WO2024060626A1 - 鉴权方法、通信装置及通信系统 - Google Patents
鉴权方法、通信装置及通信系统 Download PDFInfo
- Publication number
- WO2024060626A1 WO2024060626A1 PCT/CN2023/091346 CN2023091346W WO2024060626A1 WO 2024060626 A1 WO2024060626 A1 WO 2024060626A1 CN 2023091346 W CN2023091346 W CN 2023091346W WO 2024060626 A1 WO2024060626 A1 WO 2024060626A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- network element
- terminal device
- mobility management
- management network
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 326
- 230000006854 communication Effects 0.000 title claims abstract description 136
- 238000004891 communication Methods 0.000 title claims abstract description 135
- 230000007774 longterm Effects 0.000 claims abstract description 46
- 230000005540 biological transmission Effects 0.000 claims abstract description 42
- 238000004590 computer program Methods 0.000 claims description 13
- 238000007726 management method Methods 0.000 description 142
- 230000004044 response Effects 0.000 description 68
- 230000006870 function Effects 0.000 description 55
- 101100055418 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) AMF1 gene Proteins 0.000 description 22
- 238000012545 processing Methods 0.000 description 17
- 238000004846 x-ray emission Methods 0.000 description 14
- 238000010586 diagram Methods 0.000 description 13
- 230000011664 signaling Effects 0.000 description 13
- 238000005516 engineering process Methods 0.000 description 8
- 230000000977 initiatory effect Effects 0.000 description 7
- 238000012546 transfer Methods 0.000 description 7
- 238000010295 mobile communication Methods 0.000 description 3
- 238000013475 authorization Methods 0.000 description 2
- FFBHFFJDDLITSX-UHFFFAOYSA-N benzyl N-[2-hydroxy-4-(3-oxomorpholin-4-yl)phenyl]carbamate Chemical compound OC1=C(NC(=O)OCC2=CC=CC=C2)C=CC(=C1)N1CCOCC1=O FFBHFFJDDLITSX-UHFFFAOYSA-N 0.000 description 2
- 238000009795 derivation Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 101150119040 Nsmf gene Proteins 0.000 description 1
- 230000003190 augmentative effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011217 control strategy Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001568 sexual effect Effects 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/04—Large scale networks; Deep hierarchical networks
- H04W84/06—Airborne or Satellite Networks
Definitions
- the present application relates to the field of wireless communication technology, and in particular to authentication methods, communication devices and communication systems.
- satellite communication technology has developed rapidly, and the 3rd generation partnership project (3GPP) has been formulating relevant specifications for satellite communications.
- 3GPP 3rd generation partnership project
- base stations access and mobility management function (AMF) network elements, session management function (SMF) network elements, and user plane functions can be deployed on satellites , UPF) network elements and other network elements or equipment.
- the satellite can communicate with the terminal equipment in the user segment, and the satellite can also communicate with the ground station.
- the ground station serves as a transfer station between the satellite and the core network.
- the core network can deploy unified data management (UDM) network elements, Authentication server function (AUSF) network element, etc.
- UDM unified data management
- AUSF Authentication server function
- the satellite may not be able to communicate with the terminal equipment in the user segment and the ground station in the ground segment at the same time.
- the satellite can communicate with the terminal equipment in the user segment, but cannot communicate with the ground station in the ground segment.
- the satellite and the terminal in the user segment cannot communicate.
- the devices cannot communicate with each other, but they can communicate with the ground station in the ground segment.
- the satellite needs to store the information after receiving the information from the terminal device, and then forward the information to the ground station when the satellite moves to a position where it can connect to the ground station. ground station.
- the satellite stores the information after receiving it from the ground station, and then forwards the information to the terminal device when the satellite moves to a position where it can be connected to the terminal device.
- the terminal device needs to be authenticated when initially accessing the network.
- the terminal device can send and receive data only after the terminal device is successfully authenticated.
- the authentication here includes the network authenticating the terminal device and the terminal device authenticating the network.
- the satellite after receiving the authentication-related signaling information from the sending end (terminal equipment or ground station), the satellite stores the signaling information, and then waits for the satellite to operate until it can connect to the receiving end ( ground station or terminal equipment), the signaling information is forwarded to the receiving end.
- the authentication time generally required is relatively long, resulting in a long wait before actually transmitting data.
- the present application provides an authentication method, a communication device and a communication system, which are used to reduce the waiting time for data transmission in the authentication process, thereby improving communication efficiency.
- embodiments of the present application provide an authentication method, which can be executed by a mobility management network element on a satellite or a module applied in a mobility management network element on a satellite.
- the mobility management network element generates a first random number; the mobility management network element sends the first random number to the terminal device; the mobility management network element receives the first random number from the The first authentication information of the terminal device, the first authentication information is generated based on the first random number and the long-term key, the long-term key is the root key used for the terminal device to communicate with the network; the mobile The mobility management network element sends the first authentication information and the first random number to the authentication network element, and the first authentication information and the first random number are used to authenticate the terminal device; the mobility management network element Receive an authentication result from the authentication network element; the mobility management network element sends a notification message to the terminal device based on the authentication result, where the notification message indicates the authentication result of the terminal device.
- the terminal device in the scenario where the satellite cannot connect to the terminal device and the ground station at the same time, the terminal device only needs to wait for the satellite to circle the earth to complete the authentication process. After completing the authentication process, the data transmission can be started, so it can Reducing the time waiting for data transmission helps improve communication efficiency.
- the mobility management network element generates second authentication information; the mobility management network element sends the second authentication information to the terminal device, and the second authentication information is used for the mobile device. Perform authentication on the security management network element.
- the terminal device can authenticate the mobility management network element, which can further improve communication security.
- the mobility management network element generates the second authentication information, including: the mobility management network element receives a second random number from the terminal device; the mobility management network element generates the second authentication information according to the second random number. Random number to generate the second authentication information.
- the mobility management network element generates second authentication information, including: the mobility management network element encrypts information in the mobility management network element to obtain the second authentication information.
- the mobility management network element before the mobility management network element sends a notification message to the terminal device according to the authentication result, the mobility management network element receives data from the terminal device through the control plane; wherein, the data and the first authentication information are carried in the same message or in different messages.
- the terminal device has already started transmitting data before the authentication process is completed, so the start time of data transmission is further advanced, which helps to improve communication efficiency.
- the mobility management network element receives first indication information from the terminal device, and the first indication information instructs the terminal device to transmit data before the authentication is completed.
- the mobility management network element sends second indication information to the terminal device, and the second indication information indicates one or more of the following information: supporting the terminal device to transmit before the authentication is completed. Data, the terminal device is allowed to transmit data before authentication is completed, the data size allowed to be transmitted, or rate limit information.
- the mobility management network element sends temporary security information to the terminal device.
- the temporary security information is selected by the mobility management network element and is used to perform data transmission through the control plane before the authentication is completed. Protected security information.
- the above solution uses temporary security information to encrypt data, which can ensure communication security.
- the mobility management network element when the mobility management network element cannot communicate with the authentication network element, the mobility management network element caches the data; when the mobility management network element can communicate with the authentication network element, The mobility management network element obtains the cached data and sends the data to the data network.
- the mobility management network element when the mobility management network element cannot communicate with the authentication network element, the mobility management network element notifies other network elements to cache the data; when the mobility management network element can communicate with the authentication network element Network element communication, the mobility management network element notifies the other network elements to send the buffered data to the data network.
- the mobility management network element determines that it is currently unable to communicate with the authentication network element.
- embodiments of the present application provide an authentication method, which can be executed by a terminal device or a module applied in the terminal device.
- the terminal device receives the first random number from the mobility management network element on the satellite; the terminal device generates the first authentication information based on the first random number and the long-term key, and sends the first authentication information to the terminal device.
- the mobility management network element sends the first authentication information, the first authentication information is used to authenticate the terminal device, and the long-term key is a root key used for the terminal device to communicate with the network;
- the terminal device receives a notification message from the mobility management network element, and the notification message indicates the authentication result of the terminal device.
- the terminal device in the scenario where the satellite cannot connect to the terminal device and the ground station at the same time, the terminal device only needs to wait for the satellite to circle the earth to complete the authentication process. After completing the authentication process, the data transmission can be started, so it can Reducing the time waiting for data transmission helps improve communication efficiency.
- the terminal device receives second authentication information from the mobility management network element; the terminal device authenticates the mobility management network element based on the second authentication information; the terminal The device generates first authentication information based on the first random number and the long-term key, including: in the case of successful authentication of the mobility management network element, the terminal device generates first authentication information based on the first random number and the long-term key. , generate the first authentication information.
- the terminal device can authenticate the mobility management network element, which can further improve communication security.
- the second authentication information is generated by the mobility management network element or is pre-configured on the mobility management network element, and the first random number is generated by the mobility management network element. Meta-generated.
- the second authentication information is generated based on the second random number sent by the terminal device to the mobility management network element; the terminal device authenticates the mobility management network element based on the second authentication information.
- the management network element performs authentication, including: the terminal device generates third authentication information based on the second random number; when the second authentication information is the same as the third authentication information, the terminal device determines whether the mobility management Network element authentication is successful; or, when the second authentication information is different from the third authentication information, the terminal device determines that authentication of the mobility management network element fails.
- the second authentication information is obtained by encrypting information in the mobility management network element; the terminal device performs authentication on the mobility management network element based on the second authentication information.
- Authentication includes: the terminal device uses the public key to decrypt the second authentication information; when the decryption is successful, the terminal device determines that the authentication of the mobility management network element is successful; or, when the decryption fails, the terminal device determines The authentication of the mobility management network element failed.
- the terminal device before the terminal device receives the notification message from the mobility management network element, the terminal device sends data to the access network device through the user; or, the terminal device sends data to the mobility management network element, and the data and the first authentication information are carried in the same message or in different messages.
- the UE has already started transmitting data before the authentication process is completed, so the start time of data transmission is further advanced, which helps to improve communication efficiency.
- the terminal device sends first indication information to the mobility management network element, and the first indication information instructs the terminal device to transmit data before the authentication is completed.
- the terminal device receives second indication information from the mobility management network element, and the second indication information indicates one or more of the following information: supporting the terminal device before the authentication is completed. Transmit data, allow the terminal device to transmit data before authentication is completed, allow data size or rate limit information to be transmitted.
- the terminal device receives temporary security information; wherein the temporary security information is security information selected by the mobility management network element to protect data transmitted through the control plane before authentication is completed; Alternatively, the temporary security information is security information selected by the access network device to protect data transmitted through the user plane before authentication is completed.
- embodiments of the present application provide an authentication method, which can be executed by an authentication network element or a module applied in the authentication network element.
- the authentication network element determines to complete the authentication process between the authentication network element and the terminal device; the authentication network element sends a first authentication notification message to the first satellite, and the authentication network element sends a first authentication notification message to the first satellite.
- the first authentication notification message includes the first security context of the terminal device; wherein the first security context is used for secure communication between the terminal device and the first satellite, which is where the terminal device will be located in the future. Satellites that may provide services to the terminal device cannot be connected to the authentication network element.
- the above solution can avoid unnecessary authentication by sending the security context of the terminal device to the terminal device and satellite in advance, reduce signaling overhead and the waiting time before data transmission, and help improve communication efficiency.
- the authentication network element sends a second security context of the terminal device to the terminal device.
- the second security context is used for secure communication between the terminal device and the first satellite.
- the third security context corresponds to the same security key as the first security context.
- the authentication network element sends a second authentication notification message to the second satellite, and the second authentication notification message includes the third security context of the terminal device; wherein the third security context is Regarding the secure communication between the terminal device and the second satellite, the second satellite is a satellite that may provide services to the terminal device when the terminal device is in a place where it cannot connect to the authentication network element in the future.
- the second satellite The satellite is different from the first satellite, and the third security context is different from the first security context.
- the authentication network element sends a fourth security context of the terminal device to the terminal device.
- the fourth security context is used for secure communication between the terminal device and the second satellite.
- the third security context is used for secure communication between the terminal device and the second satellite.
- the fourth security context corresponds to the same security key as the third security context, and the fourth security context is different from the third security context.
- the authentication network element determines the information of the first satellite based on the subscription information of the terminal device.
- the authentication network element receives first indication information, and the first indication information indicates the information of the first satellite.
- the authentication network element receives second indication information, and the second indication information indicates area information where the terminal device may be located when it is unable to connect to the authentication network element in the future;
- the authentication network element determines the information of the first satellite based on the second indication information and ephemeris information.
- an embodiment of the present application provides an authentication method, which can be executed by a mobility management network element on a satellite or a module in a mobility management network element applied to a satellite.
- the mobility management network element on the satellite receives a first message from a terminal device, the first message including identification information and encryption information of the terminal device; the mobility management network element obtains a security context of the terminal device, and decrypts the encrypted information according to the security context; when the decryption is successful, the mobility management network element determines not to execute the authentication process; or, when the decryption fails, the mobility management network element triggers the execution of the authentication process.
- the above solution can avoid unnecessary authentication by sending the security context of the terminal device to the terminal device and satellite in advance, reduce signaling overhead and the waiting time before data transmission, and help improve communication efficiency.
- the mobility management network element receives the security context from the authentication network element.
- embodiments of the present application provide a communication device, which may be a mobility management network element on a satellite, It can also be a chip used for mobility management network elements on satellites.
- the device has the function of implementing any implementation method of the above-mentioned first aspect or fourth aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- embodiments of the present application provide a communication device, which may be a terminal device or a chip for the terminal device.
- the device has the function of implementing any implementation method of the above second aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- embodiments of the present application provide a communication device, which may be an authentication network element or a chip used for authenticating the network element.
- the device has the function of implementing any implementation method of the above third aspect. This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- an embodiment of the present application provides a communication device, including a processor coupled to a memory, and the processor is configured to call a program stored in the memory to execute any implementation method in the above first to fourth aspects.
- the memory may be located within the device or external to the device.
- the processor can be one or more.
- embodiments of the present application provide a communication device, including a processor and a memory; the memory is used to store computer instructions, and when the device is running, the processor executes the computer instructions stored in the memory to cause the device to execute Any implementation method in the above first to fourth aspects.
- embodiments of the present application provide a communication device, including units or means (means) for executing each step of any implementation method in the above-mentioned first to fourth aspects.
- embodiments of the present application provide a communication device, including a processor and an interface circuit.
- the processor is configured to communicate with other devices through the interface circuit and execute any implementation method in the above first to fourth aspects.
- the processor includes one or more.
- embodiments of the present application further provide a computer-readable storage medium, in which instructions are stored, and when run on a communication device, the instructions in the first to fourth aspects are implemented. Any implementation method of is executed.
- embodiments of the present application further provide a computer program product.
- the computer program product includes a computer program or instructions.
- the computer program or instructions are run by a communication device, any one of the above-mentioned first to fourth aspects is enabled.
- the implementation method is executed.
- embodiments of the present application further provide a chip system, including: a processor, configured to execute any implementation method in the above first to fourth aspects.
- inventions of the present application also provide a communication system.
- the communication system includes an authentication network element and a mobility management network element used to perform any implementation method of the first aspect.
- the authentication network element is configured to receive the first authentication information and the first random number from the mobility management network element; authenticate the terminal device according to the first authentication information and the first random number; and The mobility management network element sends the authentication result.
- embodiments of the present application also provide a communication method, including: the mobility management network element on the satellite generates a first random number; the mobility management network element sends the first random number to the terminal device; The mobility management network element receives the first authentication information from the terminal device. The first authentication information is generated based on the first random number and the long-term key. The long-term key is used for the terminal device to communicate with the network. root key; the mobility management network element sends the first authentication information and the first random number to the authentication network element, and the first authentication information and the first random number are used to authenticate the terminal device. authority; the authentication network element sends the authentication result to the mobility management network element; the mobility management network element responds to the authentication result As a result, a notification message is sent to the terminal device, and the notification message indicates the authentication result of the terminal device.
- Figure 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
- Figure 2 is a schematic diagram of the 5G network architecture based on service-based architecture
- Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interface
- Figure 4 is a schematic diagram of satellite communication provided by an embodiment of the present application.
- Figure 5 is a schematic diagram of the authentication initiation process provided by the embodiment of the present application.
- Figure 6 is a flow chart of the EAP-AKA' authentication method
- Figure 7 is a schematic flow chart of the 5G-AKA authentication method
- FIG8( a) is a schematic diagram of a flow chart of an authentication method provided in an embodiment of the present application.
- Figure 8(b) is a schematic flow chart of an authentication method provided by an embodiment of the present application.
- Figure 9 is a schematic flow chart of an authentication method provided by an embodiment of the present application.
- Figure 10 is a schematic flow chart of an authentication method provided by an embodiment of the present application.
- Figure 11 is a schematic flow chart of an authentication method provided by an embodiment of the present application.
- FIG12 is a schematic diagram of a flow chart of an authentication method provided in an embodiment of the present application.
- Figure 13 is a schematic diagram of a communication device provided by an embodiment of the present application.
- Figure 14 is a schematic diagram of a communication device provided by an embodiment of the present application.
- the system includes a mobility management network element and an authentication network element.
- the system shown in Figure 1 can be used in the fifth generation (5G) network architecture shown in Figure 2 or Figure 3.
- 5G fifth generation
- 6G sixth generation
- Network architecture, etc. are not limited by this application.
- the mobility management network element is configured to generate a first random number; send the first random number to the terminal device; and receive first authentication information from the terminal device, the first authentication information is based on the first random number and Generated by a long-term key, which is a root key used for communication between the terminal device and the network; sending the first authentication information and the first random number to the authentication network element, the first authentication information and the first random number are used to authenticate the terminal device; receive the authentication result from the authentication network element; and send a notification message to the terminal device according to the authentication result, the notification message indicating the authentication result of the terminal device.
- Authentication result authentication network element, configured to receive the first authentication information and the first random number from the mobility management network element; and authenticate the terminal device according to the first authentication information and the first random number. ; and sending the authentication result to the mobility management network element.
- the mobility management network element is also configured to receive data from the terminal device through the control plane before sending a notification message to the terminal device according to the authentication result; wherein the data is consistent with the The first authentication information is carried in the same message or different messages.
- the mobility management network element is also configured to receive first instruction information from the terminal device, where the first instruction information instructs the terminal device to transmit data before the authentication is completed.
- the mobility management network element is also used to cache the data when the mobility management network element cannot communicate with the authentication network element; when the mobility management network element can communicate with the authentication network element Network element communication to obtain the cached number data and sends the data to the data network.
- the mobility management network element is also used to notify other network elements to cache the data when the mobility management network element cannot communicate with the authentication network element; when the mobility management network element can Communicate with the authentication network element and notify other network elements to send the cached data to the data network.
- next generation mobile communication network system Next Generation System
- 5G network architecture Next Generation Mobile communication network system
- This architecture not only supports wireless access technologies defined by the 3GPP standards group (such as long term evolution (LTE) access technology, 5G radio access network (RAN) access technology, etc.) to be connected to the 5G core Core network (CN), and supports the use of non-3GPP (non-3GPP) access technology through non-3GPP interworking function (N3IWF) or next generation packet data gateway (ngPDG) Access to the core network.
- LTE long term evolution
- RAN radio access network
- CN 5G core Core network
- N3IWF non-3GPP interworking function
- ngPDG next generation packet data gateway
- FIG. 2 is a schematic diagram of the 5G network architecture based on service-based architecture.
- the 5G network architecture shown in Figure 2 may include access network equipment and core network equipment. Terminal equipment is connected to the data network (DN) through access network equipment and core network equipment.
- the core network equipment includes but is not limited to some or all of the following network elements: AUSF network element (not shown in the figure), UDM network element, unified database (unified data repository, UDR) network element, network storage function (network repository function (NRF) network element (not shown in the figure), network exposure function (NEF) network element (not shown in the figure), application function (AF) network element, policy control function ( policy control function, PCF) network element, AMF network element, SMF network element, UPF network element.
- AUSF network element not shown in the figure
- UDM unified database
- UDR unified data repository
- NRF network repository function
- NEF network exposure function
- AF application function
- PCF policy control function
- Terminal device can be user equipment (UE), mobile station, mobile terminal device, etc.
- Terminal devices can be widely used in various scenarios, such as device-to-device (D2D), vehicle to everything (V2X) communication, machine-type communication (MTC), and the Internet of Things (internet of things, IOT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grid, smart furniture, smart office, smart wear, smart transportation, smart city, etc.
- Terminal devices can be mobile phones, tablets, computers with wireless transceiver functions, wearable devices, vehicles, urban air vehicles (such as drones, helicopters, etc.), ships, robots, robotic arms, smart home devices, etc.
- the access network equipment may be a wireless access network equipment (RAN equipment) or a wired access network equipment.
- wireless access network equipment includes 3GPP access network equipment, untrusted non-3GPP access network equipment and trusted non-3GPP access network equipment.
- 3GPP access network equipment includes but is not limited to: evolved base stations (evolved NodeB, eNodeB) in LTE, next generation base stations (next generation NodeB, gNB) in 5G mobile communication systems, base stations or completed base stations in future mobile communication systems Modules or units with partial functions, such as centralized units (CU), distributed units (DU), etc.
- Untrusted non-3GPP access network equipment includes but is not limited to: untrusted non-3GPP access gateway or N3IWF equipment, untrusted wireless local area network (WLAN) access point (access point, AP), switch ,router.
- Trusted non-3GPP access network equipment includes but is not limited to: trusted non-3GPP access gateways, trusted WLAN APs, switches, and routers.
- Wired access network equipment includes but is not limited to: wired access gateway, fixed telephone network equipment, switches, and routers.
- the access network equipment and terminal equipment can be fixed or mobile.
- the access network equipment and terminal equipment can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on the water surface; they can also be deployed on aircraft, balloons and artificial satellites in the air. No limitation.
- AMF network elements include functions such as mobility management or access authentication/authorization. In addition, it is also responsible for transmitting user policies between the terminal device and the PCF.
- SMF network elements include functions such as performing session management, executing control policies issued by PCF network elements, selecting UPF network elements, or allocating Internet Protocol (IP) addresses of terminal devices.
- IP Internet Protocol
- the UPF network element includes functions such as user plane data forwarding, session/flow level-based billing statistics, or bandwidth limitation.
- UDM network elements include functions such as execution and management of contract data or user access authorization.
- UDR includes access functions for executing contract data, policy data, or application data.
- NEF network element is used to support the opening of capabilities and events.
- AF network element transmits the requirements from the application side to the network side, such as QoS requirements or user status event subscriptions.
- AF can be a third-party functional entity or an application service deployed by an operator, such as IP Multimedia Subsystem (IMS) voice call service.
- IMS IP Multimedia Subsystem
- AF network elements include AF network elements within the core network (that is, the operator's AF network elements) and third-party AF network elements (such as an enterprise's application server).
- the PCF network element includes policy control functions such as session and service flow level billing, QoS bandwidth guarantee and mobility management, or terminal device policy decision-making.
- PCF network elements include access and mobility management policy control function (AM PCF) network elements and session management policy control function (session management PCF, SM PCF) network elements.
- AM PCF access and mobility management policy control function
- SM PCF session management policy control function
- the AM PCF network element is used to formulate AM policies and user policies for terminal equipment.
- the AM PCF network element can also be called the policy control network element (PCF for a UE) that provides services for terminal equipment).
- the SM PCF network element is used to formulate a session management policy (SM policy) for the session.
- the SM PCF network element can also be called a policy control network element that provides services for the session ((PCF for a PDU session)).
- NRF network elements can be used to provide network element discovery functions and provide network element information corresponding to the network element type based on requests from other network elements. NRF network elements also provide network element management services, such as network element registration, update, deregistration, or network element status subscription and push.
