WO2024050692A1 - Wireless communication method and device - Google Patents

Wireless communication method and device

Info

Publication number
WO2024050692A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
akma
aanf
parameter
network element
Application number
PCT/CN2022/117293
Other languages
English (en)
Chinese (zh)
Inventor
熊丽晖
甘露
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2022/117293
Publication of WO2024050692A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • the present application relates to the field of communication technology, and more specifically, to a wireless communication method and device.
  • the AKMA service for the user equipment may be provided by the UE's visited domain network or by the UE's home domain network; there is currently no corresponding solution for how to meet the AKMA service needs in this case.
  • This application provides a wireless communication method and device. Several aspects involved in the embodiments of this application are introduced below.
  • a wireless communication method including: a first network element sending a first message to an NRF, the first message carrying a first parameter, and the first parameter being used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and an AKMA roaming indication.
  • a wireless communication method including: an NRF receiving a first message sent by a first network element, the first message carrying a first parameter, and the first parameter being used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and an AKMA roaming indication.
  • a wireless communication method including: a first network element performing lawful-interception-related operations, where the related operations include one of the following: providing the UE's visited domain network with the security parameters required to decrypt application traffic; turning off the encryption function; and denying access to the UE.
  • a wireless communication method including: a first network element sending a first message to a second network element, the first message including a first parameter and a second parameter, the first parameter being associated with the AKMA context of the UE, and the second parameter being used to indicate the network identity of the home domain network of the UE.
  • a wireless communication method including: a second network element receiving a first message sent by a first network element, the first message including a first parameter and a second parameter, the first parameter being associated with the AKMA context of the UE, and the second parameter being used to indicate the network identity of the home domain network of the UE.
  • a wireless communication device where the device is a first network element, and the device includes: a sending unit configured to send a first message to the NRF, where the first message carries a first parameter, and the first parameter is used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and the AKMA roaming indication.
  • a wireless communication device where the device is an NRF.
  • the device includes: a receiving unit configured to receive a first message sent by a first network element, where the first message carries a first parameter, and the first parameter is used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and the AKMA roaming indication.
  • a wireless communication device is provided.
  • the device is a first network element.
  • the device includes: an execution unit configured to perform lawful-interception-related operations.
  • the related operations include one of the following: providing the UE's visited domain network with the security parameters required to decrypt application traffic; turning off the encryption function; and denying access to the UE.
  • a wireless communication device where the device is a first network element, and the device includes: a sending unit configured to send a first message to a second network element, where the first message includes a first parameter and a second parameter, the first parameter is associated with the AKMA context of the UE, and the second parameter is used to indicate the network identity of the home domain network of the UE.
  • a wireless communication device where the device is a second network element, and the device includes: a receiving unit configured to receive a first message sent by the first network element, where the first message includes a first parameter and a second parameter, the first parameter is associated with the AKMA context of the UE, and the second parameter is used to indicate the network identity of the home domain network of the UE.
  • a wireless communication device including a transceiver, a memory and a processor, where the memory is used to store a program and the processor is used to call the program in the memory to execute the method described in any one of the first to fifth aspects.
  • a twelfth aspect provides a device, including a processor, for calling a program from a memory to execute the method described in any one of the first to fifth aspects.
  • a chip including a processor for calling a program from a memory, so that a device installed with the chip executes the method described in any one of the first to fifth aspects.
  • a fourteenth aspect provides a computer-readable storage medium having a program stored thereon, the program causing a computer to execute the method described in any one of the first to fifth aspects.
  • a computer program product including a program that causes a computer to execute the method described in any one of the first to fifth aspects.
  • a sixteenth aspect provides a computer program, the computer program causing a computer to perform the method described in any one of the first to fifth aspects.
  • the NRF can be informed of the AKMA service situation of the network where the UE is located, the network where the AF is located, or the visited domain network, which helps the NRF assist the first network element in discovering and selecting the corresponding AAnF, and thus helps meet the needs of AKMA services.
  • Figure 1 is a wireless communication system applicable to embodiments of the present application.
  • Figure 2 is a schematic flow chart for registering AKMA context to AAnF.
  • Figure 3 is a schematic flow chart of a UE accessing AF.
  • Figure 4 is an architecture diagram of a UE accessing HPLMN in a home routed manner.
  • Figure 5 is an architecture diagram of a UE using local breakout to access HPLMN.
  • Figure 6 is a communication architecture diagram without AKMA enhancement.
  • Figure 7 is a schematic flow chart of an AF requesting a key from an AAnF in the home domain network.
  • Figure 8 is an architectural diagram of a UE communicating with an AF located in HPLMN.
  • Figure 9 is a communication architecture diagram using the UPF in the VPLMN as a lawful interception point.
  • Figure 10 is an architectural diagram of a UE communicating with an AF located in a VPLMN.
  • Figure 11 is a communication architecture diagram using the AF in the VPLMN as a lawful interception point.
  • Figure 12 is a schematic flow chart for registering AKMA context to vAAnF through AUSF.
  • Figure 13 is a schematic flow chart for registering AKMA context to vAAnF through hAAnF.
  • Figure 14 is another schematic flow chart for registering the AKMA context to vAAnF through hAAnF.
  • Figure 15 is another schematic flow chart for registering the AKMA context to vAAnF through hAAnF.
  • Figure 16 is a schematic flow chart of a wireless communication method provided by an embodiment of the present application.
  • Figure 17 is a schematic flow chart of another wireless communication method provided by an embodiment of the present application.
  • Figure 18 is a schematic flow chart of yet another wireless communication method provided by an embodiment of the present application.
  • Figure 19 is a schematic flow chart for AUSF to register AKMA context to hAAnF and vAAnF according to the embodiment of the present application.
  • Figure 20 is a schematic flowchart of a roaming UE accessing the AF in the VPLMN or the AF in the HPLMN provided by an embodiment of the present application.
  • Figure 21 is a schematic flowchart of hAAnF registering AKMA context to vAAnF according to an embodiment of the present application.
  • Figure 22 is a schematic flowchart of hAAnF registering the AKMA context to vAAnF under the trigger of AF provided by the embodiment of the present application.
  • Figure 23 is a schematic block diagram of a wireless communication device provided by an embodiment of the present application.
  • Figure 24 is a schematic block diagram of another wireless communication device provided by an embodiment of the present application.
  • Figure 25 is a schematic block diagram of another wireless communication device provided by an embodiment of the present application.
  • Figure 26 is a schematic block diagram of another wireless communication device provided by an embodiment of the present application.
  • Figure 27 is a schematic block diagram of another wireless communication device provided by an embodiment of the present application.
  • Figure 28 is a schematic structural diagram of another wireless communication device provided by an embodiment of the present application.
  • FIG. 1 is a wireless communication system 100 applied in the embodiment of the present application.
  • the wireless communication system 100 may include a network device 110 and a terminal device 120.
  • the network device 110 may be a device that communicates with the terminal device 120 .
  • the network device 110 may provide communication coverage for a specific geographical area and may communicate with terminal devices 120 located within the coverage area.
  • Figure 1 exemplarily shows one network device and two terminals.
  • the wireless communication system 100 may include multiple network devices, and the coverage of each network device may include other numbers of terminal devices; the embodiments of this application do not limit this.
  • the wireless communication system 100 may also include other network entities such as a network controller and a mobility management entity, which are not limited in this embodiment of the present application.
  • the terminal equipment in the embodiment of this application may also be called user equipment (UE), access terminal, user unit, user station, mobile station (MS), mobile terminal (MT), remote station, remote terminal, mobile device, user terminal, terminal, wireless communications equipment, user agent or user device.
  • the terminal device in the embodiment of the present application may be a device that provides voice and/or data connectivity to users, and may be used to connect people, things, and machines, such as handheld devices and vehicle-mounted devices with wireless connection functions.
  • the terminal device in the embodiment of the present application can be a mobile phone, a tablet computer (Pad), a notebook computer, a handheld computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • the UE may be used to act as a base station.
  • a UE may act as a scheduling entity that provides sidelink signals between UEs in V2X or D2D, etc.
  • cell phones and cars use sidelink signals to communicate with each other.
  • Cell phones and smart home devices communicate between each other without having to relay communication signals through base stations.
  • the network device in the embodiment of the present application may be a device used to communicate with a terminal device.
  • the network device may also be called an access network device or a wireless access network device.
  • the network device may be a base station.
  • the network device in the embodiment of this application may refer to a radio access network (RAN) node (or device) that connects the terminal device to the wireless network.
  • the base station can broadly cover the following names, or be replaced with the following names, such as: Node B (NodeB), evolved base station (evolved NodeB, eNB), next generation base station (next generation NodeB, gNB), relay station, access point, transmission and receiving point (TRP), transmitting point (TP), master station (MeNB), secondary station (SeNB), multi-standard radio (MSR) node, home base station, network controller, access node, wireless node, access point (AP), transmission node, transceiver node, baseband unit (BBU), remote radio unit (RRU), active antenna unit (AAU), remote radio head (RRH), central unit (CU), distributed unit (DU), positioning node, etc.
  • the base station may be a macro base station, a micro base station, a relay node, a donor node or the like, or a combination thereof.
  • a base station may also refer to a communication module, modem or chip used in the aforementioned equipment or devices.
  • the base station can also be a mobile switching center, or a device that undertakes base station functions in device-to-device (D2D), vehicle-to-everything (V2X) and machine-to-machine (M2M) communications, and in 6G networks.
  • Base stations can support networks with the same or different access technologies; the embodiments of this application do not limit the specific technology and specific equipment form used by the network equipment.
  • Base stations can be fixed or mobile.
  • a helicopter or drone may be configured to act as a mobile base station, and one or more cells may move based on the mobile base station's location.
  • a helicopter or drone may be configured to serve as a device that communicates with another base station.
  • the network device in the embodiment of this application may refer to a CU or a DU, or the network device includes a CU and a DU.
  • gNB can also include AAU.
  • Network equipment and terminal equipment can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed on aircraft, balloons and satellites in the sky. In the embodiments of this application, the scenarios in which network devices and terminal devices are located are not limited.
  • the communication device involved in this application may be a network device or a terminal device.
  • for example, the first communication device is a network device and the second communication device is a terminal device.
  • alternatively, the first communication device is a terminal device and the second communication device is a network device.
  • the first communication device and the second communication device are both network devices, or both are terminal devices.
  • the K_AF key can be used for communication between the UE and the AF, and K_AF can be used to securely protect that communication.
  • the K_AF key generation process involves multiple functional network elements, such as the access and mobility management function (AMF), authentication server function (AUSF), unified data management (UDM), AKMA anchor function (AAnF), application function (AF), etc. These functional network elements are introduced below.
  • AMF is mainly used for mobility management and access management, and can be used to implement functions of the mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication.
  • AUSF is used for authentication services, generating keys and realizing two-way authentication of the UE, and supports a unified authentication framework.
  • AUSF is mainly used for mutual authentication between the UE and the network, and to generate a security key for use in subsequent processes.
  • UDM can be used to handle UE identification, access authentication, registration, and mobility management.
  • AF is used for data routing at the application layer, access to network exposure functions, and interaction with the policy framework for policy control.
  • AAnF is used to generate the AKMA anchor key K_AKMA and the application key K_AF.
  • AAnF and the UE can generate K_AF in the same way.
  • AAnF can send the generated K_AF to the AF.
  • the AF and the UE can communicate based on the same key K_AF to ensure communication security.
  • the generation process of K_AF can be divided into two stages.
  • the first stage is to register the AKMA context to AAnF, as shown in Figure 2; the second stage is for the UE to access the AF, as shown in Figure 3. These two stages are introduced below.
  • in step S201, the UE and AUSF perform the primary authentication process.
  • primary authentication can be understood as the process in which the UE authenticates the AMF and/or AUSF, and the AUSF authenticates the UE, when the UE registers with the core network. This process is also called two-way authentication.
  • AUSF sends a UE authentication request (Nudm_UEAuthentication_Get Request) to UDM.
  • the UE authentication request may include the identification information of the UE.
  • the identification information of the UE may be one or more of a subscription permanent identifier (SUPI), a subscription concealed identifier (SUCI) and a general public subscription identifier (GPSI).
  • UDM sends a UE authentication response (Nudm_UEAuthentication_Get Response) to AUSF.
  • the UE authentication response may include an AKA authentication vector (AV).
  • the UE authentication response may also include an AKMA indication (AKMA Ind) and/or a routing indicator (RID).
  • the UDM may also indicate to the AUSF whether AKMA keys need to be generated for the UE.
  • in step S204, after completing the primary authentication, the UE and AUSF obtain the common key K_AUSF. If the AUSF receives indication information from the UDM, and the indication information indicates that the AUSF needs to generate an AKMA key for the UE, the AUSF stores K_AUSF and, after the primary authentication succeeds, generates the AKMA anchor key K_AKMA and the AKMA key identifier A-KID based on K_AUSF.
  • K_AKMA and A-KID have a corresponding relationship, and A-KID can uniquely identify its corresponding K_AKMA.
  • the UE can also use the same calculation method as AUSF to generate K_AKMA and A-KID.
  • K_AKMA is a UE-granular key, that is, each UE has its own unique K_AKMA.
  • in step S205, after AUSF generates K_AKMA and A-KID, it can send an AKMA anchor key registration request (such as Naanf_AKMA_AnchorKey_Register Request) to AAnF.
  • the AKMA anchor key registration request includes the latest key material.
  • the latest key material may include, for example, the identification information of the UE (such as SUPI), A-KID and K_AKMA.
  • AAnF stores the latest key material.
  • in step S206, AAnF sends an AKMA anchor key registration response (Naanf_AKMA_AnchorKey_Register Response) to AUSF.
  • the UE may send an application session establishment request to the AF.
  • the application session establishment request may include the A-KID.
  • AF sends an AKMA application key acquisition request (Naanf_AKMA_ApplicationKey_Get Request) to AAnF.
  • the AKMA application key acquisition request may include the A-KID and the AF identity (AF-ID).
  • the A-KID is the A-KID in the application session establishment request.
  • the AKMA application key acquisition request may also include a request for the UE's identity (UE-ID).
  • UE-ID includes one or more of SUPI, SUCI and GPSI.
  • in step S303, after receiving the AKMA application key acquisition request, AAnF can determine the corresponding K_AKMA based on the A-KID and generate the key K_AF based on K_AKMA.
  • AAnF sends an AKMA application key acquisition response to the AF.
  • the application key acquisition response may include K_AF, the validity period of K_AF (K_AF expTime), the UE-ID, etc.
  • the AKMA application key acquisition response may include the UE-ID; if the AKMA application key acquisition request in step S302 does not include a request for the UE-ID, the AKMA application key acquisition response may not include the UE-ID.
  • the AF can thus obtain the key K_AF for communicating with the UE.
  • in step S305, the AF sends an application session establishment response to the UE.
  • the UE can also generate K_AF in the same way as AAnF, that is, the way in which the UE generates K_AF based on K_AKMA is the same as the way in which AAnF generates K_AF based on K_AKMA.
  • the UE and AF can communicate using the same key K_AF.
  • for example, K_AF can serve as the transport layer security (TLS) premaster secret from which the TLS session key is derived.
  • Scenario 1: the UE is located in the home public land mobile network (HPLMN) and accesses the AF located in the HPLMN.
  • Scenario 2: the UE is located in the HPLMN and accesses the AF located in the visited public land mobile network (VPLMN).
  • the HPLMN can be called the home domain network of the UE, and the VPLMN can be called the visited domain network of the UE.
  • in AKMA roaming scenarios, several issues need to be addressed, such as: whether the UE's visited domain network needs to provide AKMA services;
  • how to register the AKMA context into the VPLMN and how the AF requests the key from the AAnF; and
  • how the VPLMN implements lawful interception, etc.
  • the relevant solutions are introduced below.
  • FIG. 4 shows the architecture diagram of a UE accessing the AF in a home routed manner.
  • Figure 5 shows an architecture diagram of a UE accessing the AF using local breakout. Since the AF is located in the HPLMN and the UE communicates with the AF through the user plane, scenario three does not require AKMA enhancement; the AF can use the AKMA service provided by the HPLMN.
  • the AF can connect to the network exposure function (NEF) in the HPLMN through the network, and the HPLMN provides AKMA services to the AF.
  • the VPLMN does not need AKMA enhancement work, which avoids as far as possible the problem of deploying AKMA among operators.
  • the AAnF in each PLMN only serves the subscribers of the current PLMN and does not serve subscribers of other PLMNs who roam to this PLMN.
  • Method 2: the AF requests the key from the AAnF in the home domain network (i.e. hAAnF).
  • in step S710, AUSF generates A-KID and K_AKMA based on K_AUSF.
  • the UE can also generate A-KID and K_AKMA based on K_AUSF.
  • the way in which the UE and AUSF obtain K_AUSF is similar to that shown in Figure 2 and will not be described again here.
  • AUSF sends an AKMA anchor key registration request (Naanf_AKMA_AnchorKey_Register Request) to hAAnF.
  • the AKMA anchor key registration request may include SUPI, A-KID, K_AKMA and the registration serving network (SN) ID.
  • the AKMA context can be updated using this registration SN ID.
  • the AKMA context may include SUPI, A-KID, K_AKMA and the registration SN ID.
  • the registration SN ID can be understood as the home domain network identification of the UE.
  • AUSF can obtain the SN name (SN-name) from the AMF's Nausf_UEAuthentication_Authenticate request.
  • in step S730, hAAnF sends an AKMA anchor key registration response to AUSF.
  • in step S740, the UE sends an application session establishment request carrying A-KID to the AF.
  • in step S750, the AF discovers the local AAnF and sends the AKMA application key acquisition request (Naanf_AKMA_ApplicationKey_Get Request) carrying A-KID and AF_ID to the AAnF.
  • the AF may send the AKMA application key acquisition request to hAAnF.
  • the AF can request the AAnF via the NEF; if the AF is located in the HPLMN, the AF can send the request directly to hAAnF.
  • hAAnF may send an AKMA application key acquisition response (Naanf_AKMA_ApplicationKey_Get Response) to the AF, and the AKMA application key acquisition response may include the registration SN ID.
  • the AF can make different decisions based on different registration SN IDs.
  • the AF can perform the following operations based on the difference between the registration SN ID and the PLMN where the AF is located (or connected):
  • the AF can discover the AAnF in VPLMN#1 (i.e. AAnF#1) via the registration SN ID and provide the encryption key to VPLMN#1.
  • AAnF#1 should store the encryption keys associated with the UE; lawful interception (LI) can use these keys if needed.
  • encryption should not be enabled, and the UE session can continue with integrity protection only.
  • the UE roams to the VPLMN.
  • the VPLMN may need to perform lawful interception on the UE.
  • Method 3 provides some solutions for lawful interception by the VPLMN.
  • FIG. 8 shows the communication architecture diagram for scenario three.
  • the UE can communicate with the AF located in the HPLMN.
  • the UE can communicate with the AF through the user plane function (UPF) in the VPLMN.
  • since the VPLMN can only inspect data transmitted between the AF and the UE through the UPF, in order to meet the lawful interception requirements of the VPLMN, the lawful interception point should be the UPF in the VPLMN (also called vUPF).
  • Figure 10 shows the communication architecture diagram for scenario four.
  • the UE can communicate with the AF located in the VPLMN.
  • the AF can be used as a lawful interception point.
  • both the UE and the AF are located in the VPLMN.
  • the related technology proposes that this can be enhanced through AKMA, with the VPLMN providing AKMA services for the UE.
  • AKMA-related keys are generated in the HPLMN; how the VPLMN obtains AKMA-related keys needs to be studied.
  • related technologies also provide some implementation methods, which can be summarized into two types: one is to register the AKMA context to vAAnF through AUSF, and the other is to register the AKMA context to vAAnF through hAAnF. These implementation methods are introduced below.
  • steps S1210 to S1230 are similar to steps S202 to S204 in FIG. 2 and will not be described again here for the sake of brevity.
  • AUSF identifies whether the UE is in a roaming state based on the SN-name previously received during the initial authentication process. If the UE is in the HPLMN, steps S1240 and S1250 are performed; steps S1240 and S1250 are consistent with steps S205 and S206 in FIG. 2, respectively.
  • otherwise, the AUSF can select the AAnF in the VPLMN and register the AKMA key to the vAAnF.
  • AUSF sends an AKMA anchor key registration request (Naanf_AKMA_AnchorKey_Register Request) to vAAnF.
  • the AKMA anchor key registration request may include SUPI, A-KID and K_AKMA.
  • vAAnF sends an AKMA anchor key registration response (Naanf_AKMA_AnchorKey_Register Response) to AUSF.
  • in this way, AUSF can register the AKMA key to vAAnF.
  • in this method, after the AF requests hAAnF, hAAnF registers the AKMA context to vAAnF.
  • in step S1310, after the initial authentication and K_AKMA establishment are completed, the UE sends an application session establishment request (Application Session Establishment Request) to the AF.
  • the application session establishment request may include the A-KID.
  • in step S1320, the AF sends an AKMA application key acquisition request (Naanf_AKMA_ApplicationKey_Get Request) to hAAnF.
  • the AKMA application key acquisition request includes A-KID and AF_ID.
  • hAAnF may generate K_AF based on K_AKMA.
  • hAAnF sends an AKMA application key provisioning request (Naanf_AKMA_ApplicationKey_Provisioning Request) to vAAnF.
  • the AKMA application key provisioning request may include A-KID, AF_ID, SUPI, K_AF and the validity period of K_AF.
  • in step S1350, vAAnF sends an AKMA application key provisioning response (Naanf_AKMA_ApplicationKey_Provisioning Response) to hAAnF.
  • in step S1360, hAAnF sends an AKMA application key acquisition response (Naanf_AKMA_ApplicationKey_Get Response) to the AF.
  • the AKMA application key acquisition response includes K_AF and the validity period of K_AF.
  • in step S1370, the AF sends an application session establishment response (Application Session Establishment Response) to the UE.
  • in this way, hAAnF provides information related to K_AF to vAAnF after generating the AKMA context.
  • in another method, after vAAnF requests hAAnF, hAAnF registers the AKMA context to vAAnF.
  • in this method, after the AF sends a request to vAAnF, vAAnF requests hAAnF to obtain the AKMA key.
  • the process is introduced below.
  • In step S1410a, the UE performs initial authentication.
  • In step S1410b, the UDM determines whether AKMA is supported in the VPLMN according to configuration or subscription data.
  • UDM provides an AKMA indication (AKMA Ind) to the AUSF.
  • the AKMA indication is used to indicate whether an AKMA key needs to be generated for the UE.
  • UDM can also provide AKMA roaming indication (AKMA roaming Ind) for AUSF, specifying whether the generated AKMA key can be provided to VPLMN. Whether it can be provided to VPLMN depends on the operator agreement and/or whether AKMA is supported in the VPLMN.
  • In step S1420, AUSF generates K_AKMA and A-KID.
  • the UE can also generate K_AKMA and A-KID.
  • AUSF can select an AAnF to serve the UE and register the AKMA key (such as SUPI, K_AKMA and A-KID) in hAAnF.
  • AUSF provides hAAnF with AKMA roaming instructions.
  • AUSF may determine the AKMA roaming indication according to the indication from UDM and/or the local policy in step S1410b.
  • AUSF can also provide access network information to hAAnF.
  • In step S1430, the UE communicates with the AF through the Ua* interface according to the application requirements.
  • the UE may choose to provide access network information (such as serving PLMN ID) to the AF together with the A-KID.
  • the AF may send a request to vAAnF (directly or through NEF) to provide K AF based on local configuration and/or access network information present in the UE request.
  • the request may include AF-Identity (eg, fully qualified domain name (FQDN)) and A-KID.
  • In step S1450, vAAnF discovers hAAnF by querying the network registration function (NRF) based on the information contained in the A-KID (Routing ID, home domain network information).
  • vAAnF requires hAAnF to provide AKMA key material.
  • the request can be sent utilizing new or existing services exposed by hAAnF.
  • the request may include the following information: whether the request is for K_AKMA or K_AF; the A-KID provided by the AF to the UE; if the request is for K_AF, the AF-Identity (such as FQDN) provided by the AF; if the request is for K_AKMA, optionally a callback uniform resource locator (URL) specifying the notification endpoint to which a notification should be sent when a new K_AKMA is generated.
  • In step S1470, hAAnF sends an AKMA key response to vAAnF.
  • the AKMA key response includes AKMA key related information.
  • hAAnF can either provide K_AKMA key material to vAAnF, based on the received request, local policy or the AKMA roaming indication provided by UDM, or generate K_AF key material based on K_AKMA and the AF-Identity (such as FQDN) and provide K_AF and the expiry date of K_AF to vAAnF.
  • hAAnF may send the updated key information to vAAnF after updating the AKMA key related information.
  • vAAnF sends a K_AF response to the AF. If vAAnF receives K_AF and the validity period of K_AF, vAAnF provides K_AF and the validity period of K_AF to the AF. If vAAnF receives K_AKMA, vAAnF can generate K_AF key material based on K_AKMA and the AF-Identity (such as FQDN) and provide K_AF and the validity period of K_AF to the AF.
  • This method is to directly register the AKMA context to vAAnF after hAAnF receives the AKMA context sent by AUSF.
  • In step S1510a, the UE registers with the network and performs the initial authentication specified in TS 33.501.
  • In step S1510b, during authentication, the UDM provides an AKMA indication (AKMA Ind) to the AUSF, which is used to specify whether an AKMA key needs to be generated for the UE.
  • UDM can also provide AKMA roaming instructions for AUSF to specify whether the generated AKMA key can be propagated to VPLMN. Whether it can be propagated to the VPLMN depends on the operator agreement and/or whether AKMA is supported in the VPLMN.
  • In step S1520, AUSF generates K_AKMA and A-KID. Correspondingly, the UE also generates K_AKMA and A-KID. AUSF selects hAAnF to provide services for the UE, and registers SUPI, K_AKMA and A-KID in hAAnF. In addition, AUSF can also provide the AKMA roaming indication to hAAnF.
  • the AKMA roaming indication may be the AKMA roaming indication sent by the UDM to the AUSF in step S1510b, or the AKMA roaming indication may be determined by the AUSF according to the local policy.
  • AUSF can also provide access network information to hAAnF.
  • the visited network can be understood as the network where the UE is located, or the network where the UE is currently located, or the UE's serving network, or the UE's visited domain network.
  • In step S1530, hAAnF sends a vAAnF discovery request (vAAnF selection) to the NRF, requesting the address of vAAnF.
  • the vAAnF discovery request may include the access network information from step S1520.
  • hAAnF can send an AKMA context push message (AKMA context push) to vAAnF.
  • the AKMA context push message may include SUPI, A-KID and K_AKMA.
  • hAAnF can send an AKMA context push message to vAAnF to push SUPI, A-KID and K_AKMA.
  • vAAnF can respond to this message and provide redirection information to hAAnF.
  • In step S1550a, the UE communicates with the AF through the Ua* interface.
  • the UE sends an application session establishment request to the AF, and the application session establishment request may include the A-KID.
  • In step S1550b, the AF sends a key request message (K_AF Request) to hAAnF.
  • AF can directly send a key request message to hAAnF, or AF can send a key request message to hAAnF through NEF.
  • the request message may include AF-Identity (eg FQDN) and A-KID.
  • hAAnF may use the redirection information received in step S1540 to redirect the AF's request to vAAnF.
  • the redirection mechanism here can use existing redirection mechanisms (such as hypertext transfer protocol (http) redirection mechanism).
  • vAAnF generates K_AF and provides K_AF and the validity period of K_AF to the AF.
  • vAAnF providing K_AF and the validity period of K_AF to the AF may mean that vAAnF provides them to the AF directly, or that vAAnF provides them to the AF through hAAnF.
  • After receiving K_AF, the AF can establish an application session with the UE.
  • the network that provides AKMA services to the UE can be HPLMN or VPLMN.
  • AF can request an application key from hAAnF in HPLMN or vAAnF in VPLMN.
  • If the AF uses the existing method to request the address of the AAnF from the NRF, that is, the AF sends the A-KID to the NRF, then, since the A-KID only includes information about the UE's home domain network, the NRF can only address hAAnF through the A-KID; vAAnF cannot be addressed, causing service interruption.
  • For another example, after the AKMA enhancement solution is introduced, network elements in HPLMN (such as AUSF or hAAnF) need to register the AKMA context with vAAnF. However, there is currently no clear solution for how network elements in HPLMN discover and select vAAnF.
  • embodiments of the present application provide a wireless communication method that helps VPLMN provide AKMA services for UEs.
  • It helps network elements in HPLMN discover and select vAAnFs, and helps AFs discover and select the corresponding AAnF, so as to avoid service interruption.
  • the solution of the embodiment of the present application will be introduced in detail below with reference to Figure 16 .
  • the first network element may be an AF.
  • the AF may be located in the UE's visited domain network, or the AF may be located in the UE's home domain network.
  • the UE communicating with the AF may be in a roaming state, that is, the UE may be located in a VPLMN, or the UE may be located in an HPLMN.
  • the first network element may be a network element in HPLMN.
  • the first network element may be AUSF, hAAnF, etc.
  • In step S1610, the first network element sends the first message to the NRF.
  • the first message may carry a first parameter, and the first parameter may be used to indicate one or more of the following information: a network identifier of the network where the AF is located, a network identifier of the network where the UE is located, and an AKMA roaming indication.
  • the AKMA roaming indication may be used to indicate one or more of the following information: whether the UE can use the AKMA service in the VPLMN, or whether the VPLMN supports the AKMA service.
  • the first network element may be an AF
  • the first parameter may be used to indicate one or more of the following information: a network identifier of the network where the AF is located and a network identifier of the network where the UE is located.
  • the first parameter may be used to indicate the network identifier of the network where the AF is located.
  • the first parameter may be used to indicate the network identity of the network where the UE is located.
  • the first parameter may be used to indicate the network identifier of the network where the AF is located and the network identifier of the network where the UE is located.
  • the first network element is the AF
  • the first parameter can be used to indicate one or more of the following information: the network identifier of the network where the AF is located, the network identifier of the network where the UE is located, and the AKMA roaming indication.
  • the first network element may be AUSF or hAAnF, and the first parameter may be used to indicate one or more of the following information: the network identifier of the UE's visited domain network, and the AKMA roaming indication.
  • the first parameter may be used to indicate the network identification of the visited domain network of the UE.
  • the first parameter may be used to indicate the AKMA roaming indication, or the first parameter may include the AKMA roaming indication.
  • the first parameter may be used to indicate the network identifier of the visited domain network of the UE and the AKMA roaming indication.
  • the first parameter may be used to indicate the AKMA roaming indication.
  • the first parameter may include a network identification.
  • the first parameter may include the network identifier of the network where the AF is located and/or the network identifier of the network where the UE is located.
  • the first parameter may also indicate the network identity through other indirect methods.
  • the network identifier of the network where AF is located can be AF_LOCATION_IND.
  • the network identifier of the network where the UE is located can be the VPLMN ID and/or SN Id (ie Serving Network Identifier).
  • the network where the AF is located may be the UE's home domain network or the UE's visited domain network. If the network where the AF is located is the home domain network of the UE, the first parameter may be used to indicate the network identifier of the home domain network of the UE. If the network where the AF is located is the visited domain network of the UE, the first parameter may be used to indicate the network identifier of the visited domain network of the UE.
  • the network where the UE is located may be the home domain network of the UE or the visited domain network of the UE. If the network where the UE is located is the home domain network of the UE, the first parameter may be used to indicate the network identifier of the home domain network of the UE. If the network where the UE is located is the visited domain network of the UE, the first parameter may be used to indicate the network identifier of the visited domain network of the UE.
  • the embodiment of this application does not specifically limit the way in which the AF obtains the network identifier of the network where the UE is located.
  • the network identifier of the network where the UE is located may be sent by the UE to the AF.
  • the network identifier of the network where the UE is located can be carried in the application session establishment request message. That is to say, the UE may send an application session establishment request message to the AF, and the application session establishment request message may include the network identifier of the network where the UE is located.
  • the AF may determine the network identity of the network where the UE is located based on the user plane connection with the UE.
  • the networks where the UE and the AF are located may be the same or different, which is not specifically limited in the embodiments of this application.
  • the UE is located in the VPLMN and the AF is located in the HPLMN.
  • the UE is located in the VPLMN and the AF is located in the VPLMN.
  • the UE is located in the HPLMN and the AF is located in the HPLMN.
  • the UE is located in the HPLMN and the AF is located in the VPLMN.
  • the NRF may return the address of the corresponding AAnF (or AAnF instance) to the first network element.
  • the address of AAnF may include, for example, the Internet protocol (IP) address and/or FQDN of AAnF.
  • the following takes the first network element as AF as an example to describe the solution of the embodiment of the present application.
  • the NRF may return the address of the AAnF in the network where the AF is located to the AF. For example, if the network where the AF is located is the home domain network of the UE, the NRF may send a response message to the first message to the AF, where the response message carries the address of the AAnF in the home domain network of the UE. For another example, if the network where the AF is located is the visited domain network of the UE, the NRF may send a response message to the first message to the AF, and the response message may include the address of the AAnF in the visited domain network of the UE.
  • the NRF may return the address of the AAnF in the network where the UE is located to the AF. For example, if the network where the UE is located is the home domain network, the NRF may send a response message to the first message to the AF, where the response message carries the address of the AAnF in the home domain network. For another example, if the network where the UE is located is the visited domain network of the UE, the NRF may send a response message to the first message to the AF, and the response message may include the address of the AAnF in the visited domain network of the UE.
  • the NRF may send a response message to the first message to the AF, and the response message may include a link in the home domain network.
  • the address of AAnF may be used to determine whether the AF is located in the UE's visited domain network, but the UE's visited domain network does not support the AKMA service.
  • the first parameter may also be used to indicate the home domain network identity of the UE. That is to say, the first parameter may be used to indicate the network identity of the network where the AF is located, the visited domain network identity of the UE, and the home domain network identity of the UE.
  • the home domain network identity of the UE may be indicated by A-KID.
  • the first parameter may include A-KID.
  • the NRF may determine whether the AF is located in the home domain network based on the network identifier of the UE's home domain network and the network identifier of the network where the AF is located. If the network identifier of the UE's home domain network is consistent with the network identifier of the network where the AF is located, it means that the AF is located in the home domain network. If the network identifier of the UE's home domain network is inconsistent with the network identifier of the network where the AF is located, it means that the AF is located in the UE's visited domain network.
  • the NRF may return the address of the AAnF in the home domain network to the AF. If the AF is located in the UE's visited domain network, the NRF may return the address of the AAnF in the UE's visited domain network to the AF.
  • the AAnF in the home domain network will also be called hAAnF in the following, and the AAnF in the UE's visited domain network will be called vAAnF.
  • the AF can send a key acquisition request to hAAnF to obtain the AKMA related key.
  • hAAnF can send the AKMA related key to AF.
  • the AKMA related key may include one or more of the following: K_AF and the validity period of K_AF.
  • the AF can send a key acquisition request to vAAnF to obtain the AKMA related key.
  • vAAnF can send the AKMA related key to the AF.
  • the AKMA related key may include one or more of the following: K_AF and the validity period of K_AF.
  • the following takes the first network element as AUSF or hAAnF as an example to introduce the solution of the embodiment of the present application.
  • the NRF may send the address of the vAAnF to the first network element.
  • the NRF may determine whether the VPLMN supports the AKMA service according to the AKMA roaming indication. If the AKMA roaming indication indicates that the VPLMN supports the AKMA service, the NRF can send the vAAnF address to the first network element, that is, the response message carries the vAAnF address.
  • the first network element can register the AKMA context into vAAnF.
  • the AKMA context may include one or more of the following information: UE identity, A-KID, K_AKMA.
  • the AKMA context may include one or more of the following information: the identity of the UE, the A-KID, the AKMA key, the identity of the AF, K_AF, and the validity period of K_AF.
  • the identity of the UE may include SUPI and/or GPSI.
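The AAnF discovery logic described above (NRF returning hAAnF or vAAnF depending on the first parameter), as an added illustration that is not the patent's own text or any 3GPP implementation. PLMN identifiers, AAnF addresses and the A-KID realm layout are constructed for the example.

```python
# Added example (not from the patent): a toy NRF applying the AAnF selection
# rules of the description to a "first parameter" carried in the discovery
# request. PLMN IDs, addresses and the A-KID layout are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class FirstParameter:
    a_kid: Optional[str] = None              # indirectly carries the UE's home PLMN
    af_plmn: Optional[str] = None            # network identifier of the AF's network
    ue_plmn: Optional[str] = None            # VPLMN ID / SN Id of the UE's network
    akma_roaming_ind: Optional[bool] = None  # True: VPLMN supports / UE may use AKMA


def home_plmn_from_a_kid(a_kid: str) -> str:
    """Assumed (constructed) A-KID layout: '<RID><A-TID>@<home-PLMN realm>'.
    Only the realm after '@' is used: it identifies the home domain network."""
    _, realm = a_kid.split("@", 1)
    return realm


@dataclass
class NRF:
    # PLMN ID -> AAnF address (FQDN); a PLMN with no entry offers no AKMA service
    aanf_by_plmn: Dict[str, str] = field(default_factory=dict)

    def discover_for_af(self, p: FirstParameter) -> Dict[str, str]:
        """AF as first network element: return the AAnF of the network the AF
        (or, failing that, the UE) sits in, falling back to the home AAnF."""
        if p.a_kid is None:
            raise ValueError("A-KID needed to locate the home domain network")
        home = home_plmn_from_a_kid(p.a_kid)
        haanf = self.aanf_by_plmn[home]          # home domain always has an AAnF
        target = p.af_plmn or p.ue_plmn
        if target is None or target == home:
            return {"aanf": haanf, "role": "hAAnF"}
        vaanf = self.aanf_by_plmn.get(target)
        if vaanf is None:
            # AF/UE is in a visited domain whose VPLMN does not support AKMA:
            # answer with the home-domain AAnF link instead
            return {"aanf": haanf, "role": "hAAnF"}
        return {"aanf": vaanf, "role": "vAAnF"}

    def discover_for_home_nf(self, p: FirstParameter) -> Optional[str]:
        """AUSF/hAAnF as first network element: hand out the vAAnF address only
        when the AKMA roaming indication says the VPLMN supports AKMA."""
        if not p.akma_roaming_ind or p.ue_plmn is None:
            return None
        return self.aanf_by_plmn.get(p.ue_plmn)


if __name__ == "__main__":
    nrf = NRF({"208-01": "aanf.home.example", "234-15": "aanf.visited.example"})
    a_kid = "rid01-atid7@208-01"               # constructed A-KID, home PLMN 208-01
    print(nrf.discover_for_af(FirstParameter(a_kid=a_kid, af_plmn="234-15")))
    print(nrf.discover_for_home_nf(FirstParameter(ue_plmn="234-15", akma_roaming_ind=True)))
```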
  • the visited domain network needs to perform lawful interception of the UE for information security.
  • embodiments of the present application provide a wireless communication method that satisfies the lawful interception requirements of the visited domain network by formulating relevant operation policies for the first network element to perform lawful interception.
  • the solution of the embodiment of the present application will be described in detail below with reference to FIG. 17 .
  • the first network element may be a network element located in the visited domain network of the UE.
  • the first network element may be UPF, AF, session management function (SMF), AAnF, etc. in the visited domain network of the UE. Since the first network element is located in the visited domain network of the UE, the first network element can perform operations related to lawful interception.
  • the first network element may be AF. Since the AF is a network element that communicates with the UE, and the AF includes security parameters for encrypting and/or decrypting application traffic, the AF can also perform operations related to lawful interception.
  • the first network element may be an execution point for lawful interception.
  • the execution point of legal interception can be determined based on the network where the AF that the UE accesses is located. For example, if the UE accesses the AF in the visited domain network, the AF can be used as the execution point for legal interception, that is, the first network element is the AF. If the UE accesses the AF in the home network, the UPF in the visited network can be used as the execution point for legal interception, that is, the first network element is the UPF in the visited network (hereinafter sometimes also referred to as vUPF).
  • the execution point of lawful interception can be determined based on the network where the AF is located and whether the AF is located within the operator. For example, if the UE accesses the AF in the visited domain network and the AF is located inside the operator's network, the AF can be used as the execution point for legal interception, that is, the first network element is the AF. If the UE accesses the AF in the home domain network, or the AF is located outside the operator's network, the UPF in the visited domain network can be used as the execution point for legal interception, that is, the first network element is the UPF in the visited domain network.
  • In step S1710, the first network element performs operations related to lawful interception.
  • the related operations may include one or more of the following: providing the UE's visited domain network with security parameters required to decrypt application traffic; turning off the encryption function; and denying access to the UE.
  • related operations include providing the UE's visited domain network with security parameters required to decrypt the application traffic.
  • the security parameters may include one or more of the following: K_AF, the TLS session key, security parameters of the Ua* protocol, etc.
  • the security parameters of the Ua* protocol may include, for example, one or more of the following: additional cryptographic keys, the selected protocols/cipher-suites/cryptographic algorithms, cryptographic parameters for key derivation (e.g., nonces), and other cryptographic state information (e.g., counters).
  • the AF may directly provide security parameters to the UE's visited domain network. If the first network element is the AF in the UE's home domain network, the AF may provide security parameters to the UPF in the UE's visited domain network. If the first network element is a UPF in the UE's visited domain network, the UPF can obtain the security parameters from the AF and provide the security parameters to the UE's visited domain network.
  • related operations may include turning off encryption functionality.
  • Turning off the encryption function can be understood as not encrypting the communication data between the UE and the AF. Since the communication data is not encrypted, the UE's visited domain network can directly obtain the communication data between the UE and the AF, thereby achieving legal monitoring of the UE.
  • the AF may not encrypt the communication data.
  • AF may perform integrity protection only on communication data.
  • related operations may include denying access to the UE.
  • By denying access to the UE, the UE is unable to communicate in the visited domain network, thereby ensuring information security.
  • In order to obtain application services, the UE needs to first establish a session connection with the AF, that is, access the AF.
  • the AF can deny the UE access.
  • the AAnF may send indication information to the AF, and the indication information may be used to indicate the network identity of the UE's home domain network.
  • the AAnF may be the AAnF in the UE's home domain network or the AAnF in the UE's visited domain network.
  • the AF may determine whether the UE is in the roaming state based on the indication information. For example, if the network identifier of the network where the UE is located is inconsistent with the network identifier of the home domain network, it means that the UE is in a roaming state and the UE is located in the visited domain network. If the network identifier of the network where the UE is located is consistent with the network identifier of the home domain network, it means that the UE is in the home domain network.
  • the AF may determine whether it is in the home domain network based on the indication information. For example, the AF may determine whether the AF is in the home domain network based on the network identifier of the UE's home domain network and the network identifier of the network where the AF is located. If the network identifier of the network where the AF is located is consistent with the network identifier of the home domain network, it means that the AF is in the home domain network. If the network identifier of the network where the AF is located is inconsistent with the network identifier of the home domain network, it means that the AF is in the visited domain network of the UE.
  • the legal interception strategies implemented by AF will be different depending on the network where AF is located. For example, if the AF is located in the home domain network, the AF can provide the vUPF with security parameters to decrypt the application traffic.
  • the AF can perform one of the following operations: provide the UE's visited domain network with security parameters for decrypting application traffic, turn off the encryption function, or deny the UE access.
  • the AF can provide the UE's visited domain network with security parameters for decrypting application traffic.
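The lawful interception execution point selection and the AF's roaming and home-network checks described above, as an added illustration that is not the patent's own text. The indication information carried from the AAnF to the AF, the PLMN identifiers and the action labels are constructed.

```python
# Added example (not from the patent): execution-point selection and the AF's
# per-roaming-case decision, as plain functions. PLMN IDs and labels are
# constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Indication:
    """Indication information the AAnF sends to the AF: the UE's home PLMN."""
    ue_home_plmn: str


@dataclass
class SecurityParameters:
    """Parameters needed to decrypt application traffic (K_AF, TLS session key)."""
    k_af: bytes
    k_af_expiry: int
    tls_session_key: Optional[bytes] = None


def ue_is_roaming(ind: Indication, ue_serving_plmn: str) -> bool:
    # UE is roaming when its serving network differs from its home network
    return ue_serving_plmn != ind.ue_home_plmn


def af_in_home_network(ind: Indication, af_plmn: str) -> bool:
    return af_plmn == ind.ue_home_plmn


def li_execution_point(ind: Indication, af_plmn: str, af_inside_operator: bool) -> str:
    """'AF' only when the AF is in the UE's visited domain network and inside
    the operator's network; otherwise the UPF of the visited network (vUPF)."""
    if not af_in_home_network(ind, af_plmn) and af_inside_operator:
        return "AF"
    return "vUPF"


def af_li_operation(ind: Indication, af_plmn: str, ue_serving_plmn: str,
                    params: SecurityParameters,
                    policy: str = "provide_security_parameters") -> dict:
    """What the AF does for a UE. `policy` picks among the three operations
    the description lists when the AF itself is the execution point."""
    if not ue_is_roaming(ind, ue_serving_plmn):
        # UE is in its home network: no visited-domain interception applies
        return {"action": None, "session_allowed": True}
    if af_in_home_network(ind, af_plmn):
        # AF in HPLMN: the vUPF is the execution point and needs the parameters
        return {"action": "provide_security_parameters",
                "recipient": "vUPF@" + ue_serving_plmn,
                "params": params, "session_allowed": True}
    if policy == "provide_security_parameters":
        return {"action": policy, "recipient": "VPLMN@" + ue_serving_plmn,
                "params": params, "session_allowed": True}
    if policy == "disable_encryption":
        # traffic stays integrity-protected but is not encrypted
        return {"action": policy, "encrypt": False, "integrity_only": True,
                "session_allowed": True}
    if policy == "deny_access":
        return {"action": policy, "session_allowed": False}
    raise ValueError("unknown lawful interception policy: " + policy)
```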
  • the solutions in the embodiments of this application can be applied to scenarios where the visited domain network can provide AKMA services, and can also be applied to scenarios where the visited domain network cannot provide AKMA services. In other words, regardless of whether the visited domain network can provide AKMA services, the lawful interception solution described above can be used.
  • vAAnF in the visited domain network can also provide support for lawful interception.
  • HPLMN can register the AKMA context to vAAnF, therefore, vAAnF can also obtain the AKMA context.
  • vAAnF can provide LI_X2 intercept related information (xIRI) key management events, including key generation, change, deletion, and provision of the LI encryption key itself, namely K_AKMA and K_AF.
  • vAAnF may provide AKMA context as well as xIRI key management events to vUPF.
  • AKMA context can also be called AKMA security context.
  • the AKMA context may include one or more of the following information: UE identity, A-KID, K_AKMA.
  • the AKMA context may include one or more of the following information: the identity of the UE, the A-KID, the AKMA key, the identity of the AF, K_AF, and the validity period of K_AF.
  • the identity of the UE may include SUPI and/or GPSI.
  • embodiments of the present application provide a solution regarding how to indicate the network identity of the UE's home domain network.
  • In step S1810, the first network element sends the first message to the second network element.
  • the first message may include a first parameter and a second parameter, the first parameter is associated with the AKMA context of the UE, and the second parameter may be used to indicate the network identity of the UE's home domain network.
  • the first network element may, while sending the parameters associated with the AKMA context to the second network element, indicate to the second network element the network identity of the UE's home domain network, which may enable the second network element to obtain the UE
  • the network identifier of the home domain network may be used by the subsequent AF to determine whether the UE is in a roaming state and/or used to determine whether the AF is located in the home domain network.
  • the first parameter may include AKMA context.
  • the first parameter may include one or more of the following: UE identification, A-KID, and AKMA key (such as K_AKMA).
  • the first parameter may also include other information.
  • the first parameter may include one or more of the following information: the identity of the UE, the A-KID, the AKMA key, the identity of the AF, K_AF, and the validity period of K_AF.
  • the information included in the first parameter may be different, which will be introduced in detail below.
  • the identity of the UE may include an internal identity of the UE and/or an external identity of the UE.
  • the internal identification of the UE may include SUPI, for example.
  • the external identity of the UE may include GPSI, for example.
  • the second parameter may include the home domain network identification of the UE.
  • the first parameter may include the HPLMN ID and/or the registration SN ID.
  • the second parameter may indicate the home domain network identity of the UE in an indirect manner.
  • the second parameter may include A-KID.
  • the embodiment of this application does not specifically limit the network where the first network element and the second network element are located.
  • the first network element may be located in the home domain network
  • the second network element may be located in the visited domain network of the UE.
  • the first network element and the second network element are both located in the visited domain network of the UE.
  • the first network element is located in the visited domain network of the UE
  • the second network element is located in the home domain network of the UE.
  • the following is an example of the first network element and the second network element.
  • the first network element may be the AUSF, and the second network element may be the AAnF in the visited domain network of the UE.
  • the first network element may be the AAnF in the home domain network
  • the second network element may be the AAnF in the UE's visited domain network.
  • the first network element may be AAnF
  • the second network element may be AF.
  • the AAnF can be the AAnF in the UE's home domain network or the AAnF in the UE's visited domain network; the AF can be located in the UE's home domain network or in the UE's visited domain network. The embodiment of this application does not specifically limit this.
  • the information included in the first parameter may be different.
  • the information included in the first parameter is illustrated below with examples for different situations.
  • the first parameter may include one or more of the following: SUPI, A-KID, AKMA key, etc.
  • the first message may be an AKMA key registration request.
  • the AUSF may indicate the network identity of the home domain network to hAAnF during the process of registering the AKMA key (or AKMA context) to hAAnF.
  • the first parameter may include one or more of the following: SUPI, A-KID, AKMA keys, etc.
  • the first message may be an AKMA context push request (Naanf_AKMA_Context_Push Request).
  • hAAnF may indicate the network identification of the home domain network to vAAnF.
  • the first parameter may include one or more of the following: K_AF, the validity period of K_AF, SUPI, etc.
  • the first message may be an AKMA application key acquisition response.
  • the AAnF may indicate the network identification of the home domain network to the AF. If the AAnF is a vAAnF in the UE's visited domain network, the network identifier of the home domain network can be sent to vAAnF by hAAnF or sent to vAAnF by AUSF.
  • Example 1: AUSF's solution for registering the AKMA context to hAAnF and vAAnF
  • This example may include the following three processes: 1. AUSF registers the AKMA context to hAAnF and vAAnF; 2. the UE accesses the AF; 3. lawful interception by the visited domain network.
  • Figure 19 shows a schematic flow chart of AUSF registering AKMA context to hAAnF and vAAnF.
  • AUSF sends a UE authentication acquisition request (Nudm_UEAuthentication_Get Request) to UDM.
  • the UE authentication acquisition request may include SUPI and/or SUCI.
  • UDM sends a UE authentication acquisition response (Nudm_UEAuthentication_Get Response) to AUSF.
  • the UE authentication acquisition response may include one or more of the following information: AV, AKMA indication, RID, AKMA roaming indication (AKMA roaming Ind).
  • the AKMA indication is used to indicate whether an AKMA key needs to be generated for the UE.
  • the AKMA roaming indication is used to indicate whether the AKMA context can be provided to the UE's visited domain network.
  • the UDM can send an AKMA roaming indication to the AUSF when the UE is located in the visited domain network.
  • UDM can determine whether the UE is located in the visited domain network based on the network identifier of the network where the UE is located (such as SN-name) and the network identifier of the UE's home domain network.
  • the network identity of the network where the UE is located may be obtained during the authentication process.
  • the network identity of the UE's home domain network can be obtained from the AKMA subscription corresponding to SUPI.
  • the AKMA roaming indication can be determined based on one or more of the following: whether the home domain network and the visited domain network have reached an agreement, whether a roaming UE may use the AKMA service of the visited domain network, whether the visited domain network provides AKMA services, the lawful interception requirements of the visited domain network, etc.
  • In step S1906, the AUSF generates K_AKMA and A-KID based on K_AUSF. Similarly, the UE can also generate K_AKMA and A-KID based on K_AUSF.
  • the AUSF may determine whether the UE is in roaming state.
  • the AUSF may determine whether the UE is in a roaming state based on the first information.
  • the first information may include one or more of the following information: AKMA roaming indication, network identification of the UE serving network.
  • the network identity of the UE serving network may be obtained by the AUSF during the initial authentication process.
  • the AKMA roaming indication may carry the network identifier of the UE's serving network, or the AKMA roaming indication may carry indication information indicating whether the UE is in a roaming state.
  • the AUSF registers the AKMA context to hAAnF.
  • AUSF may perform step S1908 and step S1910.
  • the AUSF may determine whether to register the AKMA context to the vAAnF based on the second information.
  • the second information may include one or more of the following information: local configuration, service level agreement (service level agreement, SLA), and AKMA roaming indication. If it is determined that the AKMA context is to be registered to vAAnF, steps S1912 to S1918 may be performed.
  • the AUSF can register the AKMA context to hAAnF regardless of whether the UE is in roaming state. That is, AUSF can register the AKMA context to hAAnF and vAAnF.
  • AUSF sends an AKMA anchor key registration request (Naanf_AKMA_AnchorKey_Register Request) to hAAnF.
  • the AKMA anchor key registration request includes one or more of the following information: SUPI, A-KID, K_AKMA.
  • AUSF can register the AKMA context to hAAnF.
  • step S1910 hAAnF sends an AKMA anchor key registration response (Naanf_AKMA_AnchorKey_Register Response) to AUSF.
  • AUSF sends a NF discovery request (Nnrf_NF Discovery Request) to NRF.
  • AUSF sending a NF discovery request to NRF can be understood as AUSF calling NRF's Nnrf_NF Discovery service.
  • the NF discovery request may include one or more of the following information: SUPI, A-KID, SN-name, AKMA roaming indication (AKMA roaming Ind).
  • the AKMA roaming indication can be used by the NRF to determine whether the VPLMN supports AKMA services.
  • the NF discovery request may also include the addressed service name "AKMA" and/or the addressed network element name "AAnF".
  • the AUSF may send an NF discovery request to one NRF or may send an NF discovery request to multiple NRFs. This is not specifically limited in the embodiment of this application.
  • NRF sends a NF discovery response (Nnrf_NF Discovery Response) to AUSF.
  • the NF discovery response may include the address of vAAnF.
  • the number of vAAnF can be one or multiple.
  • NRF can determine vAAnF based on SN-name.
  • the NRF may determine the vAAnF based on the SN-name and/or AKMA roaming indication. For example, the NRF can determine whether the VPLMN supports the AKMA service based on the AKMA roaming indication; if the VPLMN supports the AKMA service, the NRF can send the vAAnF address to the AUSF.
  • AUSF can register the AKMA context into vAAnF.
  • AUSF can register an AKMA context into vAAnF via an AKMA anchor key registration request.
  • the AKMA context may include one or more of the following information: SUPI, A-KID, K_AKMA.
  • AUSF sends an AKMA anchor key registration request (Naanf_AKMA_AnchorKey_Register Request) to vAAnF.
  • the AKMA anchor key registration request may include one or more of the following information: SUPI, A-KID, K_AKMA.
  • the AKMA anchor key registration request may also include the network identifier of the UE's home domain network.
  • the network identifier of the home domain network may be the SN ID and/or the HPLMN ID.
  • the network identifier of the home domain network can be used by subsequent AF to determine whether the UE is in a roaming state.
  • step S1918 vAAnF returns the AKMA anchor key registration response (Naanf_AKMA_AnchorKey_Register Response) to AUSF.
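The registration flow of Figure 19 (steps S1902 to S1918), as an added example that is not part of the patent: a Python sketch of the UDM, AUSF, NRF and AAnF roles. All PLMN identities, NF addresses, subscription data and key bytes are constructed; the message names and the decision inputs (SN-name against the home PLMN, the AKMA roaming indication, the SLA between the operators) follow the text above, while the record layouts and the "MCC-MNC" identifier form are assumptions of this example.

```python
"""Added example (not from the patent): the AUSF-side decisions of Figure 19, steps S1902 to S1918."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SN-name format of TS 33.501: "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org" (MNC zero-padded to three digits).
_SN_NAME = re.compile(r"5G:mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org")


def plmn_from_sn_name(sn_name: str) -> str:
    """Serving PLMN as 'MCC-MNC' parsed from the SN-name; rejects anything that does not match the format."""
    m = _SN_NAME.fullmatch(sn_name)
    if m is None:
        raise ValueError(f"malformed SN-name: {sn_name!r}")
    return f"{m.group(2)}-{m.group(1)}"


@dataclass
class AKMAContext:
    supi: str
    a_kid: str
    k_akma: bytes
    hplmn_id: Optional[str] = None  # carried only in the registration towards the vAAnF (step S1916)


@dataclass
class AAnF:
    plmn_id: str
    contexts: Dict[str, AKMAContext] = field(default_factory=dict)  # A-KID -> context

    def anchor_key_register(self, ctx: AKMAContext) -> dict:
        """Naanf_AKMA_AnchorKey_Register: store the context and answer (S1910 / S1918)."""
        self.contexts[ctx.a_kid] = ctx
        return {"result": "OK"}


@dataclass
class NRF:
    profiles: Dict[str, str]  # AAnF address -> PLMN the AAnF belongs to (constructed NF profiles)

    def discover(self, nf_type: str, service: str, sn_name: str, akma_roaming_ind: bool) -> List[str]:
        """Nnrf_NFDiscovery (S1912/S1914): vAAnF addresses of the serving PLMN, none if the VPLMN has no AKMA."""
        if nf_type != "AAnF" or service != "AKMA" or not akma_roaming_ind:
            return []
        serving = plmn_from_sn_name(sn_name)
        return [addr for addr, plmn in self.profiles.items() if plmn == serving]


def udm_ue_authentication_get(supi: str, sn_name: str, subscriptions: dict, sla: dict) -> dict:
    """Nudm_UEAuthentication_Get (S1902/S1904): AV, AKMA indication, RID and, when roaming, the AKMA roaming indication."""
    sub = subscriptions[supi]
    serving = plmn_from_sn_name(sn_name)
    resp = {"AV": b"constructed-authentication-vector", "AKMA_ind": sub["akma"], "RID": sub["rid"]}
    if sub["akma"] and serving != sub["hplmn"]:
        # Roaming: the indication reflects the HPLMN/VPLMN agreement and whether the VPLMN offers AKMA.
        resp["AKMA_roaming_ind"] = sla.get((sub["hplmn"], serving), False)
    return resp


def ausf_register_akma_context(supi: str, sn_name: str, udm_resp: dict, k_akma: bytes, a_kid: str,
                               haanf: AAnF, nrf: NRF, vaanfs: Dict[str, AAnF]) -> dict:
    """S1906 to S1918 on the AUSF: always register at the hAAnF; register at a vAAnF only when roaming and allowed."""
    if not udm_resp["AKMA_ind"]:
        return {"hAAnF": False, "vAAnF": []}
    haanf.anchor_key_register(AKMAContext(supi, a_kid, k_akma))  # S1908/S1910, regardless of roaming state
    roaming = plmn_from_sn_name(sn_name) != haanf.plmn_id       # first information: SN-name vs. home PLMN
    registered = []
    if roaming and udm_resp.get("AKMA_roaming_ind", False):    # second information: roaming indication / SLA
        for addr in nrf.discover("AAnF", "AKMA", sn_name, True):                             # S1912/S1914
            vaanfs[addr].anchor_key_register(AKMAContext(supi, a_kid, k_akma, haanf.plmn_id))  # S1916/S1918
            registered.append(addr)
    return {"hAAnF": True, "vAAnF": registered}


def run_scenario(sn_name: str, akma_roaming_allowed: bool) -> dict:
    """Constructed scenario: a subscriber of PLMN 234-015 authenticates via the network named by sn_name."""
    supi = "imsi-234150000000001"
    subscriptions = {supi: {"hplmn": "234-015", "akma": True, "rid": "0"}}
    sla = {("234-015", "262-001"): akma_roaming_allowed}
    haanf = AAnF("234-015")
    vaanfs = {"vaanf1.262-001.example": AAnF("262-001")}
    nrf = NRF({"haanf.234-015.example": "234-015", "vaanf1.262-001.example": "262-001"})
    udm_resp = udm_ue_authentication_get(supi, sn_name, subscriptions, sla)
    # Key material is constructed here; deriving K_AKMA and A-KID from K_AUSF is not part of this block.
    k_akma = b"\x11" * 32
    a_kid = "0" + "00" * 16 + "@5gc.mnc015.mcc234.3gppnetwork.org"
    result = ausf_register_akma_context(supi, sn_name, udm_resp, k_akma, a_kid, haanf, nrf, vaanfs)
    result["hplmn_id_at_vaanf"] = [vaanfs[a].contexts[a_kid].hplmn_id for a in result["vAAnF"]]
    result["hplmn_id_at_haanf"] = haanf.contexts[a_kid].hplmn_id
    return result
```

Two properties of the flow are worth checking in any real implementation: the hAAnF registration (S1908) is unconditional and only the vAAnF step depends on the roaming indication, and the home network identifier travels only in the copy pushed to the vAAnF, which is what later lets an AF served by the vAAnF recognise that the UE is roaming.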
  • Figure 20 shows a schematic flow chart for a roaming UE to access the AF in the VPLMN or the AF in the HPLMN.
  • step S2002 the UE sends an application session establishment request (Application session Establishment Request) to the AF.
  • the application session establishment request may include the A-KID.
  • the application session establishment request may also include the network identifier of the UE's visited domain network.
  • AF sends an NF discovery request (Nnrf_NFDiscovery Request) to NRF, or in other words, AF can request NRF's Nnrf_NFDiscovery service.
  • the request message may include one or more of the following information: A-KID, AF_ID, network identification (AF_LOCATION_IND) of the network where the AF is located, network identification of the UE's visited domain network, and AKMA roaming indication.
  • the request message may include one or more of the following information: A-KID, AF_ID, network identification (AF_LOCATION_IND) of the network where the AF is located, and network identification of the visited domain network of the UE.
  • the NF discovery request may also include the addressed service name "AKMA" and/or the addressed network element name "AAnF".
  • the AF can directly send an NF discovery request to the NRF. If the AF is located outside the operator's network, the AF can send an NF discovery request to the NRF through the NEF. In other words, AF can call NRF's Nnrf_NFDiscovery service through NEF.
  • the AF can request the Nnrf_NFDiscovery service of one or more NRFs; the number of NRFs is not specifically limited in the embodiment of this application.
  • the NRF sends an NF discovery response (Nnrf_NFDiscovery Response) to the AF.
  • the NF discovery response may include the address of the AAnF. If the AF is located in the VPLMN, the NF discovery response includes the address of vAAnF; if the AF is located in the HPLMN, the NF discovery response includes the address of hAAnF. In some embodiments, if the AF is located in the VPLMN, but the VPLMN does not support the AKMA service, the address of hAAnF may be included in the NF discovery response.
  • step S2008 AF sends an AKMA application key acquisition request (Naanf_AKMA_ApplicationKey_Get Request) to AAnF (hAAnF or vAAnF).
  • the AKMA application key acquisition request may include A-KID and/or AF_ID.
  • step S2010 after the AAnF receives the AKMA application key acquisition request sent by the AF, it can retrieve the corresponding AKMA context based on the A-KID and calculate the AF's application key K_AF based on the AKMA context.
  • AAnF sends an AKMA application key acquisition response (Naanf_AKMA_ApplicationKey_Get Response) to AF.
  • the AKMA application key acquisition response may include one or more of the following information: K_AF, the validity period of K_AF, SUPI, and GPSI.
  • the AKMA application key acquisition response may also include the home domain network identification of the UE.
  • the home domain network identifier may be an SN ID and/or an HPLMN ID. The home domain network identifier can be used by subsequent AF to determine whether the UE is in roaming state.
  • step S2018 the AF sends an application session establishment response (Application session Establishment Response) to the UE.
  • vAAnF is able to provide key management events as xIRI (LI_X2 intercept related information) and/or the LI encryption keys.
  • the management event may include one or more of the following: key generation, key change, key deletion.
  • the LI encryption key may include K_AKMA and/or K_AF.
  • the embodiment of this application can be discussed in two situations based on the network where the AF is located.
  • the AF can be used as an execution point for legal interception.
  • the AF can also provide xIRI and/or the communication content intercepted over the lawful interception X3 interface (LI_X3 communications content, xCC) for lawful interception.
  • xIRI may include security parameters and/or other application specific information.
  • the security parameters include one or more of the following: K_AF, the TLS session key, and the security parameters of the Ua* protocol.
  • the security parameters of the Ua* protocol may be, for example, the parameters defined in Section 4.4.1 of TS 33.535.
  • Other application-specific information may be, for example, the information defined in TS 33.127 section 7.15.2.
  • the AF can determine the roaming situation of the UE based on the network identifier of the home domain network received in step S2012 and the network identifier of the network where the AF is located. For example, the AF can determine whether the UE is in a roaming state and whether the AF is located in the home domain network based on the network identifier of the home domain network and the network identifier of the network where the AF is located.
  • the AF can perform lawful interception related operations according to the regional policy and/or the locally stored lawful interception policy, see step S2014 in Figure 20.
  • Lawful interception related operations may include one or more of the following: the AF provides the UE's visited domain network with the security parameters needed to decrypt application traffic; the AF turns off the encryption function; the AF denies the UE access. If the AF turns off the encryption function, the UE's visited domain network can read the communication between the AF and the UE directly. The AF can reject the UE's access by sending an Application Session Establishment Reject message to the UE.
  • the AF can also provide the UE's visited domain network with security parameters for decrypting application traffic.
  • the AF may provide security parameters to the UPF or SMF in the UE's visited domain network.
  • Scenario 2 The roaming UE accesses the AF in the home domain network
  • If the AF is located in the home domain network, a user plane connection is established between the AF and the UE, and the AF and the UE communicate through the vUPF in the visited domain network. This vUPF can serve as the execution point of lawful interception, see step S2016 in Figure 20. In this case, the AF can provide the vUPF with the security parameters needed to decrypt the application traffic.
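The AF's roaming determination and its choice of lawful interception operation (steps S2012 to S2016, Scenarios 1 and 2), as an added example rather than code from the patent. The policy table, the LIDecision record, the xIRI layout and the SMF/UPF target names are assumptions of this example; the page does not define how the regional policy is encoded, only which inputs the AF compares and which operations it may choose.

```python
"""Added example (not from the patent): the AF's lawful-interception decision of Figure 20, steps S2012 to S2016."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LIDecision:
    ue_roaming: bool
    af_in_hplmn: bool
    action: str                # "none" | "provide_security_parameters" | "disable_encryption" | "reject"
    target_nf: Optional[str]   # visited-network NF that receives the security parameters, if any
    xiri: Optional[dict]       # constructed LI_X2 record carrying the security parameters, if any


def roaming_situation(hplmn_id: str, af_plmn_id: str, visited_plmn_id: Optional[str]) -> Tuple[bool, bool]:
    """S2012: compare the HPLMN ID returned by the AAnF with the AF's own PLMN and, if the UE sent it, the VPLMN ID."""
    af_in_hplmn = af_plmn_id == hplmn_id
    ue_roaming = (visited_plmn_id is not None and visited_plmn_id != hplmn_id) or not af_in_hplmn
    return ue_roaming, af_in_hplmn


def build_xiri(security: dict, event: str) -> dict:
    """Security parameters handed to the visited network: K_AF, TLS session key, Ua* parameters (layout assumed)."""
    tls = security.get("tls_session_key")
    return {
        "event": event,
        "K_AF": security["k_af"].hex(),
        "K_AF_expiry": security["k_af_expiry"],
        "TLS_session_key": tls.hex() if tls else None,
        "Ua_star": dict(security.get("ua_star", {})),
    }


def decide_li_action(hplmn_id: str, af_plmn_id: str, visited_plmn_id: Optional[str],
                     li_policy: dict, security: dict) -> LIDecision:
    """Choose the LI-related operation from the AF's region and the locally stored LI policy."""
    ue_roaming, af_in_hplmn = roaming_situation(hplmn_id, af_plmn_id, visited_plmn_id)
    if not ue_roaming:
        return LIDecision(False, af_in_hplmn, "none", None, None)
    if af_in_hplmn:
        # Scenario 2 (S2016): the user plane runs through the vUPF, which executes LI; the AF supplies the parameters.
        return LIDecision(True, True, "provide_security_parameters", f"UPF@{visited_plmn_id}",
                          build_xiri(security, "key_generation"))
    # Scenario 1 (S2014): the AF in the VPLMN is itself the LI execution point and applies the VPLMN's policy.
    policy = li_policy.get(af_plmn_id, {"li_required": False})
    if not policy.get("li_required", False):
        return LIDecision(True, False, "none", None, None)
    action = policy.get("action", "provide_security_parameters")
    if action == "provide_security_parameters":
        return LIDecision(True, False, action, policy.get("target", f"SMF@{af_plmn_id}"),
                          build_xiri(security, "key_generation"))
    if action in ("disable_encryption", "reject"):
        return LIDecision(True, False, action, None, None)
    raise ValueError(f"unknown LI action in policy for {af_plmn_id}: {action!r}")


# Constructed inputs: a subscriber of 234-015 roaming in 262-001; K_AF, TLS key and Ua* identifier are fixed dummies.
SECURITY = {"k_af": b"\x22" * 32, "k_af_expiry": 86400, "tls_session_key": b"\x33" * 32,
            "ua_star": {"protocol": "TLS", "protocol_id": "0100000002"}}
LI_POLICY = {"262-001": {"li_required": True, "action": "provide_security_parameters", "target": "UPF@262-001"}}
```

The unknown-action branch is deliberate: an LI policy entry that the AF cannot interpret should fail loudly rather than silently degrade to "none", because the failure mode is application traffic that the visited network expected to be interceptable but is not.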
  • Example 2 and Example 3 below are both related solutions for hAAnF to register the AKMA context to vAAnF.
  • the difference is that in Example 2, hAAnF registers the AKMA context to vAAnF directly (hereinafter also referred to as hAAnF trigger), whereas in Example 3, hAAnF registers the AKMA context to vAAnF after receiving the request from the AF (hereinafter also referred to as AF trigger).
  • Example 2 may include the following three processes: 1. hAAnF registers the AKMA context to vAAnF; 2. the UE accesses the AF; 3. lawful interception in the visited domain network.
  • Process 2 in Example 2 is similar to Process 2 in Example 1
  • Process 3 in Example 2 is similar to Process 3 in Example 1. For the sake of brevity, they will not be described again here.
  • Figure 21 shows a schematic flow chart of hAAnF registering the AKMA context to vAAnF.
  • AUSF sends a UE authentication acquisition request (Nudm_UEAuthentication_Get Request) to UDM.
  • the UE authentication acquisition request may include SUPI and/or SUCI.
  • UDM sends a UE authentication acquisition response (Nudm_UEAuthentication_Get Response) to AUSF.
  • the UE authentication acquisition response may include one or more of the following information: AV, AKMA indication, RID, AKMA roaming indication (AKMA roaming Ind).
  • the AKMA indication is used to indicate whether an AKMA key needs to be generated for the UE.
  • the AKMA roaming indication is used to indicate whether the AKMA context can be provided to the UE's visited domain network.
  • the UDM can send an AKMA roaming indication to the AUSF when the UE is located in the visited domain network.
  • UDM can determine whether the UE is located in the visited domain network based on the network identifier of the network where the UE is located (such as SN-name) and the network identifier of the UE's home domain network.
  • the network identity of the network where the UE is located may be obtained during the authentication process.
  • the network identity of the UE's home domain network can be obtained from the AKMA subscription corresponding to SUPI.
  • the AKMA roaming indication can be determined based on one or more of the following information: whether the home domain network and the visited domain network have reached a consensus, whether the roaming UE can use the AKMA service of the visited domain network, whether the visited domain network provides AKMA services, etc.
  • In step S2106, the AUSF generates K_AKMA and A-KID based on K_AUSF. Likewise, the UE can generate K_AKMA and A-KID based on K_AUSF.
  • AUSF sends an AKMA anchor key registration request (Naanf_AKMA_AnchorKey_Register Request) to hAAnF.
  • the AKMA anchor key registration request includes one or more of the following information: SUPI, A-KID, K_AKMA.
  • the AKMA anchor key registration request may also include an AKMA roaming indication.
  • the AKMA anchor key registration request may also include indication information, and the indication information is used to indicate the network where the UE is located.
  • the indication information may be SN-name.
  • the indication information may be an SN ID or a VPLMN ID. This indication information can be used for the subsequent hAAnF discovery and vAAnF selection.
  • step S2110 hAAnF sends an AKMA anchor key registration response (Naanf_AKMA_AnchorKey_Register Response) to AUSF.
  • hAAnF sends a NF discovery request (Nnrf_NF Discovery Request) to NRF.
  • the NF discovery request may include one or more of the following information: SUPI, A-KID, SN-name, and AKMA roaming indication.
  • the AKMA roaming indication can be used by the NRF to determine whether the VPLMN supports AKMA services.
  • the NF discovery request may also include the addressed service name "AKMA" and/or the addressed network element name "AAnF”.
  • hAAnF can send NF discovery requests to one NRF, or can send NF discovery requests to multiple NRFs. This is not specifically limited in the embodiment of this application.
  • NRF sends a NF discovery response (Nnrf_NF Discovery Response) to hAAnF.
  • the NF discovery response may include the address of vAAnF.
  • the number of vAAnF can be one or multiple.
  • the NRF may determine the vAAnF based on the SN-name and/or AKMA roaming indication. For example, the NRF can determine whether the VPLMN supports the AKMA service based on the AKMA roaming indication; if the VPLMN supports the AKMA service, the NRF can send the address of the vAAnF to the hAAnF.
  • hAAnF can register the AKMA context into vAAnF.
  • hAAnF can register the AKMA context into vAAnF via an AKMA context push request.
  • the AKMA context may include one or more of the following information: SUPI, A-KID, K_AKMA.
  • hAAnF sends an AKMA context push request (Naanf_AKMA_Context_Push Request) to vAAnF.
  • the AKMA context push request may include one or more of the following information: SUPI, A-KID, and K_AKMA.
  • An AKMA context can be registered into vAAnF via an AKMA context push request.
  • the AKMA context push request may also include the home domain network identity of the UE.
  • the home domain network identifier may be a registered SN ID and/or HPLMN ID. The home domain network identifier can be used by subsequent AF to determine whether the UE is in roaming state.
  • step S2118 vAAnF sends an AKMA context push response (Naanf_AKMA_Context_Push Response) to hAAnF.
  • This example may include the following three processes: 1. the AUSF registers the AKMA context to hAAnF; 2. when triggered by the AF, hAAnF registers the AKMA context to vAAnF; 3. lawful interception in the visited domain network.
  • Process 1 in Example 3 is similar to steps S1902 to S1910 shown in Figure 19 in Example 1.
  • Process 3 in Example 3 is similar to Process 3 in Example 1. For the sake of brevity, they will not be described again here.
  • Figure 22 shows a schematic flow chart of hAAnF registering the AKMA context to vAAnF when triggered by AF.
  • step S2202 the UE sends an application session establishment request (Application session Establishment Request) to the AF.
  • the application session establishment request may include the A-KID.
  • AF sends an AKMA application key acquisition request (Naanf_AKMA_ApplicationKey_Get Request) to hAAnF.
  • the AKMA application key acquisition request may include A-KID and/or AF_ID.
  • the AKMA application key acquisition request may also include a first parameter, and the first parameter may be used to indicate the network identity of the network where the AF is located and/or the network identity of the network where the UE is located.
  • the first parameter can be used to discover hAAnF, select the corresponding vAAnF, and/or determine whether the AF is located in the HPLMN.
  • step S2206 hAAnF generates K_AF based on K_AKMA.
  • hAAnF determines whether to redirect the AKMA application key acquisition request to vAAnF. hAAnF determines whether the UE is in a roaming state and whether the AF is located in the HPLMN based on the first parameter and/or the AKMA roaming indication sent by the AUSF. Further, hAAnF may determine whether to redirect the request to vAAnF based on one or more of the roaming status of the UE, the AKMA roaming indication, and the network where the AF is located.
  • When the UE is in the roaming state, hAAnF further determines whether the AF is located in the HPLMN. If the AF is located in the HPLMN, step S2210 is performed. If the AF is located in the VPLMN, hAAnF can decide whether to register the AKMA context to vAAnF based on factors such as whether the roaming UE may use the AKMA service of the visited domain network and/or whether the VPLMN provides AKMA services. In some embodiments, hAAnF determines whether the UE may use the AKMA service of the visited domain network and/or whether the VPLMN provides the AKMA service according to the AKMA roaming indication. In other embodiments, hAAnF makes that determination according to local configuration.
  • If it is determined that the AKMA context is to be registered to vAAnF, steps S2212 to S2218 are executed.
  • hAAnF sends an AKMA application key acquisition response (Naanf_AKMA_ApplicationKey_Get Response) to AF.
  • the AKMA application key acquisition response includes one or more of the following information: K_AF, the validity period of K_AF, and SUPI.
  • the AKMA application key acquisition response may also include the home domain network identification of the UE.
  • the home domain network identifier may be a registered SN ID and/or HPLMN ID. The home domain network identifier can be used by subsequent AF to determine whether the UE is in roaming state.
  • step S2212 hAAnF calls the Nnrf_NFDiscovery service of the NRF network element to obtain the address of vAAnF.
  • hAAnF sends a NF discovery request to NRF.
  • the NF discovery request may include one or more of the following information: SUPI, A-KID, SN-name, and AKMA roaming indication.
  • the AKMA roaming indication can be used by the NRF to determine whether the VPLMN supports AKMA services.
  • the NF discovery request may also include the addressed service name "AKMA" and/or the addressed network element name "AAnF”.
  • hAAnF can send NF discovery requests to one NRF, or can send NF discovery requests to multiple NRFs. This is not specifically limited in the embodiment of this application.
  • the NRF sends NF discovery response to hAAnF.
  • the NF discovery response may include the address of vAAnF.
  • the number of vAAnF can be one or multiple.
  • the NRF may determine the vAAnF based on the SN-name and/or AKMA roaming indication. For example, the NRF can determine whether the VPLMN supports the AKMA service based on the AKMA roaming indication; if the VPLMN supports the AKMA service, the NRF can send the address of the vAAnF to the hAAnF.
  • hAAnF can register the AKMA context into vAAnF.
  • hAAnF can register the AKMA context into vAAnF through the AKMA context push request.
  • the AKMA context may include one or more of the following information: SUPI, A-KID, K_AKMA.
  • hAAnF sends an AKMA context push request (Naanf_AKMA_Context_Push Request) to vAAnF.
  • the AKMA context push request may include one or more of the following information: SUPI, A-KID, and K_AKMA.
  • Through the AKMA context push request, hAAnF can register the AKMA context into vAAnF.
  • the AKMA context push request may also include the home domain network identity of the UE.
  • the home domain network identifier may be a registered SN ID and/or HPLMN ID. The home domain network identifier can be used by subsequent AF to determine whether the UE is in roaming state.
  • hAAnF can also generate K_AF based on K_AKMA, and then send K_AF and the validity period of K_AF to vAAnF.
  • the AKMA context push request may include K_AF and the validity period of K_AF.
  • step S2216 if the AKMA context push request does not include K_AF, vAAnF generates K_AF based on K_AKMA.
  • vAAnF sends an AKMA application key acquisition response (Naanf_AKMA_ApplicationKey_Get Response) to AF.
  • the AKMA application key acquisition response may include one or more of the following information: K_AF, the validity period of K_AF, SUPI, and GPSI.
  • the AKMA application key acquisition response may also include the home domain network identification of the UE.
  • the home domain network identifier may be a registered SN ID and/or HPLMN ID. The home domain network identifier can be used by subsequent AF to determine whether the UE is in roaming state.
  • if the AKMA context push request sent by hAAnF to vAAnF includes K_AF and the validity period of K_AF, for example, the AKMA context push request includes SUPI, A-KID, K_AKMA, K_AF, and the validity period of K_AF, then vAAnF can send K_AF and the validity period of K_AF to the AF directly (or through the NEF).
  • if the AKMA context push request sent by hAAnF to vAAnF does not include K_AF and the validity period of K_AF, for example, the AKMA context push request includes SUPI, A-KID, K_AKMA, and AF_ID, then vAAnF can generate K_AF and the validity period of K_AF based on K_AKMA. Further, vAAnF can send K_AF and the validity period of K_AF to the AF directly (or through the NEF).
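An added example, not code from the patent, covering two passages: the derivation of K_AKMA, A-KID and K_AF from K_AUSF that the AUSF and the AAnF perform (steps S1906/S2106 and S2010/S2206), and the AF-triggered redirection of Figure 22 in which hAAnF either answers the AF itself or pushes the context to vAAnF with or without K_AF. The KDF is the TS 33.220 Annex B.2 construction; the FC values and the A-TID truncation follow TS 33.535 Annex A as recalled here, and the SUPI encoding, A-KID layout, Ua* identifier, validity period, PLMN identities and the pre-selected vAAnF (the NRF discovery of S2212 is omitted) are assumptions of this example to be checked against the specification.

```python
"""Added example (not from the patent): TS 33.535-style key derivation and the hAAnF/vAAnF steps of Figure 22."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

K_AF_LIFETIME = 86400  # constructed validity period of K_AF, in seconds


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each Li two octets."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# FC values 0x80/0x81/0x82 and the 128-bit A-TID truncation follow TS 33.535 Annex A as the editor recalls them;
# encoding the SUPI as its ASCII string is a simplification. Check both against the spec version you implement.
def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, 0x81, b"A-TID", supi.encode())[-16:]  # 128 least significant bits


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    return kdf(k_akma, 0x82, af_id)


def make_af_id(fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN of the AF || Ua* security protocol identifier (five octets, TS 33.220 Annex H)."""
    return fqdn.encode() + ua_star_protocol_id


def make_a_kid(rid: str, a_tid: bytes, home_realm: str) -> str:
    """A-KID as an NAI: username from RID and A-TID, realm from the home network identifier (exact layout assumed)."""
    return f"{rid}{a_tid.hex()}@{home_realm}"


@dataclass
class AKMAContext:
    supi: str
    k_akma: bytes
    serving_plmn: str       # from the indication the AUSF registered together with the context (S2108)
    akma_roaming_ind: bool


@dataclass
class VAAnF:
    contexts: Dict[str, dict] = field(default_factory=dict)

    def context_push(self, a_kid: str, push: dict) -> dict:
        """S2214 to S2218: store the pushed context; derive K_AF itself only when the push did not carry one."""
        self.contexts[a_kid] = push
        k_af = push["K_AF"] if "K_AF" in push else derive_k_af(push["K_AKMA"], push["AF_ID"])
        return {"K_AF": k_af, "K_AF_expiry": push.get("K_AF_expiry", K_AF_LIFETIME),
                "SUPI": push["SUPI"], "HPLMN_ID": push["HPLMN_ID"], "served_by": "vAAnF"}


@dataclass
class HAAnF:
    hplmn_id: str
    vaanf: VAAnF                 # vAAnF selection via the NRF (S2212) is left out; the vAAnF is pre-selected
    push_k_af: bool = True       # True: push carries K_AF and its validity period; False: vAAnF derives K_AF
    contexts: Dict[str, AKMAContext] = field(default_factory=dict)

    def application_key_get(self, a_kid: str, af_id: bytes, af_plmn_id: str) -> dict:
        """S2204 to S2210: answer the AF directly, or redirect through the vAAnF."""
        ctx = self.contexts[a_kid]
        k_af = derive_k_af(ctx.k_akma, af_id)  # S2206
        direct = {"K_AF": k_af, "K_AF_expiry": K_AF_LIFETIME, "SUPI": ctx.supi,
                  "HPLMN_ID": self.hplmn_id, "served_by": "hAAnF"}
        roaming = ctx.serving_plmn != self.hplmn_id
        if not roaming or af_plmn_id == self.hplmn_id or not ctx.akma_roaming_ind:
            # Not roaming, AF in the HPLMN, or VPLMN without AKMA: hAAnF serves the AF itself (S2210).
            return direct
        push = {"SUPI": ctx.supi, "A-KID": a_kid, "K_AKMA": ctx.k_akma, "AF_ID": af_id, "HPLMN_ID": self.hplmn_id}
        if self.push_k_af:
            push["K_AF"], push["K_AF_expiry"] = k_af, K_AF_LIFETIME
        return self.vaanf.context_push(a_kid, push)


def run_scenario(af_plmn_id: str, serving_plmn: str, push_k_af: bool) -> Tuple[dict, bytes]:
    """Constructed scenario: home PLMN 234-015, fixed K_AUSF. Returns the AF's response and the expected K_AF."""
    k_ausf, supi = b"\x5a" * 32, "imsi-234150000000001"
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = make_a_kid("0", derive_a_tid(k_ausf, supi), "5gc.mnc015.mcc234.3gppnetwork.org")
    haanf = HAAnF("234-015", VAAnF(), push_k_af)
    haanf.contexts[a_kid] = AKMAContext(supi, k_akma, serving_plmn, akma_roaming_ind=True)
    af_id = make_af_id("af.example.com", b"\x01\x00\x00\x00\x02")  # constructed Ua* identifier
    return haanf.application_key_get(a_kid, af_id, af_plmn_id), derive_k_af(k_akma, af_id)
```

Whichever side derives K_AF, the AF must receive the same key the UE will compute locally from its own K_AKMA and AF_ID; the scenario function returns that expected value so the two push variants (K_AF included, K_AF left to the vAAnF) can be compared against it.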
  • the AF located in the VPLMN can directly select vAAnF through the AAnF discovery and selection mechanism and request the AKMA application key from vAAnF.
  • step S2220 the AF sends an application session establishment response (Application session Establishment Response) to the UE.
  • Figure 23 shows a schematic block diagram of a wireless communication device.
  • the device 2300 shown in Figure 23 may be any first network element described above.
  • the device 2300 may include a sending unit 2310.
  • the sending unit 2310 is configured to send a first message to the network repository function (NRF), where the first message carries a first parameter, and the first parameter is used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and the AKMA roaming indication.
  • the first network element includes one or more of the following: AF, AAnF, and AUSF in the UE's home domain network.
  • the first network element is an AF
  • the first parameter is used to indicate one or more of the following information: a network identifier of the network where the AF is located, and a network identifier of the network where the UE is located.
  • the apparatus further includes a receiving unit 2320, configured to receive a response message to the first message from the NRF if the network where the AF or the UE is located is the home domain network of the UE, the response message carrying the address of the AAnF in the home domain network of the UE.
  • the apparatus further includes a receiving unit 2320, configured to receive a response message to the first message from the NRF if the network where the AF or the UE is located is the visited domain network of the UE, the response message carrying the address of the AAnF in the visited domain network of the UE.
  • the first network element is the AAnF or AUSF in the UE's home domain network
  • the first parameter is used to indicate one or more of the following information: the network identity of the UE's visited domain network, the AKMA roaming indication.
  • the apparatus further includes a receiving unit 2320, configured to receive a response message to the first message from the NRF if the AKMA roaming indication indicates that the visited domain network of the UE supports the AKMA service, the response message carrying the address of the AAnF in the visited domain network of the UE.
  • Figure 24 shows a schematic block diagram of a wireless communication device.
  • the device 2400 shown in Figure 24 can be any NRF described above.
  • the device 2400 may include a receiving unit 2410.
  • the receiving unit 2410 is configured to receive the first message sent by the first network element, where the first message carries a first parameter, and the first parameter is used to indicate one or more of the following: the network identifier of the network where the AF is located; the network identifier of the network where the UE is located; and the AKMA roaming indication.
  • the first network element includes one or more of the following: AF, AAnF, and AUSF in the UE's home domain network.
  • the first network element is an AF
  • the first parameter is used to indicate one or more of the following information: a network identifier of the network where the AF is located, and a network identifier of the network where the UE is located.
  • the device further includes: a sending unit 2420, configured to send a response to the first message to the AF if the network where the AF or the UE is located is the home domain network of the UE.
  • the response message carries the address of the AAnF (authentication and key management for applications anchor function) in the home domain network of the UE.
  • the device further includes: a sending unit 2420, configured to send a response to the first message to the AF if the network where the AF or the UE is located is the visited domain network of the UE.
  • the response message carries the address of the AAnF in the visited domain network of the UE.
  • the first network element is the AAnF or AUSF in the UE's home domain network
  • the first parameter is used to indicate one or more of the following information: the network identity of the UE's visited domain network, the AKMA roaming indication.
  • the device further includes a sending unit 2420, configured to send a response message to the first message to the first network element if the AKMA roaming indication indicates that the visited domain network of the UE supports the AKMA service, the response message carrying the address of the AAnF in the visited domain network of the UE.
  • Figure 25 shows a schematic block diagram of a wireless communication device.
  • the device 2500 shown in Figure 25 may be any first network element described above.
  • the apparatus 2500 may include an execution unit 2510.
  • the execution unit 2510 is configured to perform lawful interception related operations, which include one of the following: providing the UE's visited domain network with the security parameters required to decrypt application traffic; turning off the encryption function; and rejecting the access of the UE.
  • the first network element is the AF.
  • the first network element is the UPF of the visited domain network.
  • the first network element is an AF in the home domain network of the UE
  • providing the visited domain network with the security parameters required to decrypt application traffic includes: providing the security parameters to the UPF in the visited domain network.
  • the first network element is an AF
  • the device further includes a receiving unit 2520, configured to receive indication information sent by the AAnF of the visited domain network, where the indication information is used to indicate the network identifier of the home domain network of the UE.
  • the security parameters include one or more of the following: the application key, the transport layer security (TLS) session key, and the security parameters of the Ua* protocol.
  • Figure 26 shows a schematic block diagram of a wireless communication device.
  • the device 2600 shown in Figure 26 may be any first network element described above.
  • the device 2600 may include a sending unit 2610.
  • the sending unit 2610 is configured to send a first message to the second network element.
  • the first message includes a first parameter and a second parameter.
  • the first parameter is associated with the AKMA context of the user equipment UE.
  • the second parameter is used to indicate the network identity of the home domain network of the UE.
  • if the first network element is the AUSF, the second network element is the AAnF in the visited domain network of the UE; or, if the first network element is the AAnF in the home domain network of the UE, the second network element is the AAnF in the visited domain network; or, if the first network element is the AAnF in the visited domain network, the second network element is the AF.
  • the first parameter includes one or more of the following: the identity of the UE, the AKMA key identifier A-KID, the AKMA key, the identity of the AF, the application key, and the validity period of the application key.
  • Figure 27 shows a schematic block diagram of a wireless communication device.
  • the device 2700 shown in Figure 27 may be any second network element described above.
  • the device 2700 may include a receiving unit 2710.
  • the receiving unit 2710 is configured to receive the first message sent by the first network element.
  • the first message includes a first parameter and a second parameter.
  • the first parameter is associated with the AKMA context of the UE.
  • the second parameter is used to indicate the network identifier of the home domain network of the UE.
  • the first network element is the AUSF and the second network element is the AKMA anchor function AAnF in the visited domain network of the UE; or the first network element is the AAnF in the home domain network of the UE and the second network element is the AAnF in the visited domain network; or the first network element is the AAnF in the visited domain network of the UE and the second network element is the AF.
  • the first parameter includes one or more of the following: the identity of the UE, the AKMA key identifier A-KID, the AKMA key, the identity of the AF, the application key, and the validity period of the application key.
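The two device descriptions above (the sending unit of the first network element and the receiving unit of the second network element) describe a message that carries the UE's AKMA context together with an explicit home-network identifier. The following is an added worked example, not code from the patent or from any 3GPP implementation. It derives the context elements named in the text (A-KID, AKMA key, application key and its validity period) with the key derivation of 3GPP TS 33.535 Annex A over the generic KDF of TS 33.220 Annex B as this editor understands them, then builds the first message on the sender side and checks it on the receiver side. The JSON field names, the exact A-KID separators, the realm string used as the home network identifier, and all key and subscriber values are assumptions constructed for the example.

```python
import hashlib
import hmac
import json


def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each L_i a 2-byte length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """TS 33.535 Annex A.2: FC = 0x80, P0 = "AKMA", P1 = SUPI, input key K_AUSF."""
    return kdf_33220(k_ausf, 0x80, b"AKMA", supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    """TS 33.535 Annex A.3: FC = 0x81, P0 = "A-TID", P1 = SUPI, input key K_AUSF."""
    return kdf_33220(k_ausf, 0x81, b"A-TID", supi.encode())


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """TS 33.535 Annex A.4: FC = 0x82, P0 = AF_ID, input key K_AKMA.
    AF_ID = AF FQDN || Ua* security protocol identifier."""
    return kdf_33220(k_akma, 0x82, af_id)


def build_a_kid(a_tid: bytes, routing_indicator: str, home_network_id: str) -> str:
    """A-KID in NAI form. TS 33.535 puts the RID and A-TID in the username part and
    the home network identifier in the realm; the separators here are an assumption."""
    return f"{routing_indicator}.{a_tid.hex()}@{home_network_id}"


def build_first_message(supi, k_ausf, home_network_id, routing_indicator,
                        af_fqdn, ua_star_protocol_id, k_af_lifetime_s, now):
    """Sender side (AUSF or home-domain AAnF): assemble the first message.
    first_parameter is the UE's AKMA context, second_parameter names the UE's
    home domain network. Field names are assumptions, not the patent's."""
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid(derive_a_tid(k_ausf, supi), routing_indicator, home_network_id)
    af_id = af_fqdn.encode() + ua_star_protocol_id
    return {
        "first_parameter": {
            "supi": supi,
            "a_kid": a_kid,
            "k_akma": k_akma.hex(),
            "af_id": af_id.hex(),
            "k_af": derive_k_af(k_akma, af_id).hex(),
            "k_af_expiry": now + k_af_lifetime_s,
        },
        "second_parameter": {"home_network_id": home_network_id},
    }


def receive_first_message(msg: dict, serving_network_id: str, now: int) -> dict:
    """Receiver side (e.g. visited-domain AAnF). The second parameter says which
    home network the context belongs to; cross-check it against the A-KID realm,
    refuse a context whose application key has already expired, and use it to
    decide whether this is a roaming case."""
    ctx = msg["first_parameter"]
    home = msg["second_parameter"]["home_network_id"]
    realm = ctx["a_kid"].rsplit("@", 1)[-1]
    if realm != home:
        return {"accepted": False, "reason": "A-KID realm does not match home network id"}
    if ctx["k_af_expiry"] <= now:
        return {"accepted": False, "reason": "application key already expired"}
    return {"accepted": True, "roaming": home != serving_network_id, "a_kid": ctx["a_kid"]}


def context_for_af(msg: dict) -> dict:
    """What an AAnF passes on to the AF: K_AF, its expiry and the UE identity.
    K_AKMA stays inside the AAnF; an AF holding it could derive K_AF for every
    other AF of that UE."""
    ctx = msg["first_parameter"]
    return {k: ctx[k] for k in ("supi", "a_kid", "k_af", "k_af_expiry")}


if __name__ == "__main__":
    # Constructed sample values; not real key material or subscriber data.
    k_ausf = bytes(range(32))
    msg = build_first_message(
        "imsi-001010123456789", k_ausf, "mnc001.mcc001.3gppnetwork.org", "0000",
        "af.example.com", b"\x01\x00\x00\x00\x00", 3600, 1_700_000_000)
    print(json.dumps(msg, indent=2))
    print(receive_first_message(msg, "mnc002.mcc002.3gppnetwork.org", 1_700_000_000))
    print(context_for_af(msg))
```

The realm check is the practical value of the second parameter: a visited-domain AAnF that only trusted the A-KID string would be routing on data the sender chose, whereas an explicit home-network identifier lets it verify the two agree before it selects a peer or answers an AF. `context_for_af` shows the narrowing a practitioner would expect on the AAnF-to-AF leg, where only the application key, its expiry and the UE identity are needed.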
  • Figure 28 is a schematic structural diagram of a wireless communication device according to an embodiment of the present application.
  • the dashed line in Figure 28 indicates that the unit or module is optional.
  • the device 2800 can be used to implement the method described in the above method embodiment.
  • the device 2800 may be a chip, AF, NRF, first network element or second network element, etc.
  • Apparatus 2800 may include one or more processors 2810.
  • the processor 2810 can support the device 2800 to implement the method described in the previous method embodiment.
  • the processor 2810 may be a general-purpose processor or a special-purpose processor.
  • the processor may be a central processing unit (CPU).
  • the processor can also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • Apparatus 2800 may also include one or more memories 2820.
  • the memory 2820 stores a program, which can be executed by the processor 2810, so that the processor 2810 executes the method described in the foregoing method embodiment.
  • the memory 2820 may be independent of the processor 2810 or integrated in the processor 2810.
  • Apparatus 2800 may also include a transceiver 2830.
  • Processor 2810 may communicate with other devices or chips through transceiver 2830.
  • the processor 2810 can transmit and receive data with other devices or chips through the transceiver 2830.
  • An embodiment of the present application also provides a computer-readable storage medium for storing a program.
  • the computer-readable storage medium can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • An embodiment of the present application also provides a computer program product.
  • the computer program product includes a program.
  • the computer program product can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • An embodiment of the present application also provides a computer program.
  • the computer program can be applied to the terminal or network device provided by the embodiments of the present application, and the computer program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • B corresponding to A means that B is associated with A, and B can be determined based on A.
  • determining B based on A does not mean determining B only based on A.
  • B can also be determined based on A and/or other information.
  • the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present application.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or in other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless (such as infrared, radio or microwave) means.
  • the computer-readable storage medium may be any available medium that can be read by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs (DVD)) or semiconductor media (e.g., solid state disks (SSD)), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a wireless communication method and apparatus. The method includes the following steps: a first network element sends a first message to an NRF, the first message carrying a first parameter, and the first parameter indicating one or more of the following: a network identifier of the network in which an AF is located; a network identifier of the network in which a UE is located; and an AKMA roaming indication. Sending the network identifier of the network in which the UE is located and the AKMA roaming indication to the NRF lets the NRF learn whether the AKMA service belongs to the network where the UE is located, the network where the AF is located, or a visited domain network, so that the NRF can assist the first network element in discovery and select the corresponding AAnF, allowing the request for the AKMA service to be carried out.
PCT/CN2022/117293 2022-09-06 2022-09-06 Wireless communication method and apparatus WO2024050692A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/117293 WO2024050692A1 (fr) 2022-09-06 2022-09-06 Wireless communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/117293 WO2024050692A1 (fr) 2022-09-06 2022-09-06 Wireless communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2024050692A1 true WO2024050692A1 (fr) 2024-03-14

Family

ID=90192696

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/117293 WO2024050692A1 (fr) 2022-09-06 2022-09-06 Wireless communication method and apparatus

Country Status (1)

Country Link
WO (1) WO2024050692A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021198952A1 (fr) * 2020-03-31 2021-10-07 Telefonaktiebolaget Lm Ericsson (Publ) AUSF push of AKMA key material
US20220210636A1 (en) * 2020-12-29 2022-06-30 Samsung Electronics Co., Ltd. Method and system of enabling akma service in roaming scenario
WO2022152423A1 (fr) * 2021-01-15 2022-07-21 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for supporting authentication and key management for applications (AKMA) using an authorization indication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"AKMA service support for roaming UE", 3GPP TSG SA3 MEETING #105-E, S3-214236, 1 November 2021 (2021-11-01), XP052073645 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22957666

Country of ref document: EP

Kind code of ref document: A1