Information transmission method and device

By using the application layer authentication and key management AKMA anchor function AAnF in the computing power network, relevant keys are derived based on the first parameter and the AKMA key identifier, which solves the problem of insufficient confidentiality of information transmission in the computing power network and realizes the protection of user privacy and secure data transmission.

CN117014136BActive Publication Date: 2026-06-05CHINA MOBILE COMM LTD RES INST +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA MOBILE COMM LTD RES INST
Filing Date
2022-04-29
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies cannot effectively guarantee the confidentiality of information transmission in computing networks, and privacy computing has limitations, failing to protect user privacy.

Method used

By deriving relevant keys between user equipment and nodes, and utilizing the AKMA anchor function AAnF for application layer authentication and key management, the AKMA application layer key KAF of the user equipment is derived based on the first parameter and the AKMA key identifier A-KID, thereby achieving confidentiality in the information transmission process.

Benefits of technology

It ensures the confidentiality of information transmission between terminals and nodes, protects user privacy, and prevents data leakage. It is suitable for scenarios where computing power nodes are dynamically allocated in computing power networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117014136B_ABST
    Figure CN117014136B_ABST
Patent Text Reader

Abstract

This invention provides an information transmission method and apparatus. The method, applied to the AKMA anchor function (AAnF) side of application layer authentication and key management, includes: receiving a first application key acquisition request sent by a receiving node, wherein the first application key acquisition request is generated by the node after receiving a message sent by a user equipment and sent to AAnF; the message carries an AKMA key identifier A-KID and a first parameter provided by the user equipment; the first application key acquisition request carries the A-KID and the first parameter; when the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and the A-KID. AF The system sends a first application key to the node to obtain a response. The solution of this invention synchronizes the first parameter between the user equipment and the node to generate the same related key, ensuring the confidentiality of information transmission and protecting user privacy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of communication technology, and in particular to an information transmission method and device. Background Technology

[0002] Computing networks should empower daily life and industry, enabling users to access high-performance computing networks through low-configuration terminals, enjoy rich cloud-based business applications, and meet the processing and communication needs of precise real-time interaction in various industries. Various smart terminals, including those connected to 5G networks, will become demanders of computing network services. On the other hand, computing networks should provide new shared service models, fully leveraging existing computing power to create ubiquitous computing power distribution, evolving from the cloud and central locations to the edge and endpoints. End-user computing should integrate the terminal's own computing power into unified management and scheduling, and smart terminals will also become providers of computing network services.

[0003] The demander of computing power network services sends necessary business data to the computing power service provider, which then performs calculations and analyses and sends the results back to the demander. The relevant data may have privacy protection requirements, and the data transmission process may require confidentiality and integrity protection.

[0004] Currently, we are considering applying privacy computing to computing networks, but privacy computing also has some limitations and cannot guarantee the confidentiality of information transmission. Summary of the Invention

[0005] This invention provides an information transmission method and device that derives relevant keys based on the same first parameter between the user device and the node, thereby ensuring the confidentiality of the information transmission process and protecting the user's privacy.

[0006] To solve the above-mentioned technical problems, the technical solution of the present invention is as follows:

[0007] A method for transmitting information, applied to the application layer authentication and key management AKMA anchor function AAnF, the method comprising:

[0008] The receiving node sends a first application key acquisition request, which is generated by the node after receiving a message from the user equipment and sent to AAnF; the message carries an AKMA key identifier A-KID and a first parameter provided by the user equipment; the first application key acquisition request carries the A-KID and the first parameter;

[0009] When the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and A-KID. AF ;

[0010] Send the first application key to the node to obtain a response.

[0011] Optionally, based on the first parameter and A-KID, the K of the user equipment can be deduced. AF ,include:

[0012] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

[0013] Optionally, the first application key acquisition response carries the K of the user equipment. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0014] Optional information transmission methods also include:

[0015] If the first parameter is not empty, and it does not exist in the locally stored relation table, the correspondence between the first parameter and the node is added to the relation table; if the first parameter does not match the node, the user device's K operation is rejected. AF The generation; or

[0016] If the first parameter is empty, the first first parameter corresponding to the node is used as the first parameter.