- the AUSF network element is responsible for authenticating users to determine whether users or devices are allowed to access the network.
- DN is a network located outside the operator's network.
- the operator's network can access multiple DNs.
- a variety of services can be deployed on the DN, which can provide data and/or voice services to terminal devices.
- DN is a private network of a smart factory.
- the sensors installed in the workshop of the smart factory can be terminal devices.
- the control server of the sensor is deployed in the DN, and the control server can provide services for the sensor.
- the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
- DN is the internal office network of a company.
- the mobile phones or computers of employees of the company can be used as terminal devices.
- the employees' mobile phones or computers can access information and data resources on the company's internal office network.
- Npcf, Nudr, Nudm, Naf, Namf, and Nsmf are the service interfaces provided by the above-mentioned PCF, UDR, UDM, AF, AMF, and SMF respectively, and are used to call corresponding service operations.
- N1, N2, N3, N4 and N6 are interface serial numbers. The meanings of these interface serial numbers are as follows:
- N1 The interface between the AMF network element and the terminal device, which can be used to transmit non-access stratum (NAS) signaling (such as QoS rules from the AMF network element) to the terminal device.
- NAS non-access stratum
- N2 The interface between the AMF network element and the access network equipment, which can be used to transmit wireless bearer control information from the core network side to the access network equipment.
- N3 The interface between access network equipment and UPF network elements, mainly used to transfer access network equipment and UPF network elements uplink and downlink user plane data.
- N4 The interface between the SMF network element and the UPF network element can be used to transfer information between the control plane and the user plane, including controlling the delivery of user plane-oriented forwarding rules, QoS rules, traffic statistics rules, etc. Report information on the user interface.
- N6 The interface between the UPF network element and the DN, used to transmit the uplink and downlink user data flows between the UPF network element and the DN.
- Figure 3 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
- the interfaces between the control plane network elements in Figure 2 are service-oriented interfaces, while the interfaces between the control plane network elements in Figure 3 are point-to-point interfaces.
- N1, N2, N3, N4 and N6 interfaces can refer to the previous description.
- N5 The interface between the AF network element and the PCF network element, which can be used to deliver application service requests and report network events.
- N7 The interface between PCF network element and SMF network element, which can be used to send PDU session granularity and service data flow granularity control strategy.
- N8 The interface between AMF network elements and UDM network elements, which can be used by AMF network elements to obtain access and mobility management-related subscription data and authentication data from UDM network elements, and for AMF to register terminal device mobility with UDM Management related information, etc.
- N9 The user plane interface between UPF network elements and UPF network elements, used to transmit uplink and downlink user data flows between UPF network elements.
- N10 The interface between the SMF network element and the UDM network element, which can be used for the SMF network element to obtain session management-related contract data from the UDM network element, and for the SMF network element to register terminal device session-related information with UDM.
- N11 The interface between the SMF network element and the AMF network element can be used to transfer PDU session tunnel information between the access network device and the UPF network element, transfer control messages sent to the terminal device, or transfer Radio resource control information of access network equipment, etc.
- N15 The interface between the PCF network element and the AMF network element, which can be used to deliver terminal device policies and access control-related policies.
- N35 The interface between UDM network element and UDR network element, which can be used by UDM network element to obtain user subscription data information from UDR network element.
- N36 The interface between the PCF network element and the UDR network element, which can be used by the PCF network element to obtain policy-related contract data and application data-related information from the UDR network element.
- the above network element or function can be a network element in a hardware device, a software function running on dedicated hardware, or a virtualized function instantiated on a platform (e.g., a cloud platform).
- a platform e.g., a cloud platform
- the above network element or function can be implemented by one device, or by multiple devices, or a functional module in one device, which is not specifically limited in the embodiments of the present application.
- the mobility management network element in this application can be an AMF network element in the 5G system, or a network element with the functions of the above-mentioned AMF network element in future communications such as 6G networks. This application is not limited to this.
- the AMF network element is used as an example of the mobility management network element for description.
- the AMF network element is referred to as AMF.
- the authentication network element in this application can be an AUSF network element or a UDM network element in the 5G system, or it can be a network element with the functions of the above-mentioned AUSF network element or UDM network element in future communications such as 6G network. Not limited. exist In the embodiment of this application, the AUSF network element or the UDM network element is used as an example of the authentication network element for description. And the AUSF network element and UDM network element are abbreviated as AUSF and UDM respectively.
- the embodiment of the present application uses a UE as an example of a terminal device.
- the UE described below can be replaced with a terminal device.
- the embodiments of this application are described by taking a base station as an example of access network equipment.
- the base stations described below can be replaced by access network equipment.
- FIG. 5 is a schematic diagram of the authentication initiation process provided by the embodiment of the present application. The method includes the following steps:
- Step 501 the UE sends the N1 message to the security anchor function (SEAF). Accordingly, SEAF receives the N1 message.
- SEAF security anchor function
- SEAF is the abbreviation of SEAF network element, and SEAF is a sub-function of AMF.
- the N1 message includes a subscription concealed identifier (SUCI) or a 5G-globally unique temporary UE identity (5G-GUTI).
- 5G-GUTI is a temporary identifier assigned by AMF to UE.
- Step 502 SEAF sends an authentication request message to AUSF.
- the AUSF receives the authentication request message.
- the authentication request message includes SUCI or SUPI.
- the authentication request message also includes the service network name (service network name, SN-name).
- the N1 message in the above step 501 includes SUCI and SEAF determines to perform initial authentication on the UE, SEAF sends the authentication request message including SUCI.
- the authentication request message also includes the service network name.
- the N1 message in the above step 501 includes 5G-GUTI, and SEAF determines that the 5G-GUTI is legal and determines that the UE needs to be re-authenticated, SEAF sends the authentication request message.
- the message includes the user permanent identifier (subscription permanent identifier, SUPI).
- SUPI subscription permanent identifier
- the authentication request message also includes the service network name. This SUPI is determined based on 5G-GUTI.
- the AUSF if the AUSF receives the service network name in step 502, the AUSF needs to check whether it has the right to use the service network name. If you have the right to use it, continue the subsequent authentication process. If you are not authorized to use it, stop the authentication process.
- the authentication request message is a Nausf_UEAuthentication_Authenticate Request message.
- Step 503 AUSF sends an authentication request message to UDM.
- UDM receives the authentication request message.
- the authentication request message includes SUCI or SUPI, and optionally also includes the service network name.
- UDM needs to decrypt SUCI into SUPI.
- UDM After UDM obtains SUPI, it can select the authentication method based on SUPI. For example, UDM obtains the UE's subscription data based on SUPI and selects an authentication method based on the subscription data.
- the embodiment of the present application does not limit the implementation method of selecting the authentication method.
- the authentication request message is a Nudm_UEAuthentication_Get Request message.
- the UE triggers the network side to enter the authentication process through the N1 message.
- EAP-AKA' extended authentication protocol-authentication and key agreement
- 5G-authentication and key agreement 5G-AKA authentication method.
- 5G-AKA 5G-authentication and key agreement
- FIG. 6 is a schematic flow chart of the EAP-AKA' authentication method. The method includes the following steps:
- Step 601 UDM generates an authentication vector (AV).
- the authentication vector includes random number (RAND), expected response (XRES), encryption key (cipher key, CK'), integrity key (integrity key, IK') and authentication token (authentication token) , AUTN).
- UDM obtains AUTN, XRES, CK, and IK respectively based on the long-term secret key of RAND and the universal subscriber identity module (USIM), as well as combining different derivation functions. Furthermore, UDM also obtains CK' based on CK and IK' based on IK. Optionally, the service network name can also be used in the process of deriving CK' and IK'.
- USIM universal subscriber identity module
- AUTN is used for UE to authenticate the network.
- USIM is a part of UE.
- the long-term key can be represented by the symbol K, which refers to the long-term key shared by USIM and UDM.
- Step 602 UDM sends an authentication response message to AUSF.
- the AUSF receives the authentication response message.
- the authentication response message includes the authentication vector.
- the response message may also include SUPI.
- the authentication response message is a Nudm_UEAuthentication_Get Response message.
- Step 603 AUSF sends an authentication response message to SEAF.
- SEAF receives the authentication response message.
- the authentication response message includes an EAP-Request message or an AKA'-Challenge message, and the EAP-Request message or the AKA'-Challenge message includes RAND and AUTN from the UDM. That is, the AUSF obtains RAND and AUTN from the received authentication vector and sends them to the SEAF through the authentication response message.
- the authentication response message is a Nausf_UEAuthentication_Authenticate Response message.
- Step 604 SEAF sends the N1 message to the UE. Accordingly, the UE receives the N1 message.
- the N1 message includes an EAP-Request message or an AKA'-Challenge message, and the EAP-Request message or AKA'-Challenge message comes from the AUSF.
- the N1 message is an Authentication-Ruquest message.
- Step 605 The UE authenticates the network.
- the UE obtains RAND and AUTN from the received EAP-Request message or AKA'-Challenge message, and then the UE derives AUTN' based on RAND and the long-term key of USIM.
- the UE compares AUTN' with AUTN. If they are the same, the UE determines that AUTN is acceptable, that is, the UE successfully authenticates the network. If the two are different, the UE determines that the AUTN is not acceptable, that is, the UE fails to authenticate the network.
- Step 606 If the UE successfully authenticates the network, the UE determines a response (RES) based on the RAND and long-term key.
- RES response
- Step 607 The UE sends the N1 message to SEAF. Accordingly, SEAF receives the N1 message.
- the N1 message includes an EAP-Response message or an AKA'-Challenge message, and the EAP-Response message or AKA'-Challenge message includes a RES.
- Step 608 SEAF sends an authentication request message to AUSF.
- the AUSF receives the authentication request message.
- the authentication request message includes an EAP-Response message or an AKA'-Challenge message.
- the authentication request message is a Nausf_UEAuthentication_Authenticate Request message.
- Step 609 AUSF authenticates the UE.
- AUSF compares XRES and RES. If they are the same, the AUSF authenticates the UE successfully. If they are different, AUSF fails to authenticate the UE.
- AUSF receives XRES in step 602 and receives RES in step 608.
- Step 610 AUSF sends the authentication result to UDM.
- UDM receives the authentication result.
- AUSF can also send the authentication result to the UE through SEAF, and then the network negotiates with the UE on the key for secure communication.
- the UE and the network can achieve mutual authentication, which can improve communication security.
- Figure 7 is a flow chart of a 5G-AKA authentication method. The method includes the following steps:
- Step 701 UDM generates an authentication vector (AV).
- the authentication vector includes a random number (RAND), an authentication token (AUTN), an expected response (XRES*), and K AUSF , where K AUSF is the anchor key of AUSF.
- Step 702 UDM sends an authentication response message to AUSF.
- the AUSF receives the authentication response message.
- the authentication response message includes the authentication vector.
- the authentication response message is a Nudm_UEAuthentication_Get Response message.
- Step 703 AUSF stores XRES*.
- Step 704 AUSF determines HXRES* based on XRES*.
- Step 705 AUSF sends an authentication response message to SEAF. Accordingly, SEAF receives the authentication response message.
- the authentication response message includes RAND, AUTN, and HXRES*.
- the authentication response message is a Nausf_UEAuthentication_Authenticate Response message.
- Step 706 SEAF sends the N1 message to the UE. Accordingly, the UE receives the N1 message.
- the N1 message includes RAND and AUTN.
- the N1 message is an Authentication-Ruquest message.
- Step 707 The UE authenticates the network.
- the UE derives AUTN' based on the long-term key of RAND and USIM.
- the UE compares AUTN' with AUTN. If they are the same, the UE determines that AUTN is acceptable, that is, the UE successfully authenticates the network. If the two are different, the UE determines that the AUTN is not acceptable, that is, the UE fails to authenticate the network.
- Step 708 If the UE successfully authenticates the network, the UE determines RES*.
- the UE determines the response (response, RES) based on RAND and long-term key, and then determines RES* based on RES.
- Step 709 The UE sends the N1 message to SEAF. Accordingly, SEAF receives the N1 message.
- the N1 message includes RES*.
- Step 710 SEAF authenticates the UE.
- SEAF determines HRES* based on RES*, and then compares HRES* and HXRES*. If they are the same, SEAF determines that the authentication is successful. If they are not the same, SEAF determines that the authentication failed.
- Step 711 SEAF sends an authentication request message to AUSF.
- the AUSF receives the authentication request message.
- the authentication request message includes RES*.
- the authentication request message is a Nausf_UEAuthentication_Authenticate Request message.
- Step 712 If the AUSF determines that the authentication vector has not expired, the AUSF authenticates the UE.
- AUSF compares RES* and XRES*. If they are the same, AUSF determines that the authentication is successful. If they are not the same, AUSF determines that the authentication failed.
- Step 713 AUSF sends an authentication response message to SEAF.
- SEAF receives the authentication response message.
- the authentication response message is used to indicate authentication success or authentication failure.
- the authentication response message is a Nausf_UEAuthentication_Authenticate Response message.
- the AMF When the SEAF authentication is successful and the AUSF authentication is successful, it indicates that the network has successfully authenticated the UE, so the AMF will initiate the NAS security mode command process, that is, send the NAS security mode command message to the UE.
- SEAF can also send the authentication result to the UE, and then the network and the UE negotiate the key for secure communication.
- the UE and the network can achieve mutual authentication, which can improve communication security.
- the authentication initiation process and authentication process shown in Figures 5 to 7 above generally include the following processes:
- UDM generates an authentication vector, and then sends the RAND and AUTN in the authentication vector to the UE through SEAF, and the UE authenticates the network based on the AUTN.
- Process 3 The UE determines the response (i.e. RES or RES*) based on RAND, and sends the response to SEAF.
- SEAF (or SEAF and AUSF) authenticates the UE based on the response.
- Process 4 SEAF sends the authentication result to the UE.
- network elements or equipment such as base stations, AMF, SMF, and UPF are deployed on satellites, and network elements such as UDM and AUSF are deployed on ground stations.
- UDM, AUSF, etc. are deployed in remote locations. of. Therefore, in the above process, after the UE completes process 1, it needs to wait for the satellite to circle the earth once before executing process 2, and after the UE completes process 3, it needs to wait for the satellite to circle the earth once before executing process 4. Therefore, execute The above processes 1 to 4 require the satellite to orbit the earth twice, causing the UE to wait for a long time before transmitting data.
- the UE needs to complete authentication before actually transmitting data, and authentication takes a long time, the UE needs to wait for a long time before actually transmitting data.
- one or more network elements may be deployed on the satellite in the embodiment of the present application, such as network elements or equipment such as base stations, AMFs, SMFs, and UPFs.
- network elements or equipment such as base stations, AMFs, SMFs, and UPFs.
- one or more network elements deployed on the satellite can be co-located.
- AMF and SMF can be co-located.
- the base station and UPF can be co-located.
- the base station, AMF, SMF and UPF can be co-located.
- This application does not limit the form of deploying network elements or equipment on satellites.
- Figure 8(a) is a schematic flow chart of an authentication method provided by an embodiment of the present application. The method includes the following steps:
- Step 801a AMF generates a first random number.
- An implementation method when the AMF determines that it cannot currently maintain communication with the ground segment, the AMF generates a first random number. That is, the AMF determines that it can currently only communicate with the UE in the user segment, but cannot maintain communication with the ground segment.
- Step 802a AMF sends the first random number to the UE.
- the UE receives the first random number.
- the satellite can maintain communication with the UE in the user plane segment, but cannot maintain communication with the authentication network element in the ground segment.
- the AMF sends an N2 message to the base station, the N2 message includes an N1 message, and the N1 message includes a first random number.
- the base station includes the N1 message in the access stratum (AS) message and transparently transmits it to the UE.
- the base station is deployed on the same satellite as the AMF.
- Step 803a The UE determines the first authentication information.
- the UE generates first authentication information based on the first random number and the long-term key.
- This long-term key is the root key used by the UE to communicate with the network.
- K can be used to represent the long-term key.
- the AMF before step 803a, the AMF also generates second authentication information or the AMF obtains preconfigured second authentication information locally, and then the AMF sends the second authentication information to the UE.
- the UE authenticates the AMF according to the second authentication information.
- step 803a is executed.
- the AMF authentication fails, there is no need to perform subsequent steps after step 803a, that is, the authentication process ends.
- AMF can use but is not limited to use any of the following methods to generate the second authentication information:
- Method 1 AMF receives a second random number from the UE, and AMF generates second authentication information based on the second random number.
- the method for the UE to authenticate the AMF based on the second authentication information is specifically: the UE generates the third authentication information based on the second random number, and when the second authentication information is the same as the third authentication information, Then the UE determines that the authentication of the AMF is successful, or when the second authentication information is different from the third authentication information, the UE determines that the authentication of the AMF fails.
- Method 2 AMF encrypts the information in the AMF to obtain the second authentication information.
- the information in the AMF can be any information, which is not limited by this application.
- the method for the UE to authenticate the AMF based on the second authentication information is specifically: the UE uses the public key to decrypt the second authentication information.
- the UE uses the public key to decrypt the second authentication information.
- the AMF may send the second authentication information before or after step 802a, or may send the first random number and the second authentication information simultaneously in step 802a. , this application is not limited to this.
- Step 804a the UE sends first authentication information to the AMF.
- the AMF receives the first authentication information.
- the UE sends an access layer message to the base station, the access layer message includes an N1 message, and the N1 message includes first authentication information. Then the base station sends an N2 message to the AMF, and the N2 message includes the N1 message. That is, the base station transparently transmits the N1 message to the AMF.
- the base station is deployed on the same satellite as the AMF.
- Step 805a The AMF sends the first authentication information and the first random number to the authentication network element.
- the satellite can maintain communication with the authentication network element in the ground segment, but cannot maintain communication with the UE in the user plane segment.
- the authentication network element can be AUSF or UDM.
- Step 806a The authentication network element sends the authentication result to the AMF.
- AMF receives the authentication result.
- the authentication result indicates that the authentication of the UE is successful, or indicates that the authentication of the UE fails.
- the authentication network element generates fourth authentication information based on the first random number and the long-term key.
- the authentication network element determines to successfully authenticate the UE.
- the authentication network element determines to authenticate the UE. fail.
- the long-term key here is the same as the long-term key used by the UE when generating the first authentication information in step 803a.
- step 805a is specifically: AMF sends the first authentication information and the first random number to AUSF, and then AUSF determines the authentication result, and sends the authentication to AMF through step 806a. result.
- step 805a is specifically: AMF sends the first authentication information and the first random number to UDM through the interface between AMF and UDM, and then UDM determines the authentication result, And send the authentication result to the AMF through step 806a.
- step 805a when the authentication network element is a UDM, step 805a specifically includes: the AMF sends the first authentication information and the first random number to the AUSF, and the AUSF sends the first authentication information and the first random number to the UDM. . then, UDM determines the authentication result.
- Step 806a is specifically: UDM sends the authentication result to AUSF, and AUSF sends the authentication result to AMF.
- step 805a when the authentication network element is AUSF and UDM, step 805a specifically includes: AMF sends the first authentication information and the first random number to AUSF, and AUSF sends the first random number to UDM. Then, UDM generates the fourth authentication information based on the first random number and the long-term key, and sends the fourth authentication information to AUSF. After receiving the fourth authentication information, AUSF compares the first authentication information to determine the authentication result.
- Step 806a specifically includes: AUSF sends the authentication result to AMF.
- Step 807a AMF sends a notification message to the UE according to the authentication result. Accordingly, the UE receives the notification message.
- the satellite can maintain communication with the UE in the user plane segment, but cannot maintain communication with the authentication network element in the ground segment.
- the notification message indicates the authentication result for the UE.
- the notification message explicitly indicates the authentication result.
- the notification message does not explicitly indicate the authentication result, but implicitly indicates the authentication.
- the AMF sends a NAS security mode command message to the UE. Once a legitimate NAS security mode command message is received, the UE considers the authentication to be successful.
- the UE in a scenario where the satellite cannot connect to the UE and the ground station at the same time, the UE only needs to wait for the satellite to circle the earth to complete the authentication process. After completing the authentication process, the data transmission can be started, thus reducing the waiting time. The time for data transmission helps improve communication efficiency.
- the embodiment of the present application can also transmit data during the authentication process.
- the UE can start transmitting data after step 803a and before step 807a.
- the following introduces different implementation methods of data transmission.
- Method A the UE sends data to the base station through control, and then the base station sends data to the AMF through control.
- the data can be transmitted in the same message as the first authentication information of step 804a, for example, the UE sends an N1 message to the AMF via the base station, and the N1 message includes the first authentication information and the data.
- the data can also be sent to the AMF via a separate control plane message, which is not limited in this application.
- Method B the UE sends data to the base station through the user, and then the base station sends data to the UPF through the user.
- the UE may send data to the AMF through control or send data to the base station through the user if the AMF authentication is successful.
- the UE After the UE sends the data to the AMF or UPF on the satellite, since the AMF/UPF cannot maintain communication with the ground station at this time, it can cache the data first, and then send the cached data to the UE after it can maintain communication with the ground station.
- Data network for the ground segment can not only be AMF, UPF, but also other network elements such as SMF and NEF, which is not limited by this application.
- AMF/UPF notifies SMF/NEF to cache the received data. After AMF determines that it can maintain communication with the ground station, AMF notifies SMF/NEF to send the cached data to the data network in the ground segment.
- the UE has started transmitting data before the authentication process is completed, thereby further advancing the start time of data transmission, which helps to improve communication efficiency.
- the UE before sending data to the AMF, may send first indication information to the AMF.
- the first indication information instructs the UE to transmit data before the authentication is completed.
- the AMF may send second indication information to the UE.
- the second indication information indicates one or more of the following information: supporting the UE to transmit data before the authentication is completed, allowing the UE to transmit data before the authentication is completed, and allowing the UE to complete the authentication. Transfer data before completion, data size allowed to be transferred, or rate limit information.
- the AMF or the base station also sends temporary security information to the UE. The temporary security information is used by the UE to process the data to be transmitted. Encryption is performed to ensure communication security. The details are explained below.
- Method 1 AMF sends an N2 message to the base station.
- the N2 message includes an N1 message.
- the N1 message includes second indication information and temporary security information.
- the base station includes the N1 message in the access layer message and transparently transmits it to the UE.
- the temporary security information is the security information selected by the AMF to protect the data transmitted through the control plane before the authentication is completed.
- the UE After receiving the second indication information, the UE encrypts the data according to the temporary security information, and then sends the data to the AMF through the control plane. Specifically, when sending data, the UE can also refer to the data size or rate limit information allowed to be transmitted indicated by the second indication information.
- Method 2 AMF sends an N2 message to the base station.
- the N2 message includes an N1 message.
- the N1 message includes second indication information.
- the base station generates temporary security information, and then the base station sends the N1 message and the temporary security information to the UE.
- the temporary security information is security information selected by the base station to protect data transmitted through the user plane before authentication is completed.
- the UE After receiving the second indication information, the UE encrypts the data according to the temporary security information, and then sends the data to the base station through the user. Specifically, when sending data, the UE may also refer to the data size or rate limit information allowed for transmission indicated by the second indication information.
- the authentication network element determines the satellites that may pass the UE's location in the future based on the UE's location information and ephemeris information, and then Send an authentication notification message to the AMF on these satellites (hereinafter taking AMF1 as an example, this AMF1 is different from the AMF described in the embodiment of Figure 8(a)), the authentication notification message includes the identification information and anchor point of the UE Key, this anchor key is used to derive the communication key between UE and AMF1.
- AMF1 generates the security context of the UE according to the authentication notification message.
