Identifier processing method, apparatus, and computer-readable storage medium
The identifier processing method in extended GBA and AKMA systems addresses abnormal flow terminations and security issues by determining the current stage based on key queries, ensuring secure and authorized processing.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- CHINA MOBILE COMM LTD RES INST
- Filing Date
- 2023-12-15
- Publication Date
- 2026-07-07
AI Technical Summary
Existing extended Generic Bootstrapping Architecture (GBA) and Authentication and Key Management for Applications (AKMA) systems experience abnormal termination of business flows due to identical HTTP request messages being forwarded, leading to security issues and HTTP 404 errors.
An identifier processing method that determines the current stage of the GBA or AKMA flow by querying a first key based on an attached identifier, allowing for appropriate processing to prevent bypassing of business authorization operations and ensuring secure key management.
Prevents abnormal termination of business flows and enhances security by accurately determining the flow stage, thereby avoiding HTTP 404 errors and ensuring proper authorization in extended GBA and AKMA systems.
Smart Images

Figure 0007886499000001 
Figure 0007886499000002 
Figure 0007886499000003
Abstract
Description
Technical Field
[0001] (Cross-reference to Related Applications) This disclosure is filed based on a Chinese patent application with application number 202211655203.5 and filing date December 21, 2022, claims priority based on the Chinese patent application, and the entire content of the Chinese patent application is incorporated into this disclosure by reference. This disclosure relates to the field of communication technologies, and particularly to an identifier processing method, device, and computer-readable storage medium.
Background Art
[0002] The Generic Bootstrapping Architecture (GBA) is a general authentication architecture based on 4G or 5G network root keys. By using a standard authentication and key negotiation mechanism, GBA can achieve two-way identity authentication and key sharing between a terminal and a network.
[0003] In an extended GBA system, Network Application Function (NAF) network elements or Authentication Proxy (AP) network elements are located on the carrier network side and provide services to multiple Application Servers (AS). While authenticating the identity of User Equipment (UE), the NAF or AP must also authorize the UE's business requests. If the UE's business requests are authorized, the NAF or AP generates a one-time GBA application layer session key Ks_NAF* for the current session between the UE and the application server, and provides this Ks_NAF* to the application server so that the application server knows that the UE's business requests are authorized. Otherwise, the NAF or AP rejects the UE's business requests, in which case Ks_NAF* is not generated and not provided to the application server.
[0004] The extended GBA system workflow includes four stages: GBA initialization, bootstrapping, bootstrapping secure correlation usage, and application secure correlation usage. In the fourth stage, two processing methods are supported for obtaining the GBA application layer session key Ks_NAF*: active push by NAF or AP and active request by Server.
[0005] In an extended GBA flow, the NAF or AP needs to perform the correct processing based on the current stage of the GBA flow. For example, in stage 3, the NAF or AP needs to directly respond to the receipt of a Hypertext Transfer Protocol (HTTP) message, and in stage 4, the NAF or AP needs to forward the HTTP message to the Server for processing. However, during actual testing, it was discovered that the HTTP request messages sent by the UE in stages 3 and 4 were the same. In this case, the NAF or AP could forward either received HTTP request message to the Server for processing, resulting in the following errors: One error is that the HTTP message forwarded by the NAF or AP to the Server is treated as an abnormal situation by the Server, which returns an HTTP 404 error response, ultimately causing the extended GBA business flow to terminate in stage 3. Another error is that the business authorization operation in stage 4 of the extended GBA mechanism is bypassed, leading to security issues. A similar problem exists in the Authentication and Key Management for Applications (AKMA) architecture at the application layer. [Overview of the project] [Problems that the invention aims to solve]
[0006] The embodiments of this disclosure aim to provide an identifier processing method, apparatus, and computer-readable storage medium to solve the problem of abnormal termination of business flows in extended GBA flows or AKMA flows in the prior art. [Means for solving the problem]
[0007] A first embodiment of the embodiments of the present disclosure provides an identifier processing method performed by a first device, the method comprising: receiving a first message transmitted from a user device (UE) accompanied by a first identifier; sending a second message to a second device to obtain a first key if the first key has not been queried based on the first identifier, and / or sending a third message to a third device if the first key has been queried based on the first identifier.