[0017] Embodiments of the present invention also provide an information transmission method applied to a user equipment, the method comprising:

[0018] Provide the first parameter;

[0019] Send a message to the node, the message carrying the first parameter and the AKMA key identifier A-KID, so that the node sends a first application key acquisition request to the application layer authentication and key management AKMA anchor function AAnF according to the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID, and generates a message response after receiving the first application key acquisition response from AAnF.

[0020] Receive the message response sent by the node; the first application key acquisition response is that when the first parameter matches the node, the AAnF deduces the AKMA application layer key K of the user equipment based on the first parameter and A-KID. AF Then it is fed back to the node.

[0021] Optionally, based on the first parameter and A-KID, the K of the user equipment can be deduced. AF ,include:

[0022] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

[0023] Optionally, after receiving the message response sent by the node, the method further includes:

[0024] According to the K AF Securely transmit data packets with the node.

[0025] Embodiments of the present invention also provide an information transmission method applied to a node, the method comprising:

[0026] Receive a message sent by a user equipment, the message carrying an AKMA key identifier A-KID and a first parameter provided by the user equipment;

[0027] Based on the first parameter and A-KID, a first application key acquisition request is sent to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and AKMA key identifier A-KID.

[0028] After receiving the first application key acquisition response from the AAnF, a message response is generated and sent to the user equipment. The first application key acquisition response is the result of the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

[0029] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0030] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0031] Optionally, after sending the message response to the user equipment, the method further includes:

[0032] According to the K AF Securely transmit data packets with the user equipment.

[0033] Embodiments of the present invention also provide an application layer authentication and key management anchor function device, comprising:

[0034] The transceiver module is used to receive a first application key acquisition request sent by a node. The first application key acquisition request is generated by the node after receiving a message sent by the user equipment and sent to AAnF. The message carries the application layer authentication and key management AKMA key identifier A-KID and a first parameter provided by the user equipment. The first application key acquisition request carries the A-KID and the first parameter.

[0035] The processing module is configured to, when the first parameter matches the node, deduce the AKMA application layer key K of the user equipment based on the first parameter and A-KID. AF ;

[0036] The transceiver module is also used to send the first application key to the node to obtain a response.

[0037] Embodiments of the present invention also provide a user equipment, comprising:

[0038] The processing module is used to provide the first parameter;

[0039] The transceiver module is used to send a message to a node, the message carrying the first parameter and the AKMA key identifier A-KID, causing the node to send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF based on the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID. After receiving the first application key acquisition response from AAnF, the module generates a message response. The transceiver module also receives the message response sent by the node. The first application key acquisition response is the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

[0040] Embodiments of the present invention also provide a node, comprising:

[0041] The transceiver module is used to receive messages sent by the user equipment, wherein the messages carry AKMA key identifier A-KID and a first parameter provided by the user equipment;

[0042] Based on the first parameter and A-KID, a first application key acquisition request is sent to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID; and

[0043] After receiving the first application key acquisition response from the AAnF, a message response is generated and sent to the user equipment. The first application key acquisition response is the result of the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

[0044] Embodiments of the present invention also provide a communication device, including: a processor and a memory storing a computer program, wherein the computer program, when executed by the processor, performs the method described in any of the preceding embodiments.

[0045] Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method described in any of the preceding embodiments.