- AMF1 When AMF1 has the security context of the UE, AMF1 can decrypt and verify the integrity of the N1 message sent by the UE. Subsequently, when AMF1 establishes a communication connection with the UE and the UE sends the encrypted N1 message, if AMF1 can decrypt the N1 message based on the pre-saved security context of the UE, it indicates that encrypted communication can be carried out between the UE and AMF1, so AMF1 The authentication process can be skipped with the UE. This method avoids unnecessary authentication by sharing security context, can reduce signaling overhead and waiting time before data transmission, and helps improve communication efficiency.
- Figure 8(b) is a schematic flow chart of an authentication method provided by an embodiment of the present application. The method includes the following steps:
- Step 801b The authentication network element determines to complete the authentication process between the authentication network element and the UE.
- the authentication process between the authentication network element and the UE can refer to the authentication process shown in Figure 5 and Figure 6, or refer to the authentication process shown in Figure 5 and Figure 7, or refer to Figure 8(a)
- the authentication process is not limited by this application.
- Step 802b The authentication network element sends the first authentication notification message to the first satellite.
- the first satellite receives the first authentication notification message.
- the first authentication notification message includes the first security context of the UE, and the first security context is used for secure communication between the UE and the first satellite.
- the first satellite is a satellite that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- the authentication network element sends the first authentication notification message to the first satellite. Specifically, the authentication network element sends the first authentication notification message to the AMF on the first satellite.
- Step 803b The authentication network element sends the second security context to the UE. Accordingly, the UE receives the second security context.
- the second security context is used for secure communication between the UE and the first satellite.
- the second security context contains the same or different keys as the above-mentioned first security context.
- the AMF and UE on the first satellite can respectively use the first security context according to the first security context.
- the following and the second security context directly obtain or derive the same security key, which is used to securely protect the communication between the UE and the AMF on the first satellite.
- the first security context includes the identification information and anchor key of the UE
- the second security context includes the authentication network element key
- the UE can derive the anchor key based on the authentication network element key.
- the anchor key is the same as the anchor key in the first security context.
- the anchor key is a security key.
- the UE when the UE establishes a connection with the first satellite, it generally needs to complete the authentication process first.
- the authentication network element in this embodiment since the authentication network element in this embodiment has already sent the first security context to the AMF of the first satellite in advance and the second security context to the UE in advance, the relationship between the UE and the AMF can be based on the first security context and the Communicate with the second security context.
- the UE sends a first message to the AMF of the first satellite.
- the first message includes the UE's identification information and encrypted information.
- the encrypted information is security protected according to the second security context.
- AMF can decrypt the encrypted information according to the first security context. When the decryption is successful, AMF determines not to perform the authentication process.
- AMF triggers the execution of the authentication process.
- This authentication process can refer to the authentication process shown in Figure 5 and Figure 6, or refer to the authentication process shown in Figure 5 and Figure 7, or refer to Figure 8(a) The authentication process is not limited by this application.
- Figure 8(b) also includes the following steps 804b and 805b.
- Step 804b The authentication network element sends a second authentication notification message to the second satellite.
- the second satellite receives the second authentication notification message.
- the second authentication notification message includes the third security context of the UE.
- the third security context is used for secure communication between the UE and the second satellite.
- the third security context is the same as or different from the above-mentioned first security context.
- the second satellite is a satellite that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- the second satellite is different from the first satellite.
- the authentication network element sends the second authentication notification message to the second satellite. Specifically, the authentication network element sends the second authentication notification message to the AMF on the second satellite.
- Step 805b The authentication network element sends the fourth security context to the UE. Accordingly, the UE receives the fourth security context.
- the fourth security context is used for secure communication between the UE and the second satellite.
- the fourth security context may be the same as the above-mentioned second security context, or may be different.
- the fourth security context contains the same or different keys as the above-mentioned third security context.
- the AMF and UE on the second satellite can directly obtain or derive the same security key according to the third security context and the fourth security context respectively.
- the security key is used to securely protect communications between the UE and the AMF on the second satellite.
- the third security context includes the identification information and anchor key of the UE
- the fourth security context includes the authentication network element key
- the UE can derive the anchor key based on the authentication network element key.
- the anchor key is the same as the anchor key in the third security context.
- the anchor key is a security key.
- the security key for communication between the UE and the first satellite and the security key for communication between the UE and the second satellite may be the same or different, and are not limited by this application.
- the UE when the UE establishes a connection with the second satellite, it generally needs to complete the authentication process first.
- the authentication network element in this embodiment since the authentication network element in this embodiment has already sent the third security context to the AMF of the second satellite in advance and the fourth security context to the UE in advance, the relationship between the UE and the AMF can be based on the third security context and Fourth security context for communication.
- the UE sends a second message to the AMF of the second satellite.
- the second message includes the UE's identification information and encrypted information, and the encrypted information is encrypted according to the fourth security context.
- the encrypted information can be decrypted according to the third security context.
- the AMF determines not to perform the authentication process.
- AMF triggers the execution of the authentication process.
- This authentication process can refer to the authentication process shown in Figure 5 and Figure 6, or refer to the authentication process shown in Figure 5 and Figure 7, or refer to Figure 8(a)
- the authentication process is not limited by this application.
- the above solution can avoid unnecessary authentication by sending the UE's security context to the UE and the satellite in advance, reduce signaling overhead and the waiting time before data transmission, and help improve communication efficiency.
- the authentication network element before step 802b, the authentication network element also needs to determine a satellite that may provide service to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- a satellite that may provide service to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- the authentication network element determines the satellites that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future based on the UE's subscription information.
- the authentication network element receives first indication information from the UE or other network elements.
- the indication information indicates satellites that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- Method 3 The authentication network element receives second indication information from the UE or other network elements.
- the second indication information indicates the area information where the UE may be located when it is unable to connect to the authentication network element in the future.
- the network element determines, based on the ephemeris information and the second indication information, the satellites that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future.
- the satellites that may provide services to the UE when the UE is in a place where it cannot connect to the authentication network element in the future include the above-mentioned first satellite, the second satellite, and may also include other satellites.
- the embodiment of FIG. 8(b) is explained by taking two satellites as an example. In practical applications, the number of satellites is not limited and may be one, two or more.
- FIG. 8(a) and FIG. 8(b) will be described below with reference to specific embodiments.
- the following embodiments in FIGS. 9 and 10 are specific examples of the above-mentioned embodiment in FIG. 8(a)
- the embodiment in FIG. 11 is a specific example of the above-mentioned embodiment in FIG. 8(b) .
- FIG 9 is a schematic flowchart of an authentication method provided by an embodiment of the present application.
- the network authentication information, authentication information, random number 1, and random number 2 in this embodiment are respectively the second authentication information, the first authentication information, the second random number, and the random number in the embodiment of Figure 8(a). Specific example of first random number.
- the method includes the following steps:
- Step 901 UE sends N1 message to AMF. Accordingly, the AMF receives the N1 message.
- the N1 message includes SUCI or 5G-GUTI.
- the N1 message also includes a random number 1 (RAND1) generated by the UE.
- RAND1 random number 1
- the UE may also determine the AMF or determine the satellite where the AMF is located. This application does not limit the method for the UE to determine the AMF or the satellite where the AMF is located.
- Step 902 AMF sends the N1 message to the UE. Accordingly, the UE receives the N1 message.
- the N1 message includes network authentication information and random number 2 (RAND2) generated by AMF.
- RAND2 random number 2
- the network authentication information is used by the UE to authenticate the AMF.
- the embodiment of the present application does not limit the implementation method of the network authentication information.
- the network authentication information may be in the form of AUTN or other forms.
- the above network authentication information is generated by AMF.
- the AMF can generate the network authentication information based on the random number 1.
- AMF can use the private key to encrypt the information on the AMF to obtain encrypted information, and use the encrypted information as network authentication information.
- the above network authentication information is pre-configured on the AMF.
- AMF determines that it is currently unable to connect to AUSF, that is, AMF triggers the execution of the above step 902 when it determines that it cannot connect to AUSF.
- AMF determines that it is currently unable to connect to AUSF based on ephemeris information.
- the "currently unable to connect to the AUSF" here can be expressed as “the AMF is currently unable to connect to the ground station", and the ground station can be connected to the AUSF, or it can be understood as “the AUSF is currently unreachable”, “the ground station is currently unreachable”, etc. It should be understood that there are some scenarios that can also be considered as being unable to connect to the AUSF. For example, the current AMF can connect to the ground station, but the ground station cannot connect to the AUSF that needs to be connected.
- the subsequent AMF when the subsequent AMF can be connected to the AUSF, it can be described as “can be connected to the AUSF”, “can be connected to the ground station”, “reachable to the AUSF”, “reachable to the ground station”, etc.
- part or all of the contents of the N1 message in the above step 901 are securely protected by the UE, and the AMF is unable to decrypt or verify the N1 message, triggering the AMF to perform step 902.
- the UE may have performed an authentication process with the network before, and the security context is saved in the UE, and the UE performs security protection on the N1 message based on the saved security context. If the AMF cannot decrypt or verify the securely protected N1 message after receiving it, the AMF determines that it needs to re-execute the authentication process, thus triggering step 902. For example, the last time the UE performed the authentication process with AMF1, so the negotiated security context was stored on both the UE and AMF1. As the satellite moves, the UE is currently establishing a connection with AMF2, so the security context may not be stored on AMF2. Therefore, AMF2 cannot decrypt or verify the N1 message sent by the UE, and triggers re-authentication.
- Implementation method 3 Part or all of the contents of the N1 message in the above step 901 are securely protected by the UE.
- the AMF can decrypt or verify the N1 message, but the AMF still decides to re-authenticate the UE, triggering the AMF to perform this step 902 .
- Step 903 The UE authenticates the AMF.
- the UE obtains the network authentication information from the N1 message and authenticates the AMF based on the network authentication information.
- the embodiment of this application does not limit the method for the UE to authenticate the AMF.
- the UE can generate the network authentication information based on the random number 1.
- the UE compares the network authentication information received from the AMF with the network authentication information generated by the UE. If the two are the same, the UE determines that the AMF authentication is successful, otherwise the authentication fails.
- the UE uses the public key to decrypt the network authentication information after receiving the network authentication information. If the decryption is successful, the UE determines that the AMF authentication is successful, otherwise, the UE determines that the AMF authentication has failed.
- Step 904 If the UE successfully authenticates the AMF, determine the authentication information.
- the UE determines the authentication information based on the random number 2 and the long-term key. This application does not limit the derivation process for determining authentication information.
- the UE determines the RES based on the random number 2 and the long-term key, and uses the RES as authentication information.
- the UE determines the RES based on the random number 2 and the long-term key, and then determines the RES* based on the RES, or determines the RES* based on the RES and the serving network name, and uses the RES* as authentication information.
- Step 905 The UE sends the N1 message to the AMF. Accordingly, the AMF receives the N1 message.
- the N1 message includes authentication information.
- Step 906 AMF determines that it can connect to AUSF and sends an authentication request message to AUSF. Correspondingly, the AUSF receives the authentication request message.
- the authentication request message includes random number 2 and authentication information.
- AMF after receiving the N1 message, AMF will store the authentication information in the N1 message if it determines that it cannot connect to AUSF. Subsequently, when it is determined that the AUSF can be connected, the authentication request message is sent to the AUSF.
- the AMF can be connected to the AUSF, which means that after the satellite moves, the AMF on the satellite can establish a connection and communicate with the AUSF on the ground. At this time, the communication connection between the satellite and the UE is disconnected.
- Step 907 AUSF sends an authentication request message to UDM.
- UDM receives the authentication request message.
- the authentication request message includes a random number 2, and optionally the authentication request message also includes authentication information.
- Step 908 UDM determines the desired authentication information.
- the UDM determines the expected authentication information based on the random number 2 and the long-term key.
- the long-term key is the same as the long-term key used by the UE when generating authentication information, and both are long-term keys in the UE's USIM.
- UDM determines the XRES based on the random number 2 and the long-term key, and uses the XRES as the expected authentication information.
- UDM determines XRES based on the random number 2 and the long-term key, determines XRES* based on XRES, and uses this XRES* as the expected authentication information.
- Step 909 UDM sends an authentication response message to AUSF.
- the AUSF receives the authentication response message.
- the UE can be authenticated by the AUSF, and the authentication response message includes the desired authentication information. Specifically, after receiving the authentication response message carrying the expected authentication information, the AUSF compares whether the expected authentication information is the same as the authentication information received by the AUSF from step 906. If they are the same, UDM determines that the UE has been authenticated successfully; otherwise, the UE has failed to be authenticated. It should be noted that for this method, the above step 907 does not need to carry authentication information.
- the UDM can authenticate the UE, and the authentication response message includes the authentication result.
- the above step 907 also includes authentication information. After the UDM determines the expected authentication information, it compares whether the expected authentication information generated by the UDM is the same as the authentication information received from step 907. If they are the same, UDM determines that the UE has been authenticated successfully; otherwise, the UE has failed to authenticate. Then the UDM carries the authentication result in the authentication response message sent to the AUSF, and the authentication result indicates whether the authentication of the UE is successful or failed.
- Step 910 AUSF sends an authentication response message to AMF.
- the AMF receives the authentication response message.
- the authentication response message includes an authentication result, which indicates success or failure in authenticating the UE.
- Step 911 AMF determines that it can be connected to the UE, and AMF sends an N1 message to the UE. Accordingly, the UE receives the N1 message.
- the N1 message is used to negotiate security context, etc.
- the security context includes but is not limited to: selected security algorithm (such as encryption algorithm, integrity protection algorithm), key set identifier, and UE security capabilities.
- the AMF can be connected to the UE, which means that after the satellite moves, the AMF on the satellite can establish a connection and communicate with the UE on the ground. At this time, the communication connection between the satellite and the ground station, as well as the AUSF, UDM, etc. on the ground is disconnected.
- the UE in a scenario where the satellite cannot connect to the UE and the ground station at the same time, the UE only needs to wait for the satellite to circle the earth to complete the authentication process. After completing the authentication process, the data transmission can be started, thus reducing the waiting time. The time for data transmission helps improve communication efficiency.
- the AUSF determines the satellites that may pass by the UE in the future based on the UE's location information and ephemeris information, and then sends an authentication notification message to the AMFs on these satellites (AMF1 is taken as an example below, and the AMF1 is different from the AMF described in the embodiment of FIG. 9 ).
- the authentication notification message includes the UE's identification information and an anchor key, and the anchor key is used to derive the communication key between the UE and AMF1.
- AMF1 generates a security context for the UE based on the authentication notification message.
- AMF1 can decrypt and integrity-check the N1 message sent by the UE.
- AMF1 After AMF1 establishes a communication connection with the UE, when the UE sends an encrypted N1 message, if AMF1 can decrypt the N1 message based on the pre-saved UE security context, it indicates that encrypted communication can be performed between the UE and AMF1, so the authentication process can be skipped between AMF1 and the UE.
- This method avoids unnecessary authentication by sharing the security context, can reduce signaling overhead and reduce the waiting time before data transmission, and helps improve communication efficiency.
- FIG 10 is a schematic flowchart of an authentication method provided by an embodiment of the present application.
- the network authentication information, authentication information, random number 1, and random number 2 in this embodiment are respectively the second authentication information, the first authentication information, the second random number, and the random number in the embodiment of Figure 8(a). Specific example of first random number.
- This method enables data transmission during the authentication process.
- the method includes the following steps:
- Step 1001 is the same as step 901 in the embodiment of FIG. 9 .
- the N1 message also includes indication information 1, which indicates that the UE needs/requests to transmit data before the authentication is completed.
- the Indication information 1 also indicates that the UE has the ability to transmit data before authentication is completed.
- Transmitting data here may be transmitting data through the control plane and/or the user plane.
- Step 1002 is the same as step 902 in the embodiment of FIG9 .
- the AMF sends an N1 message to the UE.
- the UE receives the N1 message.
- the N1 message also includes indication information 2 and temporary security information.
- the AMF sends an N2 message to the base station, the N2 message includes the N1 message, and then the base station sends an RRC message to the UE, and the RRC message includes the N1 message. That is, the base station transparently transmits the N1 message to the UE, and the indication information 2 and the temporary security information are both from the AMF.
- the indication information 2 indicates one or more of the following information: supporting the UE to transmit data before the authentication is completed, allowing the UE to transmit data before the authentication is completed, data size allowed for transmission, or rate limit information.
- Temporary security information is security information selected by AMF to encrypt and/or integrity protect data transmitted through the control plane before authentication is completed. For example, temporary security information includes algorithm information, etc.
- the AMF may also send the indication information 2 to the UE, and the temporary security information is generated by the base station and sent to the UE.
- the AMF sends an N2 message to the base station.
- the N2 message includes indication information 1 and an N1 message.
- the N1 message includes network authentication information, random number 2 (RAND2) generated by AMF, and indication information 2.
- RAND2 random number 2
- the meanings of the indication information 1 and the indication information 2 refer to the previous description.
- the base station generates temporary security information based on the instruction information 1.
- the temporary security information is the security information selected by the base station to encrypt and/or completely protect the data transmitted through the user plane before the authentication is completed, such as algorithm information, etc.
- the base station sends an RRC message to the UE, and the RRC message includes the N1 message and the temporary security information.
- both the indication information 2 and the temporary security information are generated by the base station and sent to the UE.
- the AMF sends an N2 message to the base station.
- the N2 message includes indication information 1 and an N1 message.
- the N1 message includes network authentication information and a random number 2 (RAND2) generated by the AMF.
- RAND2 random number 2
- the meaning of this indication information 1 refers to the previous description.
- the base station generates temporary security information and indication information 2 based on the indication information 1.
- the meaning of the indication information 2 refers to the previous description.
- the temporary security information is selected by the base station to encrypt and/or data transmitted through the user plane before the authentication is completed. Completely protected security information, such as algorithm information, etc.
- the base station sends an RRC message to the UE.
- the RRC message includes the N1 message, the indication information 2 and the temporary security information.
- Steps 1003 to 1004 are the same as steps 903 to 904 in the embodiment of FIG. 9 .
- Step 1005 the UE sends the N1 message to the AMF. Accordingly, the AMF receives the N1 message.
- the N1 message includes authentication information.
- the UE determines based on the indication information 2 that the network supports the UE to transmit data before the authentication is completed and allows the UE to transmit data before the authentication is completed, then the UE can transmit small data after step 1004.
- the UE may choose to transmit small data through the control plane.
- the UE also carries small data in the N1 message in step 1005.
- the UE transmits small data through another N1 message independent of step 1005.
- the path for transmitting small data on the control plane may be: UE-base station-AMF.
- This path may also include AMF-SMF-UPF or AMF-SMF-NEF within the core network.
- the small data After the small data is transmitted to the satellite, it can be cached in AMF, SMF, UPF or NEF on the satellite. This application does not limit the location of the data cache.
- the UE can choose to transmit small data through the user plane. For example, the UE sends small data to the base station through the user plane, and then the base station sends the small data to the AMF.
- the path for transmitting small data in the user plane can be: UE-base station, and the path may also include base station-UPF inside the core network. After the small data is transmitted to the satellite, it can be cached in the base station or UPF on the satellite. This application does not limit the place where the data is cached.
- the control plane uses signaling radio bearer (SRB), and the user plane uses signaling radio bearer (SRB).
- DRB Data radio bearer
- the transmitted small data can be encrypted using temporary security information, or encrypted using a public key pre-configured on the UE. If the indication information 2 also indicates the data size and/or rate limit information allowed for transmission, the UE also needs to comply with the data size and/or rate limit information allowed for transmission when transmitting small data.
- the UE before the UE determines to transmit small data through the control plane or user plane transmission path, the UE also sends a session establishment request message to the SMF through the base station and AMF, such as sending the session establishment request message through the N1 message in step 1005 or other messages.
- Request message this session establishment request message requests the establishment of a PDU session for transmitting data.
- the SMF After receiving the session establishment request message, the SMF performs one or more of the following operations: assigning a PDU session identifier, selecting a UPF for data transmission, instructing the UPF to cache the UE's data, and establishing a connection between SMF and NEF for data transmission. Connection.
- the SMF sends a session establishment acceptance message to the UE, which includes a PDU session identifier, etc.
- the UE decides to use the identifier of the PDU session to transmit small data through the transmission path of the control plane or user plane. Subsequently, the UE can bring the PDU session identifier when sending small data, so that the network side can determine the forwarding path based on the PDU session identifier. If the session establishment acceptance message sent to the UE contains the UPF selected for data transmission and tunnel information of the UPF, the UE selects the user plane to transmit small data.
- the AMF is triggered based on the indication information 1 to send a session management request message to the SMF.
- the session management request message requests the creation of a session management context for the UE.
- the SMF After receiving the session management request message, the SMF performs one or more of the following operations: allocate a PDU session identifier, select a UPF for data transmission, instruct the UPF to cache the UE's data, and establish a connection between SMF and NEF for data transmission. Connection. Then the SMF sends a session management response message to the AMF.
- the session management response message includes the PDU session identifier. Subsequently, the AMF sends the PDU session identifier to the UE.
- the UE After receiving the PDU session identifier, the UE decides to use the PDU session identifier to transmit small data through the control plane or user plane transmission path. Subsequently, the UE can bring the PDU session identifier when sending small data, so that the network side can determine the forwarding path based on the PDU session identifier. Among them, if the SMF also sends the UPF and UPF tunnel information selected for transmitting data to the AMF, and the AMF sends the UPF and UPF selected for transmitting data to the UE, UPF tunnel information, the UE selects the user plane to transmit small data.
- Step 1006 AMF determines that it can connect to AUSF and sends an authentication request message to AUSF. Correspondingly, the AUSF receives the authentication request message.
- the authentication request message includes random number 2 and authentication information.
- the AMF After receiving the N1 message, if the AMF determines that it cannot connect to the AUSF, it will store the authentication information in the N1 message. When it is determined that the AUSF can be connected later, it will send the authentication request message to the AUSF.
- the AMF can be connected to the AUSF, which means that after the satellite moves, the AMF on the satellite can establish a connection and communicate with the AUSF on the ground. At this time, the communication connection between the satellite and the UE is disconnected.
- the AMF if the AMF receives small data from the UE, the AMF also caches the small data.
- AMF if AMF continues to forward the small data, AMF does not need to cache the small data. For example, AMF forwards the small data to SMF or UPF.
- the target network element that actually caches the small data may also receive indication information from other network elements before receiving the small data.
- the indication information indicates the cached data. Or indicates that it is currently unable to connect to the receiving end, then the target network element caches the received small data. Or the target network element determines that it cannot connect to the receiving end and caches the received small data.
- Steps 1007 to 1010 are the same as steps 907 to 910 in the embodiment of Figure 9 .
- the target network element on the satellite that actually caches the small data can send the small data to the AF or DN in the ground segment. .
- the network elements on the satellite such as AMF, base station or SMF, receive data from the AF or DN, they can cache the data and send the cached data to the UE after the subsequent satellite establishes a connection with the UE.
- Step 1011 AMF determines that it can be connected to the UE, and AMF sends an N1 message to the UE. Accordingly, the UE receives the N1 message.
- the N1 message is used to negotiate security context, etc.
- the security context includes but is not limited to: selected security algorithm (such as encryption algorithm, integrity protection algorithm), key set identifier, and UE security capabilities.
- the N1 message may also include data that the AF or DN needs to send to the UE.
- the AMF can be connected to the UE, which means that after the satellite moves, the AMF on the satellite can establish a connection and communicate with the UE on the ground. At this time, the communication connection between the satellite and the ground station, as well as the AUSF, UDM, etc. on the ground is disconnected.
- the UE in a scenario where the satellite cannot connect to the UE and the ground station at the same time, the UE only needs to wait for the satellite to circle the earth to complete the authentication process, and data transmission can be performed during the authentication process, so it can reduce waiting.
