Communication method, communication device, communication system, storage medium, and program product

By generating keys using parameters shared between the first core network and the terminal in cross-network routing scenarios, the PDU session security problem is solved, thereby improving security and saving signaling resources.

CN122162406APending Publication Date: 2026-06-05BEIJING XIAOMI MOBILE SOFTWARE CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING XIAOMI MOBILE SOFTWARE CO LTD
Filing Date
2025-11-10
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In cross-network routing scenarios, existing technologies are insufficient to effectively protect the security of PDU sessions, posing security risks.

Method used

By generating keys using parameters shared between network elements and terminals in the first core network, the generation of the first key is avoided by the second core network, thereby improving the security of PDU sessions and optimizing signaling resource consumption.

Benefits of technology

It improves the security of PDU sessions in cross-network routing scenarios while saving signaling resources.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122162406A_ABST
    Figure CN122162406A_ABST
Patent Text Reader

Abstract

The present disclosure relates to a communication method, a communication device, a communication system, a storage medium and a program product. The method comprises: sending a key request to a second network element of a first core network; and receiving a key response sent by the second network element of the first core network, wherein the key response comprises a first key, and the first key is used to protect the security of a PDU session, and the PDU session is a session between a terminal and a third network element of the first core network. Through the scheme of the present disclosure, the security of the PDU session in the cross-network routing scenario can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of wireless communication, and more particularly to a communication method, communication device, communication system, storage medium, and program product. Background Technology

[0002] With the continuous development of communication systems, terminals and networks can support access traffic steering, switching, splitting (ATSSS) functions.

[0003] The ATSSS function enables multi-access protocol data unit (MAPDU) connection services. MAPDU connection services are achieved by establishing MAPDU sessions, meaning each MAPDU session has user plane resources on multiple access networks. This allows the terminal and data network to simultaneously use multiple channels for data stream transmission. Summary of the Invention

[0004] This disclosure relates to a communication method, communication device, communication system, storage medium, and program product to improve the security of PDU sessions in cross-network routing scenarios.

[0005] According to a first aspect of the present disclosure, a communication method is provided. The method is executed by a first network element of a first core network. The method includes: sending a key request to a second network element of the first core network; and receiving a key response sent by the second network element of the first core network, wherein the key response includes a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0006] According to a second aspect of the present disclosure, a communication method is provided. The method is executed by a first network element of a first core network. The method includes: receiving a second key sent by a first network element of a second core network; generating a first key based on the second key and parameters; wherein the parameters are shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0007] According to a third aspect of the present disclosure, a communication method is provided. The method is executed by a second network element of a first core network. The method includes: receiving a key request sent by a first network element of the first core network; sending a key response to the first network element of the first core network, the key response containing a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0008] According to a fourth aspect of the present disclosure, a communication method is provided. The method is executed by a first network element of a second core network. The method includes: sending a second key to the first network element of the first core network, the second key being used to generate a first key together with parameters; wherein the parameters are parameters shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0009] According to a fifth aspect of the present disclosure, a communication method is provided. The method is performed by a second network element of a second core network. The method includes: sending a second key to a first network element of the second core network, the second key being used to generate a first key together with parameters; wherein the parameters are parameters shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0010] According to a sixth aspect of the present disclosure, a communication method is provided. The method is performed by a terminal. The method includes: receiving indication information sent by a second network element of a second core network through an access network, the indication information being used by the terminal to determine a first key; wherein the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0011] According to a seventh aspect of the present disclosure, a communication method is provided. The method is executed by a communication system. The method includes: a first network element of a first core network sending a key request to a second network element of the first core network; and the second network element of the first core network sending a key response to the first network element of the first core network, the key response containing a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0012] According to an eighth aspect of the present disclosure, a communication method is provided. The method is executed by a communication system. The method includes: a first network element of a second core network sending a second key to a first network element of a first core network; the first network element of the first core network generating a first key based on the second key and parameters; wherein the parameters are parameters shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0013] According to a ninth aspect of the present disclosure, a communication device is provided. This communication device is used to perform the communication method as described in any one of the first to sixth aspects.

[0014] According to a tenth aspect of this disclosure, a communication system is provided. The communication system includes a first network element of a first core network and a second network element of the first core network. The first network element of the first core network is configured to perform a communication method as described in any one of the first or second aspects. The second network element of the first core network is configured to perform a communication method as described in any one of the third aspects.

[0015] According to an eleventh aspect of the present disclosure, a communication system is provided. The communication system includes a first network element of a first core network and a first network element of a second core network. The first network element of the first core network is configured to perform the communication method as described in any one of the second aspects, and the first network element of the second core network is configured to perform the communication method as described in any one of the fourth aspects.

[0016] According to a twelfth aspect of the present disclosure, a storage medium is provided. The storage medium stores instructions. When executed on a communication device, the instructions cause the communication device to perform the communication method as described in any one of the first to sixth aspects.

[0017] According to a thirteenth aspect of the present disclosure, a program product is provided. The program product includes at least one of a program and instructions. When the program and instructions are executed by a communication device, they implement the communication method as described in any one of the first to sixth aspects.

[0018] According to a fourteenth aspect of the present disclosure, a computer program is provided. When the computer program is run on a computer, it causes the computer to perform the communication method as described in any one of the first to sixth aspects.

[0019] According to a fifteenth aspect of the present disclosure, a chip or chip system is provided. The chip or chip system includes processing circuitry. The processing circuitry is configured to perform the communication method as described in any one of the first to sixth aspects.

[0020] According to embodiments of this disclosure, the security of PDU sessions in cross-network routing scenarios can be improved.

[0021] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not constitute a limitation on the embodiments of this disclosure. Attached Figure Description

[0022] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of embodiments of this disclosure.

[0023] Figure 1 This is a schematic diagram of the architecture of a communication system provided according to an embodiment of the present disclosure.

[0024] Figure 2a This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0025] Figure 2b This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0026] Figure 3a This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0027] Figure 3b This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0028] Figure 4a This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0029] Figure 4b This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0030] Figure 4c This is an interactive schematic diagram of the communication method provided according to an embodiment of the present disclosure.

[0031] Figure 5a This is a schematic diagram of the structure of the first network element of the first core network provided according to an embodiment of the present disclosure.

[0032] Figure 5b This is a schematic diagram of the structure of the second network element of the first core network provided according to an embodiment of the present disclosure.

[0033] Figure 5c This is a schematic diagram of the structure of the first network element of the second core network provided according to an embodiment of the present disclosure.

[0034] Figure 5d This is a schematic diagram of the structure of the second network element of the second core network provided according to an embodiment of the present disclosure.

[0035] Figure 5e This is a schematic diagram of the structure of a terminal provided according to an embodiment of this disclosure.

[0036] Figure 6a This is a schematic diagram of the structure of a communication device provided according to an embodiment of the present disclosure.

[0037] Figure 6b This is a schematic diagram of the chip structure provided according to an embodiment of the present disclosure. Detailed Implementation

[0038] This disclosure provides a communication method, communication device, communication system, storage medium, and program product.

[0039] In a first aspect, embodiments of this disclosure provide a communication method. The method is executed by a first network element of a first core network. The method includes: sending a key request to a second network element of the first core network; and receiving a key response from the second network element of the first core network, wherein the key response contains a first key used to protect the security of a PDU session, the PDU session being between a terminal and a third network element of the first core network.

[0040] In this embodiment, the first network element of the first core network requests a first key from the second network element of the first core network to protect the security of the PDU session between the terminal and the third network element of the first core network. Compared to the first network element of the first core network receiving the root key from the first network element of the second core network and then generating the first key, this avoids the security risk that the second core network could also generate the first key, thereby decrypting or manipulating the user plane data (UP traffic) of the terminal routed to the first core network. This improves the security of the PDU session in cross-network routing scenarios.

[0041] In conjunction with some embodiments of the first aspect, in some embodiments, the first core network is the home network of the terminal.

[0042] In conjunction with some embodiments of the first aspect, in some embodiments, the first key is generated based on a second key, where the second key is the native key of the second network element of the first core network, or the second key is a derived key of the second network element of the first core network.

[0043] In some embodiments, in conjunction with the first aspect, the method further includes sending the first key to a third network element of the first core network.

[0044] In conjunction with some embodiments of the first aspect, in some embodiments, the first key is sent based on at least one of the following: a session establishment request message; a session modification request message.

[0045] In some embodiments, in conjunction with the first aspect, the method further includes: sending indication information to a first network element of the second core network, the indication information being used by the terminal to determine the first key.

[0046] In conjunction with some embodiments of the first aspect, in some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and the derivation method of the first key.

[0047] In conjunction with some embodiments of the first aspect, in some embodiments, the key request is sent before sending the session establishment request message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0048] In conjunction with some embodiments of the first aspect, in some embodiments, the key request is sent after receiving the session establishment request acceptance message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and parameters of the access traffic routing, switching, and offloading ATSSS rules.

[0049] In a second aspect, embodiments of this disclosure provide a communication method. This method is executed by a first network element of a first core network. The method includes: receiving a second key sent by a first network element of a second core network; generating a first key based on the second key and parameters; wherein the parameters are shared by the first core network and the terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0050] In this embodiment, the first key is generated based on the second key and parameters. The second key is sent from the first network element of the second core network to the first network element of the first core network, and the parameters are shared by the first core network and the terminal. These parameters are unknown to the second core network, thus ensuring that the first key can protect the security of the PDU session between the terminal and the third network element of the first core network, while also preventing it from being generated by the second core network. Since the first network element of the second core network already needs to send a PDU session establishment request message to the first network element of the first core network, the second key is included in this message, eliminating the need to create a new message and saving signaling resources.

[0051] In other words, in this embodiment, the security of PDU sessions across networks can be improved while minimizing the consumption of signaling resources.

[0052] In conjunction with some embodiments of the second aspect, in some embodiments, the first core network is the home network of the terminal.

[0053] In a third aspect, embodiments of this disclosure provide a communication method. This method is executed by a second network element of a first core network. The method includes: receiving a key request sent by a first network element of the first core network; sending a key response to the first network element of the first core network, the key response containing a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0054] In conjunction with some embodiments of the third aspect, in some embodiments, the first core network is the home network of the terminal.

[0055] In conjunction with some embodiments of the third aspect, in some embodiments, the method further includes: generating a first key based on a second key, wherein the second key is the native key of a second network element of the first core network, or the second key is a derived key of a second network element of the first core network.

[0056] In conjunction with some embodiments of the third aspect, in some embodiments, the key request is received before receiving the session establishment request message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0057] In conjunction with some embodiments of the third aspect, in some embodiments, the key request is received after a session establishment request acceptance message has been sent; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and parameters of the access traffic routing, switching, and offloading ATSSS rules.

[0058] In a fourth aspect, embodiments of this disclosure provide a communication method. This method is executed by a first network element of a second core network. The method includes: sending a second key to the first network element of the first core network, the second key being used to generate a first key together with parameters; wherein the parameters are parameters shared by the first core network and the terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0059] In conjunction with some embodiments of the fourth aspect, in some embodiments, the first core network is the home network of the terminal.

[0060] In conjunction with some embodiments of the fourth aspect, in some embodiments, the method further includes: receiving a second key sent by a second network element of the second core network.

[0061] In conjunction with some embodiments of the fourth aspect, in some embodiments, the second key is generated based on a third key, which is used to protect the communication security between the terminal and the second network element of the second core network.