[0046] The above-described solution of the present invention has at least the following beneficial effects:

[0047] The above-described solution of the present invention involves receiving a first application key acquisition request from an AAnF receiving node. This first application key acquisition request is generated by the node after receiving a message from a user equipment and sent to AAnF. The message carries an AKMA key identifier A-KID and a first parameter provided by the user equipment. The first application key acquisition request carries the A-KID and the first parameter. When the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and the A-KID. AF The terminal sends a first application key to the node to obtain a response. This allows the terminal and the node (such as AF or AAnF) to deduce relevant keys based on the same first parameter, ensuring the confidentiality of information transmission and protecting user privacy. Attached Figure Description

[0048] Figure 1 This is a flowchart illustrating the information transmission method provided in an embodiment of the present invention;

[0049] Figure 2 This is a schematic diagram of the specific process of the information transmission method for generating the first parameter by the UE provided in an embodiment of the present invention;

[0050] Figure 3 This is a flowchart illustrating the information transmission method applied to AAnF provided in an embodiment of the present invention;

[0051] Figure 4 This is a flowchart illustrating the information transmission method applied to nodes provided in an embodiment of the present invention;

[0052] Figure 5This is a block diagram of a user equipment provided in an embodiment of the present invention. Detailed Implementation

[0053] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this invention will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

[0054] like Figure 1 As shown, an embodiment of the present invention provides an information transmission method applied to a user equipment (UE), the method comprising:

[0055] Step 11, provide a first parameter; here, the first parameter may be a preset service identifier generated by the user device or generated by other target objects and built into the application of the user device;

[0056] Step 12: Send a message to the node requested by the user equipment. The message carries the first parameter and the AKMA key identifier A-KID. This causes the node to send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF based on the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID. After receiving the first application key acquisition response from AAnF, the node generates a message response.

[0057] Step 13: Receive the message response sent by the node.

[0058] In this embodiment of the present invention, after the user equipment generates the first parameter (Service Number, preset service identifier), it sends a message to the node. In a specific implementation scenario, the message may be an application session establishment request, and the aforementioned message response may be an application session establishment response. The message carries the first parameter and the AKMA key identifier (A-KID), application layer authentication and key management AKMA (authentication and key management for applications), and receives the message response sent by the target application function. This ensures that the terminal and the node (such as AF or AAnF) have the same preset service identifier during information transmission, and can further deduce related keys, thereby achieving data security protection and preventing the leakage of user privacy.

[0059] Here, the message carrying A-KID is contained in the first data packet generated by the user equipment. The user equipment sends the data packet carrying the first parameter and A-KID to the router entry point. After the router finds the corresponding node, it sends the message carrying the first parameter and A-KID to the node. In the embodiments of the present invention, the node can be the target application function AF.

[0060] It should be noted that before the user equipment sends the data packet carrying the first parameter and A-KID to the router entry point, the main authentication process and the AKMA anchor key K need to be executed. AKMA The setup process.

[0061] In an optional embodiment of the present invention, in step 12, the first application key acquisition response is that when the first parameter matches the node, AAnF deduces the K of the user equipment based on the first parameter and A-KID. AF Then it is fed back to the node.

[0062] In this embodiment, when the first parameter matches the node, AAnF deduces the AKMA application layer key K of the user equipment based on the first parameter and A-KID. AF Then, a first application key response is generated and fed back to the node.

[0063] In another optional embodiment of the present invention, the AKMA application layer key K of the user equipment is derived based on the first parameter and A-KID. AF It can include:

[0064] Step 1211, based on the K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

[0065] It should be noted that during the process of user equipment generating the first parameter, it is necessary to ensure that the first parameter is not repeated as much as possible to avoid key generation failure and wasting time, and at the same time, it is necessary to consider that when different user equipment use the same node for information transmission, the first parameter can reduce the storage overhead of the corresponding table.

[0066] In actual implementation, when a user equipment generates the first parameter, it can generate a strategy based on the node allocation of the subsequent computing power network. For example, if different user equipments mostly route the same computing power service to the same node or node, and there is an agreement with the operator requiring the computing power service to be routed to a specific node, then the user equipment (UE) can generate a specific first parameter for a specific node.

[0067] In another optional embodiment of the present invention, in step 12, the first application key acquisition response carries the K of the user equipment. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0068] In this embodiment, the node can obtain the AKMA application layer key K of the user equipment carried in the response based on the first application key. AF K AF The system generates a message response based on the user's lifecycle and the user's permanent identifier SUPI, and sends it to the user equipment.