- the time for data transmission helps improve communication efficiency.
- FIG 11 is a schematic flowchart of an authentication method provided by an embodiment of the present application. The method includes the following steps:
- Step 1101 UE and AUSF complete the authentication process.
- the authentication process includes an authentication initiation process and an authentication process, specifically including the aforementioned embodiments of Figures 5 and 6, or the embodiments of Figures 5 and 7, or the embodiment of Figure 8(a).
- the scenario of this embodiment is that the UE is first authenticated where it can connect to the AUSF (it can be through satellite access or ground access, no limitation), and then as the satellite moves, the satellite cannot connect to the UE at the same time. and ground station scenes.
- Step 1102 AUSF sends security context information to the UE. Accordingly, the UE receives the security context information.
- the security context information includes multiple security contexts, each security context corresponds to a satellite, and different security contexts correspond to different satellites.
- the security context is used to perform security protection on communication data or signaling between the UE and the satellite.
- the security context includes, for example, an anchor key, a security algorithm, and the like.
- the AUSF determines that the authentication is successful and the UE may move to a place where it cannot connect to the AUSF, it sends the above security context information to the UE.
- Each security context in the security context information corresponds to a satellite, and the satellite is Satellites that may serve the UE when the UE is somewhere in the future that cannot connect to the AUSF.
- the AUSF needs to determine the satellites that may provide services to the UE when the UE is in a place where it cannot connect to the AUSF in the future.
- Step 1103 The AUSF sends an authentication notification message to the AMF on the satellite that may serve the UE in the future.
- the AMF receives the authentication notification message.
- the authentication notification message includes security context.
- the security context includes the UE's identification information, anchor key, security algorithm, etc.
- the security context information sent by the AUSF to the UE includes security context 1 and security context 2.
- the AUSF sends security context 1' to satellite 1 and security context 2' to satellite 2.
- security context 1 and security context 1' have a corresponding relationship. For example, they contain the same anchor key, security algorithm and other information.
- security context 2 and security context 2' For example, they contain the same anchor key, security algorithm and other information.
- the UE can use security context 1 to access the network through the network element on satellite 1.
- the network element on satellite 1 can use security context 1' to determine that the UE is a successfully authenticated UE. Therefore, the UE and the satellite After the connection is established between 1 and later, the authentication process can be skipped, thereby saving the waiting time before data transmission.
- the following description takes the communication process between the UE and satellite 1 as an example.
- Step 1104 The UE sends the N1 message to the AMF. Accordingly, the AMF receives the N1 message.
- the UE determines the security context 1 corresponding to satellite 1 or the AMF on satellite 1, performs security protection on the N1 message based on the security context 1, and sends the N1 message for security protection to the AMF.
- the N1 message includes SUCI or 5G-GUTI.
- the AMF After receiving the N1 message, the AMF determines the security context corresponding to the UE. If the AMF locally stores the UE's security context 1', the AMF decrypts and integrity checks the N1 message based on the security context 1'. If the AMF is decrypted and integrity checked successfully, it is determined that there is no need to perform an authentication process on the UE, that is, the UE and the AMF of satellite 1 can communicate with each other based on security context 1 and security context 1'.
- the N1 message also includes small data. Please refer to the embodiment of Figure 10 for details.
- the AMF does not store the UE's security context locally, or the AMF locally stores the UE's security context 1' but the AMF fails to decrypt and integrity check the N1 message based on the security context 1', you need to perform step 1105 after step 1104. .
- Step 1105 the UE completes the authentication process.
- step 1105 For the specific process of step 1105, refer to the description of step 902 to step 911 in the embodiment of FIG. 9, or the description of step 1002 to step 1011 in the embodiment of FIG. 10, which will not be described again.
- the above solution can avoid unnecessary authentication by sending the UE's security context to the UE and the satellite in advance, reduce signaling overhead and the waiting time before data transmission, and help improve communication efficiency.
- FIG 12 is a schematic flowchart of an authentication method provided by an embodiment of the present application.
- a base station is deployed on the satellite, and optionally a UPF, etc. are also deployed.
- the core network deployment connected to the ground station includes AUSF, UDM, AMF, and SMF Wait for the network element.
- the difference between this embodiment and the previous embodiments is that in this embodiment the AMF/SMF is deployed on the ground, while in the previous implementations the AMF/SMF is deployed on the satellite.
- the method includes the following steps:
- Step 1201 the UE performs the authentication process.
- the authentication process includes an authentication initiation process and an authentication process, specifically including the aforementioned embodiments of Figures 5 and 6, or the embodiments of Figures 5 and 7.
- the authentication process can be completed based on ground communications and does not require the participation of satellites.
- Step 1202 PDU session establishment process.
- This process is used to establish a PDU session for transmitting control plane data.
- This process is optional.
- Step 1203 The UE sends the N1 message to the base station of the satellite.
- the base station receives the N1 message.
- the satellite can communicate with the UE, but cannot communicate with the network elements in the ground segment such as AUSF, UDM, AMF, SMF, etc.
- the N1 message contains data sent by the UE.
- the UE performs security protection on the N1 message based on the security context obtained through the authentication process.
- the N1 message is included in the access layer message and sent to the base station on the satellite.
- the access layer message is not security protected.
- Step 1204 The base station determines that it cannot connect to the AMF, and caches the received N1 message.
- Step 1205 After determining that the base station can connect to the AMF, the base station sends the N2 message to the AMF. Accordingly, the AMF receives the N2 message.
- the N2 message contains the cached N1 message, which contains the data.
- the AMF After receiving the N1 message, the AMF decrypts and performs integrity verification on the N1 message.
- Step 1206 The AMF sends the data through the control plane and also receives the data that needs to be sent to the UE.
- the AMF sends data to the data network in the ground core network, and the data comes from the UE.
- AMF receives data from the data network of the ground core network.
- Step 1207 AMF sends the N2 message to the base station. Accordingly, the base station receives the N2 message.
- the N2 message includes an N1 message, and the N1 message includes data received by the AMF from the data network of the ground core network and needs to be sent to the UE.
- the N1 message is protected based on the security context.
- Step 1208 The base station determines that it cannot connect to the UE, and caches the received N1 message.
- Step 1209 After determining that the base station can connect to the UE, the base station sends the N1 message to the UE. Accordingly, the UE receives the N1 message.
- the base station sends an access layer message to the UE, the access layer message includes the N1 message, and the N1 message includes data that the network needs to send to the UE.
- the above solution changes the AMF deployed on the satellite to be deployed on the ground. Therefore, when the UE authenticates with the AUSF/UDM via the AMF, it does not need to wait to establish a communication connection with the satellite. Instead, it can directly communicate with the AUSF/UDM via the AMF based on the ground communication.
- UDM performs authentication, that is, the authentication process can be completed directly based on ground communication, without relying on satellite communication, so that the authentication process can be completed quickly. After completing the authentication process, as long as the UE can establish communication with the satellite, it can send data to or receive data from the base station on the satellite, which can realize rapid transmission of data.
- the mobility management network element, terminal device or authentication network element includes corresponding hardware structures and/or software modules for executing each function.
- the mobility management network element, terminal device or authentication network element includes corresponding hardware structures and/or software modules for executing each function.
- Those skilled in the art should easily realize that Combining the units and method steps of each example described in the embodiments disclosed in this application, this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software driving the hardware depends on the specific application scenarios and design constraints of the technical solution.
- Figures 13 and 14 are schematic structural diagrams of possible communication devices provided by embodiments of the present application. These communication devices can be used to implement the functions of the mobility management network element, terminal equipment or authentication network element in the above method embodiments, and therefore can also achieve the beneficial effects of the above method embodiments.
- the communication device may be a mobility management network element, a terminal device or an authentication network element, or it may be a module (such as a chip) applied to the mobility management network element, terminal device or authentication network element. ).
- the communication device 1300 shown in FIG. 13 includes a processing unit 1310 and a transceiver unit 1320.
- the communication device 1300 is used to implement the functions of the mobility management network element, terminal equipment or authentication network element in the method embodiment shown in Figure 8(a) or Figure 8(b).
- the processing unit 1310 is used to generate a first random number; the transceiver unit 1320 is used to send a message to the terminal The device sends the first random number; the device receives first authentication information from the terminal device. The first authentication information is generated based on the first random number and a long-term key. The long-term key is used for the terminal.
- AMF mobility management network element
- the processing unit 1310 is also used to generate second authentication information; the transceiver unit 1320 is also used to send the second authentication information to the terminal device, and the second authentication information is used to The mobility management network element performs authentication.
- the transceiver unit 1320 is also configured to receive data from the terminal device through the control plane before sending a notification message to the terminal device according to the authentication result; wherein the data is consistent with the first authentication result.
- the rights information is carried in the same message or different messages.
- the transceiver unit 1320 is also configured to receive first instruction information from the terminal device, where the first instruction information instructs the terminal device to transmit data before the authentication is completed.
- the processing unit 1310 is also used to cache the data when the mobility management network element cannot communicate with the authentication network element; when the mobility management network element can communicate with the authentication network element , obtain the cached data and send the data to the data network through the transceiver unit 1320.
- the transceiver unit 1320 is also used to notify other network elements to cache the data when the mobility management network element cannot communicate with the authentication network element; when the mobility management network element can communicate with the authentication network element, The right network element communicates to notify other network elements to send the cached data to the data network.
- the processing unit 1310 is also configured to determine that it is currently unable to communicate with the authentication network element before generating the first authentication information and the first random number.
- the transceiver unit 1320 is used to receive the first random number from the mobility management network element on the satellite;
- the processing unit 1310 is configured to generate first authentication information based on the first random number and the long-term key; the transceiver unit 1320 is also configured to send the first authentication information to the mobility management network element.