[0062] In some embodiments, in conjunction with the fourth aspect, the method further includes: receiving indication information sent by a first network element of the first core network; sending the indication information to a second network element of the second core network; wherein the indication information is used by the terminal to determine the first key.

[0063] In conjunction with some embodiments of the fourth aspect, in some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and the derivation method of the first key.

[0064] In a fifth aspect, embodiments of this disclosure provide a communication method. This method is executed by a second network element of a second core network. The method includes: sending a second key to a first network element of the second core network, the second key being used to generate a first key together with parameters; wherein the parameters are shared by the first core network and the terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0065] In conjunction with some embodiments of the fifth aspect, in some embodiments, the first core network is the home network of the terminal.

[0066] In some embodiments of the fifth aspect, the method further includes: generating a second key based on a third key, wherein the third key is used to protect the communication security between the terminal and a second network element of the second core network.

[0067] In some embodiments of the fifth aspect, the method further includes: receiving indication information sent by a first network element of the second core network; sending the indication information to a terminal through an access network; wherein the indication information is used by the terminal to determine the first key.

[0068] In conjunction with some embodiments of the fifth aspect, in some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and the derivation method of the first key.

[0069] In a sixth aspect, embodiments of this disclosure provide a communication method. The method is executed by a terminal. The method includes: receiving indication information sent by a second network element of a second core network through an access network, the indication information being used by the terminal to determine a first key; wherein the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0070] In conjunction with some embodiments of the sixth aspect, in some embodiments, the first core network is the home network of the terminal.

[0071] In conjunction with some embodiments of the sixth aspect, in some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and the derivation method of the first key.

[0072] In a seventh aspect, embodiments of this disclosure provide a communication method. This method is executed by a communication system. The method includes: a first network element of a first core network sending a key request to a second network element of the first core network; the second network element of the first core network sending a key response to the first network element of the first core network, the key response containing a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0073] In an eighth aspect, embodiments of this disclosure provide a communication method. This method is executed by a communication system. The method includes: a first network element of a second core network sending a second key to a first network element of a first core network; the first network element of the first core network generating a first key based on the second key and parameters; wherein the parameters are parameters shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0074] In a ninth aspect, embodiments of this disclosure provide a communication device. The communication device is a first network element of a first core network. The communication device includes a transceiver module. The transceiver module is configured to: send a key request to a second network element of the first core network; and receive a key response sent by the second network element of the first core network, the key response containing a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0075] In a tenth aspect, embodiments of this disclosure provide a communication device. The communication device is a first network element of a first core network. The communication device includes a transceiver module and a processing module. The transceiver module is configured to receive a second key sent by a first network element of a second core network. The processing module is configured to generate a first key based on the second key and parameters. The parameters are shared by the first core network and the terminal, and the first key is used to protect the security of a PDU session, which is a session between the terminal and a third network element of the first core network.

[0076] In an eleventh aspect, this disclosure provides a communication device. The communication device is a second network element of a first core network. The communication device includes a transceiver module and a processing module. The transceiver module is configured to: receive a key request sent by a first network element of the first core network; and send a key response to the first network element of the first core network, wherein the key response contains a first key used to protect the security of a PDU session, the PDU session being a session between a terminal and a third network element of the first core network.

[0077] In a twelfth aspect, embodiments of this disclosure provide a communication device. The communication device is a first network element of a second core network. The communication device includes a transceiver module. The transceiver module is configured to: send a second key to a first network element of a first core network, the second key being used to generate a first key together with parameters; wherein the parameters are parameters shared by the first core network and a terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0078] In a thirteenth aspect, embodiments of this disclosure provide a communication device. The communication device is a second network element of a second core network. The communication device includes a transceiver module. The transceiver module is configured to: send a second key to a first network element of the second core network, the second key being used to generate a first key together with parameters; wherein the parameters are parameters shared by the first core network and the terminal, and the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0079] In a fourteenth aspect, embodiments of this disclosure provide a communication device. The communication device is a terminal. The communication device includes a transceiver module. The transceiver module is configured to: receive indication information sent by a second network element of a second core network through an access network, the indication information being used by the terminal to determine a first key; wherein the first key is used to protect the security of a PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0080] In a fifteenth aspect, embodiments of this disclosure provide a communication system. The communication system includes a first network element of a first core network, a second network element of the first core network, a first network element of a second core network, a second network element of the second core network, and a terminal. The first network element of the first core network is configured to perform a communication method as described in any one of the first or second aspects; the second network element of the first core network is configured to perform a communication method as described in any one of the third aspects; the first network element of the second core network is configured to perform a communication method as described in any one of the fourth aspects; the second network element of the second core network is configured to perform a communication method as described in any one of the fifth aspects; and the terminal is configured to perform a communication method as described in any one of the sixth aspects.

[0081] In a sixteenth aspect, embodiments of this disclosure provide a storage medium storing instructions. When executed on a communication device, the instructions cause the communication device to perform the communication method as described in any of the first to sixth aspects.

[0082] In a seventeenth aspect, embodiments of this disclosure provide a program product. The program product includes at least one of a program and instructions. When executed by a communication device, the program or instructions implement the communication method as described in any one of the first to sixth aspects.

[0083] In an eighteenth aspect, embodiments of this disclosure provide a computer program. When this computer program is run on a computer, it causes the computer to perform the communication methods described in any one of the first to sixth aspects.

[0084] In a nineteenth aspect, embodiments of this disclosure provide a chip or chip system. The chip or chip system includes processing circuitry. The processing circuitry is configured to perform the communication methods described in any one of the first to sixth aspects.

[0085] It is understood that the aforementioned communication devices, communication systems, storage media, program products, computer programs, chips, and chip systems are all used to execute the methods provided in the embodiments of this disclosure. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.

[0086] This disclosure provides a communication method, a communication device, a communication system, a storage medium, and a program product. In some embodiments, terms such as communication method, information processing method, and information transmission method can be used interchangeably; terms such as communication device, communication equipment, network equipment, network function, and network entity can be used interchangeably; and terms such as communication system and information processing system can be used interchangeably.

[0087] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments.

[0088] In the embodiments disclosed herein, unless otherwise specified or in case of logical conflict, the terminology and / or descriptions of the various embodiments are consistent and can be referenced by each other. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.

[0089] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.

[0090] In this embodiment of the disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular expression or a plural expression.

[0091] In the embodiments of this disclosure, "a plurality of" means two or more.

[0092] In some embodiments, the terms “at least one of A or B, at least one of A and B”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.

[0093] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of whether there is a branch B); in some embodiments, B (execute B regardless of whether there is a branch A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, both A and B are executed. The same applies when there are more branches such as A, B, C, etc.

[0094] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execute A regardless of whether a branch B exists); in some embodiments, B (execute B regardless of whether a branch A exists); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, and C.

[0095] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.

[0096] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.

[0097] In some embodiments, terms such as “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “when…”, “if…”, etc. can be used interchangeably. These descriptions all refer to the device making a corresponding action under certain objective circumstances. They do not necessarily limit the time, nor do they require the device to make a judgment action when implementing it, nor do they mean that there must be other limitations.

[0098] In some embodiments, terms such as “greater than,” “more than,” “higher than,” and “exceeding” can be used interchangeably; terms such as “greater than or equal to,” “not less than,” “more than or equal to,” “not less than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably; terms such as “less than,” “less than,” and “lower than” can be used interchangeably; and terms such as “less than or equal to,” “not greater than,” “less than or equal to,” “not more than,” “lower than or equal to,” “not higher than,” and “below” can be used interchangeably.

[0099] In some embodiments, devices, etc., can be interpreted as physical or virtual, and their names are not limited to the names recorded in the embodiments. Terms such as “device”, “equipment”, “circuit”, “network element”, “node”, “function”, “unit”, “section”, “system”, “network”, “chip”, “chip system”, “entity”, and “subject” can be used interchangeably.

[0100] In some embodiments, "network" can be interpreted as devices included in a network (e.g., access network devices, core network devices, etc.).

[0101] In some embodiments, the terms "access network device (AN device)," "radio access network device (RAN device)," "base station (BS)," "radio base station," "fixed station," "node," "access point," "transmission point (TP)," "reception point (RP)," "transmission / reception point (TRP)," "panel," "antenna panel," "antenna array," "cell," "macro cell," "small cell," "femto cell," "pico cell," "sector," "cell group," "serving cell," "carrier," "component carrier," and "bandwidth part (BWP)" can be used interchangeably.

[0102] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", subscriber station, mobile unit, subscriber unit, wireless unit, remote unit, mobile device, wireless device, wireless communication device, remote device, mobile subscriberstation, access terminal, mobile terminal, wireless terminal, remote terminal, handset, user agent, mobile client, and client can be used interchangeably.

[0103] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.

[0104] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.

[0105] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.

[0106] In some embodiments, data, information, etc., may be obtained with the user's consent.

[0107] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.

[0108] Figure 1 This is a schematic diagram of the architecture of a communication system provided according to embodiments of this disclosure. Figure 1 As shown, the communication system 100 includes at least one of the following: a first network element 101 of a first core network, a second network element 102 of a first core network, a third network element 103 of a first core network, a first network element 104 of a second core network, a second network element 105 of a second core network, and a terminal 106.

[0109] Understandable Figure 1 There may be other nodes between interconnected nodes, and communication between interconnected nodes may be through other nodes. For example, there may be access network equipment, access and mobility management functions (AMFs) between terminal 106 and the first network element 101 of the first core network. This disclosure does not list all examples, but is not limited to these.

[0110] In some embodiments, the first core network may be the terminal's home network (HN), or simply the terminal's home network.

[0111] In some embodiments, the first network element 101 of the first core network may be the Session Management Function (SMF) of the terminal's home network.

[0112] In some embodiments, the second network element 102 of the first core network may be the Authentication Server Function (AUSF) of the terminal's home network.

[0113] In some embodiments, the third network element 103 of the first core network may be the user plane function (UPF) of the terminal's home network.

[0114] In some embodiments, the second core network may be the terminal's visited network (VN), or simply the terminal's visited network.

[0115] In some embodiments, the first network element 104 of the second core network may be the SMF (H-SMF) of the visited network of the terminal.

[0116] In some embodiments, the second network element 105 of the second core network may be the AMF (H-AMF) of the visited network of the terminal.

[0117] In some embodiments, terminal 106 includes, but is not limited to, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) terminal device, augmented reality (AR) terminal device, wireless terminal device in industrial control, wireless terminal device in self-driving, wireless terminal device in remote medical surgery, wireless terminal device in smart grid, wireless terminal device in transportation safety, wireless terminal device in smart city, and wireless terminal device in smart home.

[0118] In some embodiments, the communication system 100 may also include other nodes such as access network equipment, which is not limited in this disclosure.

[0119] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include, but is not limited to, at least one of the following in a 5G communication system: evolved Node B (eNB), next-generation eNB (ng-eNB), next-generation Node B (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), radio backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in a 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in a Wi-Fi system.

[0120] In some embodiments, the technical solutions of this disclosure can be applied to the Open RAN architecture. In this case, the interfaces between or within access network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN. The processes and information interactions between these internal interfaces can be implemented by software or programs.