[0069] In another optional embodiment of the present invention, in step 1211, when deducing the K of the user equipment... AF At that time, AAnF checks whether the first parameter in the first application key acquisition request matches the node, that is, checks whether the first parameter exists in the corresponding table. If it does not exist, it appends a record to record the correspondence between the first parameter and the node.

[0070] If the first parameter in the first application key acquisition request exists in the corresponding table, then check whether the node authentication identity is consistent with the identity of the corresponding node in the corresponding table.

[0071] As shown in Table 1, whether the first parameter exists in Table 1 can be determined by considering the first parameter as the primary key. The process for determining whether the first parameter matches the node is as follows:

[0072] Query whether the identity of the node corresponding to the first parameter is consistent with the identity of the node that initiated the first application key acquisition request, provided that the first parameter in Table 1 cannot be empty;

[0073] If the first parameter does not exist in Table 1, then record the correspondence between the first parameter and the node;

[0074] If the first parameter exists in Table 1, and the node's authentication identity matches the corresponding node in Table 1, then AAnF is determined by K. AKMA Derivation of K AF AAnF sends a first application key retrieval response to the node, the first application key retrieval response carrying the user equipment's K. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0075] The first parameter is the Service Number (primary key). Node identity S1 AF1 S2 AF2 S3 AF3

[0076] Table 1

[0077] As shown in Table 2, the process of determining whether the first parameter exists in Table 2, where the node identity is the primary key, and whether the first parameter matches the node is as follows:

[0078] Query whether the identity of the node corresponding to the first parameter is consistent with the identity of the node that initiated the first application key acquisition request, provided that the first parameter in Table 2 can be empty.

[0079] If the first parameter is empty and a node exists, the first parameter of the node can be set to the first parameter by default.

[0080] If the first parameter is not empty, then continue with the following judgment:

[0081] Decision 1: If the first parameter does not exist in Table 2, then record the correspondence between the first parameter and the node authentication identity;

[0082] Judgment 2: If the first parameter exists in Table 2, and the node's authentication identity matches the corresponding node in Table 2, then AAnF is determined by K. AKMA Derivation of K AF And send the first application key acquisition response to the node, the first application key acquisition response carrying the user equipment's K AF K AF The lifecycle and the user's permanent identifier SUPI.

[0083] Node identity (primary key) First parameter: Service Number AF1 S1, S2, S3 AF2 S4, S5 AF3 S7

[0084] Table 2

[0085] In another optional embodiment of the present invention, step 13, after receiving the message response sent by the node, may further include:

[0086] Step 13-1, according to the K AF Secure data packet transmission with the node; specifically, the data packet can use the K... AF Encrypt it.

[0087] In this embodiment, the user equipment and the node are connected via K. AF Encrypted data packets are used for data transmission to ensure data security.

[0088] In another optional embodiment of the present invention, according to the local policy configured by the target AAnF, or the K provided by the network storage function NRF. AKMA The first parameter, the length of the first parameter, and A-KID are used to check whether the target AAnF can provide services to the node. If it can, the first parameter is generated for the node.

[0089] If the target AAnF cannot provide services to the node, then the target AAnF should reject the following process:

[0090] The target AAnF can be determined by whether it can find its corresponding K through A-KID. AKMA Determine whether a user is authorized to use AKMA application authentication and key management services;

[0091] If a valid K exists in the target AAnF AKMA Then the target AAnF sends the first application key acquisition request to the node;

[0092] If there is no valid K in the target AAnF AKMA If the node rejects the message sent by the user equipment (UE), it will send a message response to the UE. The message response carries: K AKMA Reason for request failure;

[0093] If the target AAnF does not have a user device K AF Then the target AAnF is determined by K AKMA Derivation of K for user equipment AF .

[0094] When using the authentication service function key K AUSF Derivation of K AKMA The following parameters can be used to construct the input S of the key derivation function KDF:

[0095] -FC = 0x82;

[0096] -P0 = the first parameter (service number);

[0097] -L0 = the length of the first parameter (service number).

[0098] The key should be K. AKMA .

