Communication method and communication apparatus
When a terminal device is unable to generate an encrypted identity identifier, it accesses the network by using an identity identifier with plaintext identity information and sends an instruction message to request the generation of parameters, thus solving the problem of network access failure and achieving normal access and improved information security.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2025-10-29
- Publication Date
- 2026-06-11
Smart Images

Figure CN2025130889_11062026_PF_FP_ABST
Abstract
Description
Communication methods and communication devices
[0001] This application claims priority to Chinese Patent Application No. 202411562610.0, filed on November 3, 2024, entitled "Communication Method and Communication Device", the entire contents of which are incorporated herein by reference. Technical Field
[0002] This application relates to the field of wireless communication, and more specifically, to a communication method and a communication device. Background Technology
[0003] In the field of communications, terminal devices may have multiple different identifiers. Furthermore, for the sake of interoperability, communication protocols often stipulate that terminal devices need to use specific identifiers to access the network in different scenarios.
[0004] For example, in 5G, the identity identifiers of terminal devices include a subscription concealed identifier (SUCI) and a subscription permanent identifier (SUPI). SUPI can be simply understood as the true identity information of the terminal device, while SUCI is the identity identifier obtained by encrypting or anonymizing SUPI. SUCI plays a crucial role in the network authentication process.
[0005] For example, when a terminal device attempts to access a network, it typically uses an anonymous identity (such as SUCI) to authenticate with the network, ensuring that attackers cannot directly obtain the user's real identity information and improving the network security of the terminal device. In the process of a terminal device accessing the network, the anonymous identity is a necessary parameter carried in the initial registration request message. However, in some cases, the terminal device cannot obtain the relevant parameters (such as the public key) used to generate the anonymous identity, causing it to fail to generate the anonymous identity, which in turn leads to the failure of the registration request message generation and the failure of the terminal device to access the network.
[0006] Currently, there is no solution to the problem of terminal devices failing to generate specific identity identifiers, resulting in network access failures. Summary of the Invention
[0007] This application provides a communication method and a communication device to ensure that the terminal device can access the network normally when the terminal device is unable to generate an encrypted identity.
[0008] Firstly, a communication method is provided. This method can be applied to a terminal-side device; that is, the method can be executed by the terminal-side device itself, or by components within the terminal-side device (such as a chip, chip system, circuit, or communication module). This application does not limit the scope of the method. This application uses a terminal device as an example for description.
[0009] The method may include:
[0010] If it is determined that a first identity identifier for accessing the first network cannot be generated, a second identity identifier is used to access the first network; wherein, the first identity identifier is an anonymized identity identifier obtained by encrypting plaintext identity information; the second identity identifier is an identity identifier different from the first identity identifier obtained based on the plaintext identity information; and a first indication message is sent to the first network, the first indication message being used to indicate at least one of the following: the first identity identifier cannot be generated; a request for some or all of the parameters used to generate the anonymized identity identifier; or a reason why the first identity identifier cannot be generated.
[0011] According to this method, when a terminal device determines that it cannot generate a first identity identifier, it uses a second identity identifier to access the first network and sends a first indication message to the first network. This method provides a way for the terminal device to access the first network normally when it cannot use an anonymized identity identifier obtained by encrypting plaintext identity information. The terminal device reports the first indication message to the first network, informing it of the anomaly and / or the reason for the anomaly. This allows the first network to be promptly aware of the anomaly and to resolve it appropriately. For example, the first network can send update parameters to the terminal device based on the first indication message, so that the terminal device can subsequently use the updated parameters to generate an anonymized identity identifier.
[0012] In conjunction with the first aspect, in some possible implementations, the second identity identifier is identity information obtained based on the plaintext identity information that differs from the first identity identifier, including: the first identity identifier and the second identity identifier are generated by different modules of the terminal device.
[0013] For example, the second identity identifier differs from the first identity identifier, which can be understood as the device (or module, unit) that generates the first identity identifier being different from the device (or module, unit) that generates the second identity identifier. For instance, the anonymized identity identifier obtained by the second module of the terminal device through encryption of plaintext identity information is the first identity identifier, and the anonymized identity identifier obtained by the first module of the terminal device through encryption of plaintext identity information is the second identity identifier. The encryption method used for the first identity identifier and the encryption method used for the second identity identifier can be the same or different.