[0008] In some embodiments, the third message is: It includes at least one of the following: the first identifier, the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key. The third message may be the same as the first message, or it may be the first message with additional or deleted information.
[0009] In some embodiments, after sending a second message for obtaining the first key to a second device, the method further includes sending a fourth message to the UE.
[0010] In some embodiments, the fourth message is used to indicate that the first message has been successfully processed, or that the first device has successfully obtained the first key, or that the first device has successfully obtained the first key and the first message has been successfully verified, and / or, the fourth message is used to indicate that the first message has been unsuccessfully processed, or that the first device has failed to obtain the first key, or that the first device has successfully obtained the first key but the verification of the first message has failed.
[0011] In some embodiments, the first device is a network application function (NAF) network element or an authentication agent (AP) network element, and the first identifier is a bootstrapping transaction identifier (B-TID). If the first key is not queried based on the first identifier, a second message is sent to the second device to retrieve the first key, and / or, if the first key is queried based on the first identifier, a third message is sent to the third device. If the first key has not been queried based on the B-TID, it is determined that the system is in the third stage of the Extended Generic Bootstrapping Architecture (GBA) business flow and a second message is sent to the Generic Service Function (BSF) network element to retrieve the first key, and / or, if the first key has been queried based on the B-TID, it is determined that the system is in the fourth stage of the Extended GBA business flow and a third message is sent to the application server.
[0012] In some embodiments, the first identifier is a key identifier (A-KID), If the first key is not queried based on the first identifier, a second message is sent to the second device to retrieve the first key, and / or, if the first key is queried based on the first identifier, a third message is sent to the third device. If the first key is not queried based on the A-KID, this includes sending a second message to the Application Layer Identity Verification and Key Management Anchor (AAnF) network element to retrieve the first key, and / or sending a third message to the Application Function AF network element or AS if the first key is queried based on the A-KID.
[0013] In some embodiments, the third message includes the first identifier, and the method further includes Receiving a fifth message requesting a key transmitted from the third device, This includes sending a sixth message to a third device, The sixth message includes at least one of the following: the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
[0014] In a second embodiment of the embodiments of the present disclosure, a first device is provided which includes a processor and a transceiver, the transceiver transmitting and receiving data under the control of the processor. The aforementioned processor, Receiving a first message transmitted from the UE, wherein the first message is accompanied by a first identifier, If the first key is not queried based on the first identifier, a second message is sent to the second device to retrieve the first key, and / or, if the first key is queried based on the first identifier, a third message is sent to the third device.
[0015] In some embodiments, the third message is: It includes at least one of the following: the first identifier, the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key. In some embodiments, the processor is further used to send a fourth message to the UE. The third message may be the same as the first message, or it may be the first message with additional or deleted information.
[0016] In some embodiments, the fourth message is used to indicate that the first message has been successfully processed, or that the first device has successfully obtained the first key, or that the first device has successfully obtained the first key and / or that the first message has been successfully verified, and / or The fourth message is used to indicate that processing of the first message failed, or that the first device failed to obtain the first key, or that the first device succeeded in obtaining the first key but failed to verify the first message.
[0017] In some embodiments, the first device is NAF / AP, and the first identifier is B-TID. The aforementioned processor further, If the first key is not queried based on the B-TID, it is determined that it is in the third stage of the extended GBA service flow, a second message for obtaining the first key is sent to the BSF, and / or if the first key is queried based on the B-TID, it is determined that it is in the fourth stage of the extended GBA service flow, and it is used to execute sending a third message to the application server.