[0099] like Figure 2 As shown, in an optional specific embodiment of the present invention, the process of the information transmission method for generating the first parameter by the user equipment (UE) may include:

[0100] Step 21: Perform the main authentication process and K AKMA Establishment process;

[0101] Step 22: The User Equipment (UE) generates the first parameter and sends a data packet carrying the first parameter and A-KID to the router entry point;

[0102] Step 23: After the router finds the computing power node, it sends a message carrying the first parameter and A-KID to the node;

[0103] Step 24: The node generates a first application key acquisition request based on the first parameter and A-KID carried in the message. The first application key request carries the first parameter and A-KID.

[0104] Step 25: AAnF checks whether the first parameter carried in the first application key acquisition request exists in the corresponding table. If it does not exist, it appends a record of the correspondence between the first parameter and the node authentication identity. If it exists, it checks whether the node authentication identity is consistent with the corresponding node identity in the corresponding table.

[0105] Step 26: AAnF according to K AKMA And the first parameter to derive the user equipment K AF ;

[0106] Step 27: AAnF sends a first application key acquisition response to the node, the first application key acquisition response carrying the user equipment's K. AF K AF The lifecycle and the user's permanent identifier SUPI;

[0107] Step 28: The node obtains the K of the user equipment carried in the response based on the first application key. AF K AF The lifecycle of the user and the permanent identifier SUPI are used to generate an application session and establish a response, which is then sent to the user equipment (UE).

[0108] Step 29: Subsequent data packets are transmitted between the user equipment (UE) and the node using K... AF Encryption and decryption are used to protect user privacy and security.

[0109] In the above embodiments of the present invention, the node can be a computing power node. In scenarios where the computing power service only requires that the third party not be able to see it and does not require that the computing party not be able to see it, the method described in the above embodiments is highly efficient and has low requirements on the end side.

[0110] The above embodiments of the present invention are more suitable for the dynamic allocation of computing power nodes in computing power networks. They do not require the UE to establish an additional secure key acquisition channel, and can avoid the risk of AF a sending AF_ID of AF b to illegally obtain the KAF of the UE to access AF b. The UE can update K by generating different first parameters without re-initiating authentication. AF This system enables the derivation of relevant keys based on the shared first parameter between user devices and nodes, ensuring the confidentiality of information transmission and protecting user privacy.

[0111] like Figure 3As shown, the present invention also provides an information transmission method applied to the AKMA anchor point function AAnF, the method comprising:

[0112] Step 31: Receive a first application key acquisition request sent by the receiving node. The first application key acquisition request is generated by the node after receiving a message from the user equipment and sent to AAnF. The message carries an AKMA key identifier A-KID and a first parameter provided by the user equipment. The first application key acquisition request carries the A-KID and the first parameter. When the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and the A-KID. AF ;

[0113] Step 32: Send the first application key to the node to obtain a response, so that the node sends a message response to the user equipment.

[0114] In this embodiment, ANF receives a first application key acquisition request from a receiving node, sends a first application key acquisition response to the receiving node, and causes the receiving node to send a message response to the user equipment. This achieves secure data protection during information transmission and prevents the leakage of user privacy.

[0115] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0116] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0117] Optionally, the first application key acquisition response carries the K of the user equipment. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0118] Optionally, the information transmission method further includes: when the first parameter is not empty, if the first parameter does not exist in the locally stored relation table, adding the correspondence between the first parameter and the node to the relation table; and when the first parameter does not match the node, refusing to execute the user device's K. AF The generation; or

[0119] If the first parameter is empty, the first first parameter corresponding to the node is used as the first parameter.

[0120] It should be noted that the embodiment of this method is the AAnF-side method corresponding to the above-described user equipment-side method. All implementation methods in the above-described method embodiments are applicable to this embodiment and can achieve the same technical effect.

[0121] like Figure 4 As shown, the present invention also provides an information transmission method applied to a node, the method comprising:

[0122] Step 41: Receive a message sent by the user equipment, the message carrying the AKMA key identifier A-KID and the first parameter provided by the user equipment;

[0123] Step 42: Based on the first parameter and A-KID, send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and AKMA key identifier A-KID.