[0014] For example, the difference between the first identity identifier and the second identity identifier can also be understood as the first identity identifier and the second identity identifier being generated at different times. For instance, the system pre-configures the second module of the terminal device to generate the first identity identifier. If the second module fails to generate the first identity identifier due to a lack of relevant parameters, the first module can generate the second identity identifier based on the error indication (or error reason value, error information) that the second module cannot generate the first identity identifier.
[0015] In conjunction with the first aspect, in some possible implementations, the method further includes:
[0016] The first parameter is received from the first network, the first parameter including some or all of the parameters for generating an anonymous identity.
[0017] Based on the above scheme, the terminal device receives the first parameter, thereby ensuring that the terminal device can generate an anonymous identity in the case of re-registration, preventing attackers from obtaining relevant information of the terminal device and improving the information security of the terminal device.
[0018] In conjunction with the first aspect, in some possible implementations, the method further includes: generating an anonymized third identity identifier based on the first parameter; and using the third identity identifier to access the first network.
[0019] Based on the above scheme, the terminal device receives the first parameter, generates an anonymous third identity identifier, and uses the third identity identifier to access the first network, thereby preventing attackers from obtaining relevant information of the terminal device and improving the information security of the terminal device.
[0020] In conjunction with the first aspect, in some possible implementations, receiving the first parameter from the first network includes: receiving the first parameter from the first network through a UE parameters update (UPU) procedure or a UE configuration update (UCU) procedure.
[0021] Based on the above solution, the first parameter received by the terminal device can be transmitted through the existing process, reducing the need to modify the existing communication protocol.
[0022] In conjunction with the first aspect, in some possible implementations, the first parameter includes one or more of the following: a public key for encrypted communication between the terminal device and the first network, routing indication information, and a protection mechanism identifier.
[0023] In conjunction with the first aspect, in some possible implementations, before sending the first indication information to the first network, the method further includes: determining that the first identity identifier for accessing the first network cannot be generated.
[0024] In conjunction with the first aspect, in some possible implementations, determining that the first identity identifier for accessing the first network cannot be generated includes: the terminal-side device determining that it needs to access the first network; the terminal device using a first module requesting a second module in the terminal-side device to generate the first identity identifier; the first module receiving an error response from the second module; and the first module determining, based on the error response, that the second module cannot generate the first identity identifier.
[0025] For example, the first module is a module in the terminal device. This could be a function implemented through software or a function on a chip card. For instance, the first module could be mobile equipment (ME); the second module is a pluggable device or a module within a pluggable device. For instance, the second module could be a universal subscriber identity module (USIM).
[0026] In conjunction with the first aspect, in some possible implementations, the first module generates the second identity identifier based on the plaintext identity information.
[0027] In conjunction with the first aspect, in some possible implementations, the first module obtains the plaintext identity information from the second module.
[0028] In conjunction with the first aspect, in some possible implementations, the error response includes the plaintext identity information; the first module obtaining the plaintext identity information from the second module includes: the first module obtaining the plaintext identity information from the error response.
[0029] In conjunction with the first aspect, in some possible implementations, the first indication information may also be used to indicate at least one of the following, or the first indication information may be used to indicate at least one of the following: the second module is unable to generate the first identity identifier; the second module requests some or all of the parameters used to generate the anonymized identity identifier; or the reason why the second module is unable to generate the first identity identifier.
[0030] In conjunction with the first aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the first module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module generating the third identity identifier based on the first parameter.
[0031] In conjunction with the first aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the second module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module sending the first parameter to the second module; and the second module generating the third identity identifier based on the first parameter.
[0032] In conjunction with the first aspect, in some possible implementations, the plaintext identity information is the user's permanent identity identifier (SUPI).
[0033] In conjunction with the first aspect, in some possible implementations, the use of the second identity identifier to access the first network includes: sending an initial registration request message to the first network for requesting access to the first network, the initial registration request message including the second identity identifier.
[0034] In conjunction with the first aspect, in some possible implementations, sending the first indication information to the first network includes: sending a NAS message with non-access stratum NAS security protection to the first network, wherein the NAS message includes the first indication information.
[0035] Based on the above scheme, the first indication information received by the terminal device can be transmitted through a secure NAS message to ensure that the first indication information is not tampered with.
[0036] In conjunction with the first aspect, in some possible implementations, the NAS message is a Non-Access Stratum Security Mode Command NAS SMP message.
[0037] Based on the above scheme, the first indication information received by the terminal device can be transmitted through existing secure NAS messages, ensuring that the first indication information is not tampered with while reducing changes to the existing communication protocol.