[0018] In some embodiments, the first identifier is the A-KID, The processor further If the first key is not queried based on the A-KID, a second message for obtaining the first key is sent to the AAnF, and / or if the first key is queried based on the A-KID, it is used to execute sending a third message to the AF or AS.
[0019] In some embodiments, the third message includes the first identifier, and the processor further receives a fifth message for requesting a key transmitted from a third device, and is used to execute sending a sixth message to the third device, The sixth message includes at least one of the first key, a second key derived from the first key, information obtained by encrypting the first key, and information obtained by encrypting the second key.
[0020] In a third aspect of the embodiments of the present disclosure, a first device including a memory, a processor, and a program stored in the memory and executable on the processor is further provided, and when the processor executes the program, the identifier processing method described above is realized.
[0021] In a fourth aspect of the embodiments of the present disclosure, a computer-readable storage medium storing a computer program is further provided, and when the program is executed by a processor, the steps in the identifier processing method described above are realized.
Advantages of the Invention
[0022] The above-mentioned technical solutions in this disclosure have at least the following beneficial effects. According to the identifier processing method, device, and computer-readable storage medium of the embodiments of this disclosure, the first device queries the first key via the first identifier attached to the first message and takes corresponding processing depending on whether the first device is querying the first key, thereby indirectly determining the stage in which the flow is currently located, preventing the bypassing of business authorization operations at a certain stage, and improving the security of the extended GBA system and / or AKMA system. Furthermore, this disclosure can also prevent abnormal termination of extended GBA business flows and / or AKMA business flows. [Brief explanation of the drawing]
[0023] [Figure 1] This is a step flowchart of the identifier processing method according to an embodiment of the present disclosure. [Figure 2] This is a schematic diagram illustrating the principle of Example 1 of the identifier processing method according to the embodiments of this disclosure. [Figure 3] This is a schematic diagram illustrating the principle of Example 2 of the identifier processing method according to the embodiments of this disclosure. [Figure 4] This is a schematic diagram of the structure of the first device according to an embodiment of the present disclosure. [Modes for carrying out the invention]
[0024] To further clarify the technical problem, technical solution, and advantages that this disclosure aims to solve, they will be described in detail below with reference to the drawings and specific embodiments.
[0025] As shown in Figure 1, the implementation of this disclosure provides an identifier processing method performed by a first device, the method comprising the following steps 101-102.
[0026] In step 101, a first message transmitted from the user equipment (UE) is received, and the first message is accompanied by a first identifier.
[0027] The first message can be, as selected, an HTTP message or an HTTP request message, etc. In step 102, if the first key has not been queried based on the first identifier, a second message is sent to the second device to retrieve the first key, and / or, if the first key has been queried based on the first identifier, a third message is sent to the third device.
[0028] Selectively, if the first key has not been queried, it is determined that the system is currently in a certain stage; if the first key has been queried, it is determined that the system is currently in a different stage. In embodiments of this disclosure, when processing the first message of the UE, the first device can determine the stage in which the flow is currently located depending on whether the first key has been queried, and then take the corresponding processing method. For example, the first device can clearly distinguish between the third and fourth stages of the GBA from a business perspective. In the third stage, the first device should not forward the first message of the UE to the application server. In the fourth stage, the first device should either proactively push the key to the application server based on a pre-configured key acquisition method, or the application server should proactively request the first device to acquire the key.
[0029] Selectively, the identifier processing method according to the embodiments of this disclosure may have multiple embodiments. Of these, two selectable embodiments are an identifier processing method applicable to GBA and an identifier processing method applicable to AKMA.
[0030] As one possible embodiment, the third message is: It includes at least one of the following: the first identifier, the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
[0031] Here, the first key can be the GBA session key Ks_NAF or Ks_(int / ext)_NAF, and the second key can be the GBA application layer session key Ks_NAF*. Alternatively, the first key may be KAKMA or KAF, and the second key may be a key derived from KAKMA or KAF.