[0124] Step 43: After receiving the first application key acquisition response from the AAnF, generate a message response and send the message response to the user equipment.

[0125] In this embodiment, the node receives a message sent by the user equipment, sends a first application key acquisition request to the target AAnF based on the first parameter and A-KID carried in the message, generates a message response based on the first application key acquisition request, and sends the message response to the user equipment. This protects user privacy and prevents privacy leaks during data transmission.

[0126] Optionally, the first application key acquisition response is that when the first parameter matches the node, AAnF deduces the user equipment's AKMA application layer key K based on the first parameter and A-KID. AF Then it is fed back to the node.

[0127] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0128] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0129] Optionally, the first application key acquisition response carries the user equipment's AKMA application layer key K. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0130] Optionally, after sending the message response to the user equipment, the information transmission method further includes: according to the K AF Securely transmit data packets with the user equipment.

[0131] It should be noted that the embodiment of this method is a node-side method corresponding to the user equipment-side method described above. Here, the node can be an application function (AF). All implementation methods in the above method embodiments are applicable to this embodiment and can achieve the same technical effect.

[0132] like Figure 5 As shown, the present invention also provides a user equipment 50, the user equipment 50 comprising:

[0133] Processing module 51 is used to provide the first parameter;

[0134] The transceiver module 52 is used to send a message to the node requested by the user equipment. The message carries the first parameter and the AKMA key identifier A-KID, so that the node sends a first application key acquisition request to the application layer authentication and key management AKMA anchor function AAnF according to the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID, and generates a message response after receiving the first application key acquisition response from AAnF.

[0135] Optionally, the first application key acquisition response is that when the first parameter matches the node, AAnF deduces the user equipment's AKMA application layer key K based on the first parameter and A-KID. AF Then it is fed back to the node.

[0136] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0137] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0138] Optionally, the first application key acquisition response carries the K of the user equipment. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0139] Optionally, after receiving the message response sent by the node, the transceiver module 52 can also be used to: according to the K AFSecurely transmit data packets with the node.

[0140] It should be noted that the user equipment is the user equipment corresponding to the method applied to the user equipment described above. All implementation methods in the embodiments of the method applied to the user equipment described above are applicable to the embodiments of the user equipment and can achieve the same technical effect.

[0141] The present invention also provides an application layer authentication and key management anchor function device, comprising:

[0142] The transceiver module is configured to receive a first application key acquisition request sent by a node. This first application key acquisition request is generated by the node after receiving a message from the user equipment and sent to AAnF. The message carries an AKMA key identifier (A-KID) for application layer authentication and key management, and a first parameter provided by the user equipment. The first application key acquisition request carries the A-KID and the first parameter. When the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and the A-KID. AF Send the first application key to the node to obtain a response, so that the node sends a message response to the user equipment.

[0143] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0144] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0145] Optionally, the first application key acquisition response carries the K of the user equipment. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0146] Optionally, the transceiver module can also be used to: add the correspondence between the first parameter and the node to the relationship table when the first parameter is not empty and the first parameter does not exist in the locally stored relationship table; and refuse to execute the user equipment's K when the first parameter does not match the node. AF The generation of the first parameter; or if the first parameter is empty, the first parameter corresponding to the node is used as the first parameter.

[0147] It should be noted that this AAnF is the AAnF corresponding to the method applied to AAnF described above. All implementation methods in the above-described method implementations for AAnF are applicable to the implementations of this AAnF and can achieve the same technical effect.

[0148] The present invention also provides a node, comprising:

[0149] The transceiver module is used to receive messages sent by the user equipment, wherein the messages carry AKMA key identifier A-KID and a first parameter provided by the user equipment;

[0150] Based on the first parameter and A-KID, a first application key acquisition request is sent to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID; and

[0151] After receiving the first application key acquisition response from the AAnF, a message response is generated and sent to the user equipment.