[0038] Secondly, a communication method is provided. This method can be applied to a terminal-side device; that is, the method can be executed by the terminal-side device itself, or by components within the terminal-side device (such as a chip, chip system, circuit, or communication module). This application does not limit the scope of the method. This application uses a terminal device as an example for illustration.
[0039] The method may include: if it is determined that a first identity identifier for accessing a first network cannot be generated, generating a second identity identifier different from the first identity identifier based on plaintext identity information and using the second identity identifier to access the first network; wherein, the first identity identifier is an anonymized identity identifier obtained by processing plaintext identity information in an encrypted manner; the second identity identifier information includes first indication information, the first indication information being used to indicate at least one of the following: the first identity identifier cannot be generated; a request for some or all of the parameters used to generate the anonymized identity identifier; or a reason why the first identity identifier cannot be generated.
[0040] According to this method, when a terminal device determines that it cannot generate a first identity identifier, it generates a second identity identifier based on plaintext identity information to access the second network and sends a first indication message to the second network. This method provides a solution for when a terminal device cannot access the first network using an anonymized identity identifier obtained by encrypting plaintext identity information, thereby enabling the terminal device to access the network normally. The terminal device reports the first indication message to the first network, informing it of the anomaly and / or the reason for the anomaly. This allows the first network to be promptly aware of the anomaly and to resolve it appropriately. For example, the first network can send update parameters to the terminal device based on the first indication message, so that the terminal device can subsequently use the updated parameters to generate an anonymized identity identifier.
[0041] In conjunction with the second aspect, in some possible implementations, the first identity identifier and the second identity identifier are generated by different modules of the terminal device.
[0042] For example, some parts of the second aspect are similar to the first aspect, and for specific descriptions and technical effects, please refer to the description of the first aspect above.
[0043] In conjunction with the second aspect, in some possible implementations, the method further includes: receiving a first parameter from the first network, the first parameter including some or all parameters for generating anonymized identity identifiers.
[0044] In conjunction with the second aspect, in some possible implementations, the method further includes: generating an anonymized third identity identifier based on the first parameter; and using the third identity identifier to access the first network.
[0045] In conjunction with the second aspect, in some possible implementations, receiving the first parameter from the first network includes: receiving the first parameter from the first network through a user parameter update UPU process or a user configuration update UCU process.
[0046] In conjunction with the second aspect, in some possible implementations, the first parameter includes one or more of the following: a public key for encrypted communication between the terminal device and the first network, routing indication information, and a protection mechanism identifier.
[0047] In conjunction with the second aspect, in some possible implementations, the method further includes: determining that the first identity identifier for accessing the first network cannot be generated.
[0048] In conjunction with the second aspect, in some possible implementations, determining that the first identity identifier for accessing the first network cannot be generated includes: the terminal-side device determining that it needs to access the first network; a first module in the terminal device for generating anonymized identity identifiers requesting a second module in the terminal-side device for generating anonymized identity identifiers to generate the first identity identifier; the first module receiving an error response from the second module; and the first module determining, based on the error response, that the second module cannot generate the first identity identifier.
[0049] In conjunction with the second aspect, in some possible implementations, the first module generates the second identity identifier based on the plaintext identity information.
[0050] In conjunction with the second aspect, in some possible implementations, the first module obtains the plaintext identity information from the second module.
[0051] In conjunction with the second aspect, in some possible implementations, the error response includes the plaintext identity information; the first module obtaining the plaintext identity information from the second module includes: the first module obtaining the plaintext identity information from the error response.
[0052] In conjunction with the second aspect, in some possible implementations, the first indication information may also be used to indicate at least one of the following, or the first indication information may be used to indicate at least one of the following: the second module is unable to generate the first identity identifier; the second module requests some or all of the parameters used to generate the anonymized identity identifier; or the reason why the second module is unable to generate the first identity identifier.
[0053] In conjunction with the second aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the first module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module generating the third identity identifier based on the first parameter.
[0054] In conjunction with the second aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the second module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module sending the first parameter to the second module; and the second module generating the third identity identifier based on the first parameter.
[0055] In conjunction with the second aspect, in some possible implementations, the first module is the mobile device ME, and the second module is the global user identity module USIM.
[0056] In conjunction with the second aspect, in some possible implementations, the plaintext identity information is the user's permanent identity identifier (SUPI).
[0057] In conjunction with the second aspect, in some possible implementations, the use of the second identity identifier to access the first network includes: sending an initial registration request message to the first network to request access to the first network, the initial registration request message including the second identity identifier.
