates that the second network element confirms the first verification response sent by the terminal.
In some embodiments, the sending module 902 is further configured to:
Determine the terminal according to the fifth verification response;
Send the second verification response to the terminal.
In some embodiments, the fifth verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that the second network element confirms the first verification response sent by the terminal;
A service network identifier;
A terminal identifier.
In some embodiments, the fifth verification response includes a terminal identifier, and the sending module is further configured to:
Determine the terminal indicated by the terminal identifier.
In some embodiments, the receiving module 901 is further configured to receive a sixth verification response sent by the second network element;
The sending module 902 is further configured to send, in response to the sixth verification response, a third verification response to the terminal, where the third verification response indicates that the second network element confirms the alarm information sent by the terminal, and the alarm information is sent when, in the NPN scenario, the service network identifier of the first verification request has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
In some embodiments, the sending module 902 is further configured to:
Determine the terminal according to the sixth verification response;
Send the third verification response to the terminal.
In some embodiments, the sixth verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that the second network element confirms the alarm information sent by the terminal;
A service network identifier;
A terminal identifier.
In some embodiments, the sixth verification response includes a terminal identifier, and the sending module is further configured to determine the terminal indicated by the terminal identifier.
In some embodiments, the receiving module 901 is further configured to receive a seventh verification response sent by the second network element;
The sending module 902 is further configured to send, in response to the seventh verification response, a fourth verification response to the terminal, where the fourth verification response indicates that the second network element confirms the error information sent by the terminal, and the error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or is sent in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
In some embodiments, the sending module 902 is further configured to:
Determine the terminal according to the seventh verification response;
Send the fourth verification response to the terminal.
In some embodiments, the seventh verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that the second network element confirms the error information sent by the terminal;
A terminal identifier.
In some embodiments, the seventh verification response includes a terminal identifier, and the sending module 902 is further configured to determine the terminal indicated by the terminal identifier.
In some embodiments, the first network element is an AMF network element or a SEAF network element.
In some embodiments, the second network element is an AUSF network element.
It should be noted that, when the apparatus provided by the above embodiments implements its functions, the division into the functional modules described above is used only as an example. In practical applications, the functions can be assigned to different functional modules as needed; that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; for the specific implementation process, see the method embodiments, which are not repeated here.
Figure 10 shows a block diagram of yet another verification apparatus provided by an exemplary embodiment of the present application. Referring to Figure 10, the apparatus includes:
The sending module 1001, configured to send a second verification request to the first network element;
The receiving module 1002, configured to receive a first verification response sent by the first network element, where the first verification response indicates the verification result of the service network identifier.
In some embodiments, the second verification request includes at least one of the following:
A verification identifier, where the verification identifier indicates that the second verification request is used to verify the service network identifier;
An identity verification identifier, where the identity verification identifier indicates that identity verification of the terminal succeeded;
A service network verification code;
A verification random number;
A timestamp;
A terminal identifier.
In some embodiments, the second verification request includes a service network verification code. Referring to Figure 10, the apparatus further includes:
The determination module 1003, configured to determine the service network verification code based on at least one of the MSK generated by successful terminal identity verification, the verification random number, and the service network identifier.
In some embodiments, the first verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
A terminal verification code;
A timestamp;
A terminal identifier.
In some embodiments, referring to Figure 11, the apparatus further includes:
The determination module 1003, configured to determine a second information verification code based on at least one of the MSK generated by successful terminal identity verification and the verification result of the service network identifier predicted by the second network element, where the verification result includes at least one of successful verification of the service network identifier and failed verification of the service network identifier;
The determination module 1003 is further configured to determine, based on the result of matching the second information verification code against the first verification response, whether to confirm the first verification response sent by the terminal.
In some embodiments, the first verification response includes a terminal verification code, and the determination module 1003 is further configured to determine the second information verification code based on at least one of the MSK generated by successful terminal identity verification, the verification random number, and the verification result of the service network identifier predicted by the second network element;
The determination module 1003 is further configured to determine that the first verification response fails when the second information verification code is the one corresponding to a predicted verification result of failure for the service network identifier, and the second information verification code is the same as the terminal verification code;
Or, to determine that the first verification response succeeds when the second information verification code is the one corresponding to a predicted verification result of success for the service network identifier, and the second information verification code is the same as the terminal verification code.
In some embodiments, the first verification response indicates that verification of the service network identifier succeeded or indicates that verification of the service network identifier failed, and the sending module 1001 is further configured to send, when it is determined that the first verification response succeeds, a fifth verification response to the first network element in response to the first verification response, where the fifth verification response indicates that the second network element confirms the first verification response sent by the terminal.
In some embodiments, the fifth verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that the second network element confirms the first verification response sent by the terminal;
A service network identifier;
A terminal identifier.
In some embodiments, the first verification response is alarm information, and the sending module 1001 is configured to send, when it is determined that the first verification response succeeds, a sixth verification response to the first network element in response to the alarm information, where the sixth verification response indicates that the second network element confirms the alarm information sent by the terminal, and the alarm information is sent when, in the NPN scenario, the service network identifier of the first verification request has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
In some embodiments, the sixth verification response includes at least one of the following:
A verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that the second network element confirms the alarm information sent by the terminal;
A service network identifier;
A terminal identifier.
In some embodiments, the sending module 1001 is further configured to send update information to the third network element, where the update information instructs the third network element to store the service network identifier used by the terminal;
The receiving module 1002 is further configured to receive an update response, where the update response indicates that the third network element confirms the update information.
In some embodiments, the update information includes at least one of the following:
A terminal identifier;
A service network identifier;
An identifier verification identifier, where the identifier verification identifier indicates that verification of the service network identifier succeeded.
In some embodiments, the third network element is a unified data management (UDM) network element.
In some embodiments, the first verification response is error information, and the sending module 1001 is further configured to send, in response to the error information, a seventh verification response to the first network element, where the seventh verification response indicates that the second network element confirms the error information sent by the terminal, and the error information is sent in response to the first verification request when the terminal cannot parse the first verification request, or is sent in response to the first verification request when the service network identifier of the first verification request has been tampered with in the NPN scenario.
In some embodiments, the first network element is an AMF network element or a SEAF network element.
In some embodiments, the second network element is an AUSF network element.
It should be noted that, when the apparatus provided by the above embodiments implements its functions, the division into the functional modules described above is used only as an example. In practical applications, the functions can be assigned to different functional modules as needed; that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; for the specific implementation process, see the method embodiments, which are not repeated here.
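The checks performed by the determination modules 703 and 1003 can be sketched as follows. This is an added example, not code from the application: HMAC-SHA-256, the field labels, the function and class names, and the sample identifiers are all assumptions, since the text only states which inputs (MSK, verification random number, service network identifier, predicted verification result) each code is determined from. It covers the success, failure and error outcomes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def derive_code(msk: bytes, nonce: bytes, label: str, value: str) -> bytes:
    """Keyed verification code over (nonce, label, value).

    Assumption: HMAC-SHA-256 with length-prefixed fields; the application does
    not name the function used to determine the verification codes.
    """
    msg = nonce
    for field in (label, value):
        raw = field.encode("utf-8")
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(msk, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class VerificationRequest:
    sn_id: str      # service network identifier
    nonce: bytes    # verification random number
    sn_code: bytes  # service network verification code


@dataclass(frozen=True)
class VerificationResponse:
    kind: str                       # "success", "failure" or "error"
    terminal_code: Optional[bytes]  # terminal verification code, None for "error"


def build_request(msk: bytes, sn_id: str) -> VerificationRequest:
    """Second network element: bind the service network identifier to the MSK."""
    nonce = os.urandom(16)
    return VerificationRequest(sn_id, nonce, derive_code(msk, nonce, "sn-id", sn_id))


def terminal_verify(msk: bytes, own_sn_id: str,
                    req: VerificationRequest) -> VerificationResponse:
    """Terminal: recompute the first information verification code, then compare IDs."""
    first_code = derive_code(msk, req.nonce, "sn-id", req.sn_id)
    if not hmac.compare_digest(first_code, req.sn_code):
        # Code mismatch: the identifier in the request was altered in transit.
        return VerificationResponse("error", None)
    result = "success" if own_sn_id == req.sn_id else "failure"
    return VerificationResponse(result, derive_code(msk, req.nonce, "result", result))


def network_check(msk: bytes, req: VerificationRequest,
                  rsp: VerificationResponse) -> str:
    """Second network element: match the terminal code against each predicted result.

    The decision rests on the keyed code, not on the unauthenticated 'kind' field.
    """
    if rsp.kind == "error" or rsp.terminal_code is None:
        return "error"
    for predicted in ("success", "failure"):
        second_code = derive_code(msk, req.nonce, "result", predicted)
        if hmac.compare_digest(second_code, rsp.terminal_code):
            return predicted
    return "rejected"  # code matches no predicted result: do not confirm


if __name__ == "__main__":
    msk = bytes(range(32))                       # constructed sample key
    req = build_request(msk, "npn-a.example")    # constructed sample identifier
    rsp = terminal_verify(msk, "npn-a.example", req)
    print(rsp.kind, network_check(msk, req, rsp))
    # A relay rewrites the identifier but cannot recompute the code.
    forged = VerificationRequest("npn-b.example", req.nonce, req.sn_code)
    print(terminal_verify(msk, "npn-b.example", forged).kind)
```

Without the keyed code, the rewritten request in the last two lines would make the terminal report success for an identifier the second network element never sent.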
Figure 12 shows a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application. The communication device includes: a processor 1201, a receiver 1202, a transmitter 1203, a memory 1204 and a bus 1205.
The processor 1201 includes one or more processing cores, and the processor 1201 executes various functional applications and information processing by running software programs and modules.
The receiver 1202 and the transmitter 1203 can be implemented as one communication component, and the communication component can be a communication chip.
The memory 1204 is connected to the processor 1201 through the bus 1205.
The memory 1204 can be used to store at least one program code, and the processor 1201 is used to execute the at least one program code to implement each step in the above method embodiments.
In addition, the communication device may be a terminal, a first network element or a second network element. The memory 1204 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, including but not limited to: a magnetic disk or optical disc, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
In an exemplary embodiment, a computer-readable storage medium is also provided. Executable program code is stored in the readable storage medium, and the executable program code is loaded and executed by a processor to implement the verification method performed by the communication device as provided by each of the above method embodiments.
In an exemplary embodiment, a chip is provided. The chip includes programmable logic circuits and/or program instructions, and when the chip runs on a terminal, a first network element or a second network element, it is used to implement the verification method provided by each of the method embodiments.
In an exemplary embodiment, a computer program product is provided. When the computer program product is executed by a processor of a terminal, a first network element or a second network element, it is used to implement the verification method provided by each of the above method embodiments.
Those of ordinary skill in the art can understand that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only optional embodiments of the present application and are not intended to limit the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall be included in the scope of protection of the present application.

Claims (58)

  1. A verification method, characterized in that the method is executed by a terminal, and the method includes:
    receiving a first verification request sent by a first network element, where the first verification request is used to verify the service network identifier of the terminal in a non-public network (NPN) scenario;
    in response to the first verification request, sending a first verification response to the first network element, where the first verification response indicates the verification result of the service network identifier.
  2. The method according to claim 1, characterized in that the first verification request includes at least one of the following:
    a verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
    an identity verification identifier, where the identity verification identifier indicates that identity verification of the terminal succeeded;
    a service network verification code;
    a verification random number;
    a timestamp;
    a service network identifier.
  3. The method according to claim 1 or 2, characterized in that the first verification response indicates that verification of the service network identifier of the terminal succeeded, and the sending, in response to the first verification request, a first verification response to the first network element includes:
    in the case where, in the NPN scenario, the service network identifier of the first verification request has not been tampered with and the service network identifier of the terminal is the same as the service network identifier included in the first verification request, sending, in response to the first verification request, the first verification response to the first network element.
  4. The method according to claim 3, characterized in that the method further includes:
    determining a key corresponding to the second network element according to the MSK generated by the current successful identity verification of the terminal and the service network identifier in the first verification request.
  5. The method according to claim 1 or 2, characterized in that the first verification response is alarm information, and the sending, in response to the first verification request, a first verification response to the first network element includes:
    in the case where, in the NPN scenario, the service network identifier of the first verification request has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request, generating the alarm information, sending, in response to the first verification request, the alarm information to the first network element, and using the service network identifier in the first verification request as the service network identifier used by the terminal.
  6. The method according to claim 3 or 5, characterized in that the first verification response includes at least one of the following:
    a verification identifier, where the verification identifier indicates that the first verification request is used to verify the service network identifier;
    a terminal verification code;
    a timestamp;
    a terminal identifier.
  7. The method according to claim 1 or 2, characterized in that the first verification response indicates that verification of the service network identifier of the terminal failed, and the sending, in response to the first verification request, a first verification response to the first network element includes:
    in the case where, in the NPN scenario, the service network identifier of the first verification request has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request, sending the first verification response to the first network element.
  8. The method according to claim 3 or 7, characterized in that the method further includes:
    receiving a second verification response sent by the first network element, where the second verification response indicates that the second network element confirms the first verification response sent by the terminal.
  9. The method according to any one of claims 3 to 8, characterized in that the method further includes:
    determining a first information verification code according to the first verification request;
    in the case where the first information verification code matches the first verification request, determining that the service network identifier of the first verification request in the NPN scenario has not been tampered with.
  10. 根据权利要求9所述的方法,其特征在于,所述第一验证请求包括服务网络验证码和服务网络标识,所述根据第一验证请求确定第一信息验证码,包括:The method according to claim 9, wherein the first verification request includes a service network verification code and a service network identification, and determining the first information verification code according to the first verification request includes:
    基于所述终端身份验证成功所产生的主共享密钥MSK、验证随机数和服务网络标识中的至少一项,确定所述第一信息验证码;Determine the first information verification code based on at least one of the master shared key MSK generated by successful terminal identity verification, a verification random number, and a service network identification;
    所述在所述第一信息验证码与所述第一验证请求匹配的情况下,确定所述NPN场景中的所述第一验证请求的服务网络标识未被篡改,包括:Determining that the service network identifier of the first verification request in the NPN scenario has not been tampered with when the first information verification code matches the first verification request includes:
    在所述第一信息验证码与所述服务网络验证码相同的情况下,确定所述NPN场景中的服务网络标识未被篡改。If the first information verification code is the same as the service network verification code, it is determined that the service network identifier in the NPN scenario has not been tampered with.
  11. 根据权利要求7所述的方法,其特征在于,所述将所述第一验证请求中的服务网络标识作为所述终端使用的服务网络标识之后,所述方法还包括:The method according to claim 7, characterized in that after using the service network identifier in the first verification request as the service network identifier used by the terminal, the method further includes:
    接收所述第一网元发送的第三验证响应,所述第三验证响应指示第二网元确认所述终端发送的所述告警信息。Receive a third verification response sent by the first network element, where the third verification response instructs the second network element to confirm the alarm information sent by the terminal.
  12. The method according to claim 1 or 2, wherein the first verification response is error information, and the sending the first verification response to the first network element in response to the first verification request comprises:
    sending, in a case where the terminal cannot parse the first verification request, the error information to the first network element in response to the first verification request.
  13. The method according to claim 1 or 2, wherein the first verification response is error information, and the sending the first verification response to the first network element in response to the first verification request comprises:
    sending, in a case where the service network identifier of the first verification request in the NPN scenario has been tampered with, the error information to the first network element in response to the first verification request.
  14. The method according to claim 13, wherein the method further comprises:
    determining a first information verification code according to the first verification request;
    determining, in a case where the first information verification code does not match the first verification request, that the service network identifier of the first verification request in the NPN scenario has been tampered with.
  15. The method according to claim 14, wherein the first verification request includes a service network verification code and a service network identifier, and the determining the first information verification code according to the first verification request comprises:
    determining the first information verification code based on at least one of a master shared key (MSK) generated upon successful identity verification of the terminal, a verification random number, and the service network identifier;
    and the determining, in a case where the first information verification code does not match the first verification request, that the service network identifier of the first verification request in the NPN scenario has been tampered with comprises:
    determining, in a case where the first information verification code is different from the service network verification code, that the first verification request in the NPN scenario has been tampered with.
  16. The method according to any one of claims 12 to 15, wherein the method further comprises:
    receiving a fourth verification response sent by the first network element, the fourth verification response indicating that a second network element confirms the error information sent by the terminal.
  17. The method according to any one of claims 1 to 16, wherein the first network element is an access and mobility management function (AMF) network element or a security anchor function (SEAF) network element.
  18. A verification method, wherein the method is performed by a first network element and comprises:
    receiving a second verification request sent by a second network element;
    sending a first verification request to a terminal, the first verification request being used to verify the service network identifier of the terminal in a non-public network (NPN) scenario, and the first verification request being determined based on the second verification request;
    receiving a first verification response, the first verification request indicating a verification result of the service network identifier;
    sending the first verification response to the second network element.
  19. The method according to claim 18, wherein the sending a first verification request to a terminal comprises:
    determining the terminal according to the second verification request;
    sending the first verification request to the terminal.
  20. The method according to claim 19, wherein the second verification request includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identity verification identifier, the identity verification identifier indicating that identity verification of the terminal succeeded;
    a service network verification code;
    a verification random number;
    a timestamp;
    a terminal identifier.
  21. The method according to claim 20, wherein the second verification request includes the terminal identifier, and the determining the terminal according to the second verification request comprises:
    determining the terminal indicated by the terminal identifier.
  22. The method according to claim 18, wherein the method further comprises:
    receiving a fifth verification response sent by the second network element;
    sending, in response to the fifth verification response, a second verification response to the terminal, the second verification response indicating that the second network element confirms the first verification response sent by the terminal.
  23. The method according to claim 22, wherein the sending, in response to the fifth verification response, a second verification response to the terminal comprises:
    determining the terminal according to the fifth verification response;
    sending the second verification response to the terminal.
  24. The method according to claim 23, wherein the fifth verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identification verification identifier, the identification verification identifier indicating that the second network element confirms the first verification response sent by the terminal;
    a service network identifier;
    a terminal identifier.
  25. The method according to claim 24, wherein the fifth verification response includes the terminal identifier, and the determining the terminal according to the fifth verification response comprises:
    determining the terminal indicated by the terminal identifier.
  26. The method according to claim 18, wherein the method further comprises:
    receiving a sixth verification response sent by the second network element;
    sending, in response to the sixth verification response, a third verification response to the terminal, the third verification response indicating that the second network element confirms alarm information sent by the terminal, the alarm information being sent in a case where the service network identifier of the first verification request in the NPN scenario has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
  27. The method according to claim 26, wherein the sending, in response to the sixth verification response, a third verification response to the terminal comprises:
    determining the terminal according to the sixth verification response;
    sending the third verification response to the terminal.
  28. The method according to claim 27, wherein the sixth verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identification verification identifier, the identification verification identifier indicating that the second network element confirms the alarm information sent by the terminal;
    a service network identifier;
    a terminal identifier.
  29. The method according to claim 28, wherein the sixth verification response includes the terminal identifier, and the determining the terminal according to the sixth verification response comprises:
    determining the terminal indicated by the terminal identifier.
  30. The method according to claim 18, wherein the method further comprises:
    receiving a seventh verification response sent by the second network element;
    sending, in response to the seventh verification response, a fourth verification response to the terminal, the fourth verification response indicating that the second network element confirms the error information sent by the terminal, the error information being sent in response to the first verification request in a case where the terminal cannot parse the first verification request, or being sent in response to the first verification request in a case where the service network identifier of the first verification request in the NPN scenario has been tampered with.
  31. The method according to claim 30, wherein the sending, in response to the seventh verification response, a fourth verification response to the terminal comprises:
    determining the terminal according to the seventh verification response;
    sending the fourth verification response to the terminal.
  32. The method according to claim 31, wherein the seventh verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identification verification identifier, the identification verification identifier indicating that the second network element confirms the error information sent by the terminal;
    a terminal identifier.
  33. The method according to claim 32, wherein the seventh verification response includes the terminal identifier, and the determining the terminal according to the seventh verification response comprises:
    determining the terminal indicated by the terminal identifier.
  34. The method according to any one of claims 18 to 33, wherein the first network element is an AMF network element or a SEAF network element.
  35. The method according to any one of claims 18 to 34, wherein the second network element is an authentication server function (AUSF) network element.
  36. A verification method, wherein the method is performed by a second network element and comprises:
    sending a second verification request to a first network element;
    receiving a first verification response sent by the first network element, the first verification response indicating a verification result of the service network identifier.
  37. The method according to claim 36, wherein the second verification request includes at least one of the following:
    a verification identifier, the verification identifier indicating that the second verification request is used to verify the service network identifier;
    an identity verification identifier, the identity verification identifier indicating that identity verification of the terminal succeeded;
    a service network verification code;
    a verification random number;
    a timestamp;
    a terminal identifier.
  38. The method according to claim 36 or 37, wherein the second verification request includes the service network verification code, and the method further comprises:
    determining the service network verification code based on at least one of a master shared key (MSK) generated upon successful identity verification of the terminal, a verification random number, and the service network identifier.
  39. The method according to claim 36 or 37, wherein the first verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    a terminal verification code;
    a timestamp;
    a terminal identifier.
  40. The method according to claim 36 or 37, wherein the method further comprises:
    determining a second information verification code based on at least one of a master shared key (MSK) generated upon successful identity verification of the terminal and a verification result of the service network identifier predicted by the second network element, the verification result including at least one of successful verification of the service network identifier and failed verification of the service network identifier;
    determining, based on a result of matching the second information verification code against the first verification response, whether to confirm the first verification response sent by the terminal.
  41. The method according to claim 40, wherein the first verification response includes a terminal verification code, and the determining a second information verification code based on at least one of the master shared key (MSK) generated upon successful identity verification of the terminal and the verification result of the service network identifier predicted by the second network element comprises:
    determining the second information verification code based on at least one of the master shared key (MSK) generated upon successful identity verification of the terminal, a verification random number, and the verification result of the service network identifier predicted by the second network element;
    and the determining, based on the result of matching the second information verification code against the first verification response, whether to confirm the first verification response sent by the terminal comprises:
    determining, in a case where the second information verification code is the one corresponding to a verification result of failure predicted by the second network element for the service network identifier and the second information verification code is the same as the terminal verification code, that the verification result of the service network identifier in the first verification response is failure;
    or determining, in a case where the second information verification code is the one corresponding to a service network verification result of success predicted by the second network element and the second information verification code is the same as the terminal verification code, that the verification result of the service network identifier in the first verification response is success.
  42. The method according to any one of claims 36 to 41, wherein the first verification response indicates that verification of the service network identifier succeeded or indicates that verification of the service network identifier failed, and the method further comprises:
    sending, in response to the first verification response, a fifth verification response to the first network element, the fifth verification response indicating that the second network element confirms the first verification response sent by the terminal.
  43. The method according to claim 42, wherein the fifth verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identification verification identifier, the identification verification identifier indicating that the second network element confirms the first verification response sent by the terminal;
    a service network identifier;
    a terminal identifier.
  44. The method according to any one of claims 36 to 41, wherein the first verification response is alarm information, and the method further comprises:
    sending, in a case where it is determined that the first verification response is successful, a sixth verification response to the first network element in response to the alarm information, the sixth verification response indicating that the second network element confirms the alarm information sent by the terminal, the alarm information being sent in a case where the service network identifier of the first verification request in the NPN scenario has not been tampered with and the service network identifier of the terminal is different from the service network identifier included in the first verification request.
  45. The method according to claim 44, wherein the sixth verification response includes at least one of the following:
    a verification identifier, the verification identifier indicating that the first verification request is used to verify the service network identifier;
    an identification verification identifier, the identification verification identifier indicating that the second network element confirms the alarm information sent by the terminal;
    a service network identifier;
    a terminal identifier.
  46. The method according to any one of claims 36 to 45, wherein the method further comprises:
    sending update information to a third network element, the update information instructing the third network element to store the service network identifier used by the terminal;
    receiving an update response, the update response indicating that the third network element confirms the update information.
  47. The method according to claim 46, wherein the update information includes at least one of the following:
    a terminal identifier;
    a service network identifier;
    an identification verification identifier, the identification verification identifier indicating that verification of the service network identifier succeeded.
  48. The method according to claim 46 or 47, wherein the third network element is a unified data management (UDM) network element.
  49. The method according to claim 36 or 37, wherein the first verification response is error information, and the method further comprises:
    sending, in response to the error information, a seventh verification response to the first network element, the seventh verification response indicating that the second network element confirms the error information sent by the terminal, the error information being sent in response to the first verification request in a case where the terminal cannot parse the first verification request, or being sent in response to the first verification request in a case where the service network identifier of the first verification request in the NPN scenario has been tampered with.
  50. The method according to any one of claims 36 to 49, wherein the first network element is an AMF network element or a SEAF network element.
  51. The method according to any one of claims 36 to 50, wherein the second network element is an AUSF network element.
  52. A verification apparatus, wherein the apparatus comprises:
    a receiving module, configured to receive a first verification request sent by a first network element, the first verification request being used to verify the service network identifier of the terminal in a non-public network (NPN) scenario;
    a sending module, configured to send, in response to the first verification request, a first verification response to the first network element, the first verification response indicating a verification result of the service network identifier.
  53. A verification apparatus, wherein the apparatus comprises:
    a receiving module, configured to receive a second verification request sent by a second network element;
    a sending module, configured to send a first verification request to a terminal, the first verification request being used to verify the service network identifier of the terminal in a non-public network (NPN) scenario, and the first verification request being determined based on the second verification request;
    the receiving module being further configured to receive a first verification response, the first verification request indicating a verification result of the service network identifier;
    the sending module being further configured to send the first verification response to the second network element.
  54. A verification apparatus, wherein the apparatus comprises:
    a sending module, configured to send a second verification request to a first network element;
    a receiving module, configured to receive a first verification response sent by the first network element, the first verification response indicating a verification result of the service network identifier.
  55. A terminal, wherein the terminal comprises:
    a processor;
    a transceiver connected to the processor;
    wherein the processor is configured to load and execute executable instructions to implement the verification method according to any one of claims 1 to 17.
  56. A first network element, wherein the first network element comprises:
    a processor;
    a transceiver connected to the processor;
    wherein the processor is configured to load and execute executable instructions to implement the verification method according to any one of claims 18 to 35.
  57. A second network element, wherein the second network element comprises:
    a processor;
    a transceiver connected to the processor;
    wherein the processor is configured to load and execute executable instructions to implement the verification method according to any one of claims 36 to 51.
  58. A computer-readable storage medium, wherein executable program code is stored in the readable storage medium, and the executable program code is loaded and executed by a processor to implement the verification method according to any one of claims 1 to 51.
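
The code comparison in claims 10 and 14-15 and the second network element's confirmation in claims 40-41, sketched as an added example that is not code from the application. The claims name no MAC algorithm, so HMAC-SHA-256, the field encoding, the `SN-REQ`/`SN-RSP` labels, every function name, and mapping a differing identifier to the result `failure` are assumptions.

```python
import hashlib
import hmac
import os

RESULTS = ("success", "failure")  # verification results named in claim 41


def mac_code(msk: bytes, label: bytes, *fields: bytes) -> bytes:
    """Assumed construction: HMAC-SHA-256 keyed with the MSK over a
    direction label and length-prefixed fields (prevents field splicing)."""
    msg = label + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(msk, msg, hashlib.sha256).digest()


def build_request(msk: bytes, sn_id: str, nonce: bytes = None) -> dict:
    """Second network element: derive the service network verification code
    from the MSK, a verification random number and the identifier (claim 38)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return {"sn_id": sn_id, "nonce": nonce,
            "sn_code": mac_code(msk, b"SN-REQ", nonce, sn_id.encode())}


def terminal_check(msk: bytes, own_sn_id: str, request) -> dict:
    """Terminal: recompute the first information verification code and
    compare it with the service network verification code in the request."""
    try:
        sn_id = request["sn_id"]
        nonce = request["nonce"]
        first_code = mac_code(msk, b"SN-REQ", nonce, sn_id.encode())
        same = hmac.compare_digest(first_code, request["sn_code"])
    except (KeyError, TypeError, AttributeError, OverflowError):
        return {"result": "error"}   # request cannot be parsed (claim 12)
    if not same:
        return {"result": "error"}   # codes differ: tampered (claims 13-15)
    # Codes equal: identifier not tampered with (claim 10). Assumption: a
    # differing identifier is reported as "failure"; claim 26 describes the
    # terminal sending alarm information in that situation.
    result = "success" if sn_id == own_sn_id else "failure"
    return {"result": result,
            "terminal_code": mac_code(msk, b"SN-RSP", nonce, result.encode())}


def ausf_confirm(msk: bytes, nonce: bytes, response: dict):
    """Second network element: compute a second information verification code
    for each predicted result and return the result whose code equals the
    terminal verification code, or None if neither does (claims 40-41)."""
    terminal_code = response.get("terminal_code")
    if not isinstance(terminal_code, bytes):
        return None
    for predicted in RESULTS:
        second_code = mac_code(msk, b"SN-RSP", nonce, predicted.encode())
        if hmac.compare_digest(second_code, terminal_code):
            return predicted
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    msk = bytes(range(32))
    req = build_request(msk, "5G:example-snpn-A")
    rsp = terminal_check(msk, "5G:example-snpn-A", req)
    print(rsp["result"], ausf_confirm(msk, req["nonce"], rsp))
    # An intermediate node rewrites the identifier but cannot recompute the code.
    rewritten = dict(req, sn_id="5G:example-snpn-B")
    print(terminal_check(msk, "5G:example-snpn-B", rewritten)["result"])
```

Because the result label is bound into the terminal verification code, a node between the terminal and the second network element cannot turn a `failure` into a `success` without the MSK.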
PCT/CN2022/101696 2022-06-27 2022-06-27 Verification method and apparatus, device, and storage medium WO2024000134A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2022/101696 WO2024000134A1 (en) 2022-06-27 2022-06-27 Verification method and apparatus, device, and storage medium
CN202280002213.0A CN117643087A (en) 2022-06-27 2022-06-27 Verification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
WO2024000134A1 true WO2024000134A1 (en) 2024-01-04
WO2024000134A9 WO2024000134A9 (en) 2024-02-22

Family

ID=89383685


Country Status (2)

Country Link
CN (1) CN117643087A (en)
WO (1) WO2024000134A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111669276A (en) * 2019-03-07 2020-09-15 华为技术有限公司 Network verification method, device and system
CN113709736A (en) * 2020-05-09 2021-11-26 华为技术有限公司 Network authentication method, device and system
WO2022092238A1 (en) * 2020-10-29 2022-05-05 Nec Corporation Method of communication apparatus, method of ue, communication apparatus, and ue

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED, NOKIA, NOKIA SHANGHAI BELL: "Security for non-public networks", 3GPP TSG SA WG3 MEETING #95, R3-191901, no. Sapporo (Japan); 20190624 - 20190628, 17 June 2019 (2019-06-17), XP051752849 *

Also Published As

Publication number Publication date
WO2024000134A9 (en) 2024-02-22
CN117643087A (en) 2024-03-01

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280002213.0

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22948257

Country of ref document: EP

Kind code of ref document: A1