[0121] In some embodiments, the access network device may be composed of a central unit (CU) and a distributed unit (DU). The CU may also be called a control unit. The CU-DU structure can separate the protocol layer of the access network device. Some of the protocol layer functions are centrally controlled by the CU, while the remaining part or all of the protocol layer functions are distributed in the DU and centrally controlled by the CU. However, this is not the only possibility.

[0122] In some embodiments, the communication system 100 described above may be a 4G communication system, a 5G communication system, or a 6G communication system. It should be noted that the communication system 100 may also be other communication systems, and this disclosure does not specifically limit it.

[0123] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions proposed in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions proposed in this disclosure are also applicable to similar technical problems.

[0124] The following embodiments of this disclosure can be applied to Figure 1 The communication system 100 shown, or a part of the main body of the communication system 100, but not limited thereto. Figure 1 The entities shown are illustrative; the communication system 100 may include... Figure 1 All or part of the main body, or may include Figure 1 Other entities besides the main body, the number and form of each entity are arbitrary, each entity can be physical or virtual, the connection relationship between the entities is illustrative, the entities can be unconnected or connected, and the connection can be in any way, it can be a direct connection or an indirect connection, it can be a wired connection or a wireless connection.

[0125] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, 4th generation mobile communication system (4G), 5th generation mobile communication system (5G), 5G new radio (NR), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New radio access (NX), Futuregeneration radio access (FX), Global System for Mobile communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, Ultra-Wideband (UWB), Bluetooth (a registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X) systems, systems utilizing other communication methods, and next-generation systems built upon them, etc. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).

[0126] In some embodiments, the ATSSS architecture reference model may specify the use of the multi-path quick UDP internetconnections (MPQUIC) protocol for the routing, switching, and offloading of UDP traffic between the terminal and the user plane function (UPF).

[0127] In some embodiments, the use of the MPQUIC protocol is extended to non-UDP traffic bootstrapping, handover, and offloading between the UE and UPF. This protocol is primarily applied to MA PDU sessions carrying terminal requests.

[0128] In some embodiments, the MPQUIC protocol is based on the Quick UDP Internet Connections (QUIC) protocol, which further employs transport layer security (TLS) technology to provide transport layer security protection for traffic between the terminal and the UPF.

[0129] In some embodiments, TLS can be used to provide security protection for MPQUIC, but the security modes used for TLS authentication and tunnel establishment (asymmetric certificate mode or symmetric pre-shared key (PSK) mode) are open options and not mandatory specifications.

[0130] In some embodiments, the main advantage of the PSK mode is its ability to save computational and communication overhead. Furthermore, this mode offers flexible deployment and supports early data (0-RTT) transmission in the QUIC protocol. The PSK between the terminal and the UPF can be obtained in various ways, such as through pre-configuration of hard-coded keys or derivation based on the security context between the terminal and the network. Related technologies indicate that the use of hard-coded pre-shared keys should be avoided, meaning that key derivation based on the security context between the terminal and the network may become the mainstream method for generating PSKs. The goal of the new research project in 3GPP 5GA regarding providing PSKs to achieve MPQUIC / TLS security is to study the PSK derivation and transmission for UPFs.

[0131] In some embodiments, when the UE is in the visited network (VN) and the UPF is in the home network (HN), in a home-routed roaming scenario, the derivation and transmission of the PSK poses a security risk.

[0132] For example, PSK is the key (K) of the Access and Mobility Management Function (AMF) in the UE's serving network. AMF The PSK is then exported. It is then passed to the UPF in the serving network (SN). If the UE is roaming and the requested PDU session needs to be routed to the home network, the serving network's key (e.g., K) is used. AMF Exporting the home network's PSK can introduce security risks. For example, if the home network's PSK is derived from a key in the serving network, the serving network can also export the home network's PSK without needing to derive it, thereby enabling it to decrypt or manipulate UE user plane data (UP traffic) routed to the home network.

[0133] For example, a serving network can be understood as the network where the terminal resides, or as the network the terminal is currently accessing. For instance, if the terminal accesses a visited network, then the terminal's serving network is the visited network. If the terminal accesses a home network, then the terminal's serving network is the home network.

[0134] Figure 2a This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. The communication method involved in this embodiment can be applied to a communication system 100. Figure 2a As shown, the communication method of this embodiment includes steps S2101 to S2108.

[0135] In step S2101, the first network element 101 of the first core network sends a key request to the second network element 102 of the first core network.

[0136] In some embodiments, the second network element 102 of the first core network receives a key request sent by the first network element 101 of the first core network.

[0137] In the embodiments of this disclosure, the first network element 101 of the first core network can be simply referred to as the first network element of the first core network. The second network element 102 of the first core network can be simply referred to as the second network element of the first core network.

[0138] In some embodiments, the first core network is the terminal's home network.

[0139] In some embodiments, the first network element of the first core network may be the home network's SMF (H-SMF), but is not limited thereto.

[0140] In some embodiments, the second network element of the first core network may be the AUSF (H-AUSF) of the home network, but is not limited thereto.

[0141] In some embodiments, a key request is used to request a first key. For example, after receiving a key request, a second network element of the first core network can generate a first key and send the first key to the first network element of the first core network via a key response.

[0142] In some embodiments, the first key is used to protect the security of the PDU session, which is a session between the terminal and a third network element of the first core network.

[0143] For example, the third network element of the first core network can be the UPF (H-UPF) of the home network.

[0144] For example, the H-SMF can send a key request to the H-AUSF to request a key (first key) to protect the PDU session security between the terminal and the H-UPF.

[0145] Understandably, the first network element of the first core network requests the first key from the second network element of the first core network to protect the security of the PDU session between the terminal and the third network element of the first core network. Compared to the first network element of the first core network receiving the root key from the first network element of the second core network and then generating the first key, this avoids the security risk that the second core network could also generate the first key, thereby decrypting or manipulating the user plane data (UP traffic) of the terminal routed to the first core network.

[0146] In other words, some embodiments of this disclosure can protect the security of the UPtraffic of the terminal routing in the first core network. Or, some embodiments of this disclosure can protect the security of the PDU session between the terminal and a third network element of the first core network.

[0147] For example, the first core network is the home network of the terminal. The third network element of the first core network is the H-UPF. Some embodiments of this disclosure can protect the security of UP traffic of the terminal routed on the home network. In other words, some embodiments of this disclosure can protect the security of PDU sessions between the terminal and the H-UPF.

[0148] In some embodiments, the key request is sent before the Session Establishment Request message is sent.

[0149] For example, a session establishment request message can be sent from the first network element of the first core network to the third network element of the first core network.

[0150] For example, a first network element in the first core network can send a key request to a second network element in the first core network before sending a session establishment request message. After receiving the key response and obtaining the first key from the key response, the session establishment request message is then sent, thus allowing the first key to be included in the session establishment request message.

[0151] In this embodiment, even without initiating the PDU session modification process, the first key can be sent to the third network element of the first core network, which can save signaling resources and improve efficiency.

[0152] In some embodiments, the first network element of the first core network is H-SMF, the third network element of the first core network is H-UPF, and N4 is the interface between SMF and UPF. The key request can be sent before sending the N4 SessionEstablishment Request message. That is, the session establishment request message in the above embodiments can be an N4 session establishment request message.

[0153] For example, after receiving the PDU session request message from the terminal, the SMF can send an N4 session establishment request to the UPF to perform operations such as instruction and configuration on the UPF, thereby determining whether to accept the terminal's PDU session request by obtaining the response from the UPF.

[0154] In this embodiment, H-SMF can receive PDU session requests from the terminal from the SMF (V-SMF) of the visited network. After receiving the terminal's PDU session request message, H-SMF first sends a key request to H-AUSF. After receiving the key response and obtaining the first key from the key response, H-AUSF sends an N4 session establishment request to H-UPF. The first key is included in the N4 session establishment request.

[0155] In some embodiments, where the key request is sent before the session establishment request message is sent, the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0156] For example, a second network element of the first core network can generate a first key based on at least one of the terminal identifier and the PDU session identifier.

[0157] For example, it can be generated using a Key Derivation Function (KDF), whose input parameters include at least one of the following:

[0158] P0: Identifier of the PDU session;

[0159] L0: The length of the identifier for the PDU session;

[0160] P1: Terminal identifier;

[0161] L1: The length of the terminal's identifier.

[0162] For example, the identifier of a terminal may include a Subscription Permanent Identifier (SUPI) or the terminal's Internet Protocol (IP) address, but is not limited to these.

[0163] Understandably, the input parameters of KDF are not limited to these; for example, they can also include function numbers (FunctionCode, FC), etc.

[0164] Understandably, if the key request is sent before the session establishment request message is sent, the key request does not include the parameters of the ATSSS rule, thus allowing the first key to be unbound to the ATSSS procedure parameters.

[0165] In some embodiments, before the first network element of the first core network sends a key request to the second network element of the first core network, the following steps may be included: the terminal sends a PDU session establishment request to the second network element of the second core network; the second network element of the second core network selects the first network element of the second core network and sends the PDU session establishment request to the selected first network element of the second core network; and the first network element of the second core network sends a PDU session establishment request to the first network element of the first core network.

[0166] For example, the first network element of the first core network is H-SMF, the second network element of the first core network is H-AUSF, the first network element of the second core network is V-SMF, and the second network element of the second core network is the AMF of the visited network (V-AMF). When the V-AMF receives the UE's PDU session establishment request, it selects a V-SMF and sends the PDU session establishment request to the selected V-SMF. The V-SMF then sends the PDU session establishment request to the H-SMF.

[0167] In some embodiments, the key request is sent after the session establishment request acceptance message has been received.

[0168] For example, a session establishment request acceptance message can be sent from a third network element of the first core network to a first network element of the first core network.

[0169] For example, the first network element of the first core network can send a session establishment request message to the third network element of the first core network. The third network element of the first core network can send a session establishment request acceptance message to the first network element of the first core network. After receiving the session establishment request acceptance message, the first network element of the first core network sends a key request to the second network element of the first core network.

[0170] In this embodiment, the first network element of the first core network only sends a key request if the third network element of the first core network accepts the session establishment request. This avoids meaningless key request transmission and thus saves signaling resources. For example, if the third network element of the first core network does not accept the session establishment request, then the first network element of the first core network may not send a key request.

[0171] In some embodiments, a session establishment request acceptance message may also be referred to as a positive session establishment response.

[0172] In some embodiments, the first network element of the first core network is H-SMF, the third network element of the first core network is H-UPF, and N4 is the interface between SMF and UPF. The key request can be sent after receiving the N4 session establishment request acceptance message. That is, the session establishment request acceptance message in the above embodiments can be an N4 session establishment request acceptance message, or it can be referred to as a positive N4 session establishment response.

[0173] For example, after receiving a PDU session request message from a terminal, the SMF can send an N4 session establishment request to the UPF to instruct and configure the UPF. If the UPF supports the received instructions and configuration, it can send a session establishment accept message to the SMF. If it does not support them, the UPF can send a session establishment reject message. A session establishment reject message can also be called a negative session establishment response.

[0174] In this embodiment, the H-SMF can receive the terminal's PDU session request from the V-SMF. After receiving the terminal's PDU session request message, it sends an N4 session establishment request to the H-UPF. After receiving the H-UPF's N4 session establishment request acceptance message, the H-SMF sends a key request to the H-AUSF.

[0175] In some embodiments, when the key request is sent after receiving the session establishment request acceptance message, the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and the parameters of the ATSSS rule.