[0058] In conjunction with the second aspect, in some possible implementations, the second identity identifier is an identity identifier different from the first identity identifier, which is obtained based on the plaintext identity information and the first identifier, and the first identifier is an identifier other than the protection scheme identifier specified by the null mechanism.
[0059] Thirdly, a communication method is provided. This method can be applied to a terminal-side device; that is, the method can be executed by the terminal-side device itself, or by components within the terminal-side device (such as a chip, chip system, circuit, or communication module). This application does not limit the scope of this method. This application uses a terminal device as an example for illustration.
[0060] The method may include: accessing a second network using plaintext identity information when it is determined that a first identity identifier for accessing a first network cannot be generated; wherein the first identity identifier is an anonymized identity identifier obtained by processing the plaintext identity information in an encrypted manner; and sending a first indication message to the second network, the first indication message indicating at least one of the following: the first identity identifier cannot be generated; requesting some or all of the parameters for generating the anonymized identity identifier; or the reason why the first identity identifier cannot be generated.
[0061] According to this method, when a terminal device determines that it cannot generate a first identity identifier, it uses plaintext identity information to access the second network and sends a first indication message to the second network. This method provides a way for the terminal device to access the second network using plaintext identity information when it cannot use an anonymized identity identifier obtained by encrypting plaintext identity information, thus enabling normal network access. The terminal device reports the first indication message to the network (e.g., the first network and the second network), informing the network of the anomaly and / or the reason for it. This allows the network to be promptly aware of the anomaly and resolve it appropriately. For example, the network can send update parameters to the terminal device based on the first indication message, so that the terminal device can subsequently use the updated parameters to generate an anonymized identity identifier.
[0062] In conjunction with the third aspect, in some possible implementations, the method further includes: receiving a first parameter, the first parameter including some or all parameters for generating anonymized identity identifiers.
[0063] It should be understood that some parts of the third aspect are similar to the first aspect, and for specific explanations and technical effects, please refer to the description of the first aspect above.
[0064] In conjunction with the third aspect, in some possible implementations, the method further includes: generating an anonymized third identity identifier based on the first parameter; and using the third identity identifier to access the first network.
[0065] In conjunction with the third aspect, in some possible implementations, the first parameter includes one or more of the following: a public key for encrypted communication between the terminal device and the first network, routing indication information, and a protection mechanism identifier.
[0066] In conjunction with the third aspect, in some possible implementations, before sending the first indication information to the second network, the method further includes: determining that the first identity identifier for accessing the first network cannot be generated.
[0067] In conjunction with the third aspect, in some possible implementations, determining that the first identity identifier for accessing the first network cannot be generated includes: the terminal-side device determining that it needs to access the first network; a first module in the terminal device for generating anonymized identity identifiers requesting a second module in the terminal-side device for generating anonymized identity identifiers to generate the first identity identifier; the first module receiving an error response from the second module; and the first module determining, based on the error response, that the second module cannot generate the first identity identifier.
[0068] In conjunction with the third aspect, in some possible implementations, the method further includes: the first module obtaining the plaintext identity information from the second module.
[0069] In conjunction with the third aspect, in some possible implementations, the error response includes the plaintext identity information; the first module obtaining the plaintext identity information from the second module includes: the first module obtaining the plaintext identity information from the error response.
[0070] In conjunction with the third aspect, in some possible implementations, the first indication information may also be used to indicate at least one of the following, or the first indication information may be used to indicate at least one of the following: the second module is unable to generate the first identity identifier; the second module requests some or all of the parameters used to generate the anonymized identity identifier; or the reason why the second module is unable to generate the first identity identifier.
[0071] In conjunction with the third aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the first module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module generating the third identity identifier based on the first parameter.
[0072] In conjunction with the third aspect, in some possible implementations, the first module receives second indication information from the first network, the second indication information being used to instruct the second module to generate the third identity identifier, wherein receiving the first parameter from the first network includes: the first module receiving the first parameter from the first network; wherein generating the anonymized third identity identifier based on the first parameter includes: the first module sending the first parameter to the second module; and the second module generating the third identity identifier based on the first parameter.
[0073] In conjunction with the third aspect, in some possible implementations, the first module is the mobile device ME, and the second module is the global user identity module USIM.
[0074] In conjunction with the third aspect, in some possible implementations, the use of plaintext identity information to access the second network includes:
[0075] Send an initial attach request message to the second network to request access to the second network, the initial attach request message including the plaintext identity information.