- the right information is used to authenticate the terminal device, and the long-term key is the root key used for the terminal device to communicate with the network; and receives a notification message from the mobility management network element, the notification message indicates that the The authentication result of the terminal device.
- the transceiver unit 1320 is also configured to receive the second authentication information from the mobility management network element; the processing unit 1310 is also configured to process the mobility management network element according to the second authentication information.
- the network element performs authentication;
- the processing unit 1310 is configured to generate first authentication information according to the first random number and the long-term key, specifically including: in the case of successful authentication of the mobility management network element, according to the The first random number and the long-term key generate the first authentication information.
- the second authentication information is generated based on the second random number sent by the terminal device to the mobility management network element; the processing unit 1310 is configured to perform the processing according to the second authentication information.
- the mobility management network element performs authentication, which specifically includes: generating third authentication information based on the second random number; when the second authentication information is the same as the third authentication information, determining whether the mobility management network element Network element authentication is successful; or, when the second authentication information is different from the third authentication information, it is determined that authentication of the mobility management network element fails.
- the second authentication information is obtained by encrypting the information in the mobility management network element; the processing unit 1310 is configured to perform the authentication on the mobility management network element based on the second authentication information.
- the network element authenticates, specifically including: using the public key to decrypt the second authentication information; when the decryption is successful, it is determined that the mobility management network element is authenticated successfully; or, when the decryption fails, it is determined that the mobility management network element is authenticated successfully.
- the transceiver unit 1320 is also configured to send data to the access network device through the user before receiving the notification message from the mobility management network element; or, to send data to the mobility management network element.
- the data and the first authentication information are carried in the same message or different messages.
- the transceiver unit 1320 is also configured to send first indication information to the mobility management network element, where the first indication information instructs the terminal device to transmit data before the authentication is completed.
- the processing unit 1310 is used to determine the completion of the authentication process between the authentication network element and the terminal device; send and receive Unit 1320, configured to send a first authentication notification message to the first satellite, the first authentication notification message including the first security context of the terminal device; wherein the first security context is used between the terminal device and the first
- the first satellite is a satellite that may provide services to the terminal device when the terminal device is in a place where it cannot connect to the authentication network element in the future.
- the transceiver unit 1320 is also used to send the second security context of the terminal device to the terminal device.
- the second security context is used for secure communication between the terminal device and the first satellite,
- the second security context corresponds to the same security key as the first security context.
- the transceiver unit 1320 is also configured to send a second authentication notification message to the second satellite, where the second authentication notification message includes the third security context of the terminal device; wherein, the third security context
- the context is used for secure communication between the terminal device and the second satellite.
- the second satellite is a satellite that may provide services to the terminal device when the terminal device is in a place where it cannot connect to the authentication network element in the future.
- the second satellite is different from the first satellite, and the third security context is different from the first security context.
- the transceiver unit 1320 is also used to send the fourth security context of the terminal device to the terminal device.
- the fourth security context is used for secure communication between the terminal device and the second satellite,
- the fourth security context and the third security context correspond to the same security key, and the fourth security context is different from the third security context.
- the transceiver unit 1320 is used to receive a first message from the terminal device, where the first message includes The identification information and encryption information of the terminal device; the processing unit 1310 is used to obtain the security context of the terminal device, and decrypt the encrypted information according to the security context; when the decryption is successful, it is determined not to execute the authentication process; or, when Decryption failed, Trigger the execution of the authentication process.
- the processing unit 1310 is used to obtain the security context of the terminal device, and decrypt the encrypted information according to the security context; when the decryption is successful, it is determined not to execute the authentication process; or, when Decryption failed, Trigger the execution of the authentication process.
- the transceiver unit 1320 is also used to receive the security context from the authentication network element.
- the communication device 1400 shown in FIG. 14 includes a processor 1410 and an interface circuit 1420.
- the processor 1410 and the interface circuit 1420 are coupled to each other.
- the interface circuit 1420 may be a transceiver or an input-output interface.
- the communication device 1400 may also include a memory 1430 for storing instructions executed by the processor 1410 or input data required for the processor 1410 to run the instructions or data generated after the processor 1410 executes the instructions.
- the processor 1410 is used to implement the function of the above-mentioned processing unit 1310
- the interface circuit 1420 is used to implement the function of the above-mentioned transceiver unit 1320.
- the processor in the embodiment of the present application can be a central processing unit (Central Processing Unit, CPU), or other general-purpose processor, digital signal processor (Digital Signal Processor, DSP), or application specific integrated circuit. (Application Specific Integrated Circuit, ASIC), Field Programmable Gate Array (FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof.
- a general-purpose processor can be a microprocessor or any conventional processor.
- the method steps in the embodiments of the present application can be implemented by hardware, or by a processor executing software instructions.
- the software instructions can be composed of corresponding software modules, and the software modules can be stored in a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, a register, a hard disk, a mobile hard disk, a CD-ROM, or any other form of storage medium well known in the art.
- An exemplary storage medium is coupled to the processor so that the processor can read information from the storage medium and can write information to the storage medium.
- the storage medium can also be a component of the processor.
- the processor and the storage medium can be located in an ASIC.
- the ASIC can be located in a base station or a terminal device.
- the processor and the storage medium can also be present in a base station or a terminal device as discrete components.
- the computer program product includes one or more computer programs or instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, a base station, a user equipment, or other programmable device.
- the computer program or instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
- the computer program or instructions may be transmitted from a website, computer, A server or data center transmits via wired or wireless means to another website site, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center that integrates one or more available media.
- the available media may be magnetic media, such as floppy disks, hard disks, and tapes; optical media, such as digital video optical disks; or semiconductor media, such as solid-state hard drives.
- the computer-readable storage medium may be volatile or nonvolatile storage media, or may include both volatile and nonvolatile types of storage media.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Astronomy & Astrophysics (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本申请一种提供鉴权方法、通信装置及通信系统。该方法包括:移动性管理网元生成第一随机数;向终端设备发送第一随机数;接收来自终端设备的第一鉴权信息,第一鉴权信息是根据第一随机数和长期密钥生成的;向鉴权网元发送第一鉴权信息和第一随机数,第一鉴权信息和第一随机数用于对终端设备进行认证;接收来自鉴权网元的鉴权结果;根据鉴权结果向终端设备发送通知消息,通知消息指示对终端设备的鉴权结果。该方案,在卫星无法同时连接终端设备和地面站的场景下,终端设备只需等待卫星绕地球一圈的时间就可以完成鉴权流程,在完成鉴权流程之后即可以开始数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
Description
相关申请的交叉引用
本申请要求在2022年09月21日提交中国专利局、申请号为202211154133.5、申请名称为“鉴权方法、通信装置及通信系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及无线通信技术领域,尤其涉及鉴权方法、通信装置及通信系统。
随着通信产业的发展,地面通信技术已高度发达,通信信号已覆盖地面大部分区域。然而,在某些区域,如沙漠、海洋、偏远地区等,由于经济或环境等因素没有覆盖通信网络。
近年来,卫星通信技术发展迅速,第三代合作伙伴计划(3rd generation partnership project,3GPP)一直在制定卫星通信的相关规范。在卫星通信中,卫星上可以部署基站、接入与移动性管理功能(access and mobility management function,AMF)网元、会话管理功能(session management function,SMF)网元、用户面功能(user plane function,UPF)网元等网元或设备。卫星能够与用户段的终端设备通信,卫星也能够与地面站通信,该地面站作为卫星与核心网之间的中转站,该核心网可以部署统一数据管理(unified data management,UDM)网元、鉴权服务器功能(authentication server function,AUSF)网元等。
然而,在一些卫星通信应用场景中,卫星可能无法同时与用户段的终端设备和地面段的地面站进行通信。以图4为例,在T1时刻,卫星与用户段的终端设备之间能够通信,但与地面段的地面站之间不能通信,随着卫星的移动,在T2时刻,卫星与用户段的终端设备之间不能通信,但与地面段的地面站之间能够通信。
在这种场景下,若终端设备期望通过卫星进行通信,则需要卫星在接收到来自终端设备的信息后存储该信息,然后待卫星运行到能连接到地面站的位置时,将该信息转发给地面站。或者,卫星在接收到来自地面站的信息后存储该信息,然后待卫星运行到能连接到终端设备的位置时,将该信息转发给终端设备。
一般情况下,终端设备在初始接入网络时需要进行鉴权,终端设备鉴权成功后才能发送和接收数据,这里的鉴权包括网络对终端设备进行鉴权和终端设备对网络进行鉴权。如上所述,在上述场景下,卫星在接收到来自发送端(终端设备或地面站)的与鉴权相关的信令信息后存储该信令信息,然后待卫星运行到能连接到接收端(地面站或终端设备)的位置时,将该信令信息转发给接收端。
在卫星不能同时与终端设备和地面站保持通信的场景下,一般需要的鉴权时间比较长,导致在实际传输数据之前,需要等待较长时间。
发明内容
本申请提供鉴权方法、通信装置及通信系统,用以实现在鉴权流程中,减少数据传输的等待时间,从而提升通信效率。
第一方面,本申请实施例提供一种鉴权方法,该方法可以由卫星上的移动性管理网元或应用于卫星上的移动性管理网元中的模块来执行。以卫星上的移动性管理网元执行该方法为例,移动性管理网元生成第一随机数;移动性管理网元向终端设备发送该第一随机数;该移动性管理网元接收来自该终端设备的第一鉴权信息,该第一鉴权信息是根据该第一随机数和长期密钥生成的,该长期密钥是用于该终端设备与网络进行通信的根密钥;该移动性管理网元向鉴权网元发送该第一鉴权信息和该第一随机数,该第一鉴权信息和该第一随机数用于对该终端设备进行认证;该移动性管理网元接收来自该鉴权网元的鉴权结果;该移动性管理网元根据该鉴权结果,向该终端设备发送通知消息,该通知消息指示对该终端设备的鉴权结果。
上述方案,在卫星无法同时连接终端设备和地面站的场景下,终端设备只需等待卫星绕地球一圈的时间就可以完成鉴权流程,在完成鉴权流程之后即可以开始数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
一种可能的实现方法中,该移动性管理网元生成第二鉴权信息;该移动性管理网元向该终端设备发送该第二鉴权信息,该第二鉴权信息用于对该移动性管理网元进行鉴权。
上述方案,终端设备可以对移动性管理网元进行鉴权,可以进一步提升通信安全。
一种可能的实现方法中,该移动性管理网元生成第二鉴权信息,包括:该移动性管理网元接收来自该终端设备的第二随机数;该移动性管理网元根据该第二随机数,生成该第二鉴权信息。
一种可能的实现方法中,该移动性管理网元生成第二鉴权信息,包括:该移动性管理网元对该移动性管理网元中的信息进行加密,得到该第二鉴权信息。
一种可能的实现方法中,该移动性管理网元根据该鉴权结果,向该终端设备发送通知消息之前,该移动性管理网元通过控制面接收来自该终端设备的数据;其中,该数据与该第一鉴权信息携带于同一个消息或不同消息中。
上述方案,在鉴权流程完成之前,终端设备已经开始传输数据,因此进一步提前了数据传输的开始时间,有助于提升通信效率。
一种可能的实现方法中,该移动性管理网元接收来自该终端设备的第一指示信息,该第一指示信息指示该终端设备在鉴权完成前传输数据。
一种可能的实现方法中,该移动性管理网元向该终端设备发送第二指示信息,该第二指示信息指示以下信息中的一项或多项:支持该终端设备在鉴权完成前传输数据、允许该终端设备在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。
一种可能的实现方法中,该移动性管理网元向该终端设备发送临时安全信息,该临时安全信息是该移动性管理网元选择的用于对鉴权完成前通过控制面传输的数据进行保护的安全信息。
上述方案,使用临时安全信息对数据进行加密,可以保障通信安全。
一种可能的实现方法中,当该移动性管理网元不能与该鉴权网元通信,该移动性管理网元缓存该数据;当该移动性管理网元能够与该鉴权网元通信,该移动性管理网元获取缓存的该数据并向数据网络发送该数据。
一种可能的实现方法中,当该移动性管理网元不能与该鉴权网元通信,该移动性管理网元通知其它网元缓存该数据;当该移动性管理网元能够与该鉴权网元通信,该移动性管理网元通知该其它网元向数据网络发送缓存的该数据。
一种可能的实现方法中,该移动性管理网元生成第一鉴权信息和第一随机数之前,该移动性管理网元确定当前无法与该鉴权网元通信。
第二方面,本申请实施例提供一种鉴权方法,该方法可以由终端设备或应用于终端设备中的模块来执行。以终端设备执行该方法为例,终端设备接收来自卫星上的移动性管理网元的第一随机数;该终端设备根据该第一随机数和长期密钥,生成第一鉴权信息,并向该移动性管理网元发送该第一鉴权信息,该第一鉴权信息用于对该终端设备进行鉴权,该长期密钥是用于该终端设备与网络进行通信的根密钥;该终端设备接收来自该移动性管理网元的通知消息,该通知消息指示对该终端设备的鉴权结果。
上述方案,在卫星无法同时连接终端设备和地面站的场景下,终端设备只需等待卫星绕地球一圈的时间就可以完成鉴权流程,在完成鉴权流程之后即可以开始数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
一种可能的实现方法中,该终端设备接收来自该移动性管理网元的第二鉴权信息;该终端设备根据该第二鉴权信息,对该移动性管理网元进行鉴权;该终端设备根据该第一随机数和长期密钥,生成第一鉴权信息,包括:在对该移动性管理网元鉴权成功的情况下,该终端设备根据该第一随机数和该长期密钥,生成该第一鉴权信息。
上述方案,终端设备可以对移动性管理网元进行鉴权,可以进一步提升通信安全。
一种可能的实现方法中,该第二鉴权信息是由该移动性管理网元生成的或是预配置在该移动性管理网元上的,该第一随机数是由该移动性管理网元生成的。
一种可能的实现方法中,该第二鉴权信息是根据该终端设备发送至该移动性管理网元的第二随机数生成的;该终端设备根据该第二鉴权信息,对该移动性管理网元进行鉴权,包括:该终端设备根据该第二随机数生成第三鉴权信息;当该第二鉴权信息与该第三鉴权信息相同,该终端设备确定对该移动性管理网元鉴权成功;或者,当该第二鉴权信息与该第三鉴权信息不同,该终端设备确定对该移动性管理网元鉴权失败。
一种可能的实现方法中,该第二鉴权信息是对该移动性管理网元中的信息进行加密后得到的;该终端设备根据该第二鉴权信息,对该移动性管理网元进行鉴权,包括:该终端设备使用公钥对该第二鉴权信息进行解密;当解密成功,该终端设备确定对该移动性管理网元鉴权成功;或者,当解密失败,该终端设备确定对该移动性管理网元鉴权失败。
一种可能的实现方法中,该终端设备接收来自该移动性管理网元的通知消息之前,该终端设备通过用户面向接入网设备发送数据;或者,该终端设备向该移动性管理网元发送数据,该数据与该第一鉴权信息携带于同一个消息或不同的消息中。
上述方案,在鉴权流程完成之前,UE已经开始传输数据,因此进一步提前了数据传输的开始时间,有助于提升通信效率。
一种可能的实现方法中,该终端设备向该移动性管理网元发送第一指示信息,该第一指示信息指示该终端设备在鉴权完成前传输数据。