[0176] For example, the second network element of the first core network can generate the first key based on at least one of the terminal identifier, the PDU session identifier, and the parameters of the ATSSS rule.

[0177] For example, a first key can be generated using a Key Derivation Function (KDF), whose input parameters include at least one of the following:

[0178] P0: Identifier of the PDU session;

[0179] L0: The length of the identifier for the PDU session;

[0180] P1: Terminal identifier;

[0181] L1: The length of the terminal's identifier;

[0182] P2: Parameters of the ATSSS rule;

[0183] L2: The length of the parameters of the ATSSS rule.

[0184] It is understandable that the input parameters of KDF are not limited to these; for example, they can also include FC, etc.

[0185] In some embodiments, after the first network element of the first core network sends a key request to the second network element of the first core network, the following steps may be further included: the terminal sends a PDU session establishment request to the second network element of the second core network; the second network element of the second core network selects the first network element of the second core network and sends the PDU session establishment request to the selected first network element of the second core network; the first network element of the second core network sends a PDU session establishment request to the first network element of the first core network; the first network element of the first core network sends an N4 session establishment request to the third network element of the first core network; and the third network element of the first core network sends an N4 session establishment request acceptance message to the first network element of the first core network.

[0186] For example, the first network element of the first core network is H-SMF, the second network element of the first core network is H-AUSF, the first network element of the second core network is V-SMF, and the second network element of the second core network is the AMF of the visited network (V-AMF). The V-AMF receives the UE's PDU session establishment request, selects a V-SMF, and sends the PDU session establishment request to the selected V-SMF. The V-SMF sends the PDU session establishment request to the H-SMF. The H-SMF sends an N4 session establishment request to the H-UPF. The H-UPF sends an N4 session establishment request acceptance message to the H-SMF.

[0187] In some embodiments, the PDU session between the terminal and the third network element of the first core network can be an MA PDU session, but is not limited thereto.

[0188] In some embodiments, the first key may be a PSK, but is not limited thereto.

[0189] In some embodiments, a key request may also be referred to as a key request message or a first message, etc., and this disclosure does not limit it in this regard.

[0190] In step S2102, the second network element 102 of the first core network generates the first key.

[0191] In some embodiments, a second network element of the first core network can generate a first key based on a second key.

[0192] For example, the second network element of the first core network can use KDF to generate the first key based on the second key.

[0193] For example, the input key of KDF is the second key, and the input parameters of KDF are at least one of the following: FC: to be determined; P0: PDU session identifier; L0: length of PDU session identifier; P1: terminal identifier; L1: length of terminal identifier; P2: ATSSS rule parameter; L2: length of ATSSS rule parameter. The output key of KDF is the second key.

[0194] For example, the input parameters of KDF can be determined based on the key request sent by the first network element of the first core network.

[0195] In some embodiments, the second key is the native key of the second network element of the first core network, or the second key is the derived key of the second network element of the first core network.

[0196] For example, the second network element of the first core network can be H-AUSF, and the native key of AUSF can be called K. AUSF In other words, the second key can be the K of H-AUSF. AUSF .

[0197] For example, K AUSF It can be generated during the Authentication and Key Agreement (AKA) or the modified AKA (EAP-AKA') process. AUSF It can be stored in AUSF and used to derive other keys.

[0198] For example, K AUSF It can derive the Security Anchor Function key (K). SEAF ).

[0199] For example, the second network element of the first core network can be H-AUSF, and the derived key of AUSF can include K. SEAF The second key can be the K key of H-AUSF. SEAF .

[0200] In some embodiments, a second network element of the first core network can send the first key to the first network element of the first core network via a key response.

[0201] In step S2103, the second network element 102 of the first core network sends a key response to the first network element 101 of the first core network.

[0202] In some embodiments, the first network element 101 of the first core network receives a key response sent by the second network element 102 of the first core network.

[0203] In some embodiments, the key response includes a first key.

[0204] In some embodiments, the key response may also be referred to as a key response message, a second message, etc., and this disclosure does not limit it.

[0205] In step S2104, the first network element 101 of the first core network sends the first key to the third network element 103 of the first core network.

[0206] In some embodiments, the third network element 103 of the first core network receives the first key sent by the first network element 101 of the first core network.

[0207] In the embodiments of this disclosure, the third network element 103 of the first core network can be simply referred to as the third network of the first core network.

[0208] In some embodiments, the third network element 101 of the first core network receives the first key and can protect the security of the PDU session between the terminal based on the first key.

[0209] For example, before establishing a PDU session, the terminal and the third network element of the first core network can use the first key to authenticate each other. After successful authentication, a PDU session is established, thereby protecting the security of the PDU session.

[0210] In some embodiments, the first key sent by the first network element of the first core network to the third network element of the first core network is based on at least one of the following: a session establishment request message; a session modification request message.

[0211] For example, the first network element of the first core network can send a session establishment request message to the third network element of the first core network, and the session establishment request message includes the first key.

[0212] For example, the first network element of the first core network can send a session establishment modification message to the third network element of the first core network, and the session establishment modification message includes the first key.

[0213] In step S2105, the first network element 101 of the first core network sends an instruction message to the first network element 104 of the second core network.

[0214] In some embodiments, the first network element 104 of the second core network receives indication information sent by the first network element 101 of the first core network.

[0215] In some embodiments, after receiving the indication information, the first network element 104 of the second core network can send the indication information to the second network element 105 of the second core network. After receiving the indication information, the second network element 105 of the second core network can send the indication information to the terminal 106 through the access network.

[0216] In the embodiments of this disclosure, the first network element 104 of the second core network can be simply referred to as the first network element of the second core network. The second network element 105 of the second core network can be simply referred to as the second network element of the second core network.

[0217] In some embodiments, the second core network may be the terminal's visited network.

[0218] In some embodiments, the first network element of the second core network may be a V-SMF.

[0219] In some embodiments, the second network element of the second core network may be a V-AMF.

[0220] For example, the first network element of the first core network is H-SMF, the first network element of the second core network is V-SMF, and the second network element of the second core network is V-AMF. H-SMF can send indication information to V-SMF, V-SMF can send indication information to V-AMF, V-AMF can send indication information to access network devices, and access network devices can send indication information to terminals.

[0221] For example, the H-SMF can send indication information to the V-SMF via a PDU session establishment response message. That is, the indication information can be included in the PDU session response message sent by the H-SMF to the V-SMF.

[0222] For example, the V-SMF can send indication information to the V-AMF through the "Namf_Communication_N1N2MessageTransfer" service. Here, Namf_Communication indicates that this is a communication service provided by the AMF, and _N1N2MessageTransfer indicates that the function of this service is to transmit N1 and N2 messages. N1 is the interface between the UE and the AMF, and N2 is the interface between the AMF and the access network equipment.

[0223] For example, V-AMF can send indication information to access network devices through PDU session request messages, that is, the indication information can be included in the PDU session request message.

[0224] For example, the access network device can send indication information to the terminal through an RRC reconfiguration message; that is, the indication information can be included in the RRC reconfiguration message.

[0225] In some embodiments, the indication information is used by the terminal to determine a first key. The terminal can determine the first key based on the indication information and use the first key to protect the security of the PDU session between the terminal and a third network element of the first core network.

[0226] In some embodiments, the indication information includes at least one of the following: the PDU session is a home-routed PDU session; and the method for deriving the first key.

[0227] For example, the indication information may include: the PDU session is a home network routing PDU session. Based on the indication that the PDU session is a home network routing PDU session, the terminal can determine that it should authenticate with the home network's UPF, and then use the corresponding key derivation method to generate the first key.

[0228] For example, the terminal can have two key derivation methods: one for PDU sessions that are not part of the home network and one for PDU sessions that are part of the home network. If an indication message is received indicating that the PDU session is a part of the home network, a key for protecting the PDU session (e.g., the first key in this embodiment) can be generated based on the key derivation method corresponding to the part of the home network PDU session. If no indication message is received or if an indication message is received indicating that the PDU session is not part of the home network, a key for protecting the PDU session can be generated based on the key method corresponding to the part of the home network PDU session.

[0229] For example, the two key methods mentioned above can be configured by the network device or predefined in the protocol, and this disclosure does not limit them.

[0230] It is understood that a terminal may have more than two key derivation methods, and this disclosure does not limit this.

[0231] For example, the instruction information may include a method for deriving the first key.

[0232] For example, the terminal does not need to know whether the PDU session is a home network routed PDU session or a non-home network routed PDU session. It can send the key derivation method corresponding to the home network routed PDU session (such as the derivation method of the first key in the embodiments of this disclosure) to the terminal through the instruction information.

[0233] In some embodiments, the instruction information may also be referred to as additional instruction or additional information, which is not limited herein.

[0234] In step S2106, the first network element 104 of the second core network sends an instruction message to the second network element 105 of the second core network.

[0235] The relevant embodiments of step S2106 can be referred to step S2105, and will not be repeated here.

[0236] In step S2107, the second network element 105 of the second core network sends indication information to the terminal 106 through the access network.

[0237] The relevant embodiments of step S2107 can be referred to step S2105, and will not be repeated here.

[0238] In step S2108, terminal 106 generates a first key based on the instruction information.

[0239] In some embodiments, a third network element of the first core network can receive a first key sent by a first network element of the first core network, and a terminal can generate a first key based on indication information. The third network element of the first core network and the terminal can protect the PDU session based on the same first key.

[0240] For example, third network elements and terminals in the first core network can authenticate each other based on the first key.

[0241] For example, after successful authentication based on the first key, a secure Transport Layer Security (TLS) tunnel can be established, and the PDU session can take place over the secure TLS tunnel.

[0242] In some embodiments, the names of information, etc., are not limited to the names described in the embodiments. Terms such as "information", "message", "signal", "signaling", "report", "configuration", "indication", "instruction", "command", "channel", "parameter", "domain", "field", "symbol", "symbol", "codebook", "codeword", "codepoint", "bit", "data", "program", and "chip" can be used interchangeably.

[0243] In some embodiments, "acquire," "get," "obtain," "receive," "transmit," "bidirectional transmission," and "send and / or receive" can be used interchangeably and can be interpreted as receiving from other entities, acquiring from protocols, acquiring from higher layers, obtaining through self-processing, or autonomous implementation. Protocols include, for example, at least one of the 3GPP protocol, Wi-Fi protocol, and audio and / or video protocols.

[0244] In some embodiments, terms such as “send,” “transmit,” “report,” “distribute,” “transfer,” “bidirectional transmission,” “send and / or receive” can be used interchangeably.

[0245] In some embodiments, terms such as "certain", "preset", "default", "set", "indicated", "a certain", "any", and "first" can be used interchangeably. "Certain A", "preset A", "default A", "set A", "indicated A", "a certain A", "any A", and "first A" can be interpreted as A pre-defined in a protocol or the like, or as A obtained through setting, configuration, or instruction, or as specific A, a certain A, any A, or first A, but are not limited thereto.

[0246] The communication method involved in the embodiments of this disclosure may include at least one of steps S2101 to S2108. For example, steps S2101 and S2103 may be implemented as independent embodiments, but are not limited thereto. For example, steps S2105 to S2107 may be implemented as separate embodiments, but are not limited thereto.

[0247] In some embodiments, any one of steps S2102, S2104 to S2108 is optional, and any one or more of them may be omitted or substituted in different embodiments.