[0076] In conjunction with the third aspect, in some possible implementations, sending the indication information to the second network includes:
[0077] Send a NAS message with non-access stratum NAS security protection to the second network, wherein the NAS message includes the indication information.
[0078] In conjunction with the third aspect, in some possible implementations, the initial attach request message may also include the first indication information.
[0079] In conjunction with the third aspect, in some possible implementations, the NAS message is a Non-Access Stratum Security Mode Command NAS SMP message.
[0080] Fourthly, a communication method is provided. This method can be applied to a first network element; that is, the method can be executed by the first network element or by components within the first network element (such as a chip, chip system, circuit, or communication module). This application does not limit the scope of the method. This application uses a first network element as an example for description.
[0081] The method may include: receiving first indication information from a terminal device; sending the first indication information to a second network element, wherein the first indication information is used to indicate at least one of the following: the first identity identifier cannot be generated, the first identity identifier is an anonymized identity identifier obtained by processing plaintext identity information in an encrypted manner; requesting some or all of the parameters used to generate the anonymized identity identifier; or the reason why the first identity identifier cannot be generated.
[0082] For example, the first network element sending the first instruction information may be achieved by processing the format or presentation of the first instruction information and then sending the processed first instruction information to the second network element; or, the first network element may directly forward the received first instruction information. This invention does not distinguish between the presentation of the first instruction information, but only focuses on its specific function. Therefore, it does not distinguish between the first instruction information and the processed first instruction information, and both are described using the term "first instruction information."
[0083] For example, the first network element may belong to a first network or a second network.
[0084] According to this method, the first network element receives the first indication information and sends the first indication information to the network (first network or second network), which can promptly inform the network that the terminal device has an anomaly, so that the network can resolve the anomaly of the terminal device in an appropriate manner. For example, the network can send update parameters to the terminal device according to the first indication information, so that the terminal device can subsequently use the update parameters to generate an anonymous identity.
[0085] In conjunction with the fourth aspect, in some possible implementations, sending the first indication information includes: processing the format or representation of the first indication information and sending the processed first indication information.
[0086] It should be understood that part of the content of the fourth aspect corresponds to the first to third aspects, and for specific explanations and technical effects, please refer to the descriptions of the first to third aspects above.
[0087] In conjunction with the fourth aspect, in some possible implementations, the method further includes: receiving a first parameter from a second network element, the first parameter including some or all parameters for generating an anonymous identity identifier; and sending the first parameter to the terminal device.
[0088] In conjunction with the fourth aspect, in some possible implementations, sending the first parameter to the terminal device includes: sending the first parameter to the terminal device via a downlink non-access stratum (DL NAS) message.
[0089] In conjunction with the fourth aspect, in some possible implementations, the first parameter includes one or more of the following: a public key for encrypted communication between the terminal device and the first network, routing indication information, and a protection mechanism identifier.
[0090] In conjunction with the fourth aspect, in some possible implementations, receiving the first indication information from the terminal device includes: receiving an initial registration request message from the terminal device for requesting access to the first network, the initial registration request message including the first indication information.
[0091] In conjunction with the fourth aspect, in some possible implementations, receiving the first indication information from the terminal device includes: receiving an initial attach request message from the terminal device for requesting access to the second network, the initial attach request message including the first indication information.
[0092] In conjunction with the fourth aspect, in some possible implementations, receiving the first indication information from the terminal device includes: receiving a NAS message from the terminal device indicating that it has NAS security protection, wherein the NAS message includes the first indication information.
[0093] In conjunction with the fourth aspect, in some possible implementations, the NAS message is a NAS SMP message.
[0094] In conjunction with the fourth aspect, in some possible implementations, after receiving the first indication information, the method further includes: updating the context information of the terminal device, wherein updating the context information of the device includes: storing the first indication information in the context of the terminal device; and sending the updated context information of the terminal device to the third network element.
[0095] Fifthly, a communication method is provided. This method can be applied to a second network element; that is, the method can be executed by the second network element or by components within the second network element (such as a chip, chip system, circuit, or communication module). This application does not limit the scope of this method. This application uses a second network element as an example for description.
[0096] The method may include: receiving first indication information for a terminal device; sending first parameters to the terminal device according to the first indication information, the first parameters including some or all parameters for generating an anonymous identity identifier, wherein the first indication information is used to indicate at least one of the following: the first identity identifier cannot be generated, the first identity identifier is an anonymized identity identifier obtained by processing plaintext identity information in an encrypted manner; requesting some or all parameters for generating an anonymous identity identifier; or the reason why the first identity identifier cannot be generated.