一种可能的实现方法中,该终端设备接收来自该移动性管理网元的第二指示信息,该第二指示信息指示以下信息中的一项或多项:支持该终端设备在鉴权完成前传输数据、允许该终端设备在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。
一种可能的实现方法中,该终端设备接收临时安全信息;其中,该临时安全信息是该移动性管理网元选择的用于对鉴权完成前通过控制面传输的数据进行保护的安全信息;或者,该临时安全信息是接入网设备选择的用于对鉴权完成前通过用户面传输的数据进行保护的安全信息。
第三方面,本申请实施例提供一种鉴权方法,该方法可以由鉴权网元或应用于鉴权网元中的模块来执行。以鉴权网元执行该方法为例,鉴权网元确定完成该鉴权网元与终端设备之间的鉴权流程;该鉴权网元向第一卫星发送第一鉴权通知消息,该第一鉴权通知消息包括该终端设备的第一安全上下文;其中,该第一安全上下文用于该终端设备与该第一卫星之间的安全通信,该第一卫星是该终端设备在未来处于无法连接到该鉴权网元的地方时可能为该终端设备提供服务的卫星。
上述方案,通过向终端设备以及卫星提前发送终端设备的安全上下文,可以避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
一种可能的实现方法中,该鉴权网元向该终端设备发送该终端设备的第二安全上下文,该第二安全上下文用于该终端设备与该第一卫星之间的安全通信,该第二安全上下文与该第一安全上下文对应相同的安全密钥。
一种可能的实现方法中,该鉴权网元向第二卫星发送第二鉴权通知消息,该第二鉴权通知消息包括该终端设备的第三安全上下文;其中,该第三安全上下文用于该终端设备与该第二卫星之间的安全通信,该第二卫星是该终端设备在未来处于无法连接到该鉴权网元的地方时可能为该终端设备提供服务的卫星,该第二卫星与该第一卫星不同,该第三安全上下文与该第一安全上下文不同。
一种可能的实现方法中,该鉴权网元向该终端设备发送该终端设备的第四安全上下文,该第四安全上下文用于该终端设备与该第二卫星之间的安全通信,该第四安全上下文与该第三安全上下文对应相同的安全密钥,该第四安全上下文与该第三安全上下文不同。
一种可能的实现方法中,该鉴权网元根据该终端设备的签约信息,确定该第一卫星的信息。
一种可能的实现方法中,该鉴权网元接收第一指示信息,该第一指示信息指示该第一卫星的信息。
一种可能的实现方法中,该鉴权网元接收第二指示信息,该第二指示信息指示该终端设备在未来处于无法连接到该鉴权网元的地方时可能所处的区域信息;该鉴权网元根据该第二指示信息和星历信息,确定该第一卫星的信息。
第四方面,本申请实施例提供一种鉴权方法,该方法可以由卫星上的移动性管理网元或应用于卫星上的移动性管理网元中的模块来执行。以卫星上的移动性管理网元执行该方法为例,卫星上的移动性管理网元接收来自终端设备的第一消息,该第一消息包括该终端设备的标识信息和加密信息;该移动性管理网元获取该终端设备的安全上下文,并根据该安全上下文对该加密信息进行解密;当解密成功,该移动性管理网元确定不执行鉴权流程;或者,当解密失败,该移动性管理网元触发执行鉴权流程。
上述方案,通过向终端设备以及卫星提前发送终端设备的安全上下文,可以避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
一种可能的实现方法中,该移动性管理网元接收来自鉴权网元的该安全上下文。
第五方面,本申请实施例提供一种通信装置,该装置可以是卫星上的移动性管理网元,
还可以是用于卫星上的移动性管理网元的芯片。该装置具有实现上述第一方面或第四方面的任意实现方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第六方面,本申请实施例提供一种通信装置,该装置可以是终端设备,还可以是用于终端设备的芯片。该装置具有实现上述第二方面的任意实现方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第七方面,本申请实施例提供一种通信装置,该装置可以是鉴权网元,还可以是用于鉴权网元的芯片。该装置具有实现上述第三方面的任意实现方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第八方面,本申请实施例提供一种通信装置,包括与存储器耦合的处理器,该处理器用于调用所述存储器中存储的程序,以执行上述第一方面至第四方面中的任意实现方法。该存储器可以位于该装置之内,也可以位于该装置之外。且该处理器可以是一个或多个。
第九方面,本申请实施例提供一种通信装置,包括处理器和存储器;该存储器用于存储计算机指令,当该装置运行时,该处理器执行该存储器存储的计算机指令,以使该装置执行上述第一方面至第四方面中的任意实现方法。
第十方面,本申请实施例提供一种通信装置,包括用于执行上述第一方面至第四方面中的任意实现方法的各个步骤的单元或手段(means)。
第十一方面,本申请实施例提供一种通信装置,包括处理器和接口电路,所述处理器用于通过接口电路与其它装置通信,并执行上述第一方面至第四方面中的任意实现方法。该处理器包括一个或多个。
第十二方面,本申请实施例还提供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在通信装置上运行时,使得上述第一方面至第四方面中的任意实现方法被执行。
第十三方面,本申请实施例还提供一种计算机程序产品,该计算机程序产品包括计算机程序或指令,当计算机程序或指令被通信装置运行时,使得上述第一方面至第四方面中的任意实现方法被执行。
第十四方面,本申请实施例还提供一种芯片系统,包括:处理器,用于执行上述第一方面至第四方面中的任意实现方法。
第十五方面,本申请实施例还提供了一种通信系统,该通信系统包括鉴权网元,和用于执行第一方面任意实现方法的移动性管理网元。该鉴权网元,用于接收来自该移动性管理网元的第一鉴权信息和第一随机数;根据该第一鉴权信息和该第一随机数对终端设备进行鉴权;以及向该移动性管理网元发送鉴权结果。
第十六方面,本申请实施例还提供了一种通信方法,包括:卫星上的移动性管理网元生成第一随机数;该移动性管理网元向终端设备发送该第一随机数;该移动性管理网元接收来自该终端设备的第一鉴权信息,该第一鉴权信息是根据第一随机数和长期密钥生成的,该长期密钥是用于该终端设备与网络进行通信的根密钥;该移动性管理网元向鉴权网元发送该第一鉴权信息和该第一随机数,该第一鉴权信息和该第一随机数用于对该终端设备进行鉴权;该鉴权网元向该移动性管理网元发送鉴权结果;该移动性管理网元根据该鉴权结
果,向该终端设备发送通知消息,该通知消息指示对该终端设备的鉴权结果。
图1为本申请实施例提供的一种通信系统示意图;
图2为基于服务化架构的5G网络架构示意图;
图3为基于点对点接口的5G网络架构示意图;
图4为本申请实施例提供的卫星通信示意图;
图5为本申请实施例提供的鉴权发起流程的示意图;
图6为EAP-AKA'鉴权方法的流程示意图;
图7为5G-AKA鉴权方法的流程示意图;
图8(a)为本申请实施例提供的一种鉴权方法的流程示意图;
图8(b)为本申请实施例提供的一种鉴权方法的流程示意图;
图9为本申请实施例提供的一种鉴权方法的流程示意图;
图10为本申请实施例提供的一种鉴权方法的流程示意图;
图11为本申请实施例提供的一种鉴权方法的流程示意图;
图12为本申请实施例提供的一种鉴权方法的流程示意图;
图13为本申请实施例提供的一种通信装置示意图;
图14为本申请实施例提供的一种通信装置示意图。
为实现减少数据传输的等待时间,从而提升通信效率,本申请提供一种通信系统,参考图1,该系统包括移动性管理网元和鉴权网元。图1所示的系统可以用在图2或图3所示的第五代(5th generation,5G)网络架构中,当然,也可以用在未来网络架构,比如第六代(6th generation,6G)网络架构等,本申请不做限定。
移动性管理网元,用于生成第一随机数;向终端设备发送该第一随机数;接收来自该终端设备的第一鉴权信息,该第一鉴权信息是根据该第一随机数和长期密钥生成的,该长期密钥是用于该终端设备与网络进行通信的根密钥;向鉴权网元发送该第一鉴权信息和该第一随机数,该第一鉴权信息和该第一随机数用于对该终端设备进行认证;接收来自该鉴权网元的鉴权结果;根据该鉴权结果,向该终端设备发送通知消息,该通知消息指示对该终端设备的鉴权结果;鉴权网元,用于从移动性管理网元接收该第一鉴权信息和该第一随机数;根据该第一鉴权信息和该第一随机数对终端设备进行鉴权;以及向该移动性管理网元发送该鉴权结果。
一种可能的实现方法中,该移动性管理网元,还用于根据该鉴权结果,向该终端设备发送通知消息之前,通过控制面接收来自该终端设备的数据;其中,该数据与该第一鉴权信息携带于同一个消息或不同消息中。
一种可能的实现方法中,该移动性管理网元,还用于接收来自该终端设备的第一指示信息,该第一指示信息指示该终端设备在鉴权完成前传输数据。
一种可能的实现方法中,该移动性管理网元,还用于当该移动性管理网元不能与该鉴权网元通信,缓存该数据;当该移动性管理网元能够与该鉴权网元通信,获取缓存的该数
据并向数据网络发送该数据。
一种可能的实现方法中,该移动性管理网元,还用于当该移动性管理网元不能与该鉴权网元通信,通知其它网元缓存该数据;当该移动性管理网元能够与该鉴权网元通信,通知该其它网元向数据网络发送缓存的该数据。
系统中各个网元之间的交互,以及具体的执行,可以参考下面方法实施例,这里不再赘述。
为了应对无线宽带技术的挑战,保持3GPP网络的领先优势,3GPP标准组制定了下一代移动通信网络系统(Next Generation System)架构,称为5G网络架构。该架构不但支持3GPP标准组定义的无线接入技术(如长期演进(long term evolution,LTE)接入技术,5G无线接入网(radio access network,RAN)接入技术等)接入到5G核心网(core network,CN),而且支持使用非3GPP(non-3GPP)接入技术通过非3GPP转换功能(non-3GPP interworking function,N3IWF)或下一代接入网关(next generation packet data gateway,ngPDG)接入到核心网。
图2为基于服务化架构的5G网络架构示意图。图2所示的5G网络架构中可包括接入网设备以及核心网设备。终端设备通过接入网设备和核心网设备接入数据网络(data network,DN)。其中,核心网设备包括但不限于以下网元中的部分或者全部:AUSF网元(图中未示出)、UDM网元、统一数据库(unified data repository,UDR)网元、网络存储功能(network repository function,NRF)网元(图中未示出)、网络开放功能(network exposure function,NEF)网元(图中未示出)、应用功能(application function,AF)网元、策略控制功能(policy control function,PCF)网元、AMF网元、SMF网元、UPF网元。
终端设备(terminal device)可以是用户设备(user equipment,UE)、移动台、移动终端设备等。终端设备可以广泛应用于各种场景,例如,设备到设备(device-to-device,D2D)、车物(vehicle to everything,V2X)通信、机器类通信(machine-type communication,MTC)、物联网(internet of things,IOT)、虚拟现实、增强现实、工业控制、自动驾驶、远程医疗、智能电网、智能家具、智能办公、智能穿戴、智能交通、智慧城市等。终端设备可以是手机、平板电脑、带无线收发功能的电脑、可穿戴设备、车辆、城市空中交通工具(如无人驾驶机、直升机等)、轮船、机器人、机械臂、智能家居设备等。
接入网设备可以是无线接入网设备(RAN设备)或有线接入网设备。其中,无线接入网设备包括3GPP接入网设备、非可信非3GPP接入网设备和可信非3GPP接入网设备。3GPP接入网设备包括但不限于:LTE中的演进型基站(evolved NodeB,eNodeB)、5G移动通信系统中的下一代基站(next generation NodeB,gNB)、未来移动通信系统中的基站或完成基站部分功能的模块或单元,如集中式单元(central unit,CU),分布式单元(distributed unit,DU)等。非可信非3GPP接入网设备包括但不限于:非可信非3GPP接入网关或N3IWF设备、非可信无线局域网(wireless local area network,WLAN)接入点(access point,AP)、交换机、路由器。可信非3GPP接入网设备包括但不限于:可信非3GPP接入网关、可信WLAN AP、交换机、路由器。有线接入网设备包括但不限于:有线接入网关(wireline access gateway)、固定电话网络设备、交换机、路由器。
接入网设备和终端设备可以是固定位置的,也可以是可移动的。接入网设备和终端设备可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上;还可以部署在空中的飞机、气球和人造卫星上。本申请的实施例对接入网设备和终端设备的应用场景
不做限定。
AMF网元,包含执行移动性管理、或接入鉴权/授权等功能。此外,还负责在终端设备与PCF间传递用户策略。
SMF网元,包含执行会话管理、执行PCF网元下发的控制策略、选择UPF网元、或分配终端设备的互联网协议(internet protocol,IP)地址等功能。
UPF网元,包含完成用户面数据转发、基于会话/流级的计费统计、或带宽限制等功能。
UDM网元,包含执行管理签约数据、或用户接入授权等功能。
UDR,包含执行签约数据、策略数据、或应用数据等类型数据的存取功能。
NEF网元,用于支持能力和事件的开放。
AF网元,传递应用侧对网络侧的需求,例如,QoS需求或用户状态事件订阅等。AF可以是第三方功能实体,也可以是运营商部署的应用服务,如IP多媒体子系统(IP Multimedia Subsystem,IMS)语音呼叫业务。其中,AF网元包括核心网内的AF网元(即运营商的AF网元)和第三方AF网元(如某个企业的应用服务器)。
PCF网元,包含负责针对会话、业务流级别进行计费、QoS带宽保障及移动性管理、或终端设备策略决策等策略控制功能。PCF网元包括接入与移动性管理策略控制网元(access and mobility management policy control function,AM PCF)网元和会话管理策略控制功能(session management PCF,SM PCF)网元。其中,AM PCF网元用于为终端设备制定AM策略和用户策略,AM PCF网元也可以称为为终端设备提供服务的策略控制网元(PCF for a UE))。SM PCF网元用于为会话制定会话管理策略(session management policy,SM策略),SM PCF网元也可以称为为会话提供服务的策略控制网元((PCF for a PDU session))。
NRF网元,可用于提供网元发现功能,基于其他网元的请求,提供网元类型对应的网元信息。NRF网元还提供网元管理服务,如网元注册、更新、去注册、或网元状态订阅和推送等。
AUSF网元,负责对用户进行鉴权,以确定是否允许用户或设备接入网络。
DN,是位于运营商网络之外的网络,运营商网络可以接入多个DN,DN上可部署多种业务,可为终端设备提供数据和/或语音等服务。例如,DN是某智能工厂的私有网络,智能工厂安装在车间的传感器可为终端设备,DN中部署了传感器的控制服务器,控制服务器可为传感器提供服务。传感器可与控制服务器通信,获取控制服务器的指令,根据指令将采集的传感器数据传送给控制服务器等。又例如,DN是某公司的内部办公网络,该公司员工的手机或者电脑可为终端设备,员工的手机或者电脑可以访问公司内部办公网络上的信息、数据资源等。
图2中Npcf、Nudr、Nudm、Naf、Namf、Nsmf分别为上述PCF、UDR、UDM、AF、AMF和SMF提供的服务化接口,用于调用相应的服务化操作。N1、N2、N3、N4以及N6为接口序列号,这些接口序列号的含义如下:
1)、N1:AMF网元与终端设备之间的接口,可以用于向终端设备传递非接入层(non access stratum,NAS)信令(如包括来自AMF网元的QoS规则)等。
2)、N2:AMF网元与接入网设备之间的接口,可以用于传递核心网侧至接入网设备的无线承载控制信息等。
3)、N3:接入网设备与UPF网元之间的接口,主要用于传递接入网设备与UPF网元
间的上下行用户面数据。
4)、N4:SMF网元与UPF网元之间的接口,可以用于控制面与用户面之间传递信息,包括控制面向用户面的转发规则、QoS规则、流量统计规则等的下发以及用户面的信息上报。
5)、N6:UPF网元与DN的接口,用于传递UPF网元与DN之间的上下行用户数据流。
图3为基于点对点接口的5G网络架构示意图,其中的网元的功能的介绍可以参考图2中对应的网元的功能的介绍,不再赘述。图3与图2的主要区别在于:图2中的各个控制面网元之间的接口是服务化的接口,图3中的各个控制面网元之间的接口是点对点的接口。
在图3所示的架构中,各个网元之间的接口名称及功能如下:
1)、N1、N2、N3、N4和N6接口的含义可以参考前述描述。
2)、N5:AF网元与PCF网元之间的接口,可以用于应用业务请求下发以及网络事件上报。
3)、N7:PCF网元与SMF网元之间的接口,可以用于下发PDU会话粒度以及业务数据流粒度控制策略。
4)、N8:AMF网元与UDM网元间的接口,可以用于AMF网元向UDM网元获取接入与移动性管理相关签约数据与鉴权数据,以及AMF向UDM注册终端设备移动性管理相关信息等。
5)、N9:UPF网元和UPF网元之间的用户面接口,用于传递UPF网元间的上下行用户数据流。
6)、N10:SMF网元与UDM网元间的接口,可以用于SMF网元向UDM网元获取会话管理相关签约数据,以及SMF网元向UDM注册终端设备会话相关信息等。
7)、N11:SMF网元与AMF网元之间的接口,可以用于传递接入网设备和UPF网元之间的PDU会话隧道信息、传递发送给终端设备的控制消息、或传递发送给接入网设备的无线资源控制信息等。
8)、N15:PCF网元与AMF网元之间的接口,可以用于下发终端设备策略及接入控制相关策略。
9)、N35:UDM网元与UDR网元间的接口,可以用于UDM网元从UDR网元中获取用户签约数据信息。
10)、N36:PCF网元与UDR网元间的接口,可以用于PCF网元从UDR网元中获取策略相关签约数据以及应用数据相关信息。
可以理解的是,上述网元或者功能既可以是硬件设备中的网络元件,也可以是在专用硬件上运行软件功能,或者是平台(例如,云平台)上实例化的虚拟化功能。可选的,上述网元或者功能可以由一个设备实现,也可以由多个设备共同实现,还可以是一个设备内的一个功能模块,本申请实施例对此不作具体限定。
本申请中的移动性管理网元可以是5G系统中的AMF网元,也可以是未来通信如6G网络中具有上述AMF网元的功能的网元,本申请对此不限定。在本申请的实施例中,以AMF网元为移动性管理网元的一个示例进行描述。并且将AMF网元简称为AMF。
本申请中的鉴权网元可以是5G系统中的AUSF网元或UDM网元,也可以是未来通信如6G网络中具有上述AUSF网元或UDM网元的功能的网元,本申请对此不限定。在
本申请的实施例中,以AUSF网元或UDM网元为鉴权网元的一个示例进行描述。并且将AUSF网元、UDM网元分别简称为AUSF、UDM。
为便于说明,本申请实施例以UE作为终端设备的一个示例进行说明,以下描述的UE均可以替换为终端设备。本申请实施例以基站作为接入网设备的一个示例进行说明,以下描述的基站均可以替换为接入网设备。
下面结合附图介绍鉴权发起流程和鉴权流程。关于该鉴权发起流程和鉴权流程的详细实现过程,可以参考3GPP TS 33.501或3GPP TS33.102的相关描述。
图5为本申请实施例提供的鉴权发起流程的示意图。该方法包括以下步骤:
步骤501,UE向安全锚点功能(security anchor function,SEAF)发送N1消息。相应地,SEAF接收该N1消息。
其中,SEAF是SEAF网元的简称,SEAF是AMF的子功能。
该N1消息包括签约隐藏标识(subscription concealed identifier,SUCI)或5G全局唯一临时标识(5G-globally unique temporary UE identity,5G-GUTI)。5G-GUTI是AMF为UE分配的临时标识符。
步骤502,SEAF向AUSF发送鉴权请求消息。相应地,AUSF接收该鉴权请求消息。
该鉴权请求消息中包括SUCI或SUPI。可选的,该鉴权请求消息中还包括服务网络名称(service network name,SN-name)。
一种实现方法中,若上述步骤501的N1消息中包括SUCI,SEAF确定对UE进行初始鉴权,则SEAF发送该鉴权请求消息中包括SUCI。可选的,该鉴权请求消息中还包括服务网络名称。
又一种实现方法中,若上述步骤501的N1消息中包括5G-GUTI,SEAF确定该5G-GUTI合法且确定需要重新对UE进行鉴权,则SEAF发送该鉴权请求消息,该鉴权请求消息中包括用户永久标识(subscription permanent identifier,SUPI)。可选的,该鉴权请求消息中还包括服务网络名称。该SUPI是根据5G-GUTI确定的。
其中,若AUSF在步骤502中收到服务网络名称,则AUSF需要检查是否有权使用该服务网络名称。如果有权使用,则继续后续鉴权流程。如果无权使用则停止鉴权流程。
一种实现方法中,该鉴权请求消息是Nausf_UEAuthentication_Authenticate Request消息。
步骤503,AUSF向UDM发送鉴权请求消息。相应地,UDM接收该鉴权请求消息。
该鉴权请求消息中包括SUCI或SUPI,可选的还包括服务网络名称。
其中,若UDM收到SUCI,则UDM需要将SUCI解密为SUPI。
UDM获取到SUPI之后,可以根据SUPI选择鉴权方法。比如,UDM根据SUPI获取UE的签约数据,并根据签约数据选择鉴权方法。本申请实施例对选择鉴权方法的实现方法不做限定。
一种实现方法中,该鉴权请求消息是Nudm_UEAuthentication_Get Request消息。
上述方案,UE通过N1消息触发网络侧进入鉴权流程。
示例性地,下面介绍两种不同的鉴权方法,分别为扩展认证协议-认证和密钥协商(extensible authentication protocol-authentication and key agreement,EAP-AKA')鉴权方法和5G认证和密钥协商(5G-authentication and key agreement,5G-AKA)鉴权方法。这里仅作为示例,实际应用中还可以包括其它类型的鉴权方法。
图6为EAP-AKA'鉴权方法的流程示意图。该方法包括以下步骤:
步骤601,UDM生成鉴权向量(authentication vector,AV)。
该鉴权向量包括随机数(RAND)、期望响应(expected response,XRES)、加密密钥(cipher key,CK')、完整性密钥(integrity key,IK')和鉴权令牌(authentication token,AUTN)。
UDM根据RAND和全球用户识别卡(universal subscriber identity module,USIM)的长期密钥(long-term secret key),以及结合不同的推导函数,分别得到AUTN、XRES、CK、IK。进一步的,UDM还根据CK得到CK',以及根据IK得到IK'。可选的,在推导得到CK'、IK'的过程中还可以使用服务网络名称。
其中,AUTN用于UE对网络进行鉴权。USIM是UE的一部分。长期密钥可以用符号K表示,指的是USIM和UDM共享的长期密钥。
步骤602,UDM向AUSF发送鉴权响应消息。相应地,AUSF接收该鉴权响应消息。
该鉴权响应消息中包括鉴权向量。可选的,如果UDM在图5的实施例中收到了SUCI,该响应消息还可以包括SUPI。
一种实现方法中,该鉴权响应消息是Nudm_UEAuthentication_Get Response消息。
步骤603,AUSF向SEAF发送鉴权响应消息。相应地,SEAF接收该鉴权响应消息。
该鉴权响应消息中包括EAP-Request消息或AKA'-Challenge消息,该EAP-Request消息或AKA'-Challenge消息中包括来自UDM的RAND和AUTN。也即AUSF从收到的鉴权向量中获取RAND和AUTN并通过鉴权响应消息发送给SEAF。
一种实现方法中,该鉴权响应消息是Nausf_UEAuthentication_Authenticate Response消息。
步骤604,SEAF向UE发送N1消息。相应地,UE接收该N1消息。
该N1消息中包括EAP-Request消息或AKA'-Challenge消息,该EAP-Request消息或AKA'-Challenge消息来自AUSF。
一种实现方法中,该N1消息是Authentication-Ruquest消息。
步骤605,UE对网络进行鉴权。
UE从收到的EAP-Request消息或AKA'-Challenge消息获取到RAND和AUTN,然后UE根据RAND以及USIM的长期密钥,推导得到AUTN'。UE比较AUTN'与AUTN,如果二者相同,则UE确定AUTN可接受,也即UE对网络鉴权成功。如果二者不同,则UE确定AUTN不可接受,也即UE对网络鉴权失败。
步骤606,如果UE对网络鉴权成功,则UE根据RAND和长期密钥确定响应(response,RES)。
步骤607,UE向SEAF发送N1消息。相应地,SEAF接收该N1消息。
该N1消息包括EAP-Response消息或AKA'-Challenge消息,该EAP-Response消息或AKA'-Challenge消息包括RES。
步骤608,SEAF向AUSF发送鉴权请求消息。相应地,AUSF接收该鉴权请求消息。
该鉴权请求消息包括EAP-Response消息或AKA'-Challenge消息。
一种实现方法中,该鉴权请求消息是Nausf_UEAuthentication_Authenticate Request消息。
步骤609,AUSF对UE进行鉴权。
具体的,AUSF比较XRES和RES。如果二者相同,则AUSF对UE鉴权成功。如果二者不同,则AUSF对UE鉴权失败。
其中,AUSF在步骤602收到XRES,在步骤608收到RES。
步骤610,AUSF向UDM发送鉴权结果。相应地,UDM接收该鉴权结果。
AUSF还可以通过SEAF向UE发送鉴权结果,然后网络与UE协商用于安全通信的密钥。
上述方案,UE与网络可以实现互相鉴权,可以提升通信安全性。
图7为5G-AKA鉴权方法的流程示意图。该方法包括以下步骤:
步骤701,UDM生成鉴权向量(AV)。
该鉴权向量包括随机数(RAND)、鉴权令牌(AUTN)、期望响应(XRES*)和KAUSF。其中KAUSF是AUSF的锚点密钥。
步骤702,UDM向AUSF发送鉴权响应消息。相应地,AUSF接收该鉴权响应消息。
该鉴权响应消息中包括鉴权向量。
一种实现方法中,该鉴权响应消息是Nudm_UEAuthentication_Get Response消息。
步骤703,AUSF存储XRES*。
步骤704,AUSF根据XRES*,确定HXRES*。
步骤705,AUSF向SEAF发送鉴权响应消息。相应地,SEAF接收该鉴权响应消息。
该鉴权响应消息中包括RAND,AUTN,HXRES*。
一种实现方法中,该鉴权响应消息是Nausf_UEAuthentication_Authenticate Response消息。
步骤706,SEAF向UE发送N1消息。相应地,UE接收该N1消息。
该N1消息中包括RAND和AUTN。
一种实现方法中,该N1消息是Authentication-Ruquest消息。
步骤707,UE对网络进行鉴权。
具体的,UE根据RAND以及USIM的长期密钥,推导得到AUTN'。UE比较AUTN'与AUTN,如果二者相同,则UE确定AUTN可接受,也即UE对网络鉴权成功。如果二者不同,则UE确定AUTN不可接受,也即UE对网络鉴权失败。
步骤708,如果UE对网络鉴权成功,则UE确定RES*。
具体的,UE根据RAND和长期密钥确定响应(response,RES),然后根据RES确定RES*。
步骤709,UE向SEAF发送N1消息。相应地,SEAF接收该N1消息。
该N1消息包括RES*。
步骤710,SEAF对UE进行鉴权。
具体的,SEAF根据RES*确定HRES*,然后比较HRES*和HXRES*。如果相同,SEAF确定鉴权成功。如果不相同,SEAF确定鉴权失败。
步骤711,SEAF向AUSF发送鉴权请求消息。相应地,AUSF接收该鉴权请求消息。
该鉴权请求消息包括RES*。
一种实现方法中,该鉴权请求消息是Nausf_UEAuthentication_Authenticate Request消息。
步骤712,若AUSF确定鉴权向量没有过期,则AUSF对UE进行鉴权。
具体的,AUSF比较RES*和XRES*。如果相同,AUSF确定鉴权成功。如果不相同,AUSF确定鉴权失败。
步骤713,AUSF向SEAF发送鉴权响应消息。相应地,SEAF接收该鉴权响应消息。
该鉴权响应消息用于指示鉴权成功或指示鉴权失败。
一种实现方法中,该鉴权响应消息是Nausf_UEAuthentication_Authenticate Response消息。
当SEAF鉴权成功且AUSF鉴权成功,则表明网络对UE鉴权成功,因此AMF会发起NAS安全模式命令流程,即向UE发送NAS安全模式命令消息。
SEAF还可以向UE发送鉴权结果,然后网络与UE协商用于安全通信的密钥。
上述方案,UE与网络可以实现互相鉴权,可以提升通信安全性。
上述图5至图7所示的鉴权发起流程和鉴权流程,总体包括以下几个过程:
过程1:UE发送NAS消息后,SEAF发起鉴权。
过程2:UDM生成鉴权向量,然后通过SEAF将鉴权向量中的RAND和AUTN发送给UE,UE根据AUTN对网络进行鉴权。
过程3:UE根据RAND确定响应(即RES或RES*),并将响应发送给SEAF,SEAF(或者SEAF和AUSF)根据响应,对UE进行鉴权。
过程4:SEAF向UE发送鉴权结果。
根据前面描述,卫星上部署基站、AMF、SMF和UPF等网元或设备,地面站部署UDM、AUSF等网元,也可以理解为,相较于卫星而言,UDM、AUSF等是部署在远程的。因此上述过程中,UE执行完过程1之后,需要等待卫星绕地球一圈后再执行过程2,以及,UE执行完过程3之后,再需要等待卫星绕地球一圈后再执行过程4,因此执行上述过程1至过程4需要卫星绕地球两圈的时间,导致UE在进行数据传输之前需要等待的时间较长。
综上所述,在卫星无法同时与UE和地面站进行通信的场景中,由于UE在实际传输数据需要先完成鉴权,而鉴权需要花费较长时间,导致UE在实际传输数据之前,需要等待较长时间。
为解决上述问题,本申请实施例提供相应的解决方案,下面具体说明。
需要说明的是,本申请实施例中的卫星上可以部署一个或多个网元,比如部署基站、AMF、SMF和UPF等网元或设备。实际应用中,卫星上部署的一个或多个网元可以合设,比如AMF与SMF可以合设,再比如基站和UPF可以合设,再比如基站、AMF、SMF和UPF可以合设。本申请对在卫星上部署网元或设备的形式不做限定。
图8(a)为本申请实施例提供的一种鉴权方法的流程示意图。该方法包括以下步骤:
步骤801a,AMF生成第一随机数。
一种实现方法,当AMF确定当前不能与地面段保持通信,则AMF生成第一随机数。也即AMF确定当前仅能与用户段的UE通信,但不能与地面段保持通信。
步骤802a,AMF向UE发送第一随机数。相应地,UE接收该第一随机数。
此时,卫星能够与用户面段的UE保持通信,但不能与地面段的鉴权网元保持通信。
一种实现方法中,AMF向基站发送N2消息,该N2消息中包括N1消息,该N1消息中包括第一随机数。基站将N1消息包含在接入层(access stratum,AS)消息中透传给UE。该基站与AMF部署在同一卫星上。
步骤803a,UE确定第一鉴权信息。
具体的,UE根据第一随机数和长期密钥,生成第一鉴权信息。
该长期密钥是用于UE与网络进行通信的根密钥。一般地,可以用K表示该长期密钥。
一种实现方法中,在步骤803a之前,AMF还生成第二鉴权信息或者是AMF从本地获取预配置的第二鉴权信息,然后AMF向UE发送第二鉴权信息。UE根据第二鉴权信息对AMF进行鉴权。当对AMF鉴权成功,则执行步骤803a。当对AMF鉴权失败,则无需执行步骤803a之后的后续步骤,也即鉴权流程结束。
其中,AMF可以使用但不限于使用以下任一方法生成第二鉴权信息:
方法1,AMF从UE收到第二随机数,AMF根据第二随机数生成第二鉴权信息。
基于该方法1,则UE根据第二鉴权信息对AMF进行鉴权的方法具体为:UE根据第二随机数生成第三鉴权信息,当第二鉴权信息与第三鉴权信息相同,则UE确定对AMF鉴权成功,或者当第二鉴权信息与第三鉴权信息不同,则UE确定对AMF鉴权失败。
方法2,AMF对AMF中的信息进行加密,得到第二鉴权信息。其中,AMF中的信息可以是任意信息,本申请不限定。
基于该方法2,则UE根据第二鉴权信息对AMF进行鉴权的方法具体为:UE使用公钥对第二鉴权信息进行解密,当解密成功,则UE确定对AMF鉴权成功,或者当解密失败,则UE确定对AMF鉴权失败。
需要说明的是,如果AMF向UE发送第二鉴权信息,则AMF可以在步骤802a之前、之后发送第二鉴权信息,也可以在步骤802a中同时发送第一随机数和第二鉴权信息,本申请对此不限定。
步骤804a,UE向AMF发送第一鉴权信息。相应地,AMF接收该第一鉴权信息。
一种实现方法中,UE向基站发送接入层消息,该接入层消息中包含N1消息,该N1消息中包括第一鉴权信息。然后基站向AMF发送N2消息,该N2消息中包括该N1消息。也即基站将N1消息透传给AMF。该基站与AMF部署在同一卫星上。
步骤805a,AMF向鉴权网元发送第一鉴权信息和第一随机数。
此时,卫星能够与地面段的鉴权网元保持通信,但不能与用户面段的UE保持通信。
该鉴权网元可以是AUSF或UDM。
步骤806a,鉴权网元向AMF发送鉴权结果。相应地,AMF接收该鉴权结果。
该鉴权结果指示对UE鉴权成功,或指示对UE鉴权失败。
具体的,鉴权网元根据第一随机数和长期密钥生成第四鉴权信息。当第四鉴权信息与第一鉴权信息相同,则鉴权网元确定对UE鉴权成功,当第四鉴权信息与第一鉴权信息不同,则鉴权网元确定对UE鉴权失败。其中,这里的长期密钥与UE在步骤803a中生成第一鉴权信息时使用的长期密钥相同。
一种实现方法中,当鉴权网元是AUSF,步骤805a具体为:AMF向AUSF发送第一鉴权信息和第一随机数,然后AUSF确定鉴权结果,并通过步骤806a向AMF发送鉴权结果。
又一种实现方法中,当鉴权网元是UDM,步骤805a具体为:AMF通过AMF与UDM之间的接口向UDM发送第一鉴权信息和第一随机数,然后UDM确定鉴权结果,并通过步骤806a向AMF发送鉴权结果。
又一种实现方法中,当鉴权网元是UDM,步骤805a具体包括:AMF向AUSF发送第一鉴权信息和第一随机数,以及AUSF向UDM发送第一鉴权信息和第一随机数。接着,
UDM确定鉴权结果。步骤806a具体为:UDM向AUSF发送鉴权结果,以及AUSF向AMF发送鉴权结果。
又一种实现方法中,当鉴权网元是AUSF和UDM,步骤805a具体包括:AMF向AUSF发送第一鉴权信息和第一随机数,以及AUSF向UDM发送第一随机数。接着,UDM根据第一随机数和长期密钥生成第四鉴权信息,并向AUSF发送第四鉴权信息,AUSF收到后比较第四鉴权信息和第一鉴权信息,从而确定鉴权结果。步骤806a具体为:AUSF向AMF发送鉴权结果。
步骤807a,AMF根据鉴权结果,向UE发送通知消息。相应地,UE接收该通知消息。
此时,卫星能够与用户面段的UE保持通信,但不能与地面段的鉴权网元保持通信。
该通知消息指示对UE的鉴权结果。
一种实现方式中,通知消息显式的指示鉴权结果。
又一种实现方式中,通知消息没有显式的指示鉴权结果,而是隐含的指示鉴权。例如,AMF向UE发送NAS安全模式命令消息,一旦接收到合法的NAS安全模式命令消息,UE认为鉴权成功。
上述方案,在卫星无法同时连接UE和地面站的场景下,UE只需等待卫星绕地球一圈的时间就可以完成鉴权流程,在完成鉴权流程之后即可以开始数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
为进一步减少数据传输的等待时间,本申请实施例还可以在鉴权流程中传输数据。比如,结合图8(a)的实施例,UE可以在步骤803a之后且在步骤807a之前,开始传输数据。下面介绍数据传输的不同实现方法。
方法A,UE通过控制面向基站发送数据,然后基站通过控制面向AMF发送数据。
一种实现方法,该数据可以与步骤804a的第一鉴权信息在同一个消息中传输,比如UE经由基站向AMF发送N1消息,该N1消息包括第一鉴权信息和数据。当然,该数据也可以通过一个单独的控制面消息发送至AMF,本申请对此不限定。
方法B,UE通过用户面向基站发送数据,然后基站通过用户面向UPF发送数据。
需要说明的是,如果UE对AMF鉴权,则UE可以是在对AMF鉴权成功的情况下,通过控制面向AMF发送数据,或通过用户面向基站发送数据。
UE将数据发送至卫星上的AMF或UPF之后,由于AMF/UPF此时还不能与地面站保持通信,因此可以先缓存数据,待后续能够与地面站保持通信之后,再将缓存的数据发送至地面段的数据网络。需要说明的是,卫星上缓存数据的网元不仅可以是AMF、UPF,也可以是SMF、NEF等其他网元,本申请不限定。比如,AMF/UPF通知SMF/NEF缓存收到的数据,后续AMF确定能够与地面站保持通信之后,AMF通知SMF/NEF将缓存的数据发送至地面段的数据网络。
上述方案,在鉴权流程完成之前,UE已经开始传输数据,因此进一步提前了数据传输的开始时间,有助于提升通信效率。
一种实现方法,UE在向AMF发送数据之前,可以向AMF发送第一指示信息,该第一指示信息指示UE在鉴权完成前传输数据。AMF在收到第一指示信息后,可以向UE发送第二指示信息,该第二指示信息指示以下信息中的一项或多项:支持UE在鉴权完成前传输数据、允许UE在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。可选的,AMF或基站还向UE发送临时安全信息,该临时安全信息用于UE对待传输的数据进
行加密,以保障通信安全。下面具体说明。
方法一,AMF向基站发送N2消息,该N2消息包括N1消息,该N1消息包括第二指示信息和临时安全信息。基站将N1消息包含在接入层消息中透传给UE。其中,该临时安全信息是AMF选择的用于对鉴权完成前通过控制面传输的数据进行保护的安全信息。
基于该方法一,UE收到第二指示信息后,根据临时安全信息对数据进行加密,然后通过控制面向AMF发送数据。具体的,UE在发送数据时,还可以参考第二指示信息指示的允许传输的数据大小或速率限制信息。
方法二,AMF向基站发送N2消息,该N2消息包括N1消息,该N1消息包括第二指示信息,基站生成临时安全信息,然后基站向UE发送N1消息和临时安全信息。其中,该临时安全信息是基站选择的用于对鉴权完成前通过用户面传输的数据进行保护的安全信息。
基于该方法二,UE收到第二指示信息后,根据临时安全信息对数据进行加密,然后通过用户面向基站发送数据。具体的,UE在发送数据时,还可以参考第二指示信息指示的允许传输的数据大小或速率限制信息。
一种实现方法中,在上述步骤806a之后,也即鉴权网元确定对UE鉴权成功之后,鉴权网元根据UE的位置信息和星历信息确定将来可能经过UE所在位置的卫星,然后向这些卫星上的AMF(以下以AMF1为例,该AMF1不同于图8(a)的实施例中描述的AMF)发送鉴权通知消息,该鉴权通知消息中包括UE的标识信息和锚点密钥,该锚点密钥用于推衍UE与AMF1之间的通信密钥。AMF1根据鉴权通知消息生成UE的安全上下文。当AMF1上有了UE的安全上下文,则AMF1可以对UE发送的N1消息进行解密和完整性校验。后续当AMF1建立与UE的通信连接之后,当UE发送了加密的N1消息后,如果AMF1根据预先保存的UE的安全上下文能够解密该N1消息,表明UE与AMF1之间可以进行加密通信,因此AMF1与UE之间可以跳过鉴权流程。该方法通过共享安全上下文的方式,避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
图8(b)为本申请实施例提供的一种鉴权方法的流程示意图。该方法包括以下步骤:
步骤801b,鉴权网元确定完成鉴权网元与UE之间的鉴权流程。
其中,鉴权网元与UE之间的鉴权流程,可以参考图5和图6所示的鉴权流程,或者参考图5和图7所示的鉴权流程,或者参考图8(a)的鉴权流程,本申请不限定。
步骤802b,鉴权网元向第一卫星发送第一鉴权通知消息。相应地,第一卫星接收该第一鉴权通知消息。
该第一鉴权通知消息包括UE的第一安全上下文,第一安全上下文用于UE与第一卫星之间的安全通信。
第一卫星是UE在未来处于无法连接到鉴权网元的地方时可能为UE提供服务的卫星。
其中,鉴权网元向第一卫星发送第一鉴权通知消息,具体可以是:鉴权网元向第一卫星上的AMF发送第一鉴权通知消息。
步骤803b,鉴权网元向UE发送第二安全上下文。相应地,UE接收该第二安全上下文。
第二安全上下文用于UE与第一卫星之间的安全通信,该第二安全上下文与上述第一安全上下文包含相同或不同的密钥,第一卫星上的AMF和UE可以分别根据第一安全上
下文和第二安全上下文直接获得或者推导出相同的安全密钥,该安全密钥用于对UE与第一卫星上的AMF之间的通信进行安全保护。
一种实现方法中,第一安全上下文包括UE的标识信息和锚点密钥,第二安全上下文包括鉴权网元密钥,UE可以根据鉴权网元密钥推导出锚点密钥,该锚点密钥与第一安全上下文中的锚点密钥相同。该示例中,该锚点密钥即为一种安全密钥。
后续,当UE建立与第一卫星之间的连接时,一般情况下需要先完成鉴权流程。然而,由于该实施例中鉴权网元已经提前向第一卫星的AMF发送了第一安全上下文,以及向UE提前发送了第二安全上下文,因此UE与AMF之间可以基于第一安全上下文和第二安全上下文进行通信。比如,UE向第一卫星的AMF发送第一消息,该第一消息包括UE的标识信息和加密信息,该加密信息是根据第二安全上下文进行安全保护的。AMF收到第一消息后,可以根据第一安全上下文对该加密信息进行解密,当解密成功,则AMF确定不执行鉴权流程,也即此时双方确认通信是安全的,无需执行鉴权流程。当解密失败,AMF触发执行鉴权流程,该鉴权流程可以参考图5和图6所示的鉴权流程,或者参考图5和图7所示的鉴权流程,或者参考图8(a)的鉴权流程,本申请不限定。
可选的,图8(b)的实施例还包括以下步骤804b和步骤805b。
步骤804b,鉴权网元向第二卫星发送第二鉴权通知消息。相应地,第二卫星接收该第二鉴权通知消息。
该第二鉴权通知消息包括UE的第三安全上下文,第三安全上下文用于UE与第二卫星之间的安全通信,第三安全上下文与上述第一安全上下文相同或不同。
第二卫星是UE在未来处于无法连接到鉴权网元的地方时可能为UE提供服务的卫星,第二卫星与第一卫星不同。
其中,鉴权网元向第二卫星发送第二鉴权通知消息,具体可以是:鉴权网元向第二卫星上的AMF发送第二鉴权通知消息。
步骤805b,鉴权网元向UE发送第四安全上下文。相应地,UE接收该第四安全上下文。
第四安全上下文用于UE与第二卫星之间的安全通信,该第四安全上下文与上述第二安全上下文可以相同,也可以不同。
该第四安全上下文与上述第三安全上下文包含相同或不同的密钥,第二卫星上的AMF和UE可以分别根据第三安全上下文和第四安全上下文直接获得或者推导出相同的安全密钥,该安全密钥用于对UE与第二卫星上的AMF之间的通信进行安全保护。
一种实现方法中,第三安全上下文包括UE的标识信息和锚点密钥,第四安全上下文包括鉴权网元密钥,UE可以根据鉴权网元密钥推导出锚点密钥,该锚点密钥与第三安全上下文中的锚点密钥相同。该示例中,该锚点密钥即为一种安全密钥。
需要说明的是,UE与第一卫星之间通信的安全密钥,和UE与第二卫星之间通信的安全密钥,可以相同,也可以不同,本申请不限定。
后续,当UE建立与第二卫星之间的连接时,一般情况下需要先完成鉴权流程。然而,由于该实施例中鉴权网元已经提前向第二卫星的AMF发送了第三安全上下文,以及向UE提前发送了第四安全上下文,因此UE与AMF之间可以基于第三安全上下文和第四安全上下文进行通信。比如,UE向第二卫星的AMF发送第二消息,该第二消息包括UE的标识信息和加密信息,该加密信息是根据第四安全上下文进行加密的。AMF收到第二消息后,
可以根据第三安全上下文对该加密信息进行解密,当解密成功,则AMF确定不执行鉴权流程,也即此时双方确认通信是安全的,无需执行鉴权流程。当解密失败,AMF触发执行鉴权流程,该鉴权流程可以参考图5和图6所示的鉴权流程,或者参考图5和图7所示的鉴权流程,或者参考图8(a)的鉴权流程,本申请不限定。
上述方案,通过向UE以及卫星提前发送UE的安全上下文,可以避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
一种实现方法中,在步骤802b之前,鉴权网元还需要确定UE在未来处于无法连接到该鉴权网元的地方时可能为UE提供服务的卫星。下面介绍三种不同实现方法。
方法1,鉴权网元根据UE的签约信息,确定UE在未来处于无法连接到该鉴权网元的地方时可能为UE提供服务的卫星。
方法2,鉴权网元接收来自UE或其他网元的第一指示信息,该指示信息指示UE在未来处于无法连接到鉴权网元的地方时可能为UE提供服务的卫星。
方法3,鉴权网元接收来自UE或其他网元的第二指示信息,该第二指示信息指示UE在未来处于无法连接到该鉴权网元的地方时可能所处的区域信息,鉴权网元根据星历信息和该第二指示信息,确定UE在未来处于无法连接到鉴权网元的地方时可能为UE提供服务的卫星。
其中,UE在未来处于无法连接到该鉴权网元的地方时可能为UE提供服务的卫星包括上述第一卫星、第二卫星,以及还可以包括其它卫星。该图8(b)的实施例是以两个卫星为例进行说明,实际应用中不限定卫星的数量,可以是一个、两个或两个以上。
下面结合具体实施例,对上述图8(a)和图8(b)的实施例进行说明。以下图9和图10的实施例是上述图8(a)的实施例的具体示例,图11的实施例是上述图8(b)的实施例的具体示例。
图9为本申请实施例提供的一种鉴权方法的流程示意图。该实施例中的网络鉴权信息、鉴权信息、随机数1、随机数2分别是图8(a)的实施例中的第二鉴权信息、第一鉴权信息、第二随机数、第一随机数的具体示例。
该方法包括以下步骤:
步骤901,UE向AMF发送N1消息。相应地,AMF接收该N1消息。
该N1消息中包括SUCI或5G-GUTI。
一种实现方法中,N1消息中还包括UE生成的随机数1(RAND1)。
一种实现方法中,在步骤901之前,UE还可以确定AMF或确定AMF所在的卫星。本申请对UE确定AMF或AMF所在的卫星的方法不做限定。
步骤902,AMF向UE发送N1消息。相应地,UE接收该N1消息。
该N1消息中包括网络鉴权信息和AMF生成的随机数2(RAND2)。
其中,网络鉴权信息用于UE对AMF进行鉴权。
本申请实施例对于该网络鉴权信息的实现方式不做限定,比如该网络鉴权信息可以是AUTN的形式或者是其它形式。
一种实现方法中,上述网络鉴权信息是由AMF生成的。比如,若步骤901中包含UE生成的随机数1,则AMF可以根据该随机数1生成该网络鉴权信息。再比如,AMF可以使用私钥对AMF上的信息进行加密得到加密后的信息,并将该加密后的信息作为网络鉴权信息。
又一种实现方法中,上述网络鉴权信息是预配置在AMF上的。
下面介绍触发AMF执行步骤902的不同实现方法。
实现方法1,AMF确定当前无法连接AUSF,也即AMF在确定无法连接AUSF的情况下触发执行上述步骤902。
比如,AMF根据星历信息确定当前无法连接到AUSF。这里的“当前无法连接到AUSF”,可以表述为“AMF当前无法连接到地面站”,该地面站可以连接到AUSF,或者理解为“AUSF当前不可达”、“地面站当前不可达”等。需要理解的是,有一些场景也可以认为是当前无法连接到AUSF,比如当前AMF可以连接到地面站,但该地面站无法连接到需要连接的AUSF。对应的,后续AMF可以连接到AUSF时,可以描述为“可以连接到AUSF”、“可以连接到地面站”、“AUSF可达”、“地面站可达”等。
实现方法2,上述步骤901的N1消息中的部分或全部内容被UE安全保护,AMF无法对N1消息进行解密或校验,则触发AMF执行该步骤902。
具体的,UE之前可能已经与网络执行过鉴权流程,且UE中保存有安全上下文,则UE基于保存的安全上下文对N1消息进行安全保护。AMF收到安全保护的N1消息后如果无法解密或校验,则AMF确定需要重新执行鉴权流程,因此触发执行步骤902。比如,UE上一次是与AMF1执行鉴权流程,因此UE与AMF1上均存储了协商的安全上下文,随着卫星的移动,UE当前是与AMF2建立连接,则AMF2上可能没有存储该安全上下文,因此AMF2无法解密或校验UE发送的N1消息,则触发重新鉴权。
实现方法3,上述步骤901的N1消息中的部分或全部内容被UE安全保护,AMF可以对N1消息进行解密或校验,但AMF依然决定对UE进行重新鉴权,则触发AMF执行该步骤902。
步骤903,UE对AMF进行鉴权。
UE从N1消息中获取网络鉴权信息,并根据网络鉴权信息对AMF进行鉴权。本申请实施例对于UE对AMF进行鉴权的方法不做限定。
比如,当网络鉴权信息是AMF根据随机数1生成的,则UE可以根据随机数1生成网络鉴权信息。然后UE比较从AMF收到的网络鉴权信息和UE生成的网络鉴权信息。如果二者相同,则UE确定对AMF鉴权成功,否则鉴权失败。
再比如,如果AMF是使用私钥对AMF上的信息进行加密得到网络鉴权信息,则UE收到网络鉴权信息后,使用公钥对网络鉴权信息进行解密。若解密成功,则UE确定对AMF鉴权成功,否则,UE确定对AMF鉴权失败。
步骤904,若UE对AMF鉴权成功,则确定鉴权信息。
一种实现方法中,UE根据随机数2和长期密钥确定鉴权信息。本申请对确定鉴权信息的推导过程不做限定。
比如,UE根据随机数2和长期密钥确定RES,并将该RES作为鉴权信息。
再比如,UE根据随机数2和长期密钥确定RES,然后根据RES确定RES*,或者根据RES和服务网络名称确定RES*,并将该RES*作为鉴权信息。
步骤905,UE向AMF发送N1消息。相应地,AMF接收该N1消息。
该N1消息包括鉴权信息。
步骤906,AMF确定可以连接到AUSF,向AUSF发送鉴权请求消息。相应地,AUSF接收该鉴权请求消息。
该鉴权请求消息中包括随机数2和鉴权信息。
其中,AMF收到N1消息后,在确定不能连接到AUSF的情况下,会存储N1消息中的鉴权信息。后续在确定能够连接AUSF时,向AUSF发送该鉴权请求消息。
AMF可以连接到AUSF,指的是卫星发生移动后,卫星上的AMF能够与地面的AUSF建立连接并进行通信。此时卫星与UE之间的通信连接断开。
步骤907,AUSF向UDM发送鉴权请求消息。相应地,UDM接收该鉴权请求消息。
该鉴权请求消息中包括随机数2,可选的该鉴权请求消息还包括鉴权信息。
步骤908,UDM确定期望鉴权信息。
UDM根据随机数2和长期密钥确定期望鉴权信息。该长期密钥与UE生成鉴权信息时使用的长期密钥相同,均为UE的USIM中的长期密钥。
一种实现方法中,UDM根据随机数2和长期密钥确定XRES,并将该XRES作为期望鉴权信息。
一种实现方法中,UDM根据随机数2和长期密钥确定XRES,根据XRES确定XRES*,并将该XRES*作为期望鉴权信息。
步骤909,UDM向AUSF发送鉴权响应消息。相应地,AUSF接收该鉴权响应消息。
一种实现方法中,可以由AUSF对UE进行鉴权,则该鉴权响应消息中包括期望鉴权信息。具体的,AUSF收到携带期望鉴权信息的鉴权响应消息后,比较该期望鉴权信息与AUSF从步骤906收到的鉴权信息是否相同。如果相同,UDM确定对UE鉴权成功,否则对UE鉴权失败。需要说明的是,针对该方法,上述步骤907中可以不携带鉴权信息。
又一种实现方法中,可以由UDM对UE进行鉴权,则该鉴权响应消息中包括鉴权结果。具体的,上述步骤907中还包括鉴权信息,UDM确定期望鉴权信息之后,比较UDM生成的期望鉴权信息与从步骤907收到的鉴权信息是否相同。如果相同,UDM确定对UE鉴权成功,否则对UE鉴权失败。然后UDM在向AUSF发送的鉴权响应消息中携带鉴权结果,该鉴权结果指示对UE鉴权成功或失败。
步骤910,AUSF向AMF发送鉴权响应消息。相应地,AMF接收该鉴权响应消息。
该鉴权响应消息包括鉴权结果,该鉴权结果指示对UE鉴权成功或失败。
步骤911,AMF确定可以连接到UE,AMF向UE发送N1消息。相应地,UE接收该N1消息。
该N1消息用于协商安全上下文等。该安全上下文包括但不限于:选择的安全算法(如加密算法、完整性保护算法)、密钥集标识符、UE安全能力。
AMF可以连接到UE,指的是卫星发生移动后,卫星上的AMF能够与地面的UE建立连接并进行通信。此时卫星与地面站以及地面的AUSF、UDM等之间的通信连接断开。
上述方案,在卫星无法同时连接UE和地面站的场景下,UE只需等待卫星绕地球一圈的时间就可以完成鉴权流程,在完成鉴权流程之后即可以开始数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
一种实现方法中,在上述步骤909之后,也即AUSF确定对UE鉴权成功之后,AUSF根据UE的位置信息和星历信息确定将来可能经过UE所在位置的卫星,然后向这些卫星上的AMF(以下以AMF1为例,该AMF1不同于图9的实施例中描述的AMF)发送鉴权通知消息,该鉴权通知消息中包括UE的标识信息和锚点密钥,该锚点密钥用于推衍UE与AMF1之间的通信密钥。AMF1根据鉴权通知消息生成UE的安全上下文。当AMF1上
有了UE的安全上下文,则AMF1可以对UE发送的N1消息进行解密和完整性校验。后续当AMF1建立与UE的通信连接之后,当UE发送了加密的N1消息后,如果AMF1根据预先保存的UE的安全上下文能够解密该N1消息,表明UE与AMF1之间可以进行加密通信,因此AMF1与UE之间可以跳过鉴权流程。该方法通过共享安全上下文的方式,避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
图10为本申请实施例提供的一种鉴权方法的流程示意图。该实施例中的网络鉴权信息、鉴权信息、随机数1、随机数2分别是图8(a)的实施例中的第二鉴权信息、第一鉴权信息、第二随机数、第一随机数的具体示例。
该方法能够实现在鉴权流程中传输数据。
该方法包括以下步骤:
步骤1001,同图9的实施例中的步骤901。
与步骤901不同的是,在步骤1001中,一种实现方法中,该N1消息中还包括指示信息1,该指示信息1指示UE需要/请求在鉴权完成前传输数据,可选的,该指示信息1还指示UE具有在鉴权完成前传输数据的能力。这里的“传输数据”可以是通过控制面和/或用户面传输数据。
步骤1002,同图9的实施例中的步骤902。AMF向UE发送N1消息。相应地,UE接收该N1消息。
与步骤902不同的是,在步骤1002中,一种实现方法中,该N1消息中还包括指示信息2和临时安全信息。具体的,AMF向基站发送N2消息,该N2消息包括该N1消息,然后基站向UE发送RRC消息,该RRC消息包括该N1消息。也即基站透传N1消息至UE,指示信息2和临时安全信息都是来自AMF。其中,该指示信息2指示以下信息中的一项或多项:支持UE在鉴权完成前传输数据、允许UE在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。临时安全信息是AMF选择的用于对鉴权完成前通过控制面传输的数据进行加密和/或完整性保护的安全信息,比如临时安全信息包括算法信息等。
又一种实现方法中,也可以是由AMF向UE发送指示信息2,而临时安全信息是由基站生成并发送至UE。具体的,AMF向基站发送N2消息,该N2消息包括指示信息1和N1消息,该N1消息包括网络鉴权信息、AMF生成的随机数2(RAND2)和指示信息2。该指示信息1和指示信息2的含义参考前面描述。基站根据指示信息1生成临时安全信息,该临时安全信息是基站选择的用于对鉴权完成前通过用户面传输的数据进行加密和/或完整保护的安全信息,如算法信息等。然后基站向UE发送RRC消息,该RRC消息包括该N1消息和该临时安全信息。
又一种实现方法中,该指示信息2和临时安全信息均由基站生成并发送至UE。具体的,AMF向基站发送N2消息,该N2消息包括指示信息1和N1消息,该N1消息包括网络鉴权信息和AMF生成的随机数2(RAND2)。该指示信息1的含义参考前面描述。基站根据指示信息1生成临时安全信息和指示信息2,该指示信息2的含义参考前面描述,该临时安全信息是基站选择的用于对鉴权完成前通过用户面传输的数据进行加密和/或完整保护的安全信息,如算法信息等。然后基站向UE发送RRC消息,该RRC消息包括该N1消息、该指示信息2和该临时安全信息。
步骤1003至步骤1004,同图9实施例中的步骤903至步骤904。
步骤1005,UE向AMF发送N1消息。相应地,AMF接收该N1消息。
该N1消息包括鉴权信息。
一种实现方法中,UE根据指示信息2确定网络侧支持UE在鉴权完成前传输数据且允许UE在鉴权完成前传输数据,则UE可以在步骤1004之后传输小数据。
一种实现方法中,如果UE收到来自AMF的临时安全信息,则在步骤1004之后,UE可以选择通过控制面传输小数据。比如UE在步骤1005的N1消息中还携带小数据。再比如UE通过独立于步骤1005的另一个N1消息传输小数据。其中,控制面传输小数据的路径可以是:UE-基站-AMF,该路径在核心网内部可能还包括AMF-SMF-UPF或AMF-SMF-NEF等。小数据传输到卫星上之后,可以缓存在卫星上的AMF、SMF、UPF或NEF,本申请对数据缓存的地方不做限定。
又一种实现方法中,如果UE收到来自基站的临时安全信息,则在步骤1004之后,UE可以选择通过用户面传输小数据。比如UE通过用户面向基站发送小数据,然后基站向AMF发送小数据。其中,用户面传输小数据的路径可以是:UE-基站,该路径在核心网内部可能还包括基站-UPF。小数据传输到卫星上之后,可以缓存在卫星上的基站或UPF,本申请对数据缓存的地方不做限定。
上述通过控制面和用户面传输小数据的方法中,虽然同样是UE向基站发送小数据,但使用的承载类型不同,控制面使用的是信令无线承载(signaling radio bearer,SRB),用户面使用的是数据无线承载(data radio bearer,DRB)。
其中,传输的小数据可以通过临时安全信息进行加密,或者通过预配置在UE上的公钥进行加密。如果指示信息2还指示了允许传输的数据大小和/或速率限制信息,则UE在传输小数据时还需要遵从允许传输的数据大小和/或速率限制信息。
一种实现方法中,在UE确定通过控制面或用户面传输路径传输小数据之前,UE还通过基站、AMF向SMF发送会话建立请求消息,比如通过步骤1005的N1消息或其它消息发送该会话建立请求消息,该会话建立请求消息请求建立用于传输数据的PDU会话。SMF收到该会话建立请求消息后,执行以下操作中的一个或多个:分配PDU会话标识、选择用于传输数据的UPF、指示UPF缓存UE的数据、建立SMF与NEF之间用于传输数据的连接。然后SMF向UE发送会话建立接受消息,该会话建立接受消息包括PDU会话标识等。UE收到会话建立接受消息后,决定使用该PDU会话的标识通过控制面或用户面的传输路径传输小数据。后续UE在发送小数据时可以带上该PDU会话标识,以便于网络侧根据PDU会话标识确定转发路径。其中,如果发送给UE的会话建立接受消息中包含选择用于传输数据的UPF和UPF的隧道信息,则UE选择用户面传输小数据。
又一种实现方法中,在步骤1001之后,基于指示信息1触发AMF向SMF发送会话管理请求消息,该会话管理请求消息请求为UE创建会话管理上下文。SMF在收到会话管理请求消息后,执行以下操作中的一个或多个:分配PDU会话标识、选择用于传输数据的UPF、指示UPF缓存UE的数据、建立SMF与NEF之间用于传输数据的连接。然后SMF向AMF发送会话管理响应消息,该会话管理响应消息包括PDU会话标识,后续AMF向UE发送PDU会话标识。UE收到PDU会话标识后,决定使用该PDU会话的标识通过控制面或用户面的传输路径传输小数据。后续UE在发送小数据时可以带上该PDU会话标识,以便于网络侧根据PDU会话标识确定转发路径。其中,如果SMF还向AMF发送选择用于传输数据的UPF和UPF的隧道信息,且AMF向UE发送选择用于传输数据的UPF和
UPF的隧道信息,则UE选择用户面传输小数据。
步骤1006,AMF确定可以连接到AUSF,向AUSF发送鉴权请求消息。相应地,AUSF接收该鉴权请求消息。
该鉴权请求消息中包括随机数2和鉴权信息。
其中,AMF收到N1消息后,在确定不能连接到AUSF的情况下,会存储N1消息中的鉴权信息。后续在确定能够连接AUSF时,向AUSF发送该鉴权请求消息。
AMF可以连接到AUSF,指的是卫星发生移动后,卫星上的AMF能够与地面的AUSF建立连接并进行通信。此时卫星与UE之间的通信连接断开。
一种实现方法中,如果AMF收到来自UE的小数据,则AMF还缓存该小数据。当然,如果AMF对该小数据继续转发的话,则AMF可以不缓存该小数据。比如AMF向SMF或UPF转发该小数据。
需要说明的是,实际缓存该小数据的目标网元,比如AMF、UPF、SMF或NEF,在收到小数据之前,还可能收到来自其它网元的指示信息,该指示信息指示缓存数据,或指示当前无法连接到接收端,则该目标网元缓存收到的小数据。或者该目标网元确定无法连接到接收端,则缓存收到的小数据。
步骤1007至步骤1010,同图9实施例的步骤907至步骤910。
在步骤1010之后,如果AMF确定鉴权成功,包括UE对AMF鉴权成功和网络对UE鉴权成功,则卫星上的实际缓存小数据的目标网元可以向地面段的AF或DN发送小数据。
并且,如果卫星上的网元,如AMF、基站或SMF等收到来自AF或DN的数据,则可以缓存该数据,待后续卫星与UE建立连接之后,向UE发送缓存的数据。
步骤1011,AMF确定可以连接到UE,AMF向UE发送N1消息。相应地,UE接收该N1消息。
该N1消息用于协商安全上下文等。该安全上下文包括但不限于:选择的安全算法(如加密算法、完整性保护算法)、密钥集标识符、UE安全能力。该N1消息中还可以包括AF或DN需要发送给UE的数据。
AMF可以连接到UE,指的是卫星发生移动后,卫星上的AMF能够与地面的UE建立连接并进行通信。此时卫星与地面站以及地面的AUSF、UDM等之间的通信连接断开。
上述方案,在卫星无法同时连接UE和地面站的场景下,UE只需等待卫星绕地球一圈的时间就可以完成鉴权流程,并且在鉴权流程中就可以进行数据传输,因此能够减少等待进行数据传输的时间,有助于提升通信效率。
图11为本申请实施例提供的一种鉴权方法的流程示意图。该方法包括以下步骤:
步骤1101,UE和AUSF完成鉴权流程。
该鉴权流程包括鉴权发起流程和鉴权流程,具体包括前述图5和图6的实施例,或者包括图5和图7的实施例,或者包括图8(a)的实施例。
需要说明的是,该实施例的场景是UE在能够连接到AUSF的地方先鉴权(可以通过卫星接入或地面接入,不做限定),然后随着卫星移动,出现卫星不能同时连接UE和地面站的场景。
步骤1102,AUSF向UE发送安全上下文信息。相应地,UE接收该安全上下文信息。