[0248] In some embodiments, the execution order of steps S2101 to S2108 is not limited. For example, step S2105 may be executed before step S2101, after step S2101, or simultaneously, and is not limited thereto.

[0249] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0250] Figure 2b This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. The communication method involved in this embodiment can be applied to a communication system 100. Figure 2b As shown, the communication method of this embodiment includes steps S2201 to S2209.

[0251] In step S2201, the second network element 105 of the second core network generates the second key.

[0252] In this embodiment of the disclosure, the second network element 105 of the second core network can be simply referred to as the second network element of the second core network.

[0253] In some embodiments, the second core network may be the terminal's visited network.

[0254] In some embodiments, the second network element of the second core network may be a V-AMF.

[0255] In some embodiments, the second network element of the second core network can generate a second key based on a third key.

[0256] For example, a second key can be generated using KDF. The input key for KDF is the third key, and the input parameters of KDF are at least one of the following: FC: to be determined; P0: the identifier of the first network element of the first core network; L0: the length of P0, i.e., the length of the identifier of the first network element of the first core network; P1: the count (COUNT) in the Non-Access Stratum (NAS) message; L1: the length of P1, i.e., the length of COUNT.

[0257] For example, a NAS message can be a PDU session establishment request message. The counter increments by one each time the terminal sends a PDU session establishment request message. In other words, different PDU sessions can correspond to different counters.

[0258] In some embodiments, the third key is used to protect the communication security between the terminal and the second network element of the second core network.

[0259] For example, the second network element of the second core network is V-AMF. The AMF key (K) of V-AMF... AMF This can protect the security of communication between the terminal and V-AMF. In other words, the third key can be the V-AMF's K... AMF .

[0260] For example, the second network element of the second core network is V-AMF. The K of V-AMF... SEAF It can be used to protect the security of communication between the terminal and V-AMF. In other words, the third key can be the V-AMF's K key. SEAF .

[0261] In some embodiments, the third key may be referred to as K. H-SMF .

[0262] In some embodiments, before the second network element of the second core network generates the second key, the following steps may be included: the terminal sends a PDU session request message to the second network element of the second core network.

[0263] In step S2202, the second network element 105 of the second core network sends the second key to the first network element 104 of the second core network.

[0264] In some embodiments, the first network element 104 of the second core network receives the second key sent by the second network element 105 of the second core network.

[0265] In some embodiments, the first network element 104 of the second core network may be simply referred to as the first network element of the second core network.

[0266] In some embodiments, the first network element of the second core network may be a V-SMF.

[0267] In some embodiments, before the second network element of the second core network sends the second key to the first network element of the second core network, the following step may be included: the second network element of the second core network selects the first network element of the second core network.

[0268] In some embodiments, the second key may be included in a PDU session request message sent by a second network element of the second core network to a first network element of the second core network.

[0269] For example, the first network element of the second core network is a V-SMF. The second network element of the second core network is a V-AMF. After receiving a PDU session request message from the terminal, the V-AMF generates a second key. The V-AMF selects a V-SMF and sends the second key to the selected V-SMF in the PDU session request message.

[0270] In step S2203, the first network element 104 of the second core network sends the second key to the first network element 101 of the first core network.

[0271] In some embodiments, the first network element 101 of the first core network receives the second key sent by the first network element 104 of the second core network.

[0272] In this embodiment of the disclosure, the first network element 101 of the first core network can be referred to as the first network element of the first core network.

[0273] In some embodiments, the first core network may be the home network of the terminal.

[0274] In some embodiments, the first network element of the first core network may be an H-SMF.

[0275] In some embodiments, the second key is used together with parameters to generate the first key, which are parameters shared by the first core network and the terminal.

[0276] For example, this parameter can be stored in the first network element of the first core network. Alternatively, it can be stored in other network elements of the first core network, such as the Unified Data Management (UDM) network element or the Policy Control Function (PCF) network element of the first core network. The first network element of the first core network can retrieve this parameter from the UDM or PCF of the first core network.

[0277] For example, this parameter can be called a shared parameter or a pre-configured parameter.

[0278] Understandably, in Figure 2a In this embodiment, the parameters for generating the first key can be parameters shared by the first core network and the terminal, or they can be parameters not shared by the first core network and the terminal. However... Figure 2b In this embodiment, the parameters for generating the first key are parameters shared by the first core network and the terminal.

[0279] exist Figure 2aIn this embodiment, the first key is generated based on the second key and parameters. The second key is the native key or derived key of the second network element of the first core network. The second core network cannot know the native key and derived key of the first network element of the first core network, and therefore cannot generate the first key. The first key can protect the security of the PDU session between the terminal and the third network element of the first core network.

[0280] Therefore, in Figure 2a In the embodiments, the parameters for generating the first key may be parameters shared by the first core network and the terminal, or they may not be parameters shared by the first core network and the terminal.

[0281] And in Figure 2b In one embodiment, the first key is generated based on the second key and parameters. The second key is sent by the first network element of the second core network to the first network element of the first core network. In other words, the second core network may generate the first key based on the second key, which may result in the first key being unable to ensure that the PDU session between the terminal and the third network element of the first core network is not eavesdropped or tampered with by the second core network.

[0282] Therefore, in Figure 2b In this embodiment, the parameters for generating the first key are shared by the first core network and the terminal. These parameters are unknown to the second core network, thus ensuring the security of the PDU session between the terminal and a third network element of the first core network, preventing eavesdropping or tampering by the second core network. In other words, this improves the security of PDU sessions across network routes.

[0283] Understandably, in Figure 2a In one embodiment, the key request sent by the first network element of the first core network to the second network element of the first core network is a new message. And... Figure 2b In this embodiment, the first network element of the second core network already needs to send a PDU session establishment request message to the first network element of the first core network; therefore, the second key is included in this message, and there is no need to establish a new message. In other words, Figure 2b The implementation can improve the security of PDU sessions across networks while minimizing the consumption of signaling resources.

[0284] In some embodiments, the parameters shared between the first core network and the terminal may be referred to as pre-configured parameters, but are not limited thereto. For example, these parameters may also be referred to as shared parameters, etc.

[0285] In step S2204, the first network element 101 of the first core network generates the first key.

[0286] In some embodiments, the first network element of the first core network can generate the first key based on the second key.

[0287] For example, the first network element of the first core network can use KDF to generate the first key based on the second key.

[0288] For example, the input key of KDF is the second key. The input parameters of KDF include: FC: to be determined; P0: parameters shared by the first core network and the terminal; L0: the length of P0. The output key of KDF is the first key.

[0289] Steps S2205 to S2209 are the same as steps S2104 to S2108, and will not be repeated here.

[0290] In the embodiment of step S2209, when the terminal receives the instruction information, the terminal can generate a second key in a manner similar to that in step S2201, and then generate a first key based on the second key and parameters, which are parameters shared by the first core network and the terminal.

[0291] The communication method involved in the embodiments of this disclosure may include at least one of steps S2201 to S2209. For example, steps S2203 and S2204 may be implemented as independent embodiments, but are not limited thereto. For example, steps S2206 to S2208 may be implemented as separate embodiments, but are not limited thereto.

[0292] In some embodiments, any one of steps S2201 to S2202 and steps S2205 to S2209 is optional, and any one or more of them may be omitted or substituted in different embodiments.

[0293] In some embodiments, the execution order of steps S2201 to S2209 is not limited. For example, step S2206 may be executed before step S2204, after step S2204, or simultaneously, and is not limited thereto.

[0294] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.

[0295] It is understood that the examples of the first network element, second network element, and third network element of the first core network, the first network element of the second core network, and the second network element of the second core network in this embodiment are merely illustrative and can be other network elements capable of performing the above steps. For example, in different communication systems, the step of sending the key request may not be performed by the SMF. For example, in different communication systems, the key request may not be sent to the AUSF, but to other network elements. This disclosure does not provide examples of similar situations, but is not limited thereto.

[0296] Understandably, in this public disclosure Figure 2a Examples and Figure 2b Although a second key exists in all embodiments, it can refer to different second keys. For example, in Figure 2a In one embodiment, the second key may be K AUSF ,exist Figure 2b In one embodiment, the second key may be K AMF The second key can also be other keys, and this disclosure is not limited to them.

[0297] Figure 3a This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. Embodiments of this disclosure relate to communication methods. Figure 3a As shown, the above method includes steps S3101 to S3102.

[0298] In step S3101, the first network element 101 of the first core network sends a key request to the second network element 102 of the first core network.

[0299] For optional implementations of step S3101, please refer to [link / reference]. Figure 2a Optional implementations of step S2101, and Figure 2a Other related parts in the embodiments involved will not be described in detail here.

[0300] In step S3102, the second network element 102 of the first core network sends a key response to the first network element 101 of the first core network.

[0301] For optional implementations of step S3102, please refer to [link / reference]. Figure 2a Optional implementations of step S2103, and Figure 2a Other related parts in the embodiments involved will not be described in detail here.

[0302] In some embodiments, the first core network is the terminal's home network.

[0303] In some embodiments, the first key is generated based on the second key, which is either the native key of the second network element of the first core network or a derived key of the second network element of the first core network.

[0304] In some embodiments, the method further includes sending a first key to a third network element of the first core network.

[0305] In some embodiments, the first key sent to the third network element of the first core network is sent based on at least one of the following: a session establishment request message; a session modification request message.

[0306] In some embodiments, the method further includes: sending indication information to a first network element of the second core network, the indication information being used to determine a first terminal key.

[0307] In some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and a method for deriving the first key.

[0308] In some embodiments, the key request is sent before sending the session establishment request message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0309] In some embodiments, the key request is sent after receiving the session establishment request acceptance message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and parameters of the access traffic routing, handover, and offloading ATSSS rules.

[0310] Figure 3b This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. Embodiments of this disclosure relate to communication methods. Figure 3b As shown, the above method includes steps S3201 to S3202.

[0311] In step S3201, the first network element 104 of the second core network sends the second key to the first network element 101 of the first core network.

[0312] For optional implementations of step S3201, please refer to [link / reference]. Figure 2b Optional implementations of step S2203, and Figure 2b Other related parts in the embodiments involved will not be described in detail here.

[0313] In step S3202, the first network element 101 of the first core network generates the first key.

[0314] For optional implementations of step S3202, please refer to [link / reference]. Figure 2b Optional implementations of step S2204, and Figure 2b Other related parts in the embodiments involved will not be described in detail here.

[0315] In some embodiments, the first core network is the terminal's home network.

[0316] In the following, the technical solutions of the embodiments of this disclosure will be described by way of specific implementation.

[0317] In some embodiments, the PSK of the home network's UPF should be derived from the key in the home network; or if the serving network sends a key to the home network, the home network should derive a new PSK based on the key from the serving network to achieve key separation.

[0318] Figure 4a This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. Embodiments of this disclosure relate to communication methods. Figure 4a As shown, the above method includes steps S4101 to S4119.

[0319] In some embodiments, to prevent the use of keys from the serving network to derive the PSK of the home UPF, it is recommended that:

[0320] Keys in the service network should not be transmitted to the home network;

[0321] The SMF (H-SMF) in the home network requests a PSK from the network function (NF) in the home network (e.g., AUSF);

[0322] H-SMF sends PSK to the UPF (H-UPF) in the home network;

[0323] The PSK derivation method for home route roaming differs from that in the serving / visited network. To ensure the UE selects the correct derivation method, the home network (e.g., H-SMF) should send an indication to the UE, informing it of the home route established for the PDU session.