[0032] In at least one embodiment of the present disclosure, after sending a second message for obtaining the first key to a second device, the method further includes sending a fourth message to the UE.
[0033] In at least one embodiment of the present disclosure, the fourth message is used to indicate that the first message has been successfully processed, or that the first device has successfully obtained the first key, or that the first device has successfully obtained the first key and the first message has been successfully verified, and / or the fourth message is used to indicate that the first message has been unsuccessfully processed, or that the first device has failed to obtain the first key, or that the first device has successfully obtained the first key but failed to verify the first message.
[0034] In at least one embodiment of the present disclosure, the first device is a network application function (NAF) network element or an authentication agent (AP) network element, and the first identifier is a bootsstrapping-transaction identifier (B-TID), in which case step 102 is, If the first key has not been queried based on the B-TID, it is determined that the process is in the third stage of the Extended Generic Bootstrapping Architecture (GBA) business flow, and the Bootstrapping Server Function (BSF) sends a second message to the network element to retrieve the first key, and / or If the first key is being queried based on the B-TID, it is determined that the process is in the fourth stage of the extended GBA business flow, which includes sending a third message to the application server.
[0035] According to the extended GBA workflow, the NAF / AP does not have the GBA session key Ks_(int / ext)_NAF initially. In the third stage, when the NAF / AP receives an HTTP request message sent from the UE, it realizes that the Ks_(int / ext)_NAF key needed to authenticate the HTTP request message does not exist locally, requests the BSF to obtain the Ks_(int / ext)_NAF key, retrieves the key from the BSF, and then uses the key to perform HTTP summary authentication. In the fourth stage, when the NAF / AP receives an HTTP request message sent from the UE, it realizes that the Ks_(int / ext)_NAF key already exists locally, and uses the key to perform HTTP summary authentication.
[0036] Therefore, in the embodiments of this disclosure, the current stage of the GBA authentication flow is determined by determining whether a GBA session key Ks_(int / ext)_NAF exists on the NAF / AP. When the NAF / AP receives an HTTP request message (i.e., the first message) sent from the UE, it first queries whether an available Ks_(int / ext)_NAF exists locally based on the B-TID information in the message. If no available Ks_(int / ext)_NAF exists, it recognizes that the flow is currently in stage 3 and then interacts with the BSF via a BIR (Bootstrapping-Info-Answer) / BIA (Bootstrapping-Info-Request) message to request the acquisition of Ks_(int / ext)_NAF. If an available Ks_(int / ext)_NAF exists, it recognizes that the flow is currently in stage 4. Here, the availability of Ks_(int / ext)_NAF means that the NAF / AP has Ks_(int / ext)_NAF stored locally, and that it is not a key that has expired beyond its lifetime, but is still within its valid lifetime. Next, the NAF / AP performs HTTP summary authentication on the HTTP request message based on Ks_(int / ext)_NAF. If the summary authentication on the HTTP request message is successful, the process proceeds to the third or fourth stage depending on the above determination result. If the summary authentication on the HTTP request message fails, an HTTP 401 message is returned, requesting the UE to re-execute the GBA bootstrapping process, and AKA (Authentication key agreement) identity authentication is performed.
[0037] In another selected embodiment of the present disclosure, the first identifier is a key identifier (AKMA Key Identifier, A-KID), in which case step 102 is: If the first key has not been queried based on the A-KID, a second message is sent to the application layer's Identity Verification and Key Management Anchor Function (AAnF) network element to retrieve the first key, and / or, When querying the first key based on A-KID, this includes sending a third message to the application function AF network element or AS.
[0038] Here, the first device can have various embodiments, but is not specifically limited, such as an AAP (AKMA Application Proxy), AKMA AP (AKMA Application Proxy), AKMA application agent, AS agent, agent server, AF agent, etc.