[0152] Optionally, the first application key acquisition response is that when the first parameter matches the node, AAnF deduces the user equipment's AKMA application layer key K based on the first parameter and A-KID. AF Then it is fed back to the node.

[0153] Optionally, based on the first parameter and A-KID, the AKMA application layer key K of the user equipment is derived. AF ,include:

[0154] According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the AKMA application layer key K of the user equipment. AF .

[0155] Optionally, the first application key acquisition response carries the user equipment's AKMA application layer key K. AF K AF The lifecycle and the user's permanent identifier SUPI.

[0156] Optionally, after sending the message response to the user equipment, the transceiver module can also be used to: according to the K AF Securely transmit data packets with the user equipment.

[0157] It should be noted that this node is the node corresponding to the method applied to the node side described above. All implementation methods in the above-described method embodiments applied to the node are applicable to the embodiments of this node and can achieve the same technical effect.

[0158] Embodiments of the present invention also provide a communication device, including: a processor and a memory storing a computer program, wherein the computer program, when executed by the processor, performs the method described above. All implementations in the above method embodiments are applicable to this embodiment and can achieve the same technical effects.

[0159] Embodiments of the present invention also provide a computer-readable storage medium including storage instructions that, when executed on a computer, cause the computer to perform the method described above. All implementations in the above method embodiments are applicable to this embodiment and can achieve the same technical effects.

[0160] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.

[0161] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0162] In the embodiments provided by this invention, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.

[0163] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0164] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0165] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, essentially, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, ROM, RAM, magnetic disks, or optical disks.

[0166] Furthermore, it should be noted that in the apparatus and method of the present invention, it is obvious that the components or steps can be decomposed and / or recombined. These decompositions and / or recombinations should be considered equivalent solutions of the present invention. Moreover, the steps performing the above-described series of processes can naturally be executed in the order described, but are not necessarily required to be executed in chronological order; some steps can be executed in parallel or independently of each other. Those skilled in the art will understand that all or any step or component of the method and apparatus of the present invention can be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software, or a combination thereof. This is something that those skilled in the art can achieve by using their basic programming skills after reading the description of the present invention.

[0167] Therefore, the object of the present invention can also be achieved by running a program or a set of programs on any computing device. The computing device can be a known general-purpose device. Therefore, the object of the present invention can also be achieved simply by providing a program product containing program code implementing the method or apparatus. That is, such a program product also constitutes the present invention, and the storage medium storing such a program product also constitutes the present invention. Obviously, the storage medium can be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is obvious that the components or steps can be decomposed and / or recombined. These decompositions and / or recombinations should be considered equivalent to the present invention. Furthermore, the steps performing the above series of processes can naturally be performed in the order described, but are not necessarily required to be performed in chronological order. Some steps can be performed in parallel or independently of each other.

[0168] The above description represents the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. An information transmission method, characterized in that, The method, applied to the AKMA anchor function AAnF for application-layer authentication and key management, includes: The receiving node sends a first application key acquisition request, which is generated by the node after receiving a message from the user equipment and sent to AAnF; the message carries an AKMA key identifier A-KID and a first parameter provided by the user equipment; the first application key acquisition request carries the A-KID and the first parameter; When the first parameter matches the node, the AKMA application layer key K of the user equipment is deduced based on the first parameter and A-KID. AF ; Send the first application key to the node to obtain a response.

2. The information transmission method according to claim 1, characterized in that, Based on the first parameter and A-KID, the K of the user equipment is deduced. AF ,include: According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

3. The information transmission method according to claim 1, characterized in that, The first application key acquisition response carries the user equipment's K AF K AF The lifecycle and the user's permanent identifier SUPI.

4. The information transmission method according to claim 1, characterized in that, Also includes: If the first parameter is not empty, and it does not exist in the locally stored relation table, the correspondence between the first parameter and the node is added to the relation table; if the first parameter does not match the node, the user device's K operation is rejected. AF The generation of; or If the first parameter is empty, the first first parameter corresponding to the node is used as the first parameter.

5. An information transmission method, characterized in that, Applied to user equipment, the method includes: Provide the first parameter; Send a message to the node, the message carrying the first parameter and the AKMA key identifier A-KID, so that the node sends a first application key acquisition request to the application layer authentication and key management AKMA anchor function AAnF according to the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID, and generates a message response after receiving the first application key acquisition response from AAnF. Receive the message response sent by the node; the first application key acquisition response is that when the first parameter matches the node, the AAnF deduces the AKMA application layer key K of the user equipment based on the first parameter and A-KID. AF Then it is fed back to the node.

6. The information transmission method according to claim 5, characterized in that, Based on the first parameter and A-KID, the K of the user equipment is deduced. AF ,include: According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

7. The information transmission method according to claim 5, characterized in that, After receiving the message response sent by the node, the method further includes: According to the K AF Securely transmit data packets with the node.

8. An information transmission method, characterized in that, Applied to nodes, the method includes: Receive a message sent by a user equipment, the message carrying an AKMA key identifier A-KID and a first parameter provided by the user equipment; Based on the first parameter and A-KID, a first application key acquisition request is sent to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and AKMA key identifier A-KID. After receiving the first application key acquisition response from the AAnF, a message response is generated and sent to the user equipment. The first application key acquisition response is the result of the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

9. The information transmission method according to claim 8, characterized in that, Based on the first parameter and A-KID, the K of the user equipment is deduced. AF ,include: According to the AKMA anchor key K stored locally in AAnF AKMA The first parameter, the length of the first parameter, and A-KID are used to deduce the K of the user equipment. AF .

10. The information transmission method according to claim 9, characterized in that, After sending the message response to the user equipment, the method further includes: According to the K AF Securely transmit data packets with the user equipment.

11. An application-layer authentication and key management anchor point function device, characterized in that, include: The transceiver module is used to receive a first application key acquisition request sent by a node. The first application key acquisition request is generated by the node after receiving a message sent by the user equipment and sent to the application layer authentication and key management AKMA anchor function AAnF device. The message carries the AKMA key identifier A-KID and the first parameter provided by the user equipment. The first application key acquisition request carries the A-KID and the first parameter; The processing module is configured to, when the first parameter matches the node, deduce the AKMA application layer key K of the user equipment based on the first parameter and A-KID. AF ; The transceiver module is also used to send the first application key to the node to obtain a response.

12. A user equipment, characterized in that, include: The processing module is used to provide the first parameter; The transceiver module is used to send a message to a node, the message carrying the first parameter and the AKMA key identifier A-KID, causing the node to send a first application key acquisition request to the target application layer authentication and key management AKMA anchor function AAnF based on the first parameter and A-KID. The first application key acquisition request carries the first parameter and the AKMA key identifier A-KID. After receiving the first application key acquisition response from AAnF, the module generates a message response. The transceiver module also receives the message response sent by the node. The first application key acquisition response is the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

13. A node, characterized in that, include: The transceiver module is used to receive messages sent by the user equipment, wherein the messages carry AKMA key identifier A-KID and a first parameter provided by the user equipment; Based on the first parameter and A-KID, a first application key acquisition request is sent to the target application layer authentication and key management AKMA anchor function AAnF. The first application key acquisition request carries the first parameter and AKMA key identifier A-KID. as well as After receiving the first application key acquisition response from the AAnF, a message response is generated and sent to the user equipment. The first application key acquisition response is the result of the AAnF deducing the user equipment's AKMA application layer key K based on the first parameter and A-KID when the first parameter matches the node. AF Then it is fed back to the node.

14. A communication device, characterized in that, include: A processor, a memory storing a computer program, wherein the computer program, when executed by the processor, performs the method as described in any one of claims 1 to 4, or the method as described in any one of claims 5 to 7, or the method as described in any one of claims 8 to 10.

15. A computer-readable storage medium, characterized in that, Store instructions that, when executed on a computer, cause the computer to perform the method as described in any one of claims 1 to 4, or the method as described in any one of claims 5 to 7, or the method as described in any one of claims 8 to 10.