该安全上下文信息包括多个安全上下文,每个安全上下文对应一个卫星,不同安全上下文对应不同的卫星。安全上下文用于对UE与卫星之间的通信数据或信令进行安全保护。
该安全上下文比如包括锚点密钥、安全算法等。
一种实现方法中,AUSF确定鉴权成功,且UE可能移动到无法连接到AUSF的地方,则向UE发送上述安全上下文信息,该安全上下文信息中的每个安全上下文对应一个卫星,该卫星是UE将来处于无法连接到AUSF的某个地方时可能为该UE提供服务的卫星。
在步骤1102之前,AUSF需要确定UE在未来处于无法连接到该AUSF的地方时可能为UE提供服务的卫星,其具体实现方法可以参考图8(b)的实施例中的描述,这里不再赘述。
步骤1103,AUSF向未来可能服务UE的卫星上的AMF发送鉴权通知消息。相应地,AMF接收该鉴权通知消息。
该鉴权通知消息包括安全上下文。该安全上下文包括UE的标识信息、锚点密钥、安全算法等。
其中,AUSF向不同的卫星上的AMF发送的安全上下文是不同的。
示例性地,上述步骤1102中,AUSF向UE发送的安全上下文信息包括安全上下文1和安全上下文2。在该步骤1103中,AUSF向卫星1发送安全上下文1',向卫星2发送安全上下文2'。其中,安全上下文1与安全上下文1'存在对应关系,比如二者包含相同的锚点密钥、安全算法等信息。安全上下文2与安全上下文2'存在对应关系,比如二者包含相同的锚点密钥、安全算法等信息。
以卫星1为例,UE可以使用安全上下文1,通过卫星1上的网元接入网络,卫星1上的网元可以使用安全上下文1'确定UE是已鉴权成功的UE,因此UE与卫星1之间后续在建立连接之后,可以跳过鉴权流程,从而节约数据传输之前的等待时间。
以下以UE与卫星1的通信过程为例进行说明。
步骤1104,UE向AMF发送N1消息。相应地,AMF接收该N1消息。
具体的,UE确定卫星1或卫星1上的AMF对应的安全上下文1,基于该安全上下文1对N1消息进行安全保护,向AMF发送进行安全保护的N1消息。
该N1消息中包括SUCI或5G-GUTI。
AMF收到N1消息后,确定UE对应的安全上下文。如果AMF本地存储有UE的安全上下文1',则AMF根据安全上下文1',对N1消息进行解密和完整性校验。若AMF成功解密和完整性校验,则确定不需要对UE执行鉴权流程,也即UE与卫星1的AMF之间可以基于安全上下文1和安全上下文1'进行相互通信。可选的,该N1消息中还包括小数据,具体参考图10的实施例。
若AMF本地没有存储有UE的安全上下文,或者AMF本地存储有UE的安全上下文1'但AMF根据安全上下文1'对N1消息进行解密和完整性校验失败,则需要在步骤1104之后执行步骤1105。
步骤1105,UE完成鉴权流程。
该步骤1105的具体过程可以参考图9实施例中的步骤902至步骤911的描述,或者参考图10实施例中的步骤1002至步骤1011的描述,不再赘述。
上述方案,通过向UE以及卫星提前发送UE的安全上下文,可以避免不必要的鉴权,能够减少信令开销以及减少数据传输之前的等待时间,有助于提升通信效率。
图12为本申请实施例提供的一种鉴权方法的流程示意图。该实施例中,卫星上部署有基站,可选的还部署有UPF等。地面站连接的核心网部署有AUSF、UDM、AMF、SMF
等网元。该实施例与前述各个实施例的区别是:该实施例中AMF/SMF是部署在地面的,而前述各个实施中AMF/SMF是部署在卫星上的。
该方法包括以下步骤:
步骤1201,UE执行鉴权流程。
该鉴权流程包括鉴权发起流程和鉴权流程,具体包括前述图5和图6的实施例,或者包括图5和图7的实施例。
该鉴权流程可以基于地面通信完成,不需要卫星的参与。
步骤1202,PDU会话建立流程。
该流程用于建立传输控制面数据的PDU会话。
该流程是可选的。
步骤1203,UE向卫星的基站发送N1消息。相应地,基站接收该N1消息。
此时,卫星能够与UE通信,但不能与地面段的网元如AUSF、UDM、AMF、SMF等通信。
该N1消息中包含UE发送的数据。
该步骤中,UE基于鉴权流程获得的安全上下文,对N1消息进行安全保护,该N1消息包含在接入层消息中发送给卫星上的基站,该接入层消息没有进行安全保护。
步骤1204,基站确定无法连接到AMF,则缓存收到的N1消息。
步骤1205,基站确定能够连接到AMF之后,向AMF发送N2消息。相应地,AMF接收该N2消息。
该N2消息包含缓存的N1消息,该N1消息中包含数据。
AMF收到后N1消息后,对N1消息进行解密和完整性校验。
步骤1206,AMF将数据通过控制面发送数据,同时也接收需要发送给UE的数据。
比如AMF向地面核心网中的数据网络发送数据,该数据来自UE。
再比如,AMF接收来自地面核心网的数据网络的数据。
步骤1207,AMF向基站发送N2消息。相应地,基站接收该N2消息。
该N2消息包括N1消息,该N1消息包括AMF从地面核心网的数据网络中接收到的需要发送给UE的数据。该N1消息是基于安全上下文进行安全保护。
步骤1208,基站确定无法连接到UE,则缓存收到的N1消息。
步骤1209,基站确定能够连接到UE之后,向UE发送N1消息。相应地,UE接收该N1消息。
比如,基站向UE发送接入层消息,该接入层消息包括该N1消息,该N1消息包括网络需要发送给UE的数据。
上述方案,将卫星上部署的AMF更改为部署在地面,因此UE经由AMF与AUSF/UDM进行鉴权时,不需要等待与卫星建立通信连接,而是直接基于地面通信,即可经由AMF与AUSF/UDM进行鉴权,也即鉴权流程直接基于地面通信即可完成,不需要依赖于卫星通信,从而可以实现快速完成鉴权流程。在完成鉴权流程之后,后续只要UE能够与卫星建立通信,即可向卫星上的基站发送数据或者从卫星上的基站接收数据,可以实现数据的快速传输。
可以理解的是,为了实现上述实施例中功能,移动性管理网元、终端设备或鉴权网元包括了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,
结合本申请中所公开的实施例描述的各示例的单元及方法步骤,本申请能够以硬件或硬件和计算机软件相结合的形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用场景和设计约束条件。
图13和图14为本申请的实施例提供的可能的通信装置的结构示意图。这些通信装置可以用于实现上述方法实施例中移动性管理网元、终端设备或鉴权网元的功能,因此也能实现上述方法实施例所具备的有益效果。在本申请的实施例中,该通信装置可以是移动性管理网元、终端设备或鉴权网元,也可以是应用于移动性管理网元、终端设备或鉴权网元的模块(如芯片)。
图13所示的通信装置1300包括处理单元1310和收发单元1320。通信装置1300用于实现上述图8(a)或图8(b)所示的方法实施例中移动性管理网元、终端设备或鉴权网元的功能。
当通信装置1300用于实现图8(a)所示的方法实施例中移动性管理网元(即AMF)的功能,处理单元1310,用于生成第一随机数;收发单元1320,用于向终端设备发送该第一随机数;元接收来自该终端设备的第一鉴权信息,该第一鉴权信息是根据该第一随机数和长期密钥生成的,该长期密钥是用于该终端设备与网络进行通信的根密钥;向鉴权网元发送该第一鉴权信息和该第一随机数,该第一鉴权信息和该第一随机数用于对该终端设备进行认证;接收来自该鉴权网元的鉴权结果;以及根据该鉴权结果,向该终端设备发送通知消息,该通知消息指示对该终端设备的鉴权结果。
一种可能的实现方法中,处理单元1310,还用于生成第二鉴权信息;收发单元1320,还用于向该终端设备发送该第二鉴权信息,该第二鉴权信息用于对该移动性管理网元进行鉴权。
一种可能的实现方法中,收发单元1320,还用于根据该鉴权结果,向该终端设备发送通知消息之前,通过控制面接收来自该终端设备的数据;其中,该数据与该第一鉴权信息携带于同一个消息或不同消息中。
一种可能的实现方法中,收发单元1320,还用于接收来自该终端设备的第一指示信息,该第一指示信息指示该终端设备在鉴权完成前传输数据。
一种可能的实现方法中,处理单元1310,还用于当该移动性管理网元不能与该鉴权网元通信,缓存该数据;当该移动性管理网元能够与该鉴权网元通信,获取缓存的该数据并通过收发单元1320向数据网络发送该数据。
一种可能的实现方法中,收发单元1320,还用于当该移动性管理网元不能与该鉴权网元通信,通知其它网元缓存该数据;当该移动性管理网元能够与该鉴权网元通信,通知该其它网元向数据网络发送缓存的该数据。
一种可能的实现方法中,处理单元1310,还用于生成第一鉴权信息和第一随机数之前,确定当前无法与该鉴权网元通信。
当通信装置1300用于实现图8(a)所示的方法实施例中终端设备(即UE)的功能,收发单元1320,用于接收来自卫星上的移动性管理网元的第一随机数;处理单元1310,用于根据该第一随机数和长期密钥,生成第一鉴权信息;收发单元1320,还用于向该移动性管理网元发送该第一鉴权信息,该第一鉴权信息用于对该终端设备进行鉴权,该长期密钥是用于该终端设备与网络进行通信的根密钥;以及接收来自该移动性管理网元的通知消息,该通知消息指示对该终端设备的鉴权结果。
一种可能的实现方法中,收发单元1320,还用于接收来自该移动性管理网元的第二鉴权信息;处理单元1310,还用于根据该第二鉴权信息,对该移动性管理网元进行鉴权;处理单元1310,用于根据该第一随机数和长期密钥,生成第一鉴权信息,具体包括:在对该移动性管理网元鉴权成功的情况下,根据该第一随机数和该长期密钥,生成该第一鉴权信息。
一种可能的实现方法中,该第二鉴权信息是根据该终端设备发送至该移动性管理网元的第二随机数生成的;处理单元1310,用于根据该第二鉴权信息,对该移动性管理网元进行鉴权,具体包括:用于根据该第二随机数生成第三鉴权信息;当该第二鉴权信息与该第三鉴权信息相同,确定对该移动性管理网元鉴权成功;或者,当该第二鉴权信息与该第三鉴权信息不同,确定对该移动性管理网元鉴权失败。
一种可能的实现方法中,该第二鉴权信息是对该移动性管理网元中的信息进行加密后得到的;处理单元1310,用于根据该第二鉴权信息,对该移动性管理网元进行鉴权,具体包括:用于使用公钥对该第二鉴权信息进行解密;当解密成功,确定对该移动性管理网元鉴权成功;或者,当解密失败,确定对该移动性管理网元鉴权失败。
一种可能的实现方法中,收发单元1320,还用于在接收来自该移动性管理网元的通知消息之前,通过用户面向接入网设备发送数据;或者,向该移动性管理网元发送数据,该数据与该第一鉴权信息携带于同一个消息或不同的消息中。
一种可能的实现方法中,收发单元1320,还用于向该移动性管理网元发送第一指示信息,该第一指示信息指示该终端设备在鉴权完成前传输数据。
当通信装置1300用于实现图8(b)所示的方法实施例中鉴权网元的功能,处理单元1310,用于确定完成该鉴权网元与终端设备之间的鉴权流程;收发单元1320,用于向第一卫星发送第一鉴权通知消息,该第一鉴权通知消息包括该终端设备的第一安全上下文;其中,该第一安全上下文用于该终端设备与该第一卫星之间的安全通信,该第一卫星是该终端设备在未来处于无法连接到该鉴权网元的地方时可能为该终端设备提供服务的卫星。
一种可能的实现方法中,收发单元1320,还用于向该终端设备发送该终端设备的第二安全上下文,该第二安全上下文用于该终端设备与该第一卫星之间的安全通信,该第二安全上下文与该第一安全上下文对应相同的安全密钥。
一种可能的实现方法中,收发单元1320,还用于向第二卫星发送第二鉴权通知消息,该第二鉴权通知消息包括该终端设备的第三安全上下文;其中,该第三安全上下文用于该终端设备与该第二卫星之间的安全通信,该第二卫星是该终端设备在未来处于无法连接到该鉴权网元的地方时可能为该终端设备提供服务的卫星,该第二卫星与该第一卫星不同,该第三安全上下文与该第一安全上下文不同。
一种可能的实现方法中,收发单元1320,还用于向该终端设备发送该终端设备的第四安全上下文,该第四安全上下文用于该终端设备与该第二卫星之间的安全通信,该第四安全上下文与该第三安全上下文对应相同的安全密钥,该第四安全上下文与该第三安全上下文不同。
当通信装置1300用于实现图8(b)所示的方法实施例中移动性管理网元(即AMF)的功能,收发单元1320,用于接收来自终端设备的第一消息,该第一消息包括该终端设备的标识信息和加密信息;处理单元1310,用于获取该终端设备的安全上下文,并根据该安全上下文对该加密信息进行解密;当解密成功,确定不执行鉴权流程;或者,当解密失败,
触发执行鉴权流程。
一种可能的实现方法中,收发单元1320,还用于接收来自鉴权网元的该安全上下文。
有关上述处理单元1310和收发单元1320更详细的描述可以直接参考图8(a)或图8(b)所示的方法实施例中相关描述直接得到,这里不加赘述。
图14所示的通信装置1400包括处理器1410和接口电路1420。处理器1410和接口电路1420之间相互耦合。可以理解的是,接口电路1420可以为收发器或输入输出接口。可选的,通信装置1400还可以包括存储器1430,用于存储处理器1410执行的指令或存储处理器1410运行指令所需要的输入数据或存储处理器1410运行指令后产生的数据。
当通信装置1400用于实现图8(a)或图8(b)所示的方法时,处理器1410用于实现上述处理单元1310的功能,接口电路1420用于实现上述收发单元1320的功能。
可以理解的是,本申请的实施例中的处理器可以是中央处理单元(Central Processing Unit,CPU),还可以是其它通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field Programmable Gate Array,FPGA)或者其它可编程逻辑器件、晶体管逻辑器件,硬件部件或者其任意组合。通用处理器可以是微处理器,也可以是任何常规的处理器。
本申请的实施例中的方法步骤可以通过硬件的方式来实现,也可以由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于随机存取存储器、闪存、只读存储器、可编程只读存储器、可擦除可编程只读存储器、电可擦除可编程只读存储器、寄存器、硬盘、移动硬盘、CD-ROM或者本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于ASIC中。另外,该ASIC可以位于基站或终端设备中。当然,处理器和存储介质也可以作为分立组件存在于基站或终端设备中。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机程序或指令。在计算机上加载和执行所述计算机程序或指令时,全部或部分地执行本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、基站、用户设备或者其它可编程装置。所述计算机程序或指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机程序或指令可以从一个网站站点、计算机、服务器或数据中心通过有线或无线方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是集成一个或多个可用介质的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,例如,软盘、硬盘、磁带;也可以是光介质,例如,数字视频光盘;还可以是半导体介质,例如,固态硬盘。该计算机可读存储介质可以是易失性或非易失性存储介质,或可包括易失性和非易失性两种类型的存储介质。
在本申请的各个实施例中,如果没有特殊说明以及逻辑冲突,不同的实施例之间的术语和/或描述具有一致性、且可以相互引用,不同的实施例中的技术特征根据其内在的逻辑关系可以组合形成新的实施例。
本申请中,“至少一个”是指一个或者多个,“多个”是指两个或两个以上。“和/或”,描
述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B的情况,其中A,B可以是单数或者复数。在本申请的文字描述中,字符“/”,一般表示前后关联对象是一种“或”的关系;在本申请的公式中,字符“/”,表示前后关联对象是一种“相除”的关系。
可以理解的是,在本申请的实施例中涉及的各种数字编号仅为描述方便进行的区分,并不用来限制本申请的实施例的范围。上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定。
Claims (23)
- 一种鉴权方法,其特征在于,包括:卫星上的移动性管理网元生成第一随机数;所述移动性管理网元向终端设备发送所述第一随机数;所述移动性管理网元接收来自所述终端设备的第一鉴权信息,所述第一鉴权信息是根据所述第一随机数和长期密钥生成的,所述长期密钥是用于所述终端设备与网络进行通信的根密钥;所述移动性管理网元向鉴权网元发送所述第一鉴权信息和所述第一随机数,所述第一鉴权信息和所述第一随机数用于对所述终端设备进行鉴权;所述移动性管理网元接收来自所述鉴权网元的鉴权结果;所述移动性管理网元根据所述鉴权结果,向所述终端设备发送通知消息,所述通知消息指示对所述终端设备的鉴权结果。
- 如权利要求1所述的方法,其特征在于,所述方法还包括:所述移动性管理网元生成第二鉴权信息;所述移动性管理网元向所述终端设备发送所述第二鉴权信息,所述第二鉴权信息用于对所述移动性管理网元进行鉴权。
- 如权利要求2所述的方法,其特征在于,所述移动性管理网元生成第二鉴权信息,包括:所述移动性管理网元接收来自所述终端设备的第二随机数;所述移动性管理网元根据所述第二随机数,生成所述第二鉴权信息。
- 如权利要求2所述的方法,其特征在于,所述移动性管理网元生成第二鉴权信息,包括:所述移动性管理网元对所述移动性管理网元中的信息进行加密,得到所述第二鉴权信息。
- 如权利要求1至4中任一项所述的方法,其特征在于,所述移动性管理网元根据所述鉴权结果,向所述终端设备发送通知消息之前,还包括:所述移动性管理网元通过控制面接收来自所述终端设备的数据;其中,所述数据与所述第一鉴权信息携带于同一个消息或不同消息中。
- 如权利要求5所述的方法,其特征在于,所述方法还包括:所述移动性管理网元接收来自所述终端设备的第一指示信息,所述第一指示信息指示所述终端设备在鉴权完成前传输数据。
- 如权利要求5或6所述的方法,其特征在于,所述方法还包括:所述移动性管理网元向所述终端设备发送第二指示信息,所述第二指示信息指示以下信息中的一项或多项:支持所述终端设备在鉴权完成前传输数据、允许所述终端设备在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。
- 如权利要求5至7中任一项所述的方法,其特征在于,所述方法还包括:所述移动性管理网元向所述终端设备发送临时安全信息,所述临时安全信息是所述移动性管理网元选择的用于对鉴权完成前通过控制面传输的数据进行保护的安全信息。
- 如权利要求5至8中任一项所述的方法,其特征在于,所述方法还包括:当所述移动性管理网元不能与所述鉴权网元通信,所述移动性管理网元缓存所述数据;当所述移动性管理网元能够与所述鉴权网元通信,所述移动性管理网元获取缓存的所述数据并向数据网络发送所述数据。
- 如权利要求5至8中任一项所述的方法,其特征在于,所述方法还包括:当所述移动性管理网元不能与所述鉴权网元通信,所述移动性管理网元通知其它网元缓存所述数据;当所述移动性管理网元能够与所述鉴权网元通信,所述移动性管理网元通知所述其它网元向数据网络发送缓存的所述数据。
- 如权利要求1至10中任一项所述的方法,其特征在于,所述移动性管理网元生成第一鉴权信息和第一随机数之前,还包括:所述移动性管理网元确定当前无法与所述鉴权网元通信。
- 一种鉴权方法,其特征在于,包括:终端设备接收来自卫星上的移动性管理网元的第一随机数;所述终端设备根据所述第一随机数和长期密钥,生成第一鉴权信息,并向所述移动性管理网元发送所述第一鉴权信息,所述第一鉴权信息用于对所述终端设备进行鉴权,所述长期密钥是用于所述终端设备与网络进行通信的根密钥;所述终端设备接收来自所述移动性管理网元的通知消息,所述通知消息指示对所述终端设备的鉴权结果。
- 如权利要求12所述的方法,其特征在于,所述方法还包括:所述终端设备接收来自所述移动性管理网元的第二鉴权信息;所述终端设备根据所述第二鉴权信息,对所述移动性管理网元进行鉴权;所述终端设备根据所述第一随机数和长期密钥,生成第一鉴权信息,包括:在对所述移动性管理网元鉴权成功的情况下,所述终端设备根据所述第一随机数和所述长期密钥,生成所述第一鉴权信息。
- 如权利要求13所述的方法,其特征在于,所述第二鉴权信息是由所述移动性管理网元生成的或是预配置在所述移动性管理网元上的,所述第一随机数是由所述移动性管理网元生成的。
- 如权利要求13或14所述的方法,其特征在于,所述第二鉴权信息是根据所述终端设备发送至所述移动性管理网元的第二随机数生成的;所述终端设备根据所述第二鉴权信息,对所述移动性管理网元进行鉴权,包括:所述终端设备根据所述第二随机数生成第三鉴权信息;当所述第二鉴权信息与所述第三鉴权信息相同,所述终端设备确定对所述移动性管理网元鉴权成功;或者,当所述第二鉴权信息与所述第三鉴权信息不同,所述终端设备确定对所述移动性管理网元鉴权失败。
- 如权利要求13或14所述的方法,其特征在于,所述第二鉴权信息是对所述移动性管理网元中的信息进行加密后得到的;所述终端设备根据所述第二鉴权信息,对所述移动性管理网元进行鉴权,包括:所述终端设备使用公钥对所述第二鉴权信息进行解密;当解密成功,所述终端设备确定对所述移动性管理网元鉴权成功;或者,当解密失败,所述终端设备确定对所述移动性管理网元鉴权失败。
- 如权利要求12至16中任一项所述的方法,其特征在于,所述终端设备接收来自所述移动性管理网元的通知消息之前,还包括:所述终端设备通过用户面向接入网设备发送数据;或者,所述终端设备向所述移动性管理网元发送数据,所述数据与所述第一鉴权信息携带于同一个消息或不同的消息中。
- 如权利要求17所述的方法,其特征在于,所述方法还包括:所述终端设备向所述移动性管理网元发送第一指示信息,所述第一指示信息指示所述终端设备在鉴权完成前传输数据。
- 如权利要求17或18所述的方法,其特征在于,所述方法还包括:所述终端设备接收来自所述移动性管理网元的第二指示信息,所述第二指示信息指示以下信息中的一项或多项:支持所述终端设备在鉴权完成前传输数据、允许所述终端设备在鉴权完成前传输数据、允许传输的数据大小或速率限制信息。
- 如权利要求17至19中任一项所述的方法,其特征在于,所述方法还包括:所述终端设备接收临时安全信息;其中,所述临时安全信息是所述移动性管理网元选择的用于对鉴权完成前通过控制面传输的数据进行保护的安全信息;或者,所述临时安全信息是接入网设备选择的用于对鉴权完成前通过用户面传输的数据进行保护的安全信息。
- 一种通信装置,其特征在于,包括:处理器,用于调用并运行计算机程序,以执行如权利要求1至11中任一项所述方法,或执行如权利要求12至20中任一项所述方法。
- 一种计算机可读存储介质,其特征在于,所述存储介质中存储有计算机程序或指令,当所述计算机程序或指令被通信装置执行时,实现如权利要求1至11中任一项所述方法,或实现如权利要求12至20中任一项所述方法。
- 一种通信系统,其特征在于,包括鉴权网元,和用于执行如权利要求1至11中任一项所述方法的移动性管理网元;所述鉴权网元,用于接收来自所述移动性管理网元的第一鉴权信息和第一随机数;根据所述第一鉴权信息和所述第一随机数,对终端设备进行鉴权;以及向所述移动性管理网元发送鉴权结果。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211154133.5 | 2022-09-21 | ||
CN202211154133.5A CN117793710A (zh) | 2022-09-21 | 2022-09-21 | 鉴权方法、通信装置及通信系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024060626A1 true WO2024060626A1 (zh) | 2024-03-28 |
Family
ID=90384010
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/091346 WO2024060626A1 (zh) | 2022-09-21 | 2023-04-27 | 鉴权方法、通信装置及通信系统 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117793710A (zh) |
WO (1) | WO2024060626A1 (zh) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109041057A (zh) * | 2018-08-08 | 2018-12-18 | 兴唐通信科技有限公司 | 一种基于5g aka的核心网网元间鉴权流程安全性增强方法 |
CN110087338A (zh) * | 2019-04-23 | 2019-08-02 | 海信集团有限公司 | 一种窄带物联网进行鉴权的方法及设备 |
CN111757311A (zh) * | 2019-03-29 | 2020-10-09 | 华为技术有限公司 | 一种鉴权方法及通信装置 |
CN114024594A (zh) * | 2021-11-09 | 2022-02-08 | 北京中科晶上科技股份有限公司 | 卫星通信系统的通信方法和装置 |
-
2022
- 2022-09-21 CN CN202211154133.5A patent/CN117793710A/zh active Pending
-
2023
- 2023-04-27 WO PCT/CN2023/091346 patent/WO2024060626A1/zh unknown
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109041057A (zh) * | 2018-08-08 | 2018-12-18 | 兴唐通信科技有限公司 | 一种基于5g aka的核心网网元间鉴权流程安全性增强方法 |
CN111757311A (zh) * | 2019-03-29 | 2020-10-09 | 华为技术有限公司 | 一种鉴权方法及通信装置 |
CN110087338A (zh) * | 2019-04-23 | 2019-08-02 | 海信集团有限公司 | 一种窄带物联网进行鉴权的方法及设备 |
CN114024594A (zh) * | 2021-11-09 | 2022-02-08 | 北京中科晶上科技股份有限公司 | 卫星通信系统的通信方法和装置 |
Non-Patent Citations (1)
Title |
---|
VODAFONE: "pCR to 33.501 - DH procedure with SEAF for protection against passive eavesdropping", 3GPP DRAFT; S3-173263 - PCR TO 33.501 - DH PROCEDURE WITH SEAF FOR PROTECTION AGAINST PASSIVE EAVESDROPPING, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Reno, USA; 20171127 - 20171201, 20 November 2017 (2017-11-20), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 6, XP051380513 * |
Also Published As
Publication number | Publication date |
---|---|
CN117793710A (zh) | 2024-03-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102428262B1 (ko) | 이종 액세스 네트워크를 통한 연결의 보안 실현을 위한 방법 및 장치 | |
US11805409B2 (en) | System and method for deriving a profile for a target endpoint device | |
KR101961301B1 (ko) | 통합된 스몰 셀 및 wi-fi 네트워크를 위한 통합 인증 | |
US10798082B2 (en) | Network authentication triggering method and related device | |
WO2019019736A1 (zh) | 安全实现方法、相关装置以及系统 | |
JP2022502908A (ja) | Nasメッセージのセキュリティ保護のためのシステム及び方法 | |
WO2018170617A1 (zh) | 一种基于非3gpp网络的入网认证方法、相关设备及系统 | |
WO2020029729A1 (zh) | 一种通信方法和装置 | |
US20060128362A1 (en) | UMTS-WLAN interworking system and authentication method therefor | |
WO2019096075A1 (zh) | 一种消息保护的方法及装置 | |
KR101002799B1 (ko) | 이동통신 네트워크 및 상기 이동통신 네트워크에서 이동 노드의 인증을 수행하는 방법 및 장치 | |
US20230319556A1 (en) | Key obtaining method and communication apparatus | |
JP2017538345A (ja) | 方法、装置およびシステム | |
US20220303763A1 (en) | Communication method, apparatus, and system | |
WO2011116713A2 (zh) | Mtc终端通过网关与网络通信的方法、设备及系统 | |
US20240305983A1 (en) | Communication method and apparatus | |
WO2023185880A9 (zh) | 一种接入网设备的确定方法 | |
US20240179525A1 (en) | Secure communication method and apparatus | |
CN115699834A (zh) | 支持远程单元重新认证 | |
Kunz et al. | New 3GPP security features in 5G phase 1 | |
US20240276213A1 (en) | Security for store and forward service via satellite access | |
WO2024067619A1 (zh) | 通信方法和通信装置 | |
WO2023213301A1 (zh) | 鉴权方法、通信装置和计算机可读存储介质 | |
US20230336992A1 (en) | Method and apparatus for authenticating user equipment in wireless communication system | |
WO2023071885A1 (zh) | 一种通信方法及通信装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23866923 Country of ref document: EP Kind code of ref document: A1 |