Communication method and communication apparatus

The first core network device obtains the attribute information of the target credential and uses it to trigger the terminal device. This solves the problem of terminal devices failing authentication when two authentication processes are required in non-public networks: the correct authentication process is executed and the access success rate is improved.

CN115348580B · Active · Publication Date: 2026-06-19 · HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: HUAWEI TECH CO LTD
Filing Date: 2021-05-12
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

A terminal device in a non-public network needs to perform two authentication processes; using the credential of one process to perform the other leads to authentication failure.

Method used

The first core network device obtains the target credential and its attribute information and triggers the terminal device to execute the correct authentication process, either by sending the attribute information of the credential or by initiating a related process, so that the terminal device knows which authentication process to execute.

Benefits of technology

This ensures that terminal devices can correctly execute the authentication process, avoid authentication failures, and improve the success rate of terminal devices accessing non-public networks.

✦ Generated by Eureka AI based on patent content.


Abstract

This application provides a communication method and a communication device. The method includes: a first core network device acquiring a target credential and its attribute information, and sending the target credential to a terminal device; the first core network device triggering the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential. The communication method provided by this application enables the terminal device to know which authentication process should be executed using the acquired credential; in other words, this method enables the terminal device to execute the authentication process corresponding to the acquired credential.

Description

Technical Field

[0001] This application relates to the field of communications, and more specifically, to communication methods and communication apparatus in the field of communications.

Background Technology

[0002] A non-public network (NPN) is a network that provides services to specific terminal devices, distinct from a public land mobile network (PLMN). Typically, NPN services can also be provided by the PLMN. For example, the PLMN can provide NPN services by offering special network slices and / or data networks. For a terminal device to access NPN services from a PLMN, it must complete at least two authentication processes. Only when both authentication processes are successful can the terminal device access the NPN services provided by the PLMN.

[0003] Since the terminal device needs to perform at least two authentication processes, it will obtain at least two types of credentials for authentication. If the terminal device uses the credentials corresponding to one authentication process to perform another authentication process, it will result in authentication failure.

Summary of the Invention

[0004] This application provides a communication method and a communication device to enable terminal devices to perform a correct authentication process.

[0005] In a first aspect, a communication method is provided, comprising: a first core network device acquiring a target credential and attribute information of the target credential; the first core network device sending the target credential to a terminal device; and the first core network device triggering the terminal device to execute a corresponding authentication process using the target credential based on the attribute information of the target credential (i.e., executing the authentication process corresponding to the target credential using the target credential).

[0006] In the above technical solution, after the first core network device obtains the target credential and its attribute information, it sends the target credential to the terminal device and triggers the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential. This enables the terminal device to know which authentication process should be executed using the obtained target credential.

[0007] Regarding the first core network device triggering the terminal device to execute the authentication process corresponding to the target credential using the target credential, the following two situations may be included:

[0008] Case 1

[0009] The first core network device sends the attribute information of the target credential to the terminal device, enabling the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0010] Case 2

[0011] Based on the attribute information of the target credential, the first core network device initiates an authentication process or a related process that can trigger the authentication process, enabling the terminal device to execute the authentication process corresponding to the target credential. For example, if the authentication process corresponding to the target credential is a slice authentication process, the first core network device can initiate an authentication process or initiate a deregistration process. The deregistration process is a related process that can trigger the slice authentication process.

[0012] It is worth mentioning that in Case 2, the first core network device can send the attribute information of the target credential to the terminal device, or it can choose not to send the attribute information of the target credential.

[0013] In conjunction with the first aspect, in some implementations of the first aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0014] In combination with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the first core network device triggers the terminal device to execute the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the first core network device sends the attribute information corresponding to the target credential to the terminal device, so that the terminal device executes the corresponding authentication process using the target credential based on the attribute information corresponding to the target credential.

[0015] In the above technical solution, in order to trigger the terminal device to use the target credential to execute the authentication process corresponding to the target credential, the first core network device can send the attribute information of the target credential to the terminal device after obtaining the attribute information of the target credential. After obtaining the attribute information of the target credential, the terminal device can know at least one of the target credential type and the authentication process corresponding to the target credential based on the attribute information of the target credential, thereby enabling the terminal device to use the target credential to execute the authentication process corresponding to the target credential based on the target credential type and the authentication process corresponding to the target credential.

[0016] In conjunction with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information. The first attribute information indicates that the type of the target credential is a credential used to perform a slice authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a slice authentication process. The first core network device triggers the terminal device to perform the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the first core network device triggers a deregistration process so that the terminal device performs the slice authentication process using the target credential after the deregistration process is completed.

[0017] In the above technical solution, after obtaining the attribute information of the target credential, the first core network device can know at least one of the type of the target credential and the authentication process corresponding to the target credential. In order to trigger the terminal device to use the target credential to execute the authentication process corresponding to the target credential, the first core network device can, according to at least one of the type of the target credential and the authentication process corresponding to the target credential, initiate an authentication process or trigger a related process of the authentication process, so that the terminal device can use the target credential to execute the authentication process corresponding to the target credential.

[0018] For example, if the first core network device learns that the authentication process corresponding to the target credential is a slice authentication process, in order to trigger the terminal device to use the target credential to execute the slice authentication process, the first core network device can trigger a deregistration process. The deregistration process can trigger the terminal device to execute the slice authentication process. For example, after the deregistration process is completed, the terminal device can initiate a registration process and use the target credential to execute the slice authentication process during the execution of the registration process.

[0019] In conjunction with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information. The first attribute information indicates that the type of the target credential is a credential for performing a secondary authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a secondary authentication process. The first core network device triggers the terminal device to perform the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the first core network device triggers a session management process so that the terminal device performs the secondary authentication process using the target credential during the execution of the session management process.

[0020] In the above technical solution, after obtaining the attribute information of the target credential, the first core network device can know at least one of the type of the target credential and the authentication process corresponding to the target credential. In order to trigger the terminal device to use the target credential to execute the authentication process corresponding to the target credential, the first core network device can, according to at least one of the type of the target credential and the authentication process corresponding to the target credential, initiate an authentication process or trigger a related process of the authentication process, so that the terminal device can use the target credential to execute the authentication process corresponding to the target credential.

[0021] For example, if the first core network device learns that the authentication process corresponding to the target credential is a secondary authentication process, in order to trigger the terminal device to use the target credential to perform the secondary authentication process, the first core network device can trigger the session management process, so that the terminal device uses the target credential to perform the secondary authentication process during the execution of the session management process.

[0022] In combination with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the session management process is a session establishment process or a session modification process.

[0023] In conjunction with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the first core network device obtaining the target credential includes: the first core network device obtaining the target credential from a service activation server or a second core network device.

[0024] In conjunction with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the attribute information of the target credential includes first attribute information, the first attribute information indicating the type of the target credential, and the first core network device obtaining the first attribute information includes: the first core network device obtaining the first attribute information from a service activation server or a second core network device.

[0025] In conjunction with the first aspect and the above implementation methods, in some implementation methods of the first aspect, the attribute information of the target credential includes second attribute information, the second attribute information indicating the authentication process corresponding to the target credential, and the first core network device obtaining the second attribute information includes: the first core network device obtaining the second attribute information from the second core network device, the second attribute information being generated by the second core network device based on the first attribute information after obtaining the first attribute information; or, the first core network device generating the second attribute information based on the first attribute information after obtaining the first attribute information.

[0026] In one implementation, after obtaining the first attribute information, the second core network device may not perform any processing on the first attribute information, but simply forward it. In other words, after obtaining the first attribute information, the second core network device forwards the first attribute information to the first core network device. After receiving the first attribute information, the first core network device can generate the second attribute information based on the first attribute information.

[0027] In another implementation, after obtaining the first attribute information, the second core network device can generate second attribute information based on the first attribute information and send at least one of the second attribute information and the first attribute information to the first core network device.

[0028] In this application, the first core network device can be one of an access and mobility management function (AMF) network element, a unified data management (UDM) network element, and a user plane function (UPF) network element, and the second core network device can be one of an access and mobility management function network element and a unified data management network element.

[0029] When the first core network device is an access and mobility management function network element, the second core network device can be a unified data management network element.

[0030] In a second aspect, a communication method is provided, comprising: a terminal device receiving a target credential sent by a first core network device or a service activation server; the terminal device obtaining attribute information of the target credential; and the terminal device executing a corresponding authentication process using the target credential based on the attribute information of the target credential (i.e., executing the authentication process corresponding to the target credential using the target credential).

[0031] In the above technical solution, after obtaining the target credential, the terminal device further obtains the attribute information of the target credential, and based on the attribute information of the target credential, determines which authentication process should be executed using the target credential, thereby enabling the terminal device to execute the authentication process corresponding to the target credential.

[0032] The methods for obtaining attribute information about the target credential by the terminal device can include the following:

[0033] Method 1: The terminal device can obtain the attribute information of the target credential from the first core network device.

[0034] The attribute information of the target credential obtained by the terminal device from the first core network device may include at least one of the first attribute information and the second attribute information.

[0035] For example, the attribute information of the target credential sent by the service activation server to the first core network device includes first attribute information. After receiving the first attribute information, the first core network device generates second attribute information based on the first attribute information and sends the attribute information of the target credential containing at least one of the first attribute information and the second attribute information to the terminal device.

[0036] For example, the attribute information of the target credential sent by the service activation server to the second core network device includes first attribute information. After receiving the first attribute information, the second core network device generates second attribute information based on the first attribute information and sends the attribute information of the target credential containing at least one of the first attribute information and the second attribute information to the first core network device. Then, the first core network device sends the attribute information of the target credential containing at least one of the first attribute information and the second attribute information to the terminal device.

[0037] Method 2: The terminal device can obtain the attribute information of the target credential from the service activation server.

[0038] The attribute information of the target credential obtained by the terminal device from the service activation server may include first attribute information. For example, the attribute information of the target credential sent by the service activation server to the first core network device includes first attribute information. The first core network device does not process the attribute information of the target credential from the service activation server, but only forwards it. In other words, the first core network device sends the attribute information of the target credential containing first attribute information to the terminal device.

[0039] Method 3: The terminal device obtains the attribute information of the target credential based on the authentication process initiated by the first core network device.

[0040] After receiving the attribute information of the target credential from the service activation server, the first core network device can trigger the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential. For example, if the attribute information of the target credential includes first attribute information, the first core network device can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential, and then trigger the relevant authentication process so that the terminal device can execute the authentication process corresponding to the target credential under the trigger of the relevant process.

[0041] For example, if the first attribute information indicates that the target credential is a credential used to perform a slice authentication process, then the first core network device can initiate a deregistration process (an example of a related process). The slice authentication process is executed after the deregistration process is completed; for instance, it is completed in the registration process initiated by the terminal after the deregistration process is completed. Therefore, when the terminal device senses the deregistration process, it can know that the type of the target credential it just received is a credential used to perform slice authentication, and it can also know that the authentication process corresponding to the target credential is a slice authentication process. In other words, after the terminal device senses the deregistration process, it can obtain the attribute information of the target credential.

[0042] In conjunction with the second aspect, in some implementations of the second aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0043] In conjunction with the second aspect and the above implementation methods, in some implementation methods of the second aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information. The first attribute information indicates that the type of the target credential is a credential for performing a slice authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a slice authentication process. The terminal device performs the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the terminal device performs a registration process based on the attribute information of the target credential, and in the process of performing the registration process, performs the slice authentication process using the target credential.

[0044] In the above technical solution, after the terminal device learns at least one of the following: that the type of the target credential is a credential used to perform the slice authentication process, and that the authentication process corresponding to the target credential is the slice authentication process, the terminal device can actively initiate a registration process and perform the slice authentication process during the registration process. Alternatively, the above registration process can also be passively initiated by the terminal device. For example, the first core network device first initiates a deregistration process, and the terminal device can initiate a registration process after the deregistration process is completed, and perform the slice authentication process using the target credential during the registration process.

[0045] In combination with the second aspect and the above implementation methods, in some implementation methods of the second aspect, the registration process is any one of the following: initial registration process, mobility registration update process, periodic registration update process, and emergency registration process.

[0046] In conjunction with the second aspect and the above implementation methods, in some implementation methods of the second aspect, the attribute information of the target credential includes at least one of first attribute information and second attribute information. The first attribute information indicates that the type of the target credential is a credential for performing a secondary authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a secondary authentication process. The terminal device performs the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the terminal device performs a session management process based on the attribute information of the target credential, and performs the secondary authentication process using the target credential during the execution of the session management process.

[0047] In the above technical solution, after the terminal device learns at least one of the following: that the type of the target credential is a credential used to perform a secondary authentication process, and that the authentication process corresponding to the target credential is the secondary authentication process, the terminal device can actively initiate a session management process and perform the secondary authentication process during the execution of the session management process. Alternatively, the session management process can also be initiated by the first core network device, so that the terminal device uses the target credential to perform the secondary authentication process during the execution of the session management process.

[0048] In combination with the second aspect and the above implementation methods, in some implementation methods of the second aspect, the session management process is either a session establishment process or a session modification process.
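The first and second aspects above ([0005] to [0048]) can be modelled as follows. This is an added example, not code from the patent or from any implementation: all class and function names, the `authenticate` stand-in for the network side and the credential byte strings are constructed for illustration, and rejecting contradictory attribute information is an assumption the text does not state.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CredentialType(Enum):   # first attribute information: type of the credential
    SLICE_AUTH = "credential for slice authentication"
    SECONDARY_AUTH = "credential for secondary authentication"


class AuthProcess(Enum):      # second attribute information: process the credential belongs to
    SLICE = "slice authentication"
    SECONDARY = "secondary authentication"


class Trigger(Enum):          # related process the core network can start (Case 2)
    DEREGISTRATION = "deregistration"
    SESSION_MANAGEMENT = "session management"


PROCESS_FOR_TYPE = {CredentialType.SLICE_AUTH: AuthProcess.SLICE,
                    CredentialType.SECONDARY_AUTH: AuthProcess.SECONDARY}
TRIGGER_FOR_PROCESS = {AuthProcess.SLICE: Trigger.DEREGISTRATION,
                       AuthProcess.SECONDARY: Trigger.SESSION_MANAGEMENT}
PROCESS_FOR_TRIGGER = {t: p for p, t in TRIGGER_FOR_PROCESS.items()}
HOST_PROCEDURE = {AuthProcess.SLICE: "registration",          # where the terminal runs it
                  AuthProcess.SECONDARY: "session management"}


@dataclass(frozen=True)
class Attributes:
    cred_type: Optional[CredentialType] = None
    auth_process: Optional[AuthProcess] = None


def resolve_process(attrs: Attributes) -> AuthProcess:
    """Return the authentication process, deriving the second attribute from the first if needed."""
    derived = PROCESS_FOR_TYPE[attrs.cred_type] if attrs.cred_type is not None else None
    if attrs.auth_process is None and derived is None:
        raise ValueError("no attribute information")
    # Assumption (not in the patent text): contradictory attributes are rejected.
    if attrs.auth_process is not None and derived is not None and attrs.auth_process is not derived:
        raise ValueError("first and second attribute information disagree")
    return attrs.auth_process if attrs.auth_process is not None else derived


@dataclass(frozen=True)
class Delivery:               # what the first core network device sends or starts
    credential: bytes
    attributes: Optional[Attributes] = None
    trigger: Optional[Trigger] = None


def core_network_deliver(credential: bytes, attrs: Attributes, case: int) -> Delivery:
    process = resolve_process(attrs)
    if case == 1:   # Case 1: send the attribute information with the credential
        return Delivery(credential, Attributes(attrs.cred_type, process))
    if case == 2:   # Case 2: start the related process; attributes are optional, omitted here
        return Delivery(credential, trigger=TRIGGER_FOR_PROCESS[process])
    raise ValueError("case must be 1 or 2")


class Terminal:
    def __init__(self) -> None:
        self.credentials: dict[AuthProcess, bytes] = {}

    def receive(self, d: Delivery) -> tuple[AuthProcess, str]:
        """Bind the credential to its process; return (process, procedure that hosts it)."""
        if d.attributes is not None:
            process = resolve_process(d.attributes)
        elif d.trigger is not None:   # Method 3: infer the attributes from the sensed process
            process = PROCESS_FOR_TRIGGER[d.trigger]
        else:
            raise ValueError("credential cannot be bound to an authentication process")
        self.credentials[process] = d.credential
        return process, HOST_PROCEDURE[process]


def authenticate(expected: dict, process: AuthProcess, credential: bytes) -> bool:
    """Constructed stand-in for the network side: the credential must match the process."""
    return hmac.compare_digest(expected[process], credential)


def run_demo() -> dict:
    slice_cred, secondary_cred = b"constructed-slice-cred", b"constructed-secondary-cred"
    expected = {AuthProcess.SLICE: slice_cred, AuthProcess.SECONDARY: secondary_cred}
    ue = Terminal()
    p1 = ue.receive(core_network_deliver(slice_cred, Attributes(CredentialType.SLICE_AUTH), 1))
    p2 = ue.receive(core_network_deliver(secondary_cred, Attributes(CredentialType.SECONDARY_AUTH), 2))
    return {
        "case1": p1, "case2": p2,
        "labelled_ok": all(authenticate(expected, p, c) for p, c in ue.credentials.items()),
        # Failure described in [0003]: a credential used for the other process.
        "swapped_ok": authenticate(expected, AuthProcess.SECONDARY, ue.credentials[AuthProcess.SLICE]),
    }
```

A `Delivery` that carries neither attribute information nor a trigger is refused by `Terminal.receive`, which is the situation the method is meant to rule out.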

[0049] In a third aspect, a communication method is provided, comprising: a service activation server obtaining a target credential and attribute information of the target credential; the service activation server sending the target credential and attribute information of the target credential to a first core network device.

[0050] In the above technical solution, the service activation server sends the target credential and its attribute information to the first core network device, so that the first core network device can know at least one of the type of the target credential and the authentication process corresponding to the target credential based on the attribute information of the target credential, and trigger the terminal device to use the target credential to execute the authentication process corresponding to the target credential based on the attribute information of the target credential, thereby achieving the purpose of the terminal device using the target credential to execute the authentication process corresponding to the target credential.

[0051] In conjunction with the third aspect, in some implementations of the third aspect, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0052] In conjunction with the third aspect and the above implementation methods, in some implementation methods of the third aspect, the method further includes: the service activation server obtaining the status information of the terminal device; the service activation server sending the target credential and the attribute information of the target credential to the first core network device, including: when the status information of the terminal device meets preset conditions, the service activation server sending the target credential and the attribute information of the target credential to the first core network device.

[0053] In the above technical solution, the service activation server obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will the service activation server send the target credential and the attribute information of the target credential to the first core network device, thereby optimizing the mechanism by which the service activation server sends the target credential and the attribute information of the target credential.

[0054] In combination with the third aspect and the above implementation methods, in some implementation methods of the third aspect, the status information includes either registration status information or location information.

[0055] In combination with the third aspect and the above implementation methods, in some implementation methods of the third aspect, the preset condition is: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

[0056] In combination with the third aspect and the above implementation methods, in some implementation methods of the third aspect, the target credential is either a credential used to perform the slice authentication process or a credential used to perform the secondary authentication process.

[0057] In a fourth aspect, a communication method is provided, comprising: a service activation server obtaining a target credential; the service activation server sending the target credential to the terminal device, so that the terminal device, after obtaining the attribute information of the target credential, uses the target credential to execute the corresponding authentication process (i.e., using the target credential to execute the authentication process corresponding to the target credential).

[0058] In one implementation, the target credential can be modified so that the modified target credential carries first attribute information, wherein the first attribute information indicates the type of the target credential.

[0059] In conjunction with the fourth aspect, in some implementations of the fourth aspect, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0060] In conjunction with the fourth aspect and the above implementation methods, in some implementation methods of the fourth aspect, the method further includes: the service activation server sending the attribute information of the target credential to the terminal device.

[0061] In conjunction with the fourth aspect and the above implementation methods, in some implementation methods of the fourth aspect, the method further includes: the service activation server obtaining the status information of the terminal device; the service activation server sending the target credential to the terminal device, including: when the status information of the terminal device meets preset conditions, the service activation server sending the target credential to the terminal device.

[0062] In combination with the fourth aspect and the above implementation methods, in some implementation methods of the fourth aspect, the status information includes either registration status information or location information.

[0063] In combination with the fourth aspect and the above implementation methods, in some implementation methods of the fourth aspect, the preset condition is: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

[0064] In combination with the fourth aspect and the above implementation methods, in some implementation methods of the fourth aspect, the target credential is either a credential used to perform the slice authentication process or a credential used to perform the secondary authentication process.

[0065] In a fifth aspect, a communication apparatus is provided for executing the method in any of the possible implementations of the above aspects. Specifically, the apparatus includes a unit for executing the method in any of the possible implementations of the above aspects.

[0066] In a sixth aspect, a communication device is provided, including a processor coupled to a memory, which can be used to execute instructions in the memory to implement the method in the first aspect or any possible implementation of the first aspect, or the method in the second aspect or any possible implementation of the second aspect, or the method in the third aspect or any possible implementation of the third aspect, or the method in the fourth aspect or any possible implementation of the fourth aspect.

[0067] In one possible implementation, the device further includes a memory. In another possible implementation, the device further includes a communication interface, to which the processor is coupled.

[0068] In one implementation, the device is a first core network device. When the device is a first core network device, the communication interface can be a transceiver, or an input / output interface.

[0069] In another implementation, the device is a chip configured in the first core network device. When the device is a chip configured in the first core network device, the communication interface can be an input / output interface.

[0070] In one implementation, the device is a terminal device. When the device is a terminal device, the communication interface can be a transceiver, or an input / output interface.

[0071] In another implementation, the device is a chip configured in a terminal device. When the device is a chip configured in a terminal device, the communication interface can be an input / output interface.

[0072] In one implementation, the device is a service provisioning server. When the device is a service provisioning server, the communication interface can be a transceiver, or an input / output interface.

[0073] In another implementation, the device is a chip configured in a service provisioning server. When the device is a chip configured in a service provisioning server, the communication interface can be an input / output interface.

[0074] In a seventh aspect, a processor is provided, comprising: an input circuit, an output circuit, and a processing circuit. The processing circuit is configured to receive signals through the input circuit and transmit signals through the output circuit, causing the processor to execute the methods of any possible implementation of the above aspects.

[0075] In specific implementation, the processor can be a chip, the input circuit can be input pins, the output circuit can be output pins, and the processing circuit can be transistors, gate circuits, flip-flops, and various logic circuits. The input signal received by the input circuit can be received and input by, for example, but not limited to, a receiver, and the signal output by the output circuit can be, for example, but not limited to, output to and transmitted by a transmitter. Furthermore, the input circuit and the output circuit can be the same circuit, which is used as both the input circuit and the output circuit at different times. This application does not limit the specific implementation of the processor and various circuits.

[0076] In an eighth aspect, an apparatus is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory and to receive signals via a receiver and transmit signals via a transmitter to execute the methods in any of the possible implementations of the foregoing aspects.

[0077] In one possible implementation, there are one or more processors and one or more memories.

[0078] In one possible implementation, the memory can be integrated with the processor, or the memory can be set up separately from the processor.

[0079] In the specific implementation process, the memory can be a non-transitory memory, such as read-only memory (ROM), which can be integrated with the processor on the same chip or set on different chips. This application does not limit the type of memory or the way the memory and processor are set.

[0080] The aforementioned device can be a chip. The processor can be implemented in hardware or software. When implemented in hardware, the processor can be a logic circuit, integrated circuit, etc. When implemented in software, the processor can be a general-purpose processor that reads software code stored in memory. The memory can be integrated into the processor or located outside the processor and exist independently.

[0081] In a ninth aspect, a communication system is provided, including one or more of the aforementioned first core network device, second core network device, terminal device, and service activation server.

[0082] In a tenth aspect, a computer program product is provided, comprising: a computer program (also referred to as code or instructions) that, when run, causes a computer to perform the method in any of the possible implementations of the foregoing aspects.

[0083] In an eleventh aspect, a computer-readable storage medium is provided that stores a computer program (also referred to as code or instructions) that, when run on a computer, causes the computer to perform the methods of any possible implementation of the foregoing aspects.

Attached Figure Description

[0084] Figure 1 is a schematic diagram of the system architecture provided in the embodiments of this application.

[0085] Figure 2 is a schematic diagram of an example communication method provided in an embodiment of this application.

[0086] Figure 3 is a schematic diagram of another communication method provided in the embodiments of this application.

[0087] Figure 4 is a schematic diagram of another communication method provided in the embodiments of this application.

[0088] Figure 5 is a schematic diagram of another communication method provided in the embodiments of this application.

[0089] Figure 6 is a schematic diagram of another communication method provided in the embodiments of this application.

[0090] Figure 7 is a schematic diagram of another communication method provided in the embodiments of this application.

[0091] Figure 8 is a schematic diagram of another communication method provided in the embodiments of this application.

[0092] Figure 9 is a schematic diagram of another communication method provided in the embodiments of this application.

[0093] Figure 10 is a schematic diagram of another communication method provided in the embodiments of this application.

[0094] Figure 11 is a schematic diagram of another communication method provided in the embodiments of this application.

[0095] Figure 12 is a schematic diagram of another communication method provided in the embodiments of this application.

[0096] Figure 13 is a schematic diagram of another communication method provided in the embodiments of this application.

[0097] Figure 14 is a schematic block diagram of a communication device provided in an embodiment of this application.

[0098] Figure 15 is another schematic block diagram of the communication device provided in the embodiments of this application.

Detailed Implementation

[0099] The technical solutions of the embodiments of this application will be described below with reference to the accompanying drawings. In the description of this application, unless otherwise stated, " / " indicates that the objects before and after are in an "or" relationship. For example, A / B can represent A or B. "And / or" in this application is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, and B alone, where A and B can be singular or plural. Furthermore, in the description of this application, unless otherwise stated, "multiple" refers to two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple. Furthermore, to facilitate a clear description of the technical solutions in the embodiments of this application, the terms "first" and "second" are used in the embodiments of this application to distinguish identical or similar items with substantially the same function and effect. Those skilled in the art will understand that the terms "first" and "second" do not limit the quantity or execution order, and that items described as "first" and "second" are not necessarily different.

[0100] The technical solutions of this application can be applied to various communication systems, such as New Radio (NR) in 5th Generation (5G) mobile communication systems and future mobile communication systems.

[0101] Figure 1 shows a schematic diagram of a network architecture applied to an embodiment of this application. This network architecture is described from the perspective of service-oriented interfaces. The various network elements involved in this network architecture will be described below.

[0102] 1. Radio access network (RAN) element: Used to provide network access functionality for authorized terminal devices in a specific area, and can use transmission tunnels of different quality according to the level of the terminal device, service requirements, etc.

[0103] (R)AN network elements can manage wireless resources, provide access services for terminal devices, and then complete the forwarding of control signals and terminal device data between the terminal device and the core network. (R)AN network elements can also be understood as base stations in traditional networks.

[0104] 2. User plane network elements: used for packet routing and forwarding, as well as quality of service (QoS) processing of user plane data.

[0105] In 5G communication systems, this user plane network element can be a user plane function (UPF) network element. In future communication systems, the user plane network element can still be a UPF network element, or it can have other names; this application does not limit this.

[0106] 3. Data network: A network used to provide data transmission.

[0107] In 5G communication systems, the data network can be a data network (DN). In future communication systems, the data network can still be a DN, or it can have other names; this application does not limit this.

[0108] 4. Access Management Network Element: Mainly used for mobility management and access management, it can be used to implement other functions of the mobility management entity (MME) besides session management, such as lawful interception and access authorization / authentication.

[0109] In 5G communication systems, the access management network element can be an access and mobility management function (AMF) network element. In future communication systems, the access management network element can still be an AMF network element, or it can have other names; this application does not limit this.

[0110] 5. Session Management Network Element: Primarily used for session management, allocation and management of Internet Protocol (IP) addresses for terminal devices, selection of endpoints for manageable user plane functions, policy control and charging function interfaces, and downlink data notification, etc.

[0111] In 5G communication systems, this session management network element can be a session management function (SMF) network element. In future communication systems, the session management network element can still be an SMF network element, or it can have other names; this application does not limit this.

[0112] 6. Network Open Element: Used to securely expose services and capabilities provided by 3GPP network function elements to the outside world.

[0113] In 5G communication systems, this network open element can be a network exposure function (NEF) element. In future communication systems, the network open element can still be a NEF element, or it can have other names; this application does not limit this.

[0114] 7. Unified data management network element: used to handle user identification, access authentication, registration, and mobility management, etc.

[0115] In 5G communication systems, this unified data management network element can be a unified data management (UDM) network element. In future communication systems, the unified data management network element can still be a UDM network element, or it can have other names; this application does not limit this.

[0116] 8. Authentication Service Network Element: This element performs primary authentication, i.e., authentication between the terminal device and the operator's network. After receiving an authentication request from a subscribed user, the Authentication Service Network Element can authenticate and / or authorize the subscribed user using authentication and / or authorization information stored in the Unified Data Management Network Element, or generate the subscribed user's authentication and / or authorization information using the Unified Data Management Network Element. The Authentication Service Network Element can then send the authentication and / or authorization information back to the subscribed user. In one implementation, the Authentication Service Network Element can also be co-located with the Unified Data Management Network Element.

[0117] In 5G communication systems, this authentication service network element can be an authentication server function (AUSF) network element. In future communication systems, the authentication service network element can still be an AUSF network element, or it can have other names; this application does not limit this.

[0118] 9. Application network elements: Used for data routing affected by applications, accessing network open function network elements, and interacting with the policy framework for policy control, etc.

[0119] In 5G communication systems, this application network element can be an application function (AF) network element. In future communication systems, the application network element can still be an AF network element, or it can have other names; this application does not limit this.

[0120] 10. Terminal equipment: This can include various handheld devices, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem with wireless communication capabilities, as well as various forms of terminals, such as mobile stations (MS), terminals, user equipment (UE), and soft terminals, for example water meters, electricity meters, and sensors.

[0121] In this network architecture, Namf is the service-based interface presented by AMF network element 105, Nsmf is the service-based interface presented by SMF network element 106, Nnef is the service-based interface presented by NEF network element 107, Nudm is the service-based interface presented by UDM network element 102, and Naf is the service-based interface presented by AF network element 104. N1 is the reference point between terminal device 111 and AMF network element 105; N2 is the reference point between (R)AN network element 110 and AMF network element 105, used for sending non-access stratum (NAS) messages, etc.; N3 is the reference point between (R)AN network element 110 and UPF network element 109, used for transmitting user plane data, etc.; N4 is the reference point between SMF network element 106 and UPF network element 109, used for transmitting information such as tunnel identification information of N3 connection, data cache attribute information, and downlink data notification messages, etc.; interface N6 is the reference point between UPF network element 109 and DN 108, used for transmitting user plane data, etc.

[0122] It should be noted that the names of the various network elements included in Figure 1 (such as UPF network element 109, UDM network element 102, etc.) are merely names and do not limit the function of the network element itself. In 5G networks and other future networks, the aforementioned network elements may also have other names, and this application embodiment does not specifically limit this. For example, in 6G networks, some or all of the aforementioned network elements may use the terminology from 5G, or they may have other names, etc. This is explained uniformly here and will not be repeated below. In addition, it is understood that the aforementioned network elements or functions can be network components in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (e.g., cloud platform). The aforementioned network elements or functions can be divided into one or more services, and furthermore, services that exist independently of network functions may also appear. In this application, instances of the aforementioned functions, instances of services included in the aforementioned functions, or instances of services that exist independently of network functions can all be referred to as service instances.

[0123] It should be noted that the various network elements in Figure 1 do not necessarily have to exist at the same time; the required network elements can be determined based on the needs. The connection relationships between the various network elements in Figure 1 are not uniquely determined and can be adjusted according to requirements.

[0124] To facilitate understanding of the embodiments of this application, a brief introduction to the network and related terms involved in this application will be given first.

[0125] Non-public network (NPN)

[0126] An NPN is a network that provides services to specific users, distinct from public networks. According to the 3GPP protocol TS 23.501, based on whether the core network (CN) is independent, NPNs include the following two types:

[0127] 1. Standalone NPN (SNPN)

[0128] SNPN does not depend on PLMN, but is operated by the SNPN operator. This can be understood as the SNPN's core network being independent of the PLMN; in other words, the SNPN's core network is independently operated by the SNPN.

[0129] 2. Non-Standalone NPN (Public Network Integrated NPN, PNI-NPN): This network relies on a PLMN; in other words, PNI-NPN is operated by traditional carriers. It can be understood that PNI-NPN is essentially a PLMN, except that the PLMN provides special network slices and / or data networks to deliver NPN services. Simply put, PNI-NPN isolates public network services from NPN services through slicing, thereby providing NPN services to terminal devices within the NPN.

[0130] The network architecture of PNI-NPN is no different from that of PLMN; their network architectures can be similar, as shown in Figure 1.

[0131] To access NPN services, a terminal device first needs to connect to a network slice provided by the PLMN. This connection requires the terminal device to use slice authentication credentials to perform a slice authentication process. Only after successful authentication can the terminal device successfully connect to the network slice. After connecting, to access NPN services, the terminal device needs to establish a session. This session establishment process involves a secondary authentication process using credentials. Only after successful secondary authentication can the session be successfully established. Once established, the terminal device can modify the session. To modify the session, the terminal device initiates a session modification process. This modification process includes a secondary authentication step. Successful secondary authentication signifies successful modification of the session. In this application, the session establishment and modification processes are collectively referred to as the session management process.

[0132] The various credentials required to execute the above authentication process can be sent to the terminal device by the provision server (PVS). In other words, the provision server provides credentials to the terminal device. It is worth mentioning that this application does not specifically limit the name of the server that provides credentials to the terminal device; the server that provides credentials can also be called a credential provision server, service activation server, or certificate provision server.

[0133] The method 200 for obtaining credentials for terminal devices provided in this application is described below with reference to Figure 2. It is worth mentioning that the process of "obtaining credentials for terminal devices" in this application can also be called "online signing". For ease of description, the network element number is omitted below. For example, "UPF network element" in the following text means "UPF network element 109", and "UDM network element" means "UDM network element 102".

[0134] Step 201: Register the terminal device with PLMN.

[0135] The terminal device is registered with the PLMN, where the PLMN refers to the PLMN to which the PNI-NPN belongs.

[0136] Step 202: The terminal device obtains the slice information of the network slice used for online signing and / or the name information of the data network.

[0137] The slice information of a network slice can be either single network slice selection assistance information (S-NSSAI) or network slice selection assistance information (NSSAI), and the name information of a data network can be the data network name (DNN).

[0138] The information in step 202 can be pre-configured on the terminal device before the terminal device registers with the PLMN, or it can be obtained by the terminal device from the network side. For example, the terminal device can obtain the above information from the network side before, during or after registering with the PLMN.

[0139] Step 203: The terminal device establishes a session based on the network slice information and the data network name information.

[0140] The terminal device establishes a session based on the network slice information and data network name information in step 202. The session established here is used by the terminal device to obtain credentials from the PVS. This session can be, for example, a protocol data unit (PDU) session.

[0141] Step 204: The terminal device establishes an Internet Protocol (IP) connection with the PVS.

[0142] In steps 205 to 207, the PVS sends credentials to the terminal device through the UPF network element and the RAN network element.

[0143] In steps 208 to 210, the PVS sends credentials to the terminal device through the UDM network element and the AMF network element. It is worth noting that if the PVS is a trusted device, it can directly send credentials to the UDM network element; if the PVS is an untrusted device, it can send credentials to the UDM network element through the NEF network element (not shown in Figure 2).

[0144] It should be noted that when PVS issues credentials to terminal devices, it can issue credentials through the user plane channel or through the control plane channel. When issuing credentials through the user plane channel, steps 208 to 210 in the above method 200 may not be executed. In other words, only steps 201 to 204 and steps 205 to 207 are executed. When issuing credentials through the control plane channel, steps 202 to 204 and steps 205 to 207 in the above method 200 may not be executed. In other words, only steps 201 and steps 208 to 210 are executed.

[0145] In method 200, the type of credentials sent by the PVS to the terminal device through the control plane channel or the user plane channel may be more than one. For example, in the scenario where NPN services are provided by the PLMN, the PVS will issue credentials for slice authentication and credentials for secondary authentication in the session management process to the terminal device. The terminal device can only obtain NPN services when it passes slice authentication using slice credentials and / or passes secondary authentication in the session management process using secondary authentication credentials.

[0146] However, when the PVS issues more than one type of credential to the terminal device, the terminal device needs to know which credential is used to perform which authentication process. Otherwise, even if the terminal device obtains the credential, it will not know which authentication process to perform with the obtained credential.

[0147] In view of this, this application provides a communication method that enables a terminal device to know which authentication process should be performed using the acquired credentials.

[0148] The communication method provided in this application will be described in detail below. Based on method 200 shown in Figure 2, the communication method 300 provided in this application is first described with reference to Figure 3.

[0149] Step 301: The first core network device obtains the target credential and the attribute information of the target credential.

[0150] The first core network device can obtain the target credential and its attribute information from the PVS. For example, after obtaining the target credential and its attribute information, the PVS sends the target credential and its attribute information to the first core network device. Here, the PVS obtaining the target credential and its attribute information includes the case where the PVS itself generates the target credential and its attribute information.

[0151] Specifically, the attribute information of the target credential can indicate at least one of the target credential type and the corresponding authentication process. In other words, the first core network device can determine at least one of the target credential type and the corresponding authentication process based on the target credential's attribute information. The target credential type can indicate which authentication process the target credential is used to perform. For example, the target credential type can indicate that the target credential is used to perform a slice authentication process, or the target credential type can indicate that the target credential is used to perform a secondary authentication process.

[0152] For example, the attribute information of the target credential includes at least one of first attribute information and second attribute information, wherein the first attribute information indicates the type of the target credential and the second attribute information indicates the authentication process corresponding to the target credential.

[0153] For example, in one implementation, the first attribute information may include several bits. For instance, the first attribute information may include one bit. When the value of the bit is 0, it indicates that the type of the target credential is a credential used to perform the slice authentication process. Or, when the value of the bit is 1, it indicates that the type of the target credential is a credential used to perform the secondary authentication process.

[0154] In another implementation, the first attribute information may include several strings. For example, when the first attribute information includes any one of "slice", "slice authentication", "slice-specific authentication", or "slice-specific authentication and authorization", it means that the type of the target credential is a credential used to perform the slice authentication process. Or, when the first attribute information includes any one of "secondary" or "secondary authorization or authentication", it means that the type of the target credential is a credential used to perform the secondary authentication process.

[0155] For example, in one implementation, the second attribute information may include several bits. For instance, the second attribute information may include one bit. When the value of the bit is 0, it indicates that the authentication process corresponding to the target credential is a slice authentication process. Or, when the value of the bit is 1, it indicates that the authentication process corresponding to the target credential is a secondary authentication process.

[0156] In another implementation, the second attribute information may include several strings. For example, when the second attribute information includes any one of the strings "slice authentication procedure", "slice-specific authentication procedure", or "slice-specific authentication and authorization procedure", it means that the authentication process corresponding to the target credential is a slice authentication procedure. Or, when the second attribute information includes any one of the strings "secondary procedure" or "secondary authorization or authentication procedure", it means that the authentication process corresponding to the target credential is a secondary authentication procedure.

[0157] In one implementation, PVS can directly send the target credential and its attribute information to the terminal device after obtaining or generating the target credential and its attribute information.

[0158] In another implementation, PVS can obtain the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS send the target credential and the attribute information of the target credential to the terminal device.

[0159] PVS can obtain the status information of terminal devices in the following ways:

[0160] For example, PVS can subscribe to the status information of terminal devices from the first core network device. After obtaining the status information of the terminal devices, the first core network device will inform the PVS of the status information of the terminal devices.

[0161] For example, the status information of the terminal device may include at least one of registration status information and location information. In this case, the above-mentioned preset conditions may be: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

[0162] Based on whether the obtained terminal device status information meets the above preset conditions, PVS determines whether to send the target credential and its attribute information to the terminal device.

[0163] For example, the status information of the terminal device obtained by PVS is the registration status information of the terminal device. Assuming that the registration status information of the terminal device indicates that the terminal device is registered, in this case, PVS can send the target credential and the attribute information of the target credential to the terminal device.
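The attribute encodings of paragraphs [0153] to [0156] and the preset condition of [0161], as an added Python example (not code from the patent). The class and function names, the exact-match string comparison and the sample identifiers are assumptions; the sketch refuses to store a credential when its attribute information is missing, unknown or contradictory, so a credential is never bound to the wrong authentication process.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Union


class Procedure(Enum):
    SLICE_AUTH = "slice authentication process"
    SECONDARY_AUTH = "secondary authentication process"


class CredentialAttributeError(ValueError):
    """Attribute information is missing, unknown or self-contradictory."""


# One-bit form from [0153] and [0155]: 0 = slice, 1 = secondary.
BIT_VALUES = {0: Procedure.SLICE_AUTH, 1: Procedure.SECONDARY_AUTH}

# String forms listed in [0154] (first attribute information: credential type).
FIRST_STRINGS = {
    "slice": Procedure.SLICE_AUTH,
    "slice authentication": Procedure.SLICE_AUTH,
    "slice-specific authentication": Procedure.SLICE_AUTH,
    "slice-specific authentication and authorization": Procedure.SLICE_AUTH,
    "secondary": Procedure.SECONDARY_AUTH,
    "secondary authorization or authentication": Procedure.SECONDARY_AUTH,
}
# String forms listed in [0156] (second attribute information: authentication process).
SECOND_STRINGS = {
    "slice authentication procedure": Procedure.SLICE_AUTH,
    "slice-specific authentication procedure": Procedure.SLICE_AUTH,
    "slice-specific authentication and authorization procedure": Procedure.SLICE_AUTH,
    "secondary procedure": Procedure.SECONDARY_AUTH,
    "secondary authorization or authentication procedure": Procedure.SECONDARY_AUTH,
}

Attr = Union[int, str, None]


def _decode(value: Attr, strings: Dict[str, Procedure], name: str) -> Procedure:
    # bool is a subclass of int in Python; refuse it so True is not read as bit 1.
    if isinstance(value, int) and not isinstance(value, bool):
        if value in BIT_VALUES:
            return BIT_VALUES[value]
    elif isinstance(value, str):
        # Assumption: exact match after case and whitespace normalisation.
        key = " ".join(value.lower().split())
        if key in strings:
            return strings[key]
    raise CredentialAttributeError(f"{name} attribute has unknown value {value!r}")


def resolve_procedure(first: Attr = None, second: Attr = None) -> Procedure:
    """Map attribute information to exactly one procedure, or raise."""
    decoded = set()
    if first is not None:
        decoded.add(_decode(first, FIRST_STRINGS, "first"))
    if second is not None:
        decoded.add(_decode(second, SECOND_STRINGS, "second"))
    if not decoded:
        raise CredentialAttributeError("no attribute information supplied")
    if len(decoded) > 1:
        raise CredentialAttributeError("first and second attribute disagree")
    return decoded.pop()


@dataclass(frozen=True)
class TerminalStatus:
    registered: Optional[bool] = None    # registration status information
    tracking_area: Optional[str] = None  # location information
    cell: Optional[str] = None


def may_send_credential(status: TerminalStatus,
                        npn_tracking_areas: FrozenSet[str],
                        npn_cells: FrozenSet[str]) -> bool:
    """Preset condition of [0161]: registered, or located in a target TA or cell."""
    if status.registered is True:
        return True
    return status.tracking_area in npn_tracking_areas or status.cell in npn_cells


@dataclass
class TerminalCredentialStore:
    """Terminal side: one credential slot per authentication procedure."""
    slots: Dict[Procedure, bytes] = field(default_factory=dict)

    def provision(self, credential: bytes, first: Attr = None, second: Attr = None) -> Procedure:
        procedure = resolve_procedure(first, second)  # raises before anything is stored
        self.slots[procedure] = credential
        return procedure

    def credential_for(self, procedure: Procedure) -> bytes:
        return self.slots[procedure]


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    status = TerminalStatus(registered=False, cell="cell-17")
    store = TerminalCredentialStore()
    if may_send_credential(status, frozenset({"ta-0001"}), frozenset({"cell-17"})):
        print(store.provision(b"constructed-slice-credential", first=0))
        print(store.provision(b"constructed-secondary-credential", second="Secondary Procedure"))
```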

[0164] Step 302: The first core network device sends the target credential to the terminal device. Accordingly, the terminal device receives the target credential from the first core network device.

[0165] Step 303: The first core network device triggers the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0166] For example, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information. The first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential. Therefore, after obtaining the attribute information of the target credential, the first core network device can determine at least one of the type of the target credential and the authentication process corresponding to the target credential based on the attribute information of the target credential. Then, the first core network device can trigger the terminal device to use the target credential to execute the authentication process corresponding to the target credential.

[0167] Regarding the first core network device triggering the terminal device to execute the authentication process corresponding to the target credential using the target credential, the following two situations may be included:

[0168] Case 1

[0169] The first core network device sends the attribute information of the target credential to the terminal device, enabling the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0170] Case 2

[0171] Based on the attribute information of the target credential, the first core network device initiates an authentication process or a related process that can trigger the authentication process, enabling the terminal device to execute the authentication process corresponding to the target credential. For example, if the authentication process corresponding to the target credential is a slice authentication process, the first core network device can initiate an authentication process or initiate a deregistration process. The deregistration process is a related process that can trigger the slice authentication process.

[0172] It is worth mentioning that in Case 2, the first core network device can send the attribute information of the target credential to the terminal device, or it can choose not to send the attribute information of the target credential.

[0173] Step 304: The terminal device obtains the attribute information of the target credential.

[0174] Terminal devices can obtain the attribute information of the target credential in the following ways:

[0175] Method 1

[0176] Terminal devices can obtain the attribute information of the target credential from the first core network device.

[0177] The attribute information of the target credential obtained by the terminal device from the first core network device may include at least one of the first attribute information and the second attribute information.

[0178] For example, the target credential sent by PVS to the first core network device includes first attribute information. After receiving the first attribute information, the first core network device generates second attribute information based on the first attribute information and sends the target credential attribute information containing at least one of the first attribute information and the second attribute information to the terminal device.

[0179] For example, the attribute information of the target credential sent by PVS to the second core network device includes first attribute information. After receiving the first attribute information, the second core network device generates second attribute information based on the first attribute information and sends the attribute information of the target credential containing at least one of the first attribute information and the second attribute information to the first core network device. Then, the first core network device sends the attribute information of the target credential containing at least one of the first attribute information and the second attribute information to the terminal device.

[0180] Method 2

[0181] Terminal devices can obtain the attribute information of the target credential from PVS.

[0182] The attribute information of the target credential obtained by the terminal device from the PVS may include first attribute information. For example, the attribute information of the target credential sent by the PVS to the first core network device includes first attribute information. The first core network device does not process the attribute information of the target credential from the PVS, but only forwards it. In other words, the first core network device sends the attribute information of the target credential containing first attribute information to the terminal device.

[0183] Method 3

[0184] The terminal device obtains the attribute information of the target credential based on the authentication process initiated by the first core network device.

[0185] After receiving the attribute information of the target credential from the PVS, the first core network device can trigger the terminal device to execute the authentication process corresponding to the target credential based on the attribute information of the target credential. For example, if the attribute information of the target credential includes first attribute information, the first core network device can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential, and then trigger the relevant authentication process so that the terminal device can execute the authentication process corresponding to the target credential under the trigger of the relevant process.

[0186] For example, if the first attribute information indicates that the target credential is a credential used to perform a slice authentication process, then the first core network device can initiate a deregistration process (an example of a related process). The slice authentication process is executed after the deregistration process is completed (for instance, the slice authentication process is completed in the registration process initiated by the terminal after the deregistration process is completed). Therefore, when the terminal device senses the deregistration process, it can know that the type of the target credential it just received is a credential used to perform slice authentication, and it can also know that the authentication process corresponding to the target credential is a slice authentication process. In other words, after the terminal device senses the deregistration process, it can obtain the attribute information of the target credential.

[0187] Step 305: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential. It is worth noting that step 305 can also be replaced with: The terminal device executes the corresponding authentication process based on the attribute information of the target credential.

[0188] Once the terminal device obtains the attribute information of the target credential through any of the methods 1 to 3 described above, the terminal device can use the target credential to execute the authentication process corresponding to the target credential.

[0189] For example, the attribute information of the target credential obtained by the terminal device includes at least one of a first attribute and a second attribute. The first attribute indicates that the target credential is a credential used to perform a slice authentication process, and the second attribute indicates that the corresponding authentication process for the target credential is a slice authentication process. The terminal device can use the target credential to perform the slice authentication process. In this case, the following two situations exist:

[0190] Case 1

[0191] The terminal device can perform the slice authentication process during the registration process. For example, the terminal device can initiate one of the registration processes, such as the initial registration process, the mobile registration update process, the periodic registration update process, and the emergency registration process. Assuming that the terminal device initiates the mobile registration process, the terminal device can perform the slice authentication process during the execution of the mobile registration process.

[0192] Case 2

[0193] The first core network device initiates a deregistration process. After the deregistration process is completed, the terminal device can use the target credential to perform the slice authentication process. For example, after the deregistration process is completed, the terminal device initiates a registration process and uses the target credential to perform the slice authentication process during the registration process; or, the first core network device initiates a slice authentication process, causing the terminal device to use the target credential to perform the slice authentication process.

[0194] For example, the attribute information of the target credential obtained by the terminal device includes at least one of a first attribute and a second attribute. The first attribute indicates that the target credential is a credential used to perform a secondary authentication process, and the second attribute indicates that the corresponding authentication process for the target credential is a secondary authentication process. The terminal device can use the target credential to perform the secondary authentication process. In this case, the following two situations exist:

[0195] Case 1

[0196] Terminal devices can perform secondary authentication processes during the execution of session management processes. For example, a terminal device can initiate one of the session management processes, such as a session establishment process or a session modification process. If the terminal device initiates a session establishment process, it can perform secondary authentication processes during the execution of the session establishment process.

[0197] Case 2

[0198] The first core network device initiates a session management process, such as a session establishment process or a session modification process, which enables the terminal device to perform a secondary authentication process during the execution of the session management process.

[0199] Based on the technical solution of method 300, after the first core network device obtains the target credential and the attribute information of the target credential, it sends the target credential to the terminal device and triggers the terminal device to execute the authentication process corresponding to the target credential using the obtained target credential according to the attribute information of the target credential. This enables the terminal device to know which authentication process should be executed using the obtained target credential.
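An added illustration, not part of the patent text, of steps 303 to 305: a core network device derives the second attribute information from the first, and the terminal device resolves which authentication process to run from whatever it obtained through methods 1 to 3. All Python names, the session-management trigger mapping (inferred from [0198]) and the choice to refuse missing or conflicting information are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class CredentialType(Enum):
    """First attribute information: the type of the target credential."""
    SLICE = "slice-authentication credential"
    SECONDARY = "secondary-authentication credential"


class AuthProcess(Enum):
    """Second attribute information: the authentication process to execute."""
    SLICE_AUTH = "slice authentication"
    SECONDARY_AUTH = "secondary authentication"


class NetworkProcedure(Enum):
    """Network-initiated procedures the terminal can sense (method 3)."""
    DEREGISTRATION = "deregistration"
    SESSION_MANAGEMENT = "session management"


# Credential type -> authentication process (the mapping behind [0178]).
TYPE_TO_PROCESS = {
    CredentialType.SLICE: AuthProcess.SLICE_AUTH,
    CredentialType.SECONDARY: AuthProcess.SECONDARY_AUTH,
}

# Procedure during which the terminal runs each authentication ([0191], [0196]).
CARRIER_PROCEDURE = {
    AuthProcess.SLICE_AUTH: "registration",
    AuthProcess.SECONDARY_AUTH: "session management",
}

# Method 3: what a sensed procedure implies. Deregistration is from [0186];
# the session-management entry is an assumption drawn from [0198].
TRIGGER_TO_PROCESS = {
    NetworkProcedure.DEREGISTRATION: AuthProcess.SLICE_AUTH,
    NetworkProcedure.SESSION_MANAGEMENT: AuthProcess.SECONDARY_AUTH,
}


@dataclass(frozen=True)
class AttributeInfo:
    """Attribute information: at least one of first and second is expected."""
    first: Optional[CredentialType] = None
    second: Optional[AuthProcess] = None


def derive_second_attribute(attrs: AttributeInfo) -> AttributeInfo:
    """Core network side: generate the second attribute from the first."""
    if attrs.first is None:
        raise ValueError("first attribute information is required")
    return AttributeInfo(first=attrs.first, second=TYPE_TO_PROCESS[attrs.first])


def resolve_auth_process(
    attrs: Optional[AttributeInfo],
    sensed: Optional[NetworkProcedure] = None,
) -> Tuple[AuthProcess, str]:
    """Terminal side (steps 304 and 305): decide which authentication to run.

    Returns the authentication process and the procedure that carries it.
    Refusing on missing or conflicting information is this example's choice.
    """
    candidates = set()
    if attrs is not None:
        if attrs.first is not None:      # methods 1 and 2: type received
            candidates.add(TYPE_TO_PROCESS[attrs.first])
        if attrs.second is not None:     # method 1: process received
            candidates.add(attrs.second)
    if sensed is not None:               # method 3: inferred from a procedure
        candidates.add(TRIGGER_TO_PROCESS[sensed])

    if not candidates:
        # The failure mode the application addresses: a credential arrived
        # but nothing tells the terminal which process it belongs to.
        raise LookupError("authentication process for credential is unknown")
    if len(candidates) > 1:
        raise ValueError("attribute information is inconsistent")
    process = candidates.pop()
    return process, CARRIER_PROCEDURE[process]


if __name__ == "__main__":
    # Constructed inputs for illustration.
    forwarded = AttributeInfo(first=CredentialType.SECONDARY)
    enriched = derive_second_attribute(forwarded)
    print(resolve_auth_process(enriched))
    print(resolve_auth_process(None, NetworkProcedure.DEREGISTRATION))
```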

[0200] The following describes in detail, with reference to Figures 4 to 13, the communication device 300 provided in this application. First, taking the case where the first core network device is a UDM network element as an example, method 400 is introduced with reference to Figure 4.

[0201] Step 401: The terminal device registers with the PLMN. For a detailed description of step 401, please refer to the relevant description in step 201. For the sake of brevity, it will not be repeated here.

[0202] Step 402: PVS sends the target credential and its attribute information to the UDM network element.

[0203] The attribute information of the target credential sent by PVS to the UDM network element may include first attribute information, wherein the first attribute information may indicate the type of the target credential.

[0204] For example, PVS can send Nudm_ParameterProvision_Create or Nudm_ParameterProvision_Update messages to UDM network elements. The Nudm_ParameterProvision_Create or Nudm_ParameterProvision_Update messages may include the target credential and the attribute information of the target credential.

[0205] It is worth mentioning that, in addition to sending the target credential and its attribute information, PVS can also send the subscription permanent identifier (SUPI) and / or the generic public subscription identifier (GPSI) to the UDM network element. The SUPI can be obtained by mapping the GPSI.

[0206] For example, PVS sends a Nudm_ParameterProvision_Create message or a Nudm_ParameterProvision_Update message to the UDM network element. The Nudm_ParameterProvision_Create message or Nudm_ParameterProvision_Update message may include the target credential, the attribute information of the target credential, and (SUPI and / or GPSI).

[0207] Step 403: The UDM network element sends the target credential and its attribute information to the AMF network element.

[0208] After obtaining the target credential and its attribute information from the PVS, the UDM network element does not process the attribute information of the target credential in any way, but only forwards it. In other words, after obtaining the target credential and its attribute information from the PVS, the UDM network element sends the target credential and its attribute information to the AMF network element. For example, the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, which may include the target credential and its attribute information.

[0209] It is worth mentioning that, in addition to sending the target credential and its attribute information, the UDM network element can also send SUPI and / or GPSI to the AMF network element.

[0210] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element. The Nudm_SDM_Notification message may include the target credential, the attribute information of the target credential, and (SUPI and / or GPSI).

[0211] Step 404: The AMF network element sends the target credential and its attribute information to the terminal device.

[0212] After obtaining the target credential and its attribute information from the UDM network element, the AMF network element can send the target credential and its attribute information to the terminal device. For example, the AMF network element can send a NAS message to the terminal device, which may include the target credential and its attribute information.

[0213] Step 405: The terminal device obtains the attribute information of the target credential.

[0214] After receiving the target credential and its attribute information from the AMF network element, the terminal device can obtain the attribute information of the target credential, which includes the first attribute information.

[0215] Step 406: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0216] The terminal device can determine the type of the target credential based on the first attribute information in the target credential's attribute information. Based on the type of the target credential, it can determine the corresponding authentication process and then execute the authentication process using the target credential. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to the relevant description in step 305 of method 300. For the sake of brevity, it will not be repeated here.

[0217] Based on the technical solution in Method 400, after obtaining the target credential and the first attribute information, PVS forwards the target credential and the first attribute information to the terminal device through the UDM network element and the AMF network element in sequence. The terminal device determines the type of the target credential based on the first attribute information, and then determines the authentication process corresponding to the target credential. Finally, it uses the target credential to execute the authentication process corresponding to the target credential.

[0218] The following example continues to use the first core network device as the UDM network element, and introduces method 500 with reference to Figure 5.

[0219] Step 501: The terminal device registers with the PLMN. For a detailed description of step 401, please refer to the relevant description in step 201; for brevity, it will not be repeated here.

[0220] Step 502: PVS sends the target credential and its attribute information to the UDM network element. For a detailed description of step 502, please refer to the relevant description in step 402 of method 400; for brevity, it will not be repeated here.

[0221] Step 503: The UDM network element generates the second attribute information based on the first attribute information in the attribute information of the target credential.

[0222] After obtaining the target credential from PVS and the attribute information of the target credential containing the first attribute information, the UDM network element can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the UDM network element can generate the second attribute information, which can indicate the authentication process corresponding to the target credential.

[0223] Step 504: The UDM network element sends the target credential and its attribute information to the AMF network element.

[0224] The attribute information of the target credential sent by the UDM network element to the AMF network element may include at least one of the first attribute information and the second attribute information. For example, when the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, the message may include the target credential and the attribute information of the target credential.

[0225] It is worth mentioning that, in addition to sending the target credential and its attribute information, the UDM network element can also send SUPI and / or GPSI to the AMF network element.

[0226] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element. The Nudm_SDM_Notification message may include the target credential, the attribute information of the target credential, and (SUPI and / or GPSI).

[0227] Step 505: The AMF network element sends the target credential and its attribute information to the terminal device.

[0228] After receiving the target credential and its attribute information from the UDM network element, the AMF network element can send the target credential and its attribute information to the terminal device. For example, the AMF network element sends a NAS message to the terminal device. The NAS message may include the target credential and its attribute information, wherein the attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0229] Step 506: The terminal device obtains the attribute information of the target credential.

[0230] After receiving the target credential and its attribute information from the AMF network element, the terminal device can obtain the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information.

[0231] Step 507: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0232] After obtaining the target credential and its attribute information from the AMF network element, the terminal device can determine at least one of the following based on the target credential's attribute information: its type and the corresponding authentication process. Based on this, it determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, it will not be repeated here.

[0233] Based on the technical solution in Method 500, after receiving the target credential and first attribute information from the PVS, the UDM network element generates second attribute information according to the first attribute information. The UDM network element forwards the target credential and the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information, to the terminal device through the AMF network element. The terminal device determines at least one of the type of the target credential and the authentication process corresponding to the target credential based on the attribute information of the target credential. On that basis, the terminal device determines the authentication process corresponding to the target credential and then uses the target credential to execute it.

[0234] The following example uses the first core network device as the AMF network element and the second core network device as the UDM network element, and introduces method 600 with reference to Figure 6.

[0235] Step 601: Register the terminal device with the PLMN. For a detailed description of step 601, please refer to the relevant description in step 201. For the sake of brevity, it will not be repeated here.

[0236] Step 602: PVS sends the target credential and its attribute information to the UDM network element. For a detailed description of step 602, please refer to the relevant description in step 402 of method 400; for brevity, it will not be repeated here.

[0237] Step 603: The UDM network element sends the target credential and its attribute information to the AMF network element.

[0238] The attribute information of the target credential sent by the UDM network element to the AMF network element may include the first attribute information. For example, when the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, the message may include the target credential and the attribute information of the target credential.

[0239] It is worth mentioning that the UDM network element can also generate second attribute information based on the first attribute information and send the target credential and the attribute information of the target credential to the AMF network element. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0240] It is worth mentioning that, in addition to sending the target credential and its attribute information, the UDM network element can also send SUPI and / or GPSI to the AMF network element.

[0241] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element. The Nudm_SDM_Notification message may include the target credential, the attribute information of the target credential, and (SUPI and / or GPSI).

[0242] Step 604: The AMF network element generates the second attribute information based on the first attribute information in the attribute information of the target credential.

[0243] After obtaining the target credential from the UDM network element and the attribute information of the target credential containing the first attribute information, the AMF network element can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the AMF network element can generate the second attribute information, which can indicate the authentication process corresponding to the target credential.

[0244] It is worth mentioning that after receiving the target credential and the attribute information of the target credential containing the first attribute information from the UDM network element, the AMF network element can also perform no processing on the attribute information of the target credential and only perform forwarding processing. In other words, after receiving the target credential and the attribute information of the target credential from the UDM, the AMF network element forwards the target credential and the attribute information of the target credential to the terminal device.

[0245] Step 605: The AMF network element sends the target credential and its attribute information to the terminal device.

[0246] After generating the second attribute information, the AMF network element can send the target credential and its attribute information to the terminal device. For example, the AMF network element sends a NAS message to the terminal device. The NAS message may include the target credential and its attribute information. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0247] Step 606: The terminal device obtains the attribute information of the target credential.

[0248] After obtaining the target credential and its attribute information from the AMF network element, the terminal device can obtain the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information.

[0249] Step 607: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0250] After obtaining the target credential and its attribute information from the AMF network element, the terminal device can determine at least one of the following based on the target credential's attribute information: its type and the corresponding authentication process. Based on this, it determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, it will not be repeated here.

[0251] Based on the technical solution in method 600, after receiving the target credential and first attribute information from the PVS, the UDM network element forwards the target credential and first attribute information to the AMF network element. The AMF network element generates second attribute information based on the first attribute information. The AMF network element forwards the target credential and the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information, to the terminal device. The terminal device determines at least one of the type of the target credential and the authentication process corresponding to the target credential based on the attribute information of the target credential. On that basis, the terminal device determines the authentication process corresponding to the target credential and then uses the target credential to execute it.

[0252] The following example continues to use the first core network device as the AMF network element and the second core network device as the UDM network element, and introduces method 700 with reference to Figure 7.

[0253] Step 701: The terminal device registers with the PLMN. For a detailed description of step 701, please refer to the relevant description in step 201. For the sake of brevity, it will not be repeated here.

[0254] Step 702: PVS sends the target credential and its attribute information to the UDM network element. For a detailed description of step 702, please refer to the relevant description in step 402 of method 400; for brevity, it will not be repeated here.

[0255] Step 703: The UDM network element sends the target credential and its attribute information to the AMF network element.

[0256] The attribute information of the target credential sent by the UDM network element to the AMF network element may include the first attribute information. For example, when the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, the message may include the target credential and the attribute information of the target credential.

[0257] It is worth mentioning that the UDM network element can also generate second attribute information based on the first attribute information and send the target credential and attribute information of the target credential to the terminal device. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0258] It is worth mentioning that, in addition to sending the target credential and its attribute information, the UDM network element can also send SUPI to the AMF network element.

[0259] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element. The Nudm_SDM_Notification message may include the target credential, the attribute information of the target credential, and (SUPI and / or GPSI).

[0260] Step 704: The AMF network element sends the target credential to the terminal device.

[0261] After receiving the target credential from the UDM and the attribute information of the target credential containing the first attribute information, the AMF network element can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the AMF network element can send the target credential to the terminal device.

[0262] It is worth mentioning that, in addition to sending the target credential to the terminal device, the AMF network element can also send the target credential's attribute information containing the first attribute information to the terminal device. Furthermore, the AMF network element can generate second attribute information based on the first attribute information and send the target credential and its attribute information to the terminal device. The target credential's attribute information includes at least one of the first attribute information and the second attribute information.

[0263] Step 705: The AMF network element initiates an authentication process or a related process that can trigger the authentication process based on the attribute information of the target credential. For a detailed description of step 705, please refer to the relevant description in step 303 of method 300; for the sake of brevity, it will not be repeated here.

[0264] Step 706: The terminal device obtains the attribute information of the target credential. For a detailed description of step 706, please refer to the relevant description in step 304 of method 300. For the sake of brevity, it will not be repeated here.

[0265] Step 707: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0266] After obtaining the target credential and its attribute information from the AMF network element, the terminal device can determine at least one of the following based on the target credential's attribute information: its type and the corresponding authentication process. Based on this, it determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, it will not be repeated here.

[0267] Based on the technical solution in Method 700, after receiving the target credential and first attribute information from the PVS, the UDM network element forwards the target credential and first attribute information to the AMF network element. The AMF network element determines the type of the target credential based on the first attribute information, and then determines the authentication process corresponding to the target credential. In this case, the AMF network element can simply send the target credential to the terminal device and initiate the authentication process or a related process that can trigger the authentication process. When the terminal device senses the authentication process or a related process that can trigger the authentication process, the terminal device can learn about the authentication process corresponding to the received target credential and finally use the target credential to execute the authentication process corresponding to the target credential.

[0268] For example, the AMF network element initiates a deregistration process that can trigger the slice authentication process. When the terminal device senses the deregistration process, it can know that the type of the target credential just received is a credential used to perform slice authentication. Then, the terminal device can use the target credential to perform the slice authentication process during the registration process.

[0269] The following takes the first core network device being a UPF network element as an example and introduces Method 800 with reference to Figure 8.

[0270] Step 801: The terminal device registers with the PLMN. For a detailed description of step 801, please refer to the relevant description in step 201. For the sake of brevity, it will not be repeated here.

[0271] Step 802: The terminal device obtains the slice information of the network slice used for online contract signing and/or the name information of the data network. For a detailed description of step 802, please refer to the relevant description in step 202; for brevity, it will not be repeated here.

[0272] Step 803: The terminal device establishes a session based on the network slice information and the data network name information. For a detailed description of step 803, please refer to the relevant description in step 203; for brevity, it will not be repeated here.

[0273] Step 804: The terminal device establishes an IP connection with the PVS. For a detailed description of step 804, please refer to the relevant description in step 204; for brevity, it will not be repeated here.

[0274] Step 805: PVS sends the target credential and its attribute information to the UPF network element.

[0275] For example, PVS sends user plane data to UPF network elements. The user plane data includes the target credential and the attribute information of the target credential. The attribute information of the target credential includes the first attribute information.

[0276] Step 806: The UPF network element sends the target credential and its attribute information to the RAN.

[0277] For example, PVS sends user plane data to UPF network elements. The user plane data includes the target credential and the attribute information of the target credential.

[0278] Step 807: The RAN sends the target credential and its attribute information to the terminal device.

[0279] Step 808: The terminal device obtains the attribute information of the target credential.

[0280] After receiving the target credential and its attribute information, the terminal device can obtain the attribute information of the target credential.

[0281] Step 809: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0282] The terminal device can determine the type of the target credential based on the first attribute information in the target credential's attribute information. Based on the type of the target credential, it can determine the corresponding authentication process and then execute the authentication process using the target credential. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to the relevant description in step 305 of method 300. For the sake of brevity, it will not be repeated here.

[0283] Based on the technical solution in Method 800, after obtaining the target credential and the first attribute information, PVS forwards the target credential and the first attribute information to the terminal device through the UPF network element and RAN in sequence. The terminal device determines the type of the target credential based on the first attribute information, and then determines the authentication process corresponding to the target credential. Finally, it uses the target credential to execute the authentication process corresponding to the target credential.

[0284] In this application, the relationship between the first attribute information and the target credential can exist in the following two ways:

[0285] Case 1

[0286] The first attribute information in the attribute information of the target credential is a separate piece of information from the target credential itself.

[0287] Case 2

[0288] The first attribute information in the attribute information of the target credential is carried in the target credential. In other words, the target credential is modified so that the modified target credential carries the first attribute information.

[0289] Methods 300 to 800 are based on the following two assumptions:

[0290] Assumption 1: The first attribute information in the attribute information of the target credential can be a piece of information independent of the target credential.

[0291] Assumption 2: PVS can directly send the target credential and its attribute information after obtaining or generating the target credential and its attribute information.

[0292] The communication method provided in this application will be further described below based on the following two additional assumptions.

[0293] Assumption 1: The first attribute information in the attribute information of the target credential is carried in the target credential.

[0294] Assumption 2: PVS will only send the target credential and its attribute information when the status information of the terminal device meets the preset conditions.

[0295] First, taking the first core network device being a UDM network element as an example, Method 900 is introduced with reference to Figure 9.

[0296] Step 901: PVS sends a subscription request message to the NEF network element.

[0297] For example, PVS sends an Nnef_EventExposure_Subscribe Request message to the NEF network element. The Nnef_EventExposure_Subscribe Request message includes GPSI and an event identifier. The event identifier indicates the event corresponding to the registration status information or location information of the terminal device. This message represents PVS requesting the NEF network element to subscribe to the registration status information or location information of the terminal device corresponding to the GPSI.

[0298] Step 902: The NEF network element sends a subscription request message to the UDM network element.

[0299] For example, the NEF network element sends a Nudm_EventExposure_Subscribe Request message to the UDM network element. This message includes SUPI and the aforementioned event identifier, representing that the NEF network element requests the UDM network element to subscribe to the registration status information or location information of the terminal device corresponding to the SUPI. Here, the SUPI is obtained by the NEF network element after mapping the GPSI.

[0300] Step 903: The UDM network element sends a subscription request message to the AMF network element.

[0301] For example, the UDM network element sends a Namf_EventExposure_Subscribe Request message to the AMF network element. This message includes SUPI and the aforementioned event identifier, representing that the UDM network element requests the AMF network element to subscribe to the registration status information or location information of the terminal device corresponding to the SUPI.

[0302] Step 904: The AMF network element sends a response message to the UDM network element.

[0303] For example, the AMF network element sends a Namf_EventExposure_Subscribe Response message to the UDM network element, indicating that the AMF network element has accepted the UDM network element's subscription.

[0304] Step 905: The UDM network element sends a response message to the NEF network element.

[0305] For example, a UDM network element sends a Nudm_EventExposure_Subscribe Response message to a NEF network element, which indicates that the UDM network element has accepted the NEF network element's subscription.

[0306] Step 906: The NEF network element sends a response message to the PVS.

[0307] For example, the NEF network element sends an Nnef_EventExposure_Subscribe Response message to the PVS, indicating that the NEF network element has accepted the PVS's subscription.

[0308] Step 907: When the current location of the terminal device or the registration status of the terminal device changes, the AMF network element sends a notification message to the UDM network element.

[0309] For example, when a terminal device registers with a PLMN, re-registers with a PLMN, or deregisters from a PLMN, its registration status changes. At this time, the AMF network element can send a notification message to the UDM network element. For example, the AMF network element can send a Namf_EventExposure_Notify message to the UDM network element. This message includes the AMF network element's identifier, the event identifier, event-related information, and the terminal device's identifier. The event identifier indicates the event corresponding to the terminal device's registration status information. The event-related information can be the terminal device's registration status information. For example, the registration status information can indicate that the terminal device is in the state of registering with a PLMN, re-registering with a PLMN, or deregistering from a PLMN. The terminal device's identifier can be either SUPI or GPSI.

[0310] For example, when the current location of the terminal device changes, the AMF network element can send a notification message to the UDM network element. For instance, the AMF network element can send a Namf_EventExposure_Notify message to the UDM network element. This message includes the identifier of the AMF network element, the event identifier, event-related information, and the identifier of the terminal device. The event identifier indicates the event corresponding to the terminal device's location information. The event-related information can be the terminal device's location information. For example, the location information can indicate the current location of the terminal device or whether the terminal device is currently in a tracking area (e.g., target tracking area) or cell (e.g., target cell) that can provide NPN services. The identifier of the terminal device can be either SUPI or GPSI.

[0311] It is worth mentioning that the UDM network element itself can also know whether the registration status of the terminal device has changed. In this case, the UDM network element can determine whether the registration status of the terminal device has changed without relying on the notification message from the AMF network element.

[0312] Step 908: The UDM network element sends a notification message to the NEF network element.

[0313] For example, a UDM network element sends a Nudm_EventExposure_Notify message to a NEF network element. This message includes the aforementioned event identifier and the aforementioned event-related information.

[0314] Step 909: The NEF network element sends a notification message to the PVS.

[0315] For example, the NEF network element sends an Nnef_EventExposure_Notify message to the PVS, which includes the aforementioned event identifier and the aforementioned event-related information.

[0316] Step 910: When the terminal device registration status information or the terminal device location information meets the preset conditions, the PVS sends the target credential to the NEF network element. It is worth noting that this application does not limit the time at which the terminal device registers with the PLMN. In other words, the terminal device can register with the PLMN at any time after it intends to obtain NPN services. Before the terminal device completes the PLMN registration, the target credential will be temporarily cached. After the terminal device completes the PLMN registration, the target credential will be sent to the terminal device.

[0317] For example, a notification message from a NEF network element indicates that the terminal device is currently located in a tracking area that can provide NPN services. In this case, the PVS sends a target credential to the NEF network element, wherein the target credential carries first attribute information.

[0318] For example, PVS sends an Nnef_ParameterProvision_Create message or an Nnef_ParameterProvision_Update message to the NEF network element. The Nnef_ParameterProvision_Create message or the Nnef_ParameterProvision_Update message may include the target credentials and GPSI.

[0319] Step 911: The NEF network element sends the target credential to the UDM network element.

[0320] After obtaining the target credential and GPSI from the PVS, the NEF network element can map the GPSI, generate SUPI, and send the target credential and SUPI to the UDM network element.

[0321] For example, the NEF network element sends a Nudm_ParameterProvision_Create message or a Nudm_ParameterProvision_Update message to the UDM network element. The Nudm_ParameterProvision_Create message or Nudm_ParameterProvision_Update message may include the target credential and SUPI. It is worth noting that in step 910, if the PVS sends an Nnef_ParameterProvision_Create message to the NEF network element, then the NEF network element sends a Nudm_ParameterProvision_Create message to the UDM network element; if the PVS sends an Nnef_ParameterProvision_Update message to the NEF network element, then the NEF network element sends a Nudm_ParameterProvision_Update message to the UDM network element.

[0322] Step 912: The UDM network element sends the target credential to the AMF network element.

[0323] After obtaining the target credential from the PVS, the UDM network element does not process the first attribute information and only performs forwarding. In other words, after obtaining the target credential from the PVS, the UDM network element sends the target credential to the AMF network element. For example, the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, which may include the target credential and SUPI.

[0324] Step 913: The AMF network element sends the target credential to the terminal device.

[0325] When an AMF network element receives a target credential from a UDM network element, it can send the target credential to the terminal device. For example, the AMF network element can send a NAS message to the terminal device, and the NAS message may include the target credential.

[0326] Step 914: The terminal device obtains the first attribute information.

[0327] After receiving the target credential from the AMF network element, the terminal device can obtain the first attribute information from the target credential.

[0328] Step 915: The terminal device executes the authentication process corresponding to the target credential based on the first attribute information and the target credential.

[0329] Based on the first attribute information, the terminal device can determine the type of the target credential, determine the corresponding authentication process based on the target credential type, and then execute the corresponding authentication process using the target credential. For a detailed description of how the terminal device executes the corresponding authentication process using the target credential, please refer to the relevant description in step 305 of method 300; for brevity, it will not be repeated here.

[0330] Based on the technical solution in Method 900, PVS obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS forward the target credential carrying the first attribute information to the terminal device in sequence through the UDM network element and the AMF network element, thereby optimizing the mechanism for the service activation server to issue the target credential and the attribute information of the target credential.

[0331] In addition, the terminal device determines the type of the target credential based on the first attribute information, then determines the authentication process corresponding to the target credential, and finally uses the target credential to execute the authentication process corresponding to the target credential.
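The subscribe, notify and conditional release sequence of steps 901 to 913 can be traced in code. This is an added example, not part of the patent text; the event identifier values, the tracking-area name, the choice of "registered and inside an NPN-capable tracking area" as the preset condition, and holding the cached credential at the PVS are assumptions.

```python
from dataclasses import dataclass

# Assumed encodings: the patent names the messages, not these values.
EVT_REG, EVT_LOC = "registration-state", "location"
NPN_TRACKING_AREAS = {"TA-17"}   # constructed "target tracking area"


@dataclass(frozen=True)
class Notify:
    """Fields of an *_EventExposure_Notify message used in this example."""
    event_id: str
    info: str
    ue_id: str   # SUPI inside the core, GPSI towards the PVS


class AMF:
    def __init__(self):
        self.subs = {}      # (supi, event_id) -> callback towards the UDM
        self.nas_out = []   # (supi, credential) pairs sent in NAS messages

    def subscribe(self, supi, event_id, callback):     # steps 903-904
        self.subs[(supi, event_id)] = callback
        return "accepted"

    def ue_event(self, supi, event_id, info):          # step 907
        callback = self.subs.get((supi, event_id))
        if callback:
            callback(Notify(event_id, info, supi))

    def sdm_notification(self, supi, credential):      # steps 912-913
        self.nas_out.append((supi, credential))


class UDM:
    def __init__(self, amf):
        self.amf = amf

    def subscribe(self, supi, event_id, to_nef):       # steps 902, 905
        # The AMF's notification is relayed unchanged to the NEF (step 908).
        return self.amf.subscribe(supi, event_id, to_nef)

    def parameter_provision(self, supi, credential):   # step 911
        # Method 900: forward only; the first attribute information is not read.
        self.amf.sdm_notification(supi, credential)


class NEF:
    def __init__(self, udm, gpsi_to_supi):
        self.udm = udm
        self.gpsi_to_supi = dict(gpsi_to_supi)
        self.supi_to_gpsi = {s: g for g, s in gpsi_to_supi.items()}

    def subscribe(self, gpsi, event_id, to_pvs):       # steps 901, 906
        def relay(n):                                  # step 909, SUPI -> GPSI
            to_pvs(Notify(n.event_id, n.info, self.supi_to_gpsi[n.ue_id]))
        return self.udm.subscribe(self.gpsi_to_supi[gpsi], event_id, relay)

    def parameter_provision(self, gpsi, credential):   # steps 910-911
        self.udm.parameter_provision(self.gpsi_to_supi[gpsi], credential)


class PVS:
    def __init__(self, nef):
        self.nef = nef
        self.cached = {}   # gpsi -> credential held until the condition is met
        self.state = {}    # gpsi -> {event_id: latest reported info}

    def enroll(self, gpsi, credential):
        self.cached[gpsi] = credential
        self.state[gpsi] = {}
        for event_id in (EVT_REG, EVT_LOC):
            if self.nef.subscribe(gpsi, event_id, self.on_notify) != "accepted":
                raise RuntimeError("subscription rejected")

    def condition_met(self, gpsi):
        # Assumed preset condition: registered AND inside an NPN-capable area.
        seen = self.state[gpsi]
        return (seen.get(EVT_REG) == "registered"
                and seen.get(EVT_LOC) in NPN_TRACKING_AREAS)

    def on_notify(self, n):                            # step 909 -> 910
        self.state[n.ue_id][n.event_id] = n.info
        if n.ue_id in self.cached and self.condition_met(n.ue_id):
            self.nef.parameter_provision(n.ue_id, self.cached.pop(n.ue_id))


def build(gpsi, supi):
    """Wire PVS -> NEF -> UDM -> AMF for one constructed subscriber."""
    amf = AMF()
    pvs = PVS(NEF(UDM(amf), {gpsi: supi}))
    return amf, pvs
```

Because the credential is removed from the cache when it is released, a repeated notification after delivery does not push it a second time.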

[0332] The following continues to take the first core network device being the UDM network element as an example and introduces Method 1000 with reference to Figure 10.

[0333] Step 1001: PVS sends a subscription request message to the NEF network element. For a detailed description of step 1001, please refer to the relevant description in step 901 of method 900. For the sake of brevity, it will not be repeated here.

[0334] Step 1002: The NEF network element sends a subscription request message to the UDM network element. For a detailed description of step 1002, please refer to the relevant description in step 902 of method 900. For the sake of brevity, it will not be repeated here.

[0335] Step 1003: The UDM network element sends a subscription request message to the AMF network element. For a detailed description of step 1003, please refer to the relevant description in step 903 of method 900. For the sake of brevity, it will not be repeated here.

[0336] Step 1004: The AMF network element sends a response message to the UDM network element. For a detailed description of step 1004, please refer to the relevant description in step 904 of method 900. For the sake of brevity, it will not be repeated here.

[0337] Step 1005: The UDM network element sends a response message to the NEF network element. For a detailed description of step 1005, please refer to the relevant description in step 905 of method 900. For the sake of brevity, it will not be repeated here.

[0338] Step 1006: The NEF network element sends a response message to the PVS. For a detailed description of step 1006, please refer to the relevant description in step 906 of method 900. For the sake of brevity, it will not be repeated here.

[0339] Step 1007: When the current location or registration status of the terminal device changes, the AMF network element sends a notification message to the UDM network element. For a detailed description of step 1007, please refer to the relevant description in step 907 of method 900; for brevity, it will not be repeated here.

[0340] Step 1008: The UDM network element sends a notification message to the NEF network element. For a detailed description of step 1008, please refer to the relevant description in step 908 of method 900. For the sake of brevity, it will not be repeated here.

[0341] Step 1009: The NEF network element sends a notification message to the PVS. For a detailed description of step 1009, please refer to the relevant description in step 909 of method 900; for brevity, it will not be repeated here.

[0342] Step 1010: When the terminal device's registration status information or location information meets preset conditions, after the terminal device registers with the PLMN, the PVS sends the target credential to the NEF network element. It is worth noting that this application does not limit the timing of the terminal device's PLMN registration. In other words, the terminal device can register with the PLMN at any time after it intends to obtain NPN services. Before the terminal device completes PLMN registration, the target credential is temporarily cached; after the terminal device completes PLMN registration, the target credential is sent to the terminal device. For a detailed description of step 1010, please refer to the relevant description in step 910 of method 900; for brevity, it will not be repeated here.

[0343] Step 1011: The NEF network element sends the target credential to the UDM network element. For a detailed description of step 1011, please refer to the relevant description in step 911 of method 900. For the sake of brevity, it will not be repeated here.

[0344] Step 1012: The UDM network element generates second attribute information based on the first attribute information carried in the target credential.

[0345] After receiving the target credential from the NEF network element, the UDM network element can determine the type of the target credential based on the first attribute information carried in the target credential, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the UDM network element can generate second attribute information, which can indicate the authentication process corresponding to the target credential.

[0346] Step 1013: The UDM network element sends the target credential and its attribute information to the AMF network element.

[0347] The attribute information of the target credential sent by the UDM network element to the AMF network element may include at least one of the first attribute information and the second attribute information. For example, when the UDM network element sends a Nudm_SDM_Notification message to the AMF network element, the message may include the target credential, the attribute information of the target credential, and SUPI.

[0348] Step 1014: The AMF network element sends the target credential and its attribute information to the terminal device.

[0349] After receiving the target credential and its attribute information from the UDM network element, the AMF network element can send the target credential and its attribute information to the terminal device. For example, the AMF network element sends a NAS message to the terminal device. The NAS message may include the target credential and its attribute information, wherein the attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0350] Step 1015: The terminal device obtains the attribute information of the target credential.

[0351] After receiving the target credential and its attribute information from the AMF network element, the terminal device can obtain the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information.

[0352] Step 1016: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0353] After receiving the target credential and its attribute information from the AMF network element, the terminal device can determine at least one of the following based on the target credential's attribute information: its type and the corresponding authentication process. Based on this, it determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, it will not be repeated here.

[0354] Based on the technical solution in Method 1000, PVS obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS forward the target credential carrying the first attribute information to the terminal device in sequence through the UDM network element and the AMF network element, thereby optimizing the mechanism for the service activation server to issue the target credential and the attribute information of the target credential.

[0355] Furthermore, after receiving the target credential and first attribute information from the PVS, the UDM network element generates second attribute information based on the first attribute information. The UDM network element forwards the target credential and the attribute information of the target credential, including at least one of the first and second attribute information, to the terminal device through the AMF network element. Based on the attribute information of the target credential, the terminal device determines at least one of the type of the target credential and the authentication process corresponding to the target credential. Based on at least one of the type of the target credential and the authentication process corresponding to the target credential, the terminal device determines the authentication process corresponding to the target credential and then executes that authentication process using the target credential.

[0356] The following takes the first core network device being the AMF network element and the second core network device being the UDM network element as an example and introduces Method 1100 with reference to Figure 11.

[0357] Step 1101: PVS sends a subscription request message to the NEF network element. For a detailed description of step 1101, please refer to the relevant description in step 901 of method 900. For the sake of brevity, it will not be repeated here.

[0358] Step 1102: The NEF network element sends a subscription request message to the UDM network element. For a detailed description of step 1102, please refer to the relevant description in step 902 of method 900. For the sake of brevity, it will not be repeated here.

[0359] Step 1103: The UDM network element sends a subscription request message to the AMF network element. For a detailed description of step 1103, please refer to the relevant description in step 903 of method 900. For the sake of brevity, it will not be repeated here.

[0360] Step 1104: The AMF network element sends a response message to the UDM network element. For a detailed description of step 1104, please refer to the relevant description in step 904 of method 900. For the sake of brevity, it will not be repeated here.

[0361] Step 1105: The UDM network element sends a response message to the NEF network element. For a detailed description of step 1105, please refer to the relevant description in step 905 of method 900. For the sake of brevity, it will not be repeated here.

[0362] Step 1106: The NEF network element sends a response message to the PVS. For a detailed description of step 1106, please refer to the relevant description in step 906 of method 900. For the sake of brevity, it will not be repeated here.

[0363] Step 1107: When the current location or registration status of the terminal device changes, the AMF network element sends a notification message to the UDM network element. For a detailed description of step 1107, please refer to the relevant description in step 907 of method 900; for brevity, it will not be repeated here.

[0364] Step 1108: The UDM network element sends a notification message to the NEF network element. For a detailed description of step 1108, please refer to the relevant description in step 908 of method 900. For the sake of brevity, it will not be repeated here.

[0365] Step 1109: The NEF network element sends a notification message to the PVS. For a detailed description of step 1109, please refer to the relevant description in step 909 of method 900. For the sake of brevity, it will not be repeated here.

[0366] Step 1110: When the terminal device's registration status information or location information meets preset conditions, after the terminal device registers with the PLMN, the PVS sends the target credential to the NEF network element. It is worth noting that this application does not limit the timing of the terminal device's PLMN registration. In other words, the terminal device can register with the PLMN at any time after it intends to obtain NPN services. Before the terminal device completes PLMN registration, the target credential will be temporarily cached. After the terminal device completes PLMN registration, the target credential will be sent to the terminal device. For a detailed description of step 1110, please refer to the relevant description in step 910 of method 900. For brevity, it will not be repeated here.

[0367] Step 1111: The NEF network element sends the target credential to the UDM network element. For a detailed description of step 1111, please refer to the relevant description in step 911 of method 900. For the sake of brevity, it will not be repeated here.

[0368] Step 1112: The UDM network element sends the target credential to the AMF network element.

[0369] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element, which may include the target credential and SUPI.

[0370] It is worth mentioning that the UDM network element can also generate second attribute information based on the first attribute information carried in the target credential, and send the target credential and its attribute information to the AMF network element. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0371] Step 1113: The AMF network element generates the second attribute information based on the first attribute information carried in the target credential.

[0372] After receiving the target credential from the UDM network element, the AMF network element can determine the type of the target credential based on the first attribute information, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the AMF network element can generate second attribute information, which can indicate the authentication process corresponding to the target credential.

[0373] It is worth mentioning that after receiving the target credential from the UDM network element, the AMF network element can also perform no processing on the attribute information of the target credential and only forward it. In other words, after obtaining the target credential from the UDM, the AMF network element forwards the target credential to the terminal device.

[0374] Step 1114: The AMF network element sends the target credential and its attribute information to the terminal device.

[0375] After generating the second attribute information, the AMF network element can send the target credential and its attribute information to the terminal device. For example, the AMF network element sends a NAS message to the terminal device. The NAS message may include the target credential and its attribute information. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0376] Step 1115: The terminal device obtains the attribute information of the target credential.

[0377] After receiving the target credential and its attribute information from the AMF network element, the terminal device can obtain the attribute information of the target credential, which includes at least one of the first attribute information and the second attribute information.

[0378] Step 1116: The terminal device executes the authentication process corresponding to the target credential based on the attribute information of the target credential.

[0379] After receiving the target credential and its attribute information from the AMF network element, the terminal device can determine, based on the attribute information of the target credential, at least one of the type of the target credential and the authentication process corresponding to the target credential. Based on this, it determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, it will not be repeated here.

[0380] Based on the technical solution in method 1100, PVS obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS forward the target credential carrying the first attribute information to the terminal device in sequence through the UDM network element and the AMF network element, thereby optimizing the mechanism for the service activation server to issue the target credential and the attribute information of the target credential.

[0381] Furthermore, after receiving the target credential and first attribute information from the PVS, the UDM network element forwards the target credential and first attribute information to the AMF network element. The AMF network element generates second attribute information based on the first attribute information. The AMF network element then forwards the target credential and its attribute information, which includes at least one of the first and second attribute information, to the terminal device. Based on the attribute information of the target credential, the terminal device determines at least one of the type of the target credential and the corresponding authentication process. On that basis, the terminal device determines the authentication process corresponding to the target credential and then executes it using the target credential.

[0382] The following continues with the example in which the first core network device is the AMF network element and the second core network device is the UDM network element, and introduces method 1200 with reference to Figure 12.

[0383] Step 1201: PVS sends a subscription request message to the NEF network element. For a detailed description of step 1201, please refer to the relevant description in step 901 of method 900. For the sake of brevity, it will not be repeated here.

[0384] Step 1202: The NEF network element sends a subscription request message to the UDM network element. For a detailed description of step 1202, please refer to the relevant description in step 902 of method 900. For the sake of brevity, it will not be repeated here.

[0385] Step 1203: The UDM network element sends a subscription request message to the AMF network element. For a detailed description of step 1203, please refer to the relevant description in step 903 of method 900. For the sake of brevity, it will not be repeated here.

[0386] Step 1204: The AMF network element sends a response message to the UDM network element. For a detailed description of step 1204, please refer to the relevant description in step 904 of method 900. For the sake of brevity, it will not be repeated here.

[0387] Step 1205: The UDM network element sends a response message to the NEF network element. For a detailed description of step 1205, please refer to the relevant description in step 905 of method 900. For the sake of brevity, it will not be repeated here.

[0388] Step 1206: The NEF network element sends a response message to the PVS. For a detailed description of step 1206, please refer to the relevant description in step 906 of method 900. For the sake of brevity, it will not be repeated here.

[0389] Step 1207: When the current location or registration status of the terminal device changes, the AMF network element sends a notification message to the UDM network element. For a detailed description of step 1207, please refer to the relevant description in step 907 of method 900; for brevity, it will not be repeated here.

[0390] Step 1208: The UDM network element sends a notification message to the NEF network element. For a detailed description of step 1208, please refer to the relevant description in step 908 of method 900. For the sake of brevity, it will not be repeated here.

[0391] Step 1209: The NEF network element sends a notification message to the PVS. For a detailed description of step 1209, please refer to the relevant description in step 909 of method 900. For the sake of brevity, it will not be repeated here.

[0392] Step 1210: When the terminal device's registration status information or location information meets preset conditions, after the terminal device registers with the PLMN, the PVS sends the target credential to the NEF network element. It is worth noting that this application does not limit the timing of the terminal device's PLMN registration. In other words, the terminal device can register with the PLMN at any time after it intends to obtain NPN services. Before the terminal device completes PLMN registration, the target credential is temporarily cached; after the terminal device completes PLMN registration, the target credential is sent to the terminal device. For a detailed description of step 1210, please refer to the relevant description in step 910 of method 900; for brevity, it will not be repeated here.

[0393] Step 1211: The NEF network element sends the target credential to the UDM network element. For a detailed description of step 1211, please refer to the relevant description in step 911 of method 900. For the sake of brevity, it will not be repeated here.

[0394] Step 1212: The UDM network element sends the target credential to the AMF network element.

[0395] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element, which may include the target credential and SUPI.

[0396] It is worth mentioning that the UDM network element can also generate second attribute information based on the first attribute information carried in the target credential, and send the target credential and its attribute information to the terminal device. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information.

[0397] For example, a UDM network element sends a Nudm_SDM_Notification message to an AMF network element. The Nudm_SDM_Notification message may include the target credential, the attribute information of the target credential, and SUPI.

[0398] Step 1213: The AMF network element sends the target credential to the terminal device.

[0399] After receiving the target credential from the UDM, the AMF network element can determine the type of the target credential based on the first attribute information carried in the target credential, and then determine the authentication process corresponding to the target credential based on the type of the target credential. In this case, the AMF network element can send the target credential to the terminal device.

[0400] It is worth mentioning that, in addition to sending the target credential to the terminal device, the AMF network element can also send the target credential's attribute information containing the first attribute information to the terminal device. Furthermore, the AMF network element can generate second attribute information based on the first attribute information and send the target credential and its attribute information to the terminal device. The target credential's attribute information includes at least one of the first attribute information and the second attribute information.

[0401] In step 1214, the AMF network element initiates an authentication process or a related process that can trigger an authentication process based on the first attribute information. For a detailed description of step 1214, please refer to the relevant description in step 303 of method 300. For the sake of brevity, it will not be repeated here.

[0402] Step 1215: The terminal device obtains the first attribute information carried in the target credential.

[0403] It is worth mentioning that in step 1215, in addition to obtaining the first attribute information from the target credential, the terminal device can also obtain the attribute information of the target credential through any one of the methods 1 to 3 in step 304 of method 300. The attribute information of the target credential includes at least one of the first attribute information and the second attribute information. This application does not limit this.

[0404] Step 1216: The terminal device executes the authentication process corresponding to the target credential based on the first attribute information and the target credential.

[0405] After receiving the target credential from the AMF network element, the terminal device can determine, based on the first attribute information carried in the target credential, at least one of the type of the target credential and the authentication process corresponding to the target credential. Based on this information, the terminal device determines the authentication process corresponding to the target credential and then executes it. For a detailed description of how the terminal device executes the authentication process using the target credential, please refer to step 305 of method 300. For brevity, this description will not be repeated here.

[0406] Based on the technical solution in Method 1200, PVS obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS forward the target credential carrying the first attribute information to the terminal device in sequence through the UDM network element and the AMF network element, thereby optimizing the mechanism for the service activation server to issue the target credential and the attribute information of the target credential.

[0407] Furthermore, after receiving the target credential and first attribute information from the PVS, the UDM network element forwards the target credential and first attribute information to the AMF network element. The AMF network element determines the type of the target credential based on the first attribute information, and then determines the authentication process corresponding to the target credential. In this case, the AMF network element can simply send the target credential to the terminal device and initiate the authentication process or a related process that can trigger the authentication process. When the terminal device senses the authentication process or a related process that can trigger the authentication process, the terminal device can learn about the authentication process corresponding to the received target credential and finally use the target credential to execute the authentication process corresponding to the target credential.

[0408] For example, the AMF network element initiates a deregistration process that can trigger the slice authentication process. When the terminal device senses the deregistration process, it can know that the type of the target credential just received is a credential used to perform slice authentication. Then, the terminal device can use the target credential to perform the slice authentication process during the registration process.

[0409] The following takes the case in which the first core network device is a UPF network element as an example and introduces method 1300 with reference to Figure 13.

[0410] Step 1301: PVS sends a subscription request message to the NEF network element. For a detailed description of step 1301, please refer to the relevant description in step 901 of method 900. For the sake of brevity, it will not be repeated here.

[0411] Step 1302: The NEF network element sends a subscription request message to the UDM network element. For a detailed description of step 1302, please refer to the relevant description in step 902 of method 900. For the sake of brevity, it will not be repeated here.

[0412] Step 1303: The UDM network element sends a subscription request message to the AMF network element. For a detailed description of step 1303, please refer to the relevant description in step 903 of method 900. For the sake of brevity, it will not be repeated here.

[0413] Step 1304: The AMF network element sends a response message to the UDM network element. For a detailed description of step 1304, please refer to the relevant description in step 904 of method 900. For the sake of brevity, it will not be repeated here.

[0414] Step 1305: The UDM network element sends a response message to the NEF network element. For a detailed description of step 1305, please refer to the relevant description in step 905 of method 900. For the sake of brevity, it will not be repeated here.

[0415] Step 1306: The NEF network element sends a response message to the PVS. For a detailed description of step 1306, please refer to the relevant description in step 906 of method 900. For the sake of brevity, it will not be repeated here.

[0416] Step 1307: When the current location or registration status of the terminal device changes, the AMF network element sends a notification message to the UDM network element. For a detailed description of step 1307, please refer to the relevant description in step 907 of method 900; for brevity, it will not be repeated here.

[0417] Step 1308: The UDM network element sends a notification message to the NEF network element. For a detailed description of step 1308, please refer to the relevant description in step 908 of method 900. For the sake of brevity, it will not be repeated here.

[0418] Step 1309: The NEF network element sends a notification message to the PVS. For a detailed description of step 1309, please refer to the relevant description in step 909 of method 900. For the sake of brevity, it will not be repeated here.

[0419] Step 1310: When the registration status information or location information of the terminal device meets preset conditions, the PVS sends the target credential to the UPF network element. It is worth noting that this application does not limit the timing of the terminal device's PLMN registration, session establishment, or IP connection establishment between the terminal device and the PVS. In other words, the terminal device can register the PLMN, establish a session, and establish an IP connection with the PVS at any time after it intends to obtain NPN services. Before the terminal device completes the PLMN registration, session establishment, and IP connection establishment, the target credential will be temporarily cached. After the terminal device completes the PLMN registration, session establishment, and IP connection establishment, the target credential will be sent to the terminal device. For a detailed description of step 1110, please refer to the relevant description in step 910 of method 900; for brevity, it will not be repeated here.

[0420] For example, PVS sends user plane data to UPF network elements, and the user plane data includes the target credentials.

[0421] Step 1311: The UPF network element sends the target credential to the RAN network element.

[0422] For example, the UPF network element sends user plane data to the RAN network element, and the user plane data includes the target credentials.

[0423] Step 1312: The RAN network element sends the target credential and its attribute information to the terminal device.

[0424] Step 1313: The terminal device obtains the first attribute information.

[0425] After receiving the target credential, the terminal device can obtain the first attribute information carried in the target credential.

[0426] Step 1314: The terminal device executes the authentication process corresponding to the target credential based on the first attribute information and the target credential.

[0427] Based on the first attribute information, the terminal device can determine the type of the target credential, determine the corresponding authentication process based on the target credential type, and then execute the corresponding authentication process using the target credential. For a detailed description of how the terminal device executes the corresponding authentication process using the target credential, please refer to the relevant description in step 305 of method 300; for brevity, it will not be repeated here.

[0428] Based on the technical solution in Method 1300, PVS obtains the status information of the terminal device. Only when the status information of the terminal device meets the preset conditions will PVS forward the target credential carrying the first attribute information to the terminal device in sequence through the UDM network element and the AMF network element, thereby optimizing the mechanism for the service activation server to issue the target credential and the attribute information of the target credential.

[0429] Furthermore, after obtaining the target credential and the first attribute information, the PVS forwards the target credential and the first attribute information sequentially to the terminal device through the UPF network element and the RAN. The terminal device determines the type of the target credential based on the first attribute information, and then determines the authentication process corresponding to the target credential. Finally, it executes the authentication process corresponding to the target credential using the target credential. It is worth mentioning that the premise mentioned in methods 900 to 1300 above—that the PVS will only issue the target credential carrying the first attribute information when the status information of the terminal device meets the preset conditions—also applies to methods 400 to 800. That is to say, in methods 400 to 800, the PVS can also issue the obtained target credential and the attribute information of the target credential only when the status information of the terminal device meets the preset conditions.

[0430] In this application, PVS can also send instruction information to the network element receiving the target credential after sending the target credential. The instruction information can instruct the terminal device to initiate a registration process or a session management process. The network element receiving the target credential forwards the instruction information and the target credential to the terminal device, so that the terminal device can know the type of the target credential from PVS according to the instruction information and initiate the registration process or session management process indicated by the instruction information. During the execution of the registration process or session management process, the target credential is used to perform a slice authentication process or a secondary authentication process.

[0431] For example, if the instruction information instructs the terminal device to initiate a registration process, the terminal device can know that the type of the target credential from PVS is a credential used to perform the slice authentication process. Then, the terminal device will initiate the registration process and use the target credential from PVS to perform the slice authentication process during the registration process.

[0432] For example, if the instruction information instructs the terminal device to initiate a session management process, the terminal device can know that the type of the target credential from PVS is a credential used to perform a secondary authentication process. Then, the terminal device will initiate a session management process and use the target credential from PVS to perform the secondary authentication process during the execution of the session management process.
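The following sketch is an added example, not code from the patent or from any 3GPP implementation. It models how the AMF network element derives the second attribute information or chooses a triggering procedure, and how the terminal device resolves the authentication process from attribute information, instruction information, or a sensed procedure. All class and function names are hypothetical, and raising an error when hints are missing or disagree is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class CredentialType(Enum):      # first attribute information: credential type
    SLICE = "credential for slice authentication"
    SECONDARY = "credential for secondary authentication"


class AuthProcess(Enum):         # second attribute information: process to run
    SLICE_AUTH = "slice authentication"
    SECONDARY_AUTH = "secondary authentication"


class Procedure(Enum):           # procedures that carry or trigger authentication
    REGISTRATION = "registration"
    SESSION_MANAGEMENT = "session management"
    DEREGISTRATION = "deregistration"


PROCESS_FOR_TYPE = {CredentialType.SLICE: AuthProcess.SLICE_AUTH,
                    CredentialType.SECONDARY: AuthProcess.SECONDARY_AUTH}
# Procedure during which the terminal runs each authentication process.
CARRIER = {AuthProcess.SLICE_AUTH: Procedure.REGISTRATION,
           AuthProcess.SECONDARY_AUTH: Procedure.SESSION_MANAGEMENT}
# What a procedure implies when named in instruction information or when the
# terminal senses the network starting it (deregistration leads to a new
# registration, which is where slice authentication runs).
PROCESS_IMPLIED_BY = {Procedure.REGISTRATION: AuthProcess.SLICE_AUTH,
                      Procedure.DEREGISTRATION: AuthProcess.SLICE_AUTH,
                      Procedure.SESSION_MANAGEMENT: AuthProcess.SECONDARY_AUTH}


class UnresolvedCredential(Exception):
    """No hint, or hints that disagree: the terminal must not guess."""


@dataclass(frozen=True)
class Delivery:
    """What reaches the terminal; every field except the credential is optional."""
    credential: bytes
    first_attr: Optional[CredentialType] = None
    second_attr: Optional[AuthProcess] = None
    instruction: Optional[Procedure] = None   # instruction information from the PVS
    sensed: Optional[Procedure] = None        # procedure the network initiated


def amf_prepare(credential: bytes, first_attr: CredentialType,
                forward_only: bool = False) -> Delivery:
    """AMF side: derive the second attribute from the first, or only forward."""
    if forward_only:
        return Delivery(credential, first_attr=first_attr)
    return Delivery(credential, first_attr=first_attr,
                    second_attr=PROCESS_FOR_TYPE[first_attr])


def amf_trigger(first_attr: CredentialType) -> Procedure:
    """AMF side: procedure to initiate when no attribute is sent to the terminal."""
    process = PROCESS_FOR_TYPE[first_attr]
    return (Procedure.DEREGISTRATION if process is AuthProcess.SLICE_AUTH
            else Procedure.SESSION_MANAGEMENT)


def ue_resolve(d: Delivery) -> Tuple[AuthProcess, Procedure]:
    """Terminal side: return (authentication process, procedure that carries it)."""
    implied = set()
    if d.first_attr is not None:
        implied.add(PROCESS_FOR_TYPE[d.first_attr])
    if d.second_attr is not None:
        implied.add(d.second_attr)
    for hint in (d.instruction, d.sensed):
        if hint is not None:
            implied.add(PROCESS_IMPLIED_BY[hint])
    if len(implied) != 1:
        # Assumption of this example: fail closed instead of picking a process.
        raise UnresolvedCredential(f"{len(implied)} candidate processes")
    process = implied.pop()
    return process, CARRIER[process]


if __name__ == "__main__":
    cred = b"constructed-sample-credential"      # constructed value
    print(ue_resolve(amf_prepare(cred, CredentialType.SLICE)))
    print(ue_resolve(Delivery(cred, sensed=amf_trigger(CredentialType.SECONDARY))))
```

A delivery whose first and second attribute information point at different processes, or one that carries no hint at all, raises `UnresolvedCredential` rather than letting the terminal run an authentication process the credential was not issued for.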

[0433] It should be noted that in this application, the PVS can be trusted or untrusted. If the PVS is trusted, it can directly send messages to the UDM network element. Conversely, if the PVS is untrusted, it needs to send messages to the NEF network element first, and then the NEF network element forwards the messages to the UDM network element.

[0434] It should be noted that the communication methods provided in this application are merely illustrative examples and do not constitute a limitation on this application. Any method obtained by replacing or recombining the above steps falls within the protection scope of this application.

[0435] The above describes in detail, with reference to Figures 3 to 13, the communication method provided in the embodiments of this application. The following describes in detail, with reference to Figures 14 to 15, the communication device provided in the embodiments of this application.

[0436] Figure 14 is a schematic block diagram of a communication device provided in an embodiment of this application. As shown in Figure 14, the device 1400 may include a processing unit 1410 and a transceiver unit 1420.

[0437] In one possible design, the device 1400 may be the first core network device in the above method embodiments, or it may be a module (such as a chip) applied to the first core network device. The device 1400 may be used to execute the various steps or processes corresponding to the UPF network element, AMF network element, or UPF network element in methods 200-1300 described above.

[0438] Specifically, the processing unit 1410 is used to: obtain the target credential and the attribute information of the target credential;

[0439] The transceiver unit 1420 is used to: send the target credential to the terminal device;

[0440] The processing unit 1410 is further configured to: trigger the terminal device to execute the corresponding authentication process using the target credential based on the attribute information of the target credential (i.e., execute the authentication process corresponding to the target credential using the target credential).

[0441] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0442] Optionally, the processing unit 1410 is specifically used to: obtain the target credential from the service activation server or the second core network device.

[0443] Optionally, the attribute information of the target credential includes first attribute information, which indicates the type of the target credential. The processing unit 1410 is specifically used to obtain the first attribute information from the service activation server or the second core network device.

[0444] Optionally, the attribute information of the target credential includes second attribute information, which indicates the authentication process corresponding to the target credential. The processing unit 1410 is specifically used to: obtain the second attribute information from the second core network device, which is generated by the second core network device based on the first attribute information after obtaining the first attribute information; or, generate the second attribute information based on the first attribute information after obtaining the first attribute information.

[0445] Optionally, based on the attribute information of the target credential, the processing unit 1410 is specifically configured to: send the attribute information corresponding to the target credential to the terminal device, so that the terminal device, based on the attribute information corresponding to the target credential, uses the target credential to execute the corresponding authentication process (i.e., uses the target credential to execute the authentication process corresponding to the target credential).

[0446] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information. The first attribute information indicates that the type of the target credential is a credential used to perform a slice authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a slice authentication process. The processing unit 1410 is specifically used to: trigger a deregistration process so that the terminal device performs the slice authentication process using the target credential after the deregistration process is completed.

[0447] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information. The first attribute information indicates that the type of the target credential is a credential used to perform a secondary authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a secondary authentication process. The processing unit 1410 is specifically used to: trigger a session management process so that the terminal device uses the target credential to perform the secondary authentication process during the execution of the session management process.

[0448] Optionally, the session management process is either a session establishment process or a session modification process.

[0449] Optionally, the first core network device is one of the Unified Data Management (UDM) network element and the Access and Mobility Management Function (AMF) network element.

[0450] Optionally, the second core network device is either a UDM network element or an AMF network element, and if the first core network device is an AMF network element, the second core network device is a UDM network element.

[0451] In another possible design, the device 1400 can be the terminal device in the above method embodiments, or it can be a module (such as a chip) applied to the terminal device. The device 1400 can be used to execute the various steps or processes corresponding to the terminal device in methods 200-1300 described above.

[0452] Specifically, the transceiver unit 1420 is used to: receive the target credentials sent by the first core network device or the service activation server;

[0453] Processing unit 1410 is used to: obtain attribute information of the target credential;

[0454] The processing unit 1410 is further configured to: execute the corresponding authentication process using the target credential based on the attribute information of the target credential (i.e., execute the authentication process corresponding to the target credential using the target credential).

[0455] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0456] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information. The first attribute information indicates that the type of the target credential is a credential used to perform a slice authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a slice authentication process. The processing unit 1410 is specifically used to: perform a registration process according to the attribute information of the target credential, and in the process of performing the registration process, use the target credential to perform the slice authentication process.

[0457] Optionally, the registration process can be any one of the following: initial registration process, mobile registration update process, periodic registration update process, and emergency registration process.

[0458] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information. The first attribute information indicates that the type of the target credential is a credential used to perform a secondary authentication process, and the second attribute information indicates that the authentication process corresponding to the target credential is a secondary authentication process. The processing unit 1410 is specifically used to: perform a session management process according to the attribute information of the target credential, and in the process of performing the session management process, use the target credential to perform the secondary authentication process.

[0459] Optionally, the session management process can be either a session establishment process or a session modification process.

[0460] In another possible design, the device 1400 may be the PVS in the above method embodiments, or it may be a module (such as a chip) applied to the PVS. The device 1400 may be used to perform the various steps or processes corresponding to the PVS in methods 200-1300 described above.

[0461] Specifically, the processing unit 1410 is used to: obtain the target credential and the attribute information of the target credential;

[0462] The transceiver unit 1420 is used to send the target credential and the attribute information of the target credential to the first core network device.

[0463] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0464] Optionally, the processing unit 1410 is further configured to: acquire status information of the terminal device;

[0465] The transceiver unit 1420 is specifically used to: send the target credential and the attribute information of the target credential to the first core network device when the status information of the terminal device meets the preset conditions.

[0466] Optionally, the status information includes either registration status information or location information.

[0467] Optionally, the preset condition is: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

[0468] Optionally, the target credential can be either a credential used to perform the slice authentication process or a credential used to perform the secondary authentication process.
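The following sketch is an added example, not code from the patent. It models the PVS caching a target credential until the terminal device's status information meets the preset condition, then sending it to the UDM network element directly when the PVS is trusted or through the NEF network element when it is not. The names, the SUPI and the tracking-area labels are constructed, and the example assumes that the preset condition is checked against whichever status information the PVS subscribed to and that delivery also waits for the terminal device to be registered.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class StatusNotification:
    """Status information relayed to the PVS (AMF -> UDM -> NEF -> PVS)."""
    supi: str
    registered: bool
    tracking_area: Optional[str] = None
    cell: Optional[str] = None


@dataclass
class Pvs:
    trusted: bool                      # a trusted PVS talks to the UDM directly
    subscribed_to: str                 # "registration" or "location"
    target_tracking_areas: FrozenSet[str] = frozenset()
    target_cells: FrozenSet[str] = frozenset()
    # supi -> (target credential, first attribute information)
    cache: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)
    # (next hop, supi, target credential, first attribute information)
    outbox: List[Tuple[str, str, bytes, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.subscribed_to not in ("registration", "location"):
            raise ValueError("status information is registration or location")

    def preset_condition_met(self, n: StatusNotification) -> bool:
        """Registered state, or presence in a target tracking area or target cell."""
        if self.subscribed_to == "registration":
            return n.registered
        return (n.tracking_area in self.target_tracking_areas
                or n.cell in self.target_cells)

    def provision(self, supi: str, credential: bytes, first_attribute: str) -> None:
        """Hold the credential; nothing is sent until a notification allows it."""
        self.cache[supi] = (credential, first_attribute)

    def on_notification(self, n: StatusNotification) -> bool:
        """Issue the cached credential if allowed; return True when it was sent."""
        if n.supi not in self.cache:
            return False
        # Delivery runs over the PLMN, so an unregistered terminal keeps the
        # credential cached even when its location already qualifies.
        if not (self.preset_condition_met(n) and n.registered):
            return False
        credential, first_attribute = self.cache.pop(n.supi)
        next_hop = "UDM" if self.trusted else "NEF"
        self.outbox.append((next_hop, n.supi, credential, first_attribute))
        return True


if __name__ == "__main__":
    supi = "imsi-001010000000001"                      # constructed value
    pvs = Pvs(trusted=False, subscribed_to="location",
              target_tracking_areas=frozenset({"TA-NPN-1"}))
    pvs.provision(supi, b"constructed-credential", "slice")
    print(pvs.on_notification(StatusNotification(supi, False, "TA-NPN-1")))
    print(pvs.on_notification(StatusNotification(supi, True, "TA-NPN-1")))
    print(pvs.outbox)
```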

[0469] In another possible design, the device 1400 may be the PVS in the above method embodiments, or it may be a module (such as a chip) applied to the PVS. The device 1400 may be used to perform the various steps or processes corresponding to the PVS in methods 200-1300 described above.

[0470] Specifically, the processing unit 1410 is used to: obtain the target credential;

[0471] The transceiver unit 1420 is configured to: send a target credential to the terminal device so that the terminal device, after obtaining the attribute information of the target credential, uses the target credential to execute the corresponding authentication process (i.e., uses the target credential to execute the authentication process corresponding to the target credential).

[0472] In one implementation, the target credential can be modified so that the modified target credential carries first attribute information, wherein the first attribute information indicates the type of the target credential.

[0473] Optionally, the attribute information of the target credential includes at least one of a first attribute information and a second attribute information, wherein the first attribute information indicates the type of the target credential, and the second attribute information indicates the authentication process corresponding to the target credential.

[0474] Optionally, the transceiver unit 1420 is further configured to: send the attribute information of the target credential to the terminal device.

[0475] Optionally, the processing unit 1410 is further configured to: acquire the status information of the terminal device;

[0476] The transceiver unit 1420 is specifically used to: send the target credential to the terminal device when the status information of the terminal device meets the preset conditions.

[0477] Optionally, the status information includes either registration status information or location information.

[0478] Optionally, the preset condition is: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

[0479] Optionally, the target credential can be either a credential used to perform the slice authentication process or a credential used to perform the secondary authentication process.
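The status gating and attribute-driven selection described in [0470] to [0479], as an added illustration that is not part of the patent text. All class names, function names, string values and sample area identifiers are assumptions, as is the choice to reject missing or conflicting attribute information instead of guessing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CredentialType(Enum):
    """First attribute information: the type of the target credential."""
    SLICE_AUTH = "credential-for-slice-authentication"
    SECONDARY_AUTH = "credential-for-secondary-authentication"


class AuthProcess(Enum):
    """Second attribute information: the authentication process to run."""
    SLICE_AUTH = "slice-authentication"
    SECONDARY_AUTH = "secondary-authentication"


# The second attribute can be generated from the first attribute.
PROCESS_FOR_TYPE = {
    CredentialType.SLICE_AUTH: AuthProcess.SLICE_AUTH,
    CredentialType.SECONDARY_AUTH: AuthProcess.SECONDARY_AUTH,
}

# Procedure during which the terminal performs each authentication process.
CARRIER_PROCEDURE = {
    AuthProcess.SLICE_AUTH: "registration",
    AuthProcess.SECONDARY_AUTH: "session-management",
}


class CredentialAttributeError(ValueError):
    """Attribute information is missing or inconsistent (assumed policy)."""


@dataclass(frozen=True)
class TerminalStatus:
    registered: Optional[bool] = None      # registration status information
    tracking_area: Optional[str] = None    # location information
    cell: Optional[str] = None             # location information


@dataclass(frozen=True)
class ProvisioningPolicy:
    target_tracking_areas: frozenset       # areas offering non-public network service
    target_cells: frozenset                # cells offering non-public network service


@dataclass(frozen=True)
class ProvisioningMessage:
    credential: bytes
    cred_type: Optional[CredentialType] = None
    auth_process: Optional[AuthProcess] = None


def meets_preset_condition(status: TerminalStatus, policy: ProvisioningPolicy) -> bool:
    """Registered, or located in a target tracking area or target cell."""
    if status.registered is True:
        return True
    return (status.tracking_area in policy.target_tracking_areas
            or status.cell in policy.target_cells)


def pvs_send(credential: bytes, cred_type: Optional[CredentialType],
             status: TerminalStatus, policy: ProvisioningPolicy
             ) -> Optional[ProvisioningMessage]:
    """PVS side: release the credential only when the preset condition holds."""
    if not meets_preset_condition(status, policy):
        return None
    return ProvisioningMessage(credential, cred_type=cred_type)


def resolve_auth_process(cred_type: Optional[CredentialType],
                         auth_process: Optional[AuthProcess]) -> AuthProcess:
    """Accept either attribute; fail closed when none is given or they disagree."""
    if cred_type is None and auth_process is None:
        raise CredentialAttributeError("no attribute information for credential")
    derived = PROCESS_FOR_TYPE[cred_type] if cred_type is not None else None
    if derived is not None and auth_process is not None and derived is not auth_process:
        raise CredentialAttributeError("credential type and process disagree")
    return auth_process if auth_process is not None else derived


def terminal_select_procedure(msg: ProvisioningMessage) -> str:
    """Terminal side: pick the procedure in which the credential is used."""
    return CARRIER_PROCEDURE[resolve_auth_process(msg.cred_type, msg.auth_process)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    policy = ProvisioningPolicy(frozenset({"TA-sample-1"}), frozenset({"CELL-sample-9"}))
    msg = pvs_send(b"constructed-credential", CredentialType.SECONDARY_AUTH,
                   TerminalStatus(cell="CELL-sample-9"), policy)
    print(terminal_select_procedure(msg))
```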

[0480] It should be understood that device 1400 here is embodied in the form of a functional unit. The term "unit" here can refer to application-specific integrated circuits (ASICs), electronic circuits, processors (e.g., shared processors, proprietary processors, or group processors, etc.) and memories for executing one or more software or firmware programs, combined logic circuits, and / or other suitable components supporting the described functions. In an alternative example, those skilled in the art will understand that device 1400 can be specifically a first core network device in the above embodiments, used to execute the various processes and / or steps corresponding to the first core network device in the above method embodiments; or, device 1400 can be specifically a terminal device in the above embodiments, used to execute the various processes and / or steps corresponding to the terminal device in the above method embodiments; or, device 1400 can be specifically a PVS in the above embodiments, used to execute the various processes and / or steps corresponding to the PVS in the above method embodiments. To avoid repetition, further details are omitted here.

[0481] The apparatus 1400 of each of the above-described schemes has the function of implementing the corresponding steps performed by the first core network device in the above-described method; or, the apparatus 1400 of each of the above-described schemes has the function of implementing the corresponding steps performed by the terminal device in the above-described method; or, the apparatus 1400 of each of the above-described schemes has the function of implementing the corresponding steps performed by the PVS in the above-described method. The functions can be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions; for example, a communication unit can be replaced by a transceiver (e.g., the sending unit in the communication unit can be replaced by a transmitter, and the receiving unit in the communication unit can be replaced by a receiver), and other units, such as processing units, can be replaced by a processor, respectively executing the transmission and reception operations and related processing operations in each method embodiment.

[0482] In addition, the aforementioned communication unit can also be a transceiver circuit (for example, it may include a receiving circuit and a transmitting circuit), and the processing unit can be a processing circuit.

[0483] Figure 15 shows a communication device 1500 provided in an embodiment of this application. The device 1500 includes a processor 1510 and a transceiver 1520. The processor 1510 and the transceiver 1520 communicate with each other through an internal connection path. The processor 1510 is used to execute instructions to control the transceiver 1520 to transmit and / or receive signals.

[0484] Optionally, the device 1500 may further include a memory 1530, which communicates with the processor 1510 and the transceiver 1520 via an internal connection path. The memory 1530 stores instructions, and the processor 1510 can execute the instructions stored in the memory 1530. In one possible implementation, the device 1500 is used to implement the various processes and steps corresponding to the first core network device in the above method embodiments. In another possible implementation, the device 1500 is used to implement the various processes and steps corresponding to the terminal device in the above method embodiments. In yet another possible implementation, the device 1500 is used to implement the various processes and steps corresponding to the PVS in the above method embodiments.

[0485] It should be understood that the device 1500 can specifically be the first core network device, terminal device, or PVS in the above embodiments, or it can be a chip or chip system. Correspondingly, the transceiver 1520 can be the transceiver circuit of the chip, which is not limited here. Specifically, the device 1500 can be used to execute the various steps and / or processes corresponding to the first core network device, terminal device, or PVS in the above method embodiments. Optionally, the memory 1530 can include read-only memory and random access memory, and provide instructions and data to the processor. A portion of the memory can also include non-volatile random access memory. For example, the memory can also store device type information. The processor 1510 can be used to execute the instructions stored in the memory, and when the processor 1510 executes the instructions stored in the memory, the processor 1510 is used to execute the various steps and / or processes of the above method embodiments corresponding to the first core network device, terminal device, or PVS. In the implementation process, the various steps of the above method can be completed by the integrated logic circuits in the processor or by instructions in the form of software. The steps of the method disclosed in the embodiments of this application can be directly manifested as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method. To avoid repetition, detailed descriptions are not provided here.

[0486] It should be noted that the processor in the embodiments of this application can be an integrated circuit chip with signal processing capabilities. During implementation, each step of the above method embodiments can be completed by the integrated logic circuitry in the processor's hardware or by instructions in software form. The processor can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory, and the processor reads the information in the memory and, in conjunction with its hardware, completes the steps of the above methods.

[0487] It is understood that the memory in the embodiments of this application can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory used in the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.

[0488] According to the method provided in the embodiments of this application, this application also provides a computer program product, which includes: computer program code, which, when run on a computer, causes the computer to execute the various steps or processes performed by the first core network device, terminal device, or PVS in the embodiments illustrated in Figures 3 to 13.

[0489] According to the method provided in the embodiments of this application, this application also provides a computer-readable storage medium storing program code, which, when executed on a computer, causes the computer to perform the various steps or processes performed by the first core network device, terminal device, or PVS in the embodiments illustrated in Figures 3 to 13.

[0490] According to the method provided in the embodiments of this application, this application also provides a communication system, which may include a terminal device, a PVS, and the network element in the embodiments illustrated in Figures 3 to 13.

[0491] The above-described apparatus embodiments correspond completely to the method embodiments illustrated in Figures 3 to 13, with each module or unit performing its respective steps. For example, the communication unit (transceiver) performs the receiving or sending steps in the method embodiments, while other steps besides sending and receiving can be performed by the processing unit (processor). The function of a specific unit can be based on the corresponding method embodiments. There can be one or more processors.

[0492] In the embodiments of this application, the terms and English abbreviations are exemplary examples given for ease of description and should not be construed as limiting the application in any way. This application does not preclude the possibility of defining other terms that can achieve the same or similar functions in existing or future agreements.

[0493] In the embodiments of this application, the terms "first," "second," and various numerical designations are merely for descriptive convenience and are not intended to limit the scope of the embodiments of this application. For example, they may be used to distinguish different core network devices or different attribute information.

[0494] As used in this specification, the terms "component," "module," "system," etc., are used to refer to computer-related entities, hardware, firmware, combinations of hardware and software, software, or software in execution. For example, a component can be, but is not limited to, a process running on a processor, a processor, an object, an executable file, an execution thread, a program, and / or a computer. As illustrated, applications running on computing devices and computing devices can both be components. One or more components may reside in a process and / or an execution thread, and components may be located on a single computer and / or distributed among two or more computers. Furthermore, these components can be executed from various computer-readable storage media on which various data structures are stored. Components can communicate, for example, via local and / or remote processes based on signals having one or more data packets (e.g., data from two components interacting with another component between a local system, a distributed system, and / or a network, such as the Internet interacting with other systems via signals).

[0495] It should be understood that "at least one" in this article refers to one or more, and "more than one" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can mean: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, and c can mean: a, or b, or c, or a and b, or a and c, or b and c, or a, b, and c, where a, b, and c can be single or multiple.

[0496] Those skilled in the art will recognize that the various illustrative logical blocks and steps described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.

[0497] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be based on the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0498] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0499] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0500] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0501] In the above embodiments, the functions of each functional unit can be implemented entirely or partially through software, hardware, firmware, or any combination thereof. When implemented using software, it can be implemented entirely or partially in the form of a computer program product. The computer program product includes one or more computer instructions (programs). When the computer program instructions (programs) are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., solid-state disks, SSDs), etc.

[0502] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0503] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A communication method, characterized in that it includes: the first core network device acquires the target credential and the attribute information of the target credential, wherein the attribute information of the target credential includes at least one of first attribute information and second attribute information, the first attribute information indicating the type of the target credential, and the second attribute information indicating the authentication process corresponding to the target credential, wherein the type of the target credential indicates which authentication process the target credential is used to perform; the first core network device sends the target credential to the terminal device; and the first core network device triggers the terminal device to execute the corresponding authentication process using the target credential based on the attribute information of the target credential, including: the first core network device sends the attribute information corresponding to the target credential to the terminal device, so that the terminal device can use the target credential to perform the corresponding authentication process based on the attribute information corresponding to the target credential.

2. The method according to claim 1, characterized in that the first core network device obtaining the target credential includes: the first core network device obtains the target credential from the service activation server or the second core network device.

3. The method according to claim 1 or 2, characterized in that the attribute information of the target credential includes first attribute information, which indicates the type of the target credential; and the first core network device obtaining the first attribute information includes: the first core network device obtains the first attribute information from the service activation server or the second core network device.

4. The method according to any one of claims 1 to 3, characterized in that the attribute information of the target credential includes second attribute information, which indicates the authentication process corresponding to the target credential; and the first core network device obtaining the second attribute information includes: the first core network device obtains the second attribute information from the second core network device, wherein the second attribute information is generated by the second core network device based on the first attribute information after obtaining it; or, after obtaining the first attribute information, the first core network device generates the second attribute information based on the first attribute information.

5. The method according to any one of claims 1 to 4, characterized in that the attribute information of the target credential includes at least one of a first attribute and a second attribute, wherein the first attribute indicates that the target credential is a credential used to perform a slice authentication process, and the second attribute indicates that the authentication process corresponding to the target credential is a slice authentication process; and the first core network device triggering the terminal device to perform the corresponding authentication process using the target credential based on the attribute information of the target credential includes: the first core network device triggers a deregistration process so that after the deregistration process is completed, the terminal device uses the target credential to execute the slice authentication process.

6. The method according to any one of claims 1 to 4, characterized in that the attribute information of the target credential includes at least one of a first attribute and a second attribute, wherein the first attribute indicates that the target credential is a credential used for performing a secondary authentication process, and the second attribute indicates that the authentication process corresponding to the target credential is a secondary authentication process; and the first core network device triggering the terminal device to perform the corresponding authentication process using the target credential based on the attribute information of the target credential includes: the first core network device triggers a session management process, so that the terminal device uses the target credential to perform the secondary authentication process during the execution of the session management process.

7. The method according to claim 6, characterized in that the session management process is either a session establishment process or a session modification process.

8. The method according to any one of claims 1 to 7, characterized in that the first core network device is one of the Unified Data Management (UDM) network element and the Mobility Management Function (AMF) network element.

9. The method according to any one of claims 1 to 8, characterized in that the second core network device is either a UDM network element or an AMF network element, and if the first core network device is an AMF network element, the second core network device is a UDM network element.

10. A communication method, characterized in that it includes: the terminal device receives the target credential sent by the first core network device or the service activation server; the terminal device obtains the attribute information of the target credential sent by the first core network device, wherein the attribute information of the target credential includes at least one of first attribute information and second attribute information, the first attribute information indicating the type of the target credential, and the second attribute information indicating the authentication process corresponding to the target credential, wherein the type of the target credential indicates which authentication process the target credential is used to perform; and the terminal device executes the corresponding authentication process using the target credential based on the attribute information of the target credential.

11. The method according to claim 10, characterized in that the attribute information of the target credential includes at least one of a first attribute and a second attribute, wherein the first attribute indicates that the target credential is a credential used for performing a slice authentication process, and the second attribute indicates that the authentication process corresponding to the target credential is a slice authentication process; and the terminal device performing the corresponding authentication process using the target credential based on its attribute information includes: the terminal device executes a registration process based on the attribute information of the target credential, and in the process of executing the registration process, it uses the target credential to execute the slice authentication process.

12. The method according to claim 11, characterized in that the registration process can be any one of the following: initial registration process, mobile registration update process, periodic registration update process, and emergency registration process.

13. The method according to claim 10, characterized in that the attribute information of the target credential includes at least one of a first attribute and a second attribute, wherein the first attribute indicates that the target credential is a credential used for performing a secondary authentication process, and the second attribute indicates that the authentication process corresponding to the target credential is a secondary authentication process; and the terminal device performing the corresponding authentication process using the target credential based on its attribute information includes: the terminal device executes a session management process based on the attribute information of the target credential, and in the process of executing the session management process, it uses the target credential to execute the secondary authentication process.

14. The method according to claim 13, characterized in that the session management process can be either a session establishment process or a session modification process.

15. A communication method, characterized in that it includes: the service activation server obtains the target credential and its attribute information, wherein the attribute information of the target credential includes at least one of first attribute information and second attribute information, the first attribute information indicating the type of the target credential, and the second attribute information indicating the authentication process corresponding to the target credential, wherein the type of the target credential indicates which authentication process the target credential is used to perform; and the service activation server sends the target credential and its attribute information to a first core network device, wherein the first core network device sends the target credential to a terminal device, and the first core network device sends attribute information corresponding to the target credential to the terminal device, so that the terminal device executes the corresponding authentication process using the target credential based on the attribute information corresponding to the target credential.

16. The method according to claim 15, characterized in that the method further includes: the service activation server obtains the status information of the terminal device; and the service activation server sending the target credential and its attribute information to the first core network device includes: when the status information of the terminal device meets the preset conditions, the service activation server sends the target credential and the attribute information of the target credential to the first core network device.

17. The method according to claim 16, characterized in that the status information includes either registration status information or location information.

18. The method according to claim 17, characterized in that the preset conditions are: the registration status information of the terminal device indicates that the terminal device is in a registered state; or, the location information of the terminal device indicates that the terminal device is in either a target tracking area or a target cell, wherein the target tracking area is a tracking area that can provide non-public network services, and the target cell is a cell that can provide non-public network services.

19. The method according to any one of claims 15 to 18, characterized in that the target credential is either the credential used to perform the slice authentication process or the credential used to perform the secondary authentication process.

20. A communication device comprising a module for performing the method as claimed in any one of claims 1 to 9.

21. A communication device comprising a module for performing the method as claimed in any one of claims 10 to 14.

22. A communication device comprising a module for performing the method as claimed in any one of claims 15 to 19.

23. A communication device, characterized in that the device includes a processor and an interface circuit, wherein the interface circuit is used to receive signals from other communication devices besides the communication device and transmit them to the processor, or to send signals from the processor to other communication devices besides the communication device, and the processor is used to implement the method as described in any one of claims 1 to 9 through logic circuits or execution code instructions.

24. A communication device, characterized in that the device includes a processor and an interface circuit, wherein the interface circuit is used to receive signals from other communication devices besides the communication device and transmit them to the processor, or to send signals from the processor to other communication devices besides the communication device, and the processor is used to implement the method as described in any one of claims 10 to 14 through logic circuits or execution code instructions.

25. A communication device, characterized in that the device includes a processor and an interface circuit, wherein the interface circuit is used to receive signals from other communication devices besides the communication device and transmit them to the processor, or to send signals from the processor to other communication devices besides the communication device, and the processor is used to implement the method as described in any one of claims 17 to 19 through logic circuits or execution code instructions.