[0097] In one possible implementation, the second network element receives first instruction information and triggers the following first operation based on the first instruction information.
[0098] It should be understood that some content in the fifth aspect is similar to that in the first to fourth aspects mentioned above. For specific explanations and technical effects, please refer to the descriptions in the first to fourth aspects mentioned above.
[0099] In conjunction with the fifth aspect, in some possible implementations, receiving the first instruction information includes: receiving processed first instruction information, wherein the processed first instruction information is information obtained by processing the format or representation of the first instruction information.
[0100] In conjunction with the fifth aspect, in some possible implementations, sending the first parameter includes: sending the first parameter through a first operation, wherein the first operation includes one or more of the following:
[0101] The first parameter is sent via over-the-air (OTA) download; or,
[0102] An alarm is triggered, which is used to enable the terminal device to obtain the first parameter;
[0103] Send the first parameter along with the UPU data in the UPU process; or...
[0104] The first parameter is sent to the first network element.
[0105] For example, the alarm in the alarm is triggered to let network administrators see the information that there is an error in the terminal device so that they can resolve the error; or, the alarm can be sent by the second network element with the first parameter.
[0106] In conjunction with the fifth aspect, in some possible implementations, the method further includes: sending second indication information, the second indication information being used to instruct the first module or the second module in the terminal-side device for providing applications and services to generate an anonymous third identity identifier.
[0107] Sixthly, a communication apparatus is provided for performing the methods of any one of the first to fifth aspects and any possible implementation thereof. Specifically, the apparatus may include units and / or modules for performing the methods of any one of the first to fifth aspects and any possible implementation thereof, such as processing units and / or communication units.
[0108] In one implementation, the device is a communication device (such as a target access network device, or a terminal device). When the device is a communication device, the communication unit can be a transceiver, or an input / output interface; the processing unit can be at least one processor. Optionally, the transceiver can be a transceiver circuit. Optionally, the input / output interface can be an input / output circuit.
[0109] In another implementation, the device is a chip, chip system, circuit, or communication module for a communication device (such as a target access network device or a terminal device). When the device is a chip, chip system, or circuit for a communication device, the communication unit may be an input / output interface, interface circuit, output circuit, input circuit, pin, or related circuit on the chip, chip system, or circuit; the processing unit may be at least one processor, processing circuit, or logic circuit.
[0110] A seventh aspect provides a communication device comprising: at least one processor configured to cause the device to perform any of the first to fifth aspects and any possible implementation thereof.
[0111] Optionally, the at least one processor is configured to execute computer programs or instructions to perform the methods of any of the first to fifth aspects and any possible implementation thereof.
[0112] Optionally, the device further includes a memory for storing the computer program or instructions.
[0113] Optionally, the at least one processor is coupled to a memory for storing the computer program or instructions. The memory may be located externally to the device.
[0114] Optionally, the device also includes a communication interface through which the processor reads instructions from memory. This can be understood as the communication interface being coupled to the processor and used to input computer programs or instructions to the processor, or to output information from the processor.
[0115] Unless otherwise specified, or if the transmission and acquisition / reception operations involved do not contradict their actual function or internal logic in the relevant description, they can be understood as output, input, or other operations, or as transmission and reception operations performed by radio frequency circuits and antennas. This application does not limit them in this regard.
[0116] In one implementation, the device is a communication device (such as a target access network device or a terminal device).
[0117] In another implementation, the device is a chip, chip system, circuit, or communication module for a communication device (such as a target access network device, or a first access network device, if there is a terminal device). Optionally, the chip is a modem chip, also known as a baseband chip, or a system-on-chip (SoC) chip containing a modem core, or a system-in-package (SIP) chip.
[0118] Eighthly, a computer-readable storage medium is provided that stores a computer program (e.g., program code) or instructions that, when executed on a communication device, cause the communication device to perform the methods of any one of the first to fifth aspects and any possible implementation thereof.
[0119] Ninth aspect, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to perform the methods of any one of the first to fifth aspects and any possible implementation thereof.
[0120] In a tenth aspect, a communication system is provided, comprising at least one of the following: a terminal device, a first network element, a second network element, and a third network element. Attached Figure Description
[0121] Figure 1 is a schematic diagram of a network architecture applicable to an embodiment of this application.
[0122] Figure 2 is a schematic diagram of the structure of SUCI.