[0324] In step S4101, the UE sends a PDU session establishment request message to the V-AMF.

[0325] In some embodiments, the UE provides the request type as "MA PDU Request" in the UL NAS transport message and provides its ATSSS capability in the PDU session establishment request message.

[0326] In step S4102, V-AMF and V-SMF create a Session Management (SM) context for the PDU session.

[0327] In some embodiments, based on the request type of the "MA PDU Request" received from the UE, the V-AMF initiates the SMContext Creation procedure, selects a V-SMF, and notifies the V-SMF that the request is for an MA PDU session by including an "MA PDU Request" indication. The V-AMF also provides the V-SMF with the identity of the H-SMF.

[0328] In step S4103, V-UPF and V-SMF establish an N4 session.

[0329] In some embodiments, the V-SMF uses the selected V-UPF to initiate the N4 session establishment process.

[0330] In step S4104, the V-SMF sends a PDU session establishment request message to the H-SMF.

[0331] In some embodiments, based on the identity of the H-SMF received from the V-AMF in step S4102, the V-SMF sends a PDU session establishment request message (Nsmf_PDUSession_Create Request) to the H-SMF, which includes the UE ID, PDU session ID, "MA PDU Request" indication, etc.

[0332] In step S4105, H-SMF sends a PDU session establishment request message containing the user plane (UP) security policy to H-UPF.

[0333] In some embodiments, the H-SMF initiates an N4 session establishment process with the selected H-UPF by sending an N4 session establishment / modification request. If the MA PDU session supports MPQUIC functionality, the H-SMF instructs the H-UPF to activate the corresponding functionality for this MA PDU session. The H-SMF also includes the UE ID and UP security policy used to request the MA PDU session in the request message.

[0334] In step S4106, H-UPF sends an N4 session establishment response message to H-SMF containing a QUIC security activation indication or a TLS security activation indication.

[0335] In some embodiments, if the H-UPF is able to accept the N4 session establishment request of the MA PDU session, it determines how to activate QUIC / TLS security based on the received UP security policy and returns a QUIC / TLS security activation indication to the H-SMF.

[0336] In step S4107, H-SMF sends a key request message to AUSF containing the UE identifier (ID) and PDU session ID.

[0337] In some embodiments, upon receiving an affirmative N4 session establishment response, the H-SMF sends a key request to the AUSSF, which includes the UE ID, PDU session ID, and parameters from the ATSSS rules.

[0338] In step S4108, AUSF derives PSK.

[0339] In some embodiments, AUSF uses the following parameters from K AUSF or K SEAF Export the PSK to form the input S of the KDF:

[0340] -FC = Undetermined (TBD);

[0341] -P0 = PDU Session ID;

[0342] -L0 = length of P0;

[0343] -P1 = UE ID (e.g., SUPI or UE IP address);

[0344] -L1 = length of P1;

[0345] -P2 = a parameter in the ATSSS rule (e.g., "MPQUIC link-specific multipath" address / prefix);

[0346] -L2 = length of P2;

[0347] The key is K. AUSF / K SEAF .

[0348] In step S4109, AUSF sends a key response message containing the PSK to H-SMF.

[0349] In some embodiments, AUSF returns a key response message containing the exported PSK.

[0350] In step S4110, H-UPF and H-SMF establish an N4 session.

[0351] In some embodiments, H-SMF and H-UPF initiate an N4 session modification process to send the PSK to H-UPF.

[0352] In step S4111, the H-SMF sends indication information to the V-SMF via a PDU session establishment response message.

[0353] In some embodiments, the H-SMF returns a PDU session establishment request message (Nsmf_PDUSession_Create Response) to the V-SMF, which includes an "MA PDU session accepted" indication and additional indications to be transmitted to the UE.

[0354] In some embodiments, the additional indication may indicate the Home Routed (HoR) session or the PSK derivation method, such as the Home Routed (HoR) indication or the PSK KDF FC number.

[0355] In step S4112, V-SMF and V-UPF perform the N4 session modification process.

[0356] In some embodiments, the V-SMF uses the selected V-UPF to initiate the N4 session establishment process.

[0357] In step S4113, the V-SMF sends indication information to the V-AMF through the communication service provided by the AMF for transmitting N1 and N2 messages.

[0358] In some embodiments, the V-SMF sends a Namf_Communication_N1N2MessageTransfer message to the V-AMF, which contains indication information provided by the H-SMF. For example, the indication information is the additional indication in the above embodiments.

[0359] In step S4114, the V-AMF sends indication information to the RAN via a PDU session response message.

[0360] In some embodiments, the V-AMF sends a PDU session request message to the RAN, which includes an indication provided by the H-SMF.

[0361] In step S4115, the RAN sends indication information to the UE via an RRC reconfiguration message.

[0362] In some embodiments, the RAN node sends an RRC reconfiguration message to the UE, which includes indication information provided by the H-SMF. For example, the indication information is the additional indication in the above embodiments.

[0363] In step S4116a, the UE derives the PSK.

[0364] In some embodiments, upon receiving an RRC reconfiguration message, if it includes indication information provided by H-SMF, the UE determines in step S4108 to reconfigure from K in the same manner as AUSF. AUSF / K SEAF Export the PSK. For example, the instruction information is the additional instruction in the above embodiment.

[0365] In step S4116b, the RAN sends a PDU session response message to the V-AMF.

[0366] In some embodiments, after exchanging access network (AN) specific signaling with the UE, the RAN returns a PDU session response message to the V-AMF.

[0367] In step S4117, each node establishes a secure TLS using PSK based on the QUIC security instruction.

[0368] In some embodiments, the UE and H-UPF mutually authenticate each other based on the PSK exported by both parties, and then establish TLS tunnel security.

[0369] In step S4118, the UE sends the first user plane data based on PSK protection to the H-UPF.

[0370] In some embodiments, starting from this step, the UE is now able to send first user plane data protected by TLS security.

[0371] In step S4119, V-AMF and V-SMF update the SM context of the PDU session.

[0372] In some embodiments, the V-AMF initiates a PDU session SM context update (Nsmf_PDUSession_UpdateSMContext) procedure to forward N2 SM information received from the RAN to the V-SMF.

[0373] Figure 4b This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. Embodiments of this disclosure relate to communication methods. Figure 4b As shown, the above method includes steps S4201 to S4218.

[0374] In some embodiments, the H-SMF can request a PSK from the AUSF before initiating the N4 session establishment process with the selected H-UPF. During the N4 session establishment process, the H-SMF can already send the exported PSK to the H-UPF, and there is no need to initiate the N4 session modification process.

[0375] Steps S4201 to S4204 are the same as steps S4101 to S4104, and steps S4205 and S4107 are the same, so they will not be described again.

[0376] In step S4206, AUSF derives PSK.

[0377] In some embodiments, the parameters in the ATSSS rules are not included in the input parameters of the PSK derivation; that is, the PSK is derived from K using the following parameters. AUSF or K SEAF The derived input S, used to form the KDF:

[0378] FC = TBD;

[0379] P0 = P0 = PDU Session ID;

[0380] L0 = length of P0;

[0381] P1 = UE ID (e.g., SUPI or UE IP address);

[0382] L1 = length of P1;

[0383] The key is K. AUSF / K SEAF .

[0384] Steps S4207 and S4109 are the same and will not be described again.

[0385] In step S4208, H-SMF sends an N4 session establishment request message containing the UP security policy and PSK to H-UPF.

[0386] In step S4209, H-UPF sends an N4 session establishment response message to H-SMF containing a QUIC security activation indication or a TLS security activation indication.

[0387] Steps S4210 to S4218 and steps S4111 to S4119 are the same and will not be described again.

[0388] Figure 4c This is an interactive schematic diagram of a communication method provided according to an embodiment of this disclosure. Embodiments of this disclosure relate to communication methods. Figure 4c As shown, the above method includes steps S4301 to S4316.

[0389] In some embodiments, in order to derive a new PSK for the home network using a key from the serving network, it is recommended that:

[0390] - The serving network should transmit the key (e.g., K) to the home network. HSMF );

[0391] -H-SMF uses a key from the home network and parameters shared between the UE and the home network to derive a new PSK;

[0392] -H-SMF sends a new PSK to H-UPF;

[0393] - Because the PSK derivation for home route roaming differs from the PSK derivation method in the serving / visited network, the H-SMF should send an indication to the UE informing it of the home route status established in the PDU session in order to allow the UE to select the correct derivation method.

[0394] In step S4301, the UE sends a PDU session establishment request message to the V-AMF.

[0395] In some embodiments, the UE provides the request type as "MA PDU Request" in the UL NAS transport message and provides its ATSSS capability in the PDU session establishment request message.

[0396] In step S4302, V-AMF sends the key to V-SMF through the PDU session creation Session Management (SM) context procedure.

[0397] In some embodiments, based on the request type of the "MA PDU Request" received from the UE, the V-AMF initiates the SMContext Creation procedure, selects a V-SMF, and notifies the V-SMF that the request is for a MAPDU session by including an "MA PDU Request" indication. The V-AMF also provides the V-SMF with the identity of the H-SMF.

[0398] In some embodiments, V-AMF can be derived from K AMF Exporting keys (e.g., K) HSMF ), and K HSMF Send to V-SMF.

[0399] In some embodiments, K HSMF The following parameters are used to form the input S of the KDF:

[0400] -FC = Pending;

[0401] -P0 = "Home Network Router ID" or "Home Network SMF ID" or "Home Network UPF ID";

[0402] -L0 = the length of P0;

[0403] -P1 = count;

[0404] -L1 = Count length;

[0405] The input key KEY can be K AMF or K SEAF COUNT is the downlink NAS COUNT value.

[0406] In step S4303, V-UPF and V-SMF establish an N4 session message.

[0407] In some embodiments, the V-SMF uses the selected V-UPF to initiate the N4 session establishment process.

[0408] In step S4304, the V-SMF sends a key to the H-SMF via a PDU session establishment request message.

[0409] In some embodiments, based on the identity of the H-SMF received from the V-AMF in step S4302, the V-SMF sends an Nsmf_PDUSession_Create Request to the H-SMF, which includes the UEID, PDU session ID, PDU dialogue type "MAPDU Request", and K. HSMF wait.

[0410] In step S4305, H-SMF derives PSK based on the key.

[0411] In some embodiments, upon receiving K HSMF Then, H-SMF uses the following parameters from K HSMF Export the PSK to form the input S of the KDF:

[0412] -FC = Pending

[0413] -P0 = Pre-configuration parameters shared between the UE and the home network

[0414] -L0 = P0 length

[0415] The key is K. HSMF .

[0416] In some embodiments, K cannot be used to generate a service network. HSMF The exported PSK only needs to share parameters unknown to the serving network between the UE and the home network for PSK export. It is recommended to pre-configure a parameter in both the UE and the home network as input for PSK derivation. If the parameter is not configured locally in the H-SMF, the H-SMF needs to retrieve the parameter from the relevant network function, such as UDM or PCF.

[0417] In step S4306, H-SMF sends an N4 session establishment request message containing the UP security policy and PSK to H-UPF.

[0418] In some embodiments, the H-SMF initiates an N4 session establishment process with the selected H-UPF by sending an N4 session establishment / modification request. If the MA PDU session supports MPQUIC functionality, the H-SMF instructs the H-UPF to activate the corresponding functionality for this MA PDU session. The H-SMF includes the UE ID, PSK, and UP security policy in the request message to request the MA PDU session.

[0419] In step S4307, H-UPF sends an N4 session establishment response message to H-SMF containing a QUIC security activation indication or a TLS security activation indication.

[0420] In some embodiments, if the H-UPF is able to accept the N4 session establishment request of the MA PDU session, it determines how to activate QUIC / TLS security based on the received UP security policy and returns a QUIC / TLS security activation indication to the H-SMF.

[0421] Steps S4308 to S4312 and steps S4111 to S4115 are the same and will not be described again.

[0422] In step S4313a, the UE derives the PSK.

[0423] In some embodiments, upon receiving the RRC reconfiguration message, if it includes indication information provided by H-SMF, the UE first derives K in step #2 in the same manner as V-AMF. HSMF Then, the UE uses the parameters configured locally in the UE to retrieve data from K in the same manner as the H-SMF in step #5. HSMF The PSK is exported from there. For example, the instruction information is the additional instruction in the above embodiment.

[0424] Steps S4313b to S4316 and steps S4116b to S4119 are the same and will not be described again.

[0425] In some embodiments, for the UE:

[0426] The UE should be able to understand indications from the H-SMF, such as HoR indications or PSK KDF FC.

[0427] Once the UE receives the instruction from the H-SMF, it should be able to access the K-SMF. AUSF or K SEAF Export PSK.

[0428] Once the UE receives the instruction from the H-SMF, it should be able to access the K-SMF. AMF Derivation of K HSMF .

[0429] In some embodiments, for AMF:

[0430] Once H-SMF is selected, AMF should be able to [receive from K]. AMF Derivation of K HSMF .

[0431] AMF should be able to K HSMF Send to H-SMF.

[0432] The AMF should be able to receive instructions from the H-SMF and include them in the PDU session request sent to the RAN.

[0433] In some embodiments, for SMF:

[0434] V-SMF should be able to K HSMF Forwarded from V-AMF to H-SMF.

[0435] The V-SMF should be able to forward instructions from the H-SMF to the V-AMF.

[0436] H-SMF should be able to send a key request containing the UE ID and PDU session ID to AUSF.

[0437] H-SMF should be able to receive key responses from AUSF that includes PSK.

[0438] H-SMF should be able to receive K from V-SMF HSMF The PSK is derived from this.

[0439] H-SMF should be able to initiate the N4 session modification procedure to pass the PSK to H-UPF.

[0440] H-SMF should be able to send an indication to the UE, indicating the home route PDU session or PSK derivation method.

[0441] In some embodiments, for AUSF:

[0442] AUSF should be able to receive key requests from H-SMF.

[0443] AUSF should be able to use the PDU session ID from K AUSF or K SEAF Export PSK.

[0444] In some embodiments, for the RAN:

[0445] RAN nodes should be able to receive and understand instructions for no-UP safety from SMF.

[0446] The RAN node should be able to receive the indication from the H-SMF and include it in the RRC reconfiguration message sent to the UE.

[0447] This disclosure also proposes an apparatus (also referred to as a communication device, etc.) for implementing any of the above methods. For example, this disclosure proposes an apparatus including units or modules for implementing the steps performed by the terminal in any of the above methods. Furthermore, another apparatus is proposed, including units or modules for implementing the steps performed by the network device in any of the above methods.

[0448] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.

[0449] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a central processing unit, microprocessor, graphics processing unit (GPU) (which can be understood as a type of microprocessor), or digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented by an application-specific integrated circuit (ASIC) or a programmable logic device, such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a neural network processing unit (NPU), tensor processing unit (TPU), deep learning processing unit (DPU), etc.

[0450] Figure 5a This is a schematic diagram of the structure of a first network element in a first core network according to an embodiment of this disclosure. For example... Figure 5a As shown, the first network element 5100 of the first core network may include at least one of the following: transceiver module 5101 and processing module 5102.

[0451] In some embodiments, the transceiver module 5101 is configured to: send a key request to a second network element of the first core network; receive a key response sent by the second network element of the first core network, wherein the key response contains a first key, the first key being used to protect the security of a PDU session, and the PDU session being a session between the terminal and a third network element of the first core network.

[0452] In some embodiments, the first core network is the terminal's home network.

[0453] In some embodiments, the first key is generated based on the second key, which is either the native key of the second network element of the first core network or a derived key of the second network element of the first core network.

[0454] In some embodiments, the transceiver module 5101 is configured to send a first key to a third network element of the first core network.

[0455] In some embodiments, the first key sent to the third network element of the first core network is sent based on at least one of the following: a session establishment request message; a session modification request message.

[0456] In some embodiments, the transceiver module 5101 is configured to send indication information to a first network element of the second core network, the indication information being used by the terminal to determine the first key.

[0457] In some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and a method for deriving the first key.

[0458] In some embodiments, the key request is sent before sending the session establishment request message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0459] In some embodiments, the key request is sent after receiving the session establishment request acceptance message; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and parameters of the access traffic routing, handover, and offloading ATSSS rules.

[0460] In some embodiments, the transceiver module 5101 is configured to receive a second key sent by a first network element of the second core network. The processing module 5102 is configured to generate a first key based on the second key and parameters; wherein the parameters are parameters shared by the first core network and the terminal, and the first key is used to protect the security of the PDU session, which is a session between the terminal and a third network element of the first core network.

[0461] Figure 5b This is a schematic diagram of the structure of the second network element of the first core network provided according to an embodiment of this disclosure. For example... Figure 5b As shown, the second network element 5200 of the first core network may include at least one of the following: transceiver module 5201 and processing module 5202.

[0462] In some embodiments, the transceiver module 5201 is configured to: receive a key request sent by a first network element of the first core network; send a key response to the first network element of the first core network, wherein the key response contains a first key, the first key being used to protect the security of a PDU session, and the PDU session being a session between the terminal and a third network element of the first core network.

[0463] In some embodiments, the first core network is the terminal's home network.

[0464] In some embodiments, the processing module 5202 is configured to: generate a first key based on a second key, wherein the second key is the native key of a second network element of the first core network, or the second key is a derived key of a second network element of the first core network.

[0465] In some embodiments, the key request is received before the session establishment request message is received; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session.

[0466] In some embodiments, the key request is received after a session establishment request acceptance message has been sent; the key request includes at least one of the following: the identifier of the terminal; the identifier of the PDU session; and parameters of the access traffic routing, handover, and offloading ATSSS rules.

[0467] Figure 5c This is a schematic diagram of the structure of the first network element of the second core network provided according to an embodiment of this disclosure. For example... Figure 5c As shown, the first network element 5300 of the second core network may include at least one of the following: transceiver module 5301 and processing module 5302.

[0468] In some embodiments, the transceiver module 5301 is configured to: send a second key to a first network element of the first core network, the second key being used to generate a first key together with parameters; wherein, the parameters are parameters shared by the first core network and the terminal, and the first key is used to protect the security of the PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0469] In some embodiments, the first core network is the terminal's home network.

[0470] In some embodiments, the transceiver module 5301 is configured to receive a second key sent by a second network element of the second core network.

[0471] In some embodiments, the second key is generated based on the third key, which is used to protect the communication security between the terminal and the second network element of the second core network.

[0472] In some embodiments, the transceiver module 5301 is configured to: receive indication information sent by a first network element of the first core network; and send indication information to a second network element of the first core network; wherein the indication information is used by the terminal to determine the first key.

[0473] In some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and a method for deriving the first key.

[0474] Figure 5d This is a schematic diagram of the structure of a second network element in a second core network according to an embodiment of this disclosure. For example... Figure 5d As shown, the second network element 5400 of the second core network may include at least one of the following: transceiver module 5401 and processing module 5402.

[0475] In some embodiments, the transceiver module 5401 is configured to: send a second key to a first network element of the second core network, the second key being used to generate a first key together with parameters; wherein, the parameters are parameters shared by the first core network and the terminal, and the first key is used to protect the security of the PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0476] In some embodiments, the first core network is the terminal's home network.

[0477] In some embodiments, the processing module 5402 is configured to generate a second key based on a third key, wherein the third key is used to protect the communication security between the terminal and a second network element of the second core network.

[0478] In some embodiments, the transceiver module 5401 is configured to: receive indication information sent by a second network element of the second core network; and send indication information to the terminal through the access network; wherein the indication information is used by the terminal to determine the first key.

[0479] In some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and a method for deriving the first key.

[0480] Figure 5e This is a structural diagram of a terminal provided according to an embodiment of this disclosure. For example... Figure 5e As shown, terminal 5500 may include at least one of the following: transceiver module 5501 and processing module 5502.

[0481] In some embodiments, the transceiver module 5501 is configured to: receive indication information sent by a second network element of the second core network through the access network, the indication information being used by the terminal to determine a first key; wherein, the first key is used to protect the security of the PDU session, the PDU session being a session between the terminal and a third network element of the first core network.

[0482] In some embodiments, the first core network is the terminal's home network.

[0483] In some embodiments, the indication information includes at least one of the following: the PDU session is a home network routing PDU session; and a method for deriving the first key.

[0484] Figure 6aThis is a schematic diagram of the structure of a communication device provided according to an embodiment of this disclosure. The communication device 6100 can be a terminal (e.g., a user equipment), a network device (e.g., a core network device, an access network device), a chip, chip system, or processor that supports the terminal in implementing any of the above methods, or a chip, chip system, or processor that supports the network device in implementing any of the above methods. The communication device 6100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.

[0485] like Figure 6a As shown, the communication device 6100 includes one or more processors 6101. The processor 6101 can be a general-purpose processor or a dedicated processor, such as a baseband processor or a central processing unit (CPU). The baseband processor can be used to process communication protocols and communication data, while the CPU can be used to control communication devices (e.g., base stations, baseband chips, terminal devices, terminal device chips, DUs or CUs, etc.), execute programs, and process program data. Optionally, the communication device 6100 can be used to execute any of the above methods. Optionally, one or more processors 6101 can be used to invoke instructions to cause the communication device 6100 to execute any of the above methods.

[0486] In some embodiments, the communication device 6100 further includes one or more transceivers 6102. When the communication device 6100 includes one or more transceivers 6102, the transceiver 6102 performs at least one of the communication steps such as sending and / or receiving in the above method (e.g., step S2101, but not limited thereto), and the processor 6101 performs at least one of other steps (e.g., step S2102, but not limited thereto). In optional embodiments, the transceiver may include a receiver and / or a transmitter, which may be separate or integrated together. Optionally, the terms transceiver, transceiver unit, transceiver, transceiver circuit, interface circuit, interface, etc., can be used interchangeably; the terms transmitter, transmitting unit, transmitter, transmitting circuit, etc., can be used interchangeably; and the terms receiver, receiving unit, receiver, receiving circuit, etc., can be used interchangeably.

[0487] In some embodiments, the communication device 6100 further includes one or more memories 6103 for storing data. Optionally, all or part of the memories 6103 may be located outside the communication device 6100. In optional embodiments, the communication device 6100 may include one or more interface circuits 6104. Optionally, the interface circuits 6104 are connected to the memories 6103 and can be used to receive data from the memories 6103 or other devices, and to send data to the memories 6103 or other devices. For example, the interface circuits 6104 can read data stored in the memories 6103 and send that data to the processor 6101.

[0488] The communication device 6100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 6100 described in this disclosure is not limited thereto, and the structure of the communication device 6100 may vary. Figure 6a The limitations. Communication equipment can be a standalone device or part of a larger device. For example, communication equipment can be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally including storage components for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.

[0489] Figure 6b This is a schematic diagram of the chip structure provided according to an embodiment of this disclosure. For cases where the communication device 6100 can be a chip or a chip system, please refer to... Figure 6b The diagram shown is a schematic representation of the structure of chip 6200, but it is not limited to this.

[0490] Chip 6200 includes one or more processors 6201. Chip 6200 is used to perform any of the methods described above.

[0491] In some embodiments, chip 6200 further includes one or more interface circuits 6202. Optionally, terms such as interface circuit, interface, and transceiver pin can be used interchangeably. In some embodiments, chip 6200 further includes one or more memories 6203 for storing data. Optionally, all or part of the memories 6203 may be located outside chip 6200. Optionally, interface circuit 6202 is connected to memory 6203, and interface circuit 6202 can be used to receive data from memory 6203 or other devices, and interface circuit 6202 can be used to send data to memory 6203 or other devices. For example, interface circuit 6202 can read data stored in memory 6203 and send the data to processor 6201.

[0492] In some embodiments, the interface circuit 6202 performs at least one of the communication steps such as sending and / or receiving in the above-described method (e.g., step S2101, but not limited thereto). For example, the interface circuit 6202 performing the communication steps such as sending and / or receiving in the above-described method means that the interface circuit 6202 performs data interaction between the processor 6201, the chip 6200, the memory 6203, or the transceiver device. In some embodiments, the processor 6201 performs at least one of other steps (e.g., step S2102, but not limited thereto).

[0493] The modules and / or devices described in the various embodiments, such as virtual devices, physical devices, and chips, can be combined or separated arbitrarily as needed. Optionally, some or all steps can also be performed collaboratively by multiple modules and / or devices, which is not limited here.

[0494] This disclosure also proposes a storage medium storing instructions that, when executed on a communication device 6100, cause the communication device 6100 to perform any of the methods described above. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.

[0495] This disclosure also provides a program product that, when executed by a communication device 6100, causes the communication device 6100 to perform any of the above methods. Optionally, the program product is a computer program product.

[0496] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods.

Claims

1. A communication method, characterized in that, The method is executed by a first network element of the first core network, and the method includes: Send a key request to the second network element of the first core network; The terminal receives a key response sent by a second network element of the first core network. The key response contains a first key, which is used to protect the security of Protocol Data Unit (PDU) sessions. The PDU session is a session between the terminal and a third network element of the first core network.

2. The method according to claim 1, characterized in that, The first core network is the home network of the terminal.

3. The method according to claim 1 or 2, characterized in that, The first key is generated based on the second key, which is either the native key of the second network element of the first core network or a derived key of the second network element of the first core network.

4. The method according to any one of claims 1-3, characterized in that, The method further includes: The first key is sent to the third network element of the first core network.

5. The method according to claim 4, characterized in that, The first key is sent based on at least one of the following: Session establishment request message; Session modification request message.

6. The method according to any one of claims 1-5, characterized in that, The method further includes: The terminal sends an instruction message to the first network element of the second core network, the instruction message being used by the terminal to determine the first key.

7. The method according to claim 6, characterized in that, The indication information includes at least one of the following: The PDU session is a home network routing PDU session; The method for deriving the first key.

8. The method according to any one of claims 1-7, characterized in that, The key request is sent before sending the session establishment request message; the key request includes at least one of the following: The identifier of the terminal; The identifier of the PDU session.

9. The method according to any one of claims 1-7, characterized in that, The key request is sent after receiving the session establishment request acceptance message; the key request includes at least one of the following: The identifier of the terminal; The identifier of the PDU session; Parameters for ATSSS rules that enable traffic redirection, switching, and routing.

10. A communication method, characterized in that, The method is executed by a first network element of the first core network, and the method includes: Receive the second key sent by the first network element of the second core network; Generate a first key based on the second key and parameters; The parameters are shared by the first core network and the terminal. The first key is used to protect the security of the Protocol Data Unit (PDU) session. The PDU session is a session between the terminal and a third network element of the first core network.

11. The method according to claim 10, characterized in that, The first core network is the home network of the terminal.

12. A communication method, characterized in that, The method is executed by a second network element of the first core network, and the method includes: Receive key requests sent by the first network element of the first core network; A key response is sent to the first network element of the first core network. The key response contains a first key, which is used to protect the security of Protocol Data Unit (PDU) sessions. The PDU session is a session between the terminal and the third network element of the first core network.

13. The method according to claim 12, characterized in that, The first core network is the home network of the terminal.

14. The method according to claim 12 or 13, characterized in that, The method further includes: The first key is generated based on the second key, wherein the second key is the native key of the second network element of the first core network, or the second key is a derived key of the second network element of the first core network.

15. The method according to any one of claims 12-14, characterized in that, The key request is received before the session establishment request message is received; the key request includes at least one of the following: The identifier of the terminal; The identifier of the PDU session.

16. The method according to any one of claims 12-14, characterized in that, The key request is received after the session establishment request acceptance message has been sent; the key request includes at least one of the following: The identifier of the terminal; The identifier of the PDU session; Parameters for ATSSS rules that enable traffic redirection, switching, and routing.

17. A communication method, characterized in that, The method is executed by the first network element of the second core network, and the method includes: Send a second key to the first network element of the first core network. The second key is used together with parameters to generate the first key. The parameters are shared by the first core network and the terminal. The first key is used to protect the security of the Protocol Data Unit (PDU) session. The PDU session is a session between the terminal and a third network element of the first core network.

18. The method according to claim 17, characterized in that, The first core network is the home network of the terminal.

19. The method according to claim 17 or 18, characterized in that, The method further includes: Receive the second key sent by the second network element of the second core network.

20. The method according to claim 19, characterized in that, The second key is generated based on the third key, which is used to protect the communication security between the terminal and the second network element of the second core network.

21. The method according to any one of claims 17-20, characterized in that, The method further includes: Receive the indication information sent by the first network element of the first core network; Send the instruction information to the second network element of the first core network; The indication information is used by the terminal to determine the first key.

22. The method according to claim 21, characterized in that, The indication information includes at least one of the following: The PDU session is a home network routing PDU session; The method for deriving the first key.

23. A communication method, characterized in that, The method is executed by a second network element of the second core network, and the method includes: Send a second key to the first network element of the second core network. The second key is used together with parameters to generate the first key. The parameters are shared by the first core network and the terminal. The first key is used to protect the security of the Protocol Data Unit (PDU) session, which is a session between the terminal and a third network element of the first core network.

24. The method according to claim 23, characterized in that, The first core network is the home network of the terminal.

25. The method according to claim 23 or 24, characterized in that, The method further includes: A second key is generated based on a third key, and the third key is used to protect the communication security between the terminal and the second network element of the second core network.

26. The method according to any one of claims 23-25, characterized in that, The method further includes: Receive indication information sent by the second network element of the second core network; The instruction information is sent to the terminal via the access network; The indication information is used by the terminal to determine the first key.

27. The method according to claim 26, characterized in that, The indication information includes at least one of the following: The PDU session is a home network routing PDU session; The method for deriving the first key.

28. A communication method, characterized in that, The method is executed by a terminal, and the method includes: The terminal receives indication information sent by a second network element of the second core network through the access network, the indication information being used by the terminal to determine the first key; The first key is used to protect the security of Protocol Data Unit (PDU) sessions, which are sessions between the terminal and a third network element of the first core network.

29. The method according to claim 28, characterized in that, The first core network is the home network of the terminal.

30. The method according to claim 28 or 29, characterized in that, The indication information includes at least one of the following: The PDU session is a home network routing PDU session; The method for deriving the first key.

31. A first network element of a first core network, characterized in that, The first network element of the first core network is used to execute the communication method as described in any one of claims 1-9.

32. A first network element of a first core network, characterized in that, The first network element of the first core network is used to execute the communication method as described in any one of claims 10-11.

33. A second network element of a first core network, characterized in that, The second network element of the first core network is used to execute the communication method as described in any one of claims 12-16.

34. A first network element of a second core network, characterized in that, The first network element of the second core network is used to execute the communication method as described in any one of claims 17-22.

35. A second network element of a second core network, characterized in that, The second network element of the second core network is used to perform the communication method as described in any one of claims 23-27.

36. A terminal, characterized in that, The terminal is used to perform the communication method as described in any one of claims 28-30.

37. A communication system, characterized in that, The communication system includes a first network element of a first core network and a second network element of the first core network, wherein the first network element of the first core network is configured to perform the communication method as described in any one of claims 1-9, and the second network element of the first core network is configured to perform the communication method as described in any one of claims 12-16.

38. The communication system according to claim 37, characterized in that, The communication system further includes a terminal configured to perform the communication method as described in any one of claims 28-30.

39. The communication system according to claim 37 or 38, characterized in that, The communication system further includes at least one of the following: a third network element of the first core network, a first network element of the second core network, a second network element of the second core network, and a terminal.

40. A communication system, characterized in that, The communication system includes a first network element of a first core network and a first network element of a second core network, wherein the first network element of the first core network is configured to perform the communication method as described in any one of claims 10-11, and the first network element of the second core network is configured to perform the communication method as described in any one of claims 17-22.

41. The communication system according to claim 40, characterized in that, The communication system further includes a second network element of a second core network, which is configured to perform the communication method as described in any one of claims 23-27.

42. The communication system according to claim 40 or 41, characterized in that, The communication system further includes a terminal configured to perform the communication method as described in any one of claims 28-30.

43. The communication system according to any one of claims 40-42, characterized in that, The communication system further includes at least one of a second network element of the first core network and a third network element of the first core network.

44. A storage medium storing instructions, wherein, When the instruction is executed on the first network element of the first core network, the first network element of the first core network performs the communication method as described in any one of claims 1-9.

45. A storage medium storing instructions, wherein, When the instruction is executed on the first network element of the first core network, the first network element of the first core network performs the communication method as described in any one of claims 10-11.

46. ​​A storage medium storing instructions, wherein, When the instruction is executed on the second network element of the first core network, the second network element of the first core network performs the communication method as described in any one of claims 12-16.

47. A storage medium storing instructions, wherein, When the instruction is executed on the first network element of the second core network, the first network element of the second core network performs the communication method as described in any one of claims 17-22.

48. A storage medium storing instructions, wherein, When the instruction is executed on the second network element of the second core network, the second network element of the second core network performs the communication method as described in any one of claims 23-27.

49. A storage medium storing instructions, wherein, When the instruction is executed on the terminal, the terminal causes the terminal to perform the communication method as described in any one of claims 28-30.

50. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by a first network element of the first core network as the communication method as described in any one of claims 1-9.

51. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by a first network element of the first core network as the communication method as described in any one of claims 10-11.

52. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by a second network element of the first core network as the communication method as described in any one of claims 12-16.

53. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by a first network element of the second core network as the communication method as described in any one of claims 17-22.

54. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by a second network element of the second core network as the communication method as described in any one of claims 23-27.

55. A program product comprising at least one of a program and instructions, wherein, At least one of the program or instructions is implemented by the terminal as the communication method as described in any one of claims 28-30.