[0039] As one possible embodiment, if the third message includes the first identifier, the method further receives a fifth message requesting a key transmitted from the third device, This includes sending a sixth message to a third device, The sixth message includes at least one of the following: the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
[0040] In the embodiments of this disclosure, the first device queries the first key via the first identifier attached to the first message and takes corresponding processing depending on whether the first device is querying the first key, thereby indirectly determining the stage in which the flow is currently located, preventing the bypassing of business authorization operations at a certain stage, and improving the security of the extended GBA system and / or AKMA system. Furthermore, it is possible to avoid HTTP 404 error responses that the AS returns in response to abnormal situation processing, and abnormal termination of the extended GBA business flow and / or AKMA business flow.
[0041] To more clearly explain the identifier processing method relating to the embodiments of this disclosure, two examples of an extended GBA authentication flow are described below.
[0042] [Example 1] NAF / AP can determine the current stage of an extended GBA flow using a method that includes stage identifiers. When employing a method that includes stage identifiers, stage information can be recorded in different ways. For example, a flag can be set to indicate that the flow is in stage 3, and no flag can be set to indicate that it is in stage 4, or the flag can be set to 0 to indicate that the flow is in stage 3, and the flag can be set to 1 to indicate that it is in stage 4. A specific flow is shown in Figure 2.
[0043] In step 1, the NAF or AP receives an HTTP request message sent from the UE.
[0044] In step 2, the NAF or AP queries whether an available GBA session key Ks_(int / ext)_NAF exists locally, based on the B-TID.
[0045] In step 3, if no available Ks_(int / ext)_NAF exists, it is determined that the system is currently in stage 3, the identifier is recorded, and the process proceeds to step 4.
[0046] In step 4, NAF or AP obtains Ks_(int / ext)_NAF from BSF and proceeds to step 6.
[0047] In step 5, if a usable Ks_(int / ext)_NAF exists, it is determined that the system is currently in stage 4, the identifier is recorded, and the process proceeds to step 6.
[0048] In step 6, NAF or AP performs HTTP summary (Digest) authentication.
[0049] In step 7, if authentication is successful, the current stage is determined based on the identifier. If it is determined to be in stage 3, proceed to step 8; if it is determined to be in stage 4, proceed to step 9.
[0050] In step 8, an HTTP response message is sent back to the UE.
[0051] In step 9, the HTTP request message is forwarded to the application server, and Ks_NAF* is provided to the server in an appropriate manner.
[0052] In step 10, if authentication fails, an HTTP 401 message is sent back to the UE.
[0053] [Example 2] NAF / AP can determine the current stage of an extended GBA flow using a method without stage identifiers. The specific flow is shown in Figure 3.
[0054] In step 1, the NAF or AP receives an HTTP request message sent from the UE.
[0055] In step 2, the NAF or AP queries whether an available GBA session key Ks_(int / ext)_NAF exists locally, based on the B-TID.
[0056] In step 3, if an available Ks_(int / ext)_NAF exists, it is determined that the system is currently in stage 4, and the NAF or AP performs HTTP summary (Digest) authentication, proceeding to step 5 or step 6.
[0057] In step 4, if no available Ks_(int / ext)_NAF exists, it is determined that the system is currently in stage 3, a Ks_(int / ext)_NAF is obtained from the BSF, and the system proceeds to step 7.
[0058] In step 5, if authentication is successful, the HTTP request message is forwarded to the application server, and Ks_NAF* is provided to the server in an appropriate manner.
[0059] In step 6, if authentication fails, an HTTP 401 message is sent back to the UE.
[0060] In step 7, NAF or AP performs HTTP summary (Digest) authentication.
[0061] In step 8, if authentication is successful, an HTTP 200 OK message is sent back to the UE.
[0062] In step 9, if authentication fails, an HTTP 401 message is sent back to the UE.
[0063] As shown in Figure 4, an embodiment of the present disclosure further provides a first device including a processor 400 and a transceiver 410, the transceiver 410 transmitting and receiving data under the control of the processor 400. The aforementioned processor 400 is Receiving a first message transmitted from a user device UE, wherein the first message is accompanied by a first identifier. If the first key is not queried based on the first identifier, a second message is sent to the second device to retrieve the first key, and / or, if the first key is queried based on the first identifier, a third message is sent to the third device.
[0064] As one possible embodiment, the third message is: It includes at least one of the following: the first identifier, the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
[0065] In one possible embodiment, the processor is further used to perform the task of sending a fourth message to the UE.
[0066] In one selectable embodiment, the fourth message is used to indicate that the processing of the first message was successful, or that the first device successfully obtained the first key, or that the first device successfully obtained the first key and the verification of the first message was successful, and / or, the fourth message is used to indicate that the processing of the first message failed, or that the first device failed to obtain the first key, or that the first device successfully obtained the first key but the verification of the first message failed.
[0067] As one possible embodiment, the first device is a NAF / AP, the first identifier is a B-TID, and the processor is further, This is used to determine that the process is in the third stage of the extended GBA business flow and to send a second message to the BSF to retrieve the first key if the first key has not been queried based on the B-TID, and / or to determine that the process is in the fourth stage of the extended GBA business flow and to send a third message to the application server if the first key has been queried based on the B-TID.
[0068] In one selectable embodiment, the first identifier is an A-KID, and the processor is further used to send a second message to AAnF to retrieve the first key if it has not queried the first key based on the A-KID, and / or to send a third message to AF or AS if it has queried the first key based on the A-KID.
[0069] In one selectable embodiment, the third message includes the first identifier, and the processor is further used to receive a fifth message requesting a key to be transmitted from the third device, and to transmit a sixth message to the third device. The sixth message includes at least one of the following: the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
[0070] In the embodiments of this disclosure, the first device queries the first key via the first identifier attached to the first message and takes corresponding processing depending on whether the first device is querying the first key, thereby indirectly determining the stage in which the flow is currently located, preventing the bypassing of business authorization operations at a certain stage, and improving the security of the extended GBA system and / or AKMA system. Furthermore, it is possible to eliminate the HTTP 404 error response that the business server returns in response to abnormal situation processing, thereby avoiding abnormal termination of the extended GBA business flow and / or AKMA business flow.
[0071] Since the first device according to the embodiment of this disclosure is a device capable of performing the identifier processing method described above, all embodiments of the identifier processing method can be applied to this device and achieve the same or similar beneficial effects, and therefore, their explanation is omitted here.
[0072] Embodiments of this disclosure further provide a first device including memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor can achieve the same technical effect by implementing each of the steps in the identifier processing method embodiment described above when executing the program, and to avoid duplication, the explanation is omitted here.
[0073] It should be understood that the processor in the embodiments of this disclosure may be an integrated circuit chip having signal processing capability. In the implementation process, each step of the above method embodiment can be executed by hardware integrated logic circuits or software-form instructions within the processor. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, and can implement or execute each method, step and logic block diagram disclosed in the embodiments of this disclosure. The general-purpose processor may be a microprocessor or any conventional processor. In relation to the steps of the method disclosed in the embodiments of this disclosure, they can be embodied directly as hardware decoding processor execution completion, or they can be embodied as execution completion by combining hardware and software modules in the decoding processor. The software modules may reside in existing storage media in the art, such as random memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, or registers. The storage medium is located in memory, and the processor reads the information in memory and completes the steps of the method according to its hardware.
[0074] It should be understood that the memory in the embodiments of this disclosure may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Here, non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or flash memory. Volatile memory may be random access memory (RAM) used as an external cache. Many forms of RAM are available, although this is illustrative and not an exhaustive description. Examples include static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous connected dynamic random access memory (Synchlink DRAM, SLDRAM), and direct memory bus associated access memory (Direct Rambus RAM, DR RAM). The memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
[0075] The above-mentioned memories are illustrative but not limited to; for example, the memories in the embodiments of this disclosure may also include static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous linked dynamic random access memory (synch-link DRAM, SLDRAM), and direct memory bus random access memory (Direct Rambus RAM, DR RAM). In other words, the memories in the embodiments of this disclosure include, but are not limited to, these and any other suitable types of memory.
[0076] Embodiments of this disclosure further provide a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the same technical effects can be achieved by implementing each of the identifier processing method embodiments described above, and to avoid duplication, the explanation is omitted here. The computer-readable storage medium can be read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk, etc.
[0077] Those skilled in the art will understand that embodiments of this disclosure may be provided as methods, systems, or computer program products. Accordingly, this disclosure may take the form of complete hardware embodiments, complete software embodiments, or embodiments combining software and hardware aspects. Furthermore, this disclosure may take the form of computer program products implemented on a computer-readable storage medium (including, but not limited to, disk memory or optical memory) containing computer-usable program code.
[0078] This disclosure will be described with reference to flowcharts and / or block diagrams of methods, devices (systems), and computer program products according to embodiments of this disclosure. It should be understood that each flow and / or block in a flowchart and / or block diagram, and combinations of flows and / or blocks in a flowchart and / or block diagram, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a dedicated computer, an embedded processor, or other programmable data processing device to generate a device, so that instructions executed by a computer or other programmable data processing device processor can generate a device to implement one or more flows and / or one or more blocks of a flowchart.
[0079] These computer program instructions can also be stored in a computer-readable storage medium that can operate a computer or other programmable data processing device in a specific manner, and the instructions stored in the computer-readable storage medium can generate a product that includes an instruction device that implements the functions specified in one or more flowcharts and / or one or more blocks in a block diagram.
[0080] These computer program instructions may also be loaded into a computer or other programmable data processing device, thereby executing a series of operational steps on the computer or other programmable device to generate the processing of a computer implementation. The instructions executed on a computer or other scientific programmable device provide steps for implementing a specified function within one or more flows in a flowchart and / or one or more blocks in a block diagram.
[0081] The above describes preferred embodiments of the present disclosure, and it should be noted that several improvements and refinements can be made by those in the art without departing from the principles of the present disclosure and should be considered within the scope of the present disclosure.
Claims
1. An identifier processing method performed by a first device, wherein the method is: Receiving a first message transmitted from a user device (UE), wherein the first message is accompanied by a first identifier, An identifier processing method comprising: sending a second message to a second device to obtain the first key if the first key has not been queried based on the first identifier, and / or sending a third message to a third device if the first key has been queried based on the first identifier.
2. The third message is, The method according to claim 1, comprising at least one of the first identifier, the first key, the second key derived from the first key, information obtained by encrypting the first key, and information obtained by encrypting the second key.
3. After sending a second message to the second device for obtaining the first key, the method further: The method according to claim 1, comprising sending a fourth message to the UE.
4. The fourth message is used to indicate that the processing of the first message was successful, or that the first device successfully obtained the first key, or that the first device successfully obtained the first key and the verification of the first message was successful, and / or The method according to claim 3, wherein the fourth message is used to indicate that the processing of the first message failed, or that the acquisition of the first key by the first device failed, or that the acquisition of the first key by the first device was successful but the verification of the first message failed.
5. The first device is a network application function (NAF) network element or an authentication agent (AP) network element, and the first identifier is a bootstrapping transaction identifier (B-TID). If the first key has not been queried based on the first identifier, a second message to obtain the first key is sent to the second device, and / or if the first key has been queried based on the first identifier, a third message is sent to the third device. The method according to claim 1, comprising determining that the system is in the third stage of the Extended General Purpose Bootstrapping Architecture (GBA) business flow and sending a second message to a Bootstrapping Service Function (BSF) network element to retrieve the first key if the first key has not been queried based on the B-TID, and / or determining that the system is in the fourth stage of the Extended GBA business flow and sending a third message to the application server if the first key has been queried based on the B-TID.
6. The aforementioned first identifier is the application layer identity verification and key management (AKMA) key identifier (A-KID), If the first key has not been queried based on the first identifier, a second message to obtain the first key is sent to the second device, and / or if the first key has been queried based on the first identifier, a third message is sent to the third device. The method according to claim 1, comprising sending a second message to an AKMA anchor function (AAnF) network element to retrieve the first key if the first key has not been queried based on the A-KID, and / or sending a third message to an application function (AF) network element or an application server (AS) if the first key has been queried based on the A-KID.
7. The third message includes the first identifier, and the method further includes, Receiving a fifth message requesting a key transmitted from a third device, This includes transmitting a sixth message to a third device, The method according to claim 2, wherein the sixth message includes at least one of the first key, the second key derived from the first key, the information obtained by encrypting the first key, and the information obtained by encrypting the second key.
8. A first device including a processor and a transceiver, The aforementioned transceiver transmits and receives data under the control of the processor. The aforementioned processor, Receiving a first message transmitted from a user device UE, wherein the first message is accompanied by a first identifier. A first device used to perform the following actions: if the first key is not queried based on the first identifier, it sends a second message to a second device to retrieve the first key, and / or if the first key is queried based on the first identifier, it sends a third message to a third device.
9. The third message is, The device according to claim 8, comprising at least one of the first identifier, the first key, the second key derived from the first key, information obtained by encrypting the first key, and information obtained by encrypting the second key.
10. The apparatus according to claim 8, wherein the processor is further used to perform the task of sending a fourth message to the UE.
11. The fourth message is used to indicate that the processing of the first message was successful, or that the first device successfully obtained the first key, or that the first device successfully obtained the first key and the verification of the first message was successful, and / or The device according to claim 10, wherein the fourth message is used to indicate that the processing of the first message failed, or that the acquisition of the first key by the first device failed, or that the acquisition of the first key by the first device was successful but the verification of the first message failed.
12. The first device is a network application function (NAF) network element or an authentication agent (AP) network element, and the first identifier is a bootstrapping transaction identifier (B-TID). The aforementioned processor further, If the first key has not been queried based on the B-TID, it is determined that the system is in the third stage of the Extended General Purpose Bootstrapping Architecture (GBA) business flow, and a second message is sent to the Bootstrapping Service Function (BSF) to retrieve the first key, and / or The device according to claim 8, which is used to determine that the first key is in the fourth stage of the extended GBA business flow when querying the first key based on the B-TID, and to send a third message to the application server.
13. The first identifier is the application layer Identity Verification and Key Management (AKMA)-Key Identifier (A-KID), and the processor further... If the first key has not been queried based on A-KID, a second message is sent to the AKMA anchor function (AAnF) network element to retrieve the first key, and / or The device according to claim 8, used to send a third message to an application function (AF) or application server (AS) when querying a first key based on A-KID.
14. The third message includes the first identifier, and the processor further, Receiving a fifth message requesting a key transmitted from a third device, It is used to transmit the sixth message to the third device, The apparatus according to claim 9, wherein the sixth message includes at least one of the first key, a second key derived from the first key, information obtained by encrypting the first key, and information obtained by encrypting the second key.
15. A first device comprising memory, a processor, and a program stored in the memory and executable on the processor, A first device that implements the identifier processing method according to any one of claims 1 to 7 when the processor executes the program.
16. A computer-readable storage medium in which a computer program is stored, A computer-readable storage medium that, when the computer program is executed by a processor, enables the steps in the identifier processing method described in any one of claims 1 to 7.
17. A computer program that includes instructions, A computer program wherein, when the instruction is executed by a processor, the processor performs the steps in the identifier processing method according to any one of claims 1 to 7.