[0123] Figure 3 shows the scheme output under the air protection scheme.
[0124] Figure 4 is a schematic flowchart of a SUPI privacy protection method.
[0125] Figure 5 is a schematic flowchart of a UPU mechanism.
[0126] Figure 6 is a flowchart illustrating a communication method provided in this application.
[0127] Figure 7 is a flowchart illustrating another communication method provided in this application.
[0128] Figure 8 is a flowchart illustrating another communication method provided in this application.
[0129] Figure 9 is a flowchart illustrating another communication method provided in this application.
[0130] Figure 10 is a flowchart illustrating another communication method provided in this application.
[0131] Figure 11 is a schematic block diagram of a communication device 1100 provided in an embodiment of this application.
[0132] Figure 12 is a schematic block diagram of the communication device 1200 provided in an embodiment of this application. Detailed Implementation
[0133] The technical solutions in this application will now be described with reference to the accompanying drawings.
[0134] Before introducing the scheme of this application, the following points should be noted.
[0135] (1) In this application, "instruction" can include direct instruction, indirect instruction, explicit instruction, implicit instruction, etc. When describing an instruction information as indicating A, it can be understood that the instruction information carries A, carries the identifier of A, carries B which is associated with A, carries the identifier of B which is associated with A, etc. In other words, if the receiving side of an instruction information can determine A based on the instruction information, it can be described as the instruction information indicating A, and the specific method of determination is not limited. When it is understood that the instruction information carries A, "instruction" can be replaced with "includes". In this case, a statement such as "send / receive instruction information, the instruction information indicates A" can be replaced with "send / receive A".
[0136] In this application, the information indicated by the instruction information is called the information to be instructed. In specific implementations, there are many ways to indicate the information to be instructed, such as, but not limited to, directly indicating the information to be instructed, such as the information to be instructed itself or its index. It can also indirectly indicate the information to be instructed by indicating other information, where there is a relationship between the other information and the information to be instructed. It can also indicate only a part of the information to be instructed, while the other parts are known or pre-agreed upon. For example, the instruction of specific information can be achieved by using a pre-agreed (e.g., protocol-defined) arrangement of various pieces of information, thereby reducing instruction overhead to some extent. Furthermore, the information to be instructed can be sent as a whole or divided into multiple sub-information pieces, and the sending period and / or timing of these sub-information pieces can be the same or different.
[0137] (2) In this application, the expression " / " is used to indicate that the objects before and after are in an "or" relationship; for example, A / B can mean: A or B. The expression "and / or" is used to indicate that the objects before and after are in a relationship of either "and" or "or"; for example, A and / or B can mean the following: A exists alone, B exists alone, A and B exist simultaneously, where A and B can be single or multiple. "At least one of the following" or similar expressions are used to indicate any combination of the listed items; for example, at least one of A, B and / or C can mean the following: A exists alone, B exists alone, C exists alone, A and B exist simultaneously, B and C exist simultaneously, A and C exist simultaneously, A, B and C exist simultaneously, where A, B, and C can be single or multiple.
[0138] (3) In this application, "send" and "receive" indicate the direction of signal transmission. For example, "send information to XX" can be understood as the destination of the information being XX, which may include direct transmission via the air interface or indirect transmission by other units or modules via the air interface. "Receive information from YY" can be understood as the source of the information being YY, which may include direct reception from YY via the air interface or indirect reception from YY via other units or modules via the air interface. "Send" can also be understood as the "output" of the chip interface, and "receive" can also be understood as the "input" of the chip interface. In other words, sending and receiving can occur between devices, such as between network devices and terminal devices, or within a device, such as between components, modules, chips, software modules, or hardware modules within the device via a bus, wiring, or interface.
[0139] (4) In the various embodiments of this application, unless otherwise specified or in case of logical conflict, the terms and / or descriptions of different embodiments are consistent and can be referenced by each other. The technical features of different embodiments can be combined to form new embodiments according to their inherent logical relationship.
[0140] (5) In this application, "first," "second," and "#1," "#2," and "#A" are merely for descriptive convenience and are used to distinguish objects, and are not intended to limit the scope of the embodiments of this application. They are not used to describe the order or sequence of features. It should be understood that such described objects can be interchanged where appropriate in order to describe solutions other than those in the embodiments of this application.
[0141] (6) In this application, "predefined" can mean a standard protocol predefined, or it can mean a pre-agreed or pre-negotiated agreement between devices. Here, "protocol" can refer to a standard protocol in the field of communications, for example, it may include fourth-generation (4G) protocols. th Generation 4G network, fifth generation (5G) network th This application does not limit the scope to network protocols such as 5G (generation, 5G), New Radio (NR) protocols, 5.5G network protocols, and related protocols applied in future communication systems.
[0142] (7) In this application, the words “exemplary,” “for example,” etc., are used to indicate examples, illustrations, or descriptions. Any embodiment or design described as an “example” in this application should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of the word “example” is intended to present the concept in a concrete manner. In the embodiments of this application, “of,” “corresponding, relevant,” and “corresponding” may sometimes be used interchangeably, and it should be noted that their intended meanings are consistent unless their distinction is emphasized.
[0143] First, let me introduce the communication system to which this application applies.
[0144] The technical solutions provided in this application can be applied to various communication systems, such as 5th generation (5G) or new radio (NR) systems, long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, and LTE time division duplex (TDD) systems. The technical solutions provided in this application can also be applied to future communication systems. Furthermore, the technical solutions provided in this application can be applied to device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-to-machine (M2M) communication, machine-type communication (MTC), and Internet of Things (IoT) communication systems. The technical solutions provided in this application can also be applied to non-terrestrial network (NTN) systems such as inter-satellite communication and satellite communication.
[0145] As an example, a satellite communication system includes a satellite base station and terminal equipment. The satellite base station provides communication services to the terminal equipment. Satellite base stations can also communicate with each other. A satellite can act as a base station or as a terminal device. Here, "satellite" can refer to drones, hot air balloons, low-Earth orbit satellites, medium-Earth orbit satellites, high-Earth orbit satellites, etc. "Satellite" can also refer to non-terrestrial base stations or non-terrestrial equipment.
[0146] As an example, V2X communication can include: vehicle-to-vehicle (V2V) communication, vehicle-to-infrastructure (V2I) communication, vehicle-to-pedestrian (V2P) communication, and vehicle-to-network (V2N) communication.
[0147] In communication systems, the portion operated by the operator can be referred to as a public land mobile network (PLMN), or operator network, etc. A PLMN is a network established and operated by relevant authorities or their approved operators for the purpose of providing land mobile communication services to the public. It is primarily a public network where mobile network operators (MNOs) provide mobile broadband access services to users. The PLMN described in this application embodiment can specifically be a network conforming to the 3rd Generation Partnership Project (3GPP) standards, or simply a 3GPP network. 3GPP networks typically include, but are not limited to, 5G networks, 4th-generation (4G) networks, and other future communication systems.
[0148] In a communication system, a device can send signals to or receive signals from another device. These signals can include information, signaling, or data. The device can also be replaced by an entity, network entity, communication equipment, communication module, node, communication node, etc. This application uses a device as an example for description.
[0149] The network architecture is described below.
[0150] Figure 1 is a schematic diagram of a network architecture applicable to an embodiment of this application. As shown in Figure 1, this network architecture takes a 5G system (5GS) as an example. As an example, this network architecture includes three parts: a terminal device part, a data network (DN) part, and an operator network PLMN part. The operator network PLMN part may include, but is not limited to, a radio access network (RAN) and a core network (CN) part.
[0151] The following is a brief introduction to the network elements of each part.
[0152] 1. Terminal equipment, including user equipment (UE). UE: Also known as a terminal or terminal device, it can be a device or module that accesses the aforementioned communication system and has corresponding communication functions. UE can include various devices with wireless communication capabilities, which can be used to connect people, objects, machines, etc. Terminal devices can be widely used in various scenarios, such as: cellular communication, D2D, V2X, peer-to-peer, M2M, MTC, IoT, virtual reality (VR), augmented reality (AR), industrial control, autonomous driving, telemedicine, smart grids, smart furniture, smart offices, smart wearables, smart transportation, smart cities, drones, robots, remote sensing, passive sensing, positioning, navigation and tracking, autonomous delivery, etc. Terminal devices can be terminals in any of the above scenarios, such as MTC terminals, IoT terminals, etc. Terminal devices can be UEs (User Equipment), terminals, fixed equipment, mobile station equipment or mobile devices, subscriber units, handheld devices, vehicle-mounted equipment, wearable devices, cellular phones, smartphones, session initiation protocol (SIP) phones, wireless data cards, personal digital assistants (PDAs), computers, tablets, laptops, wireless modems, handsets, laptop computers, computers with wireless transceiver capabilities, smart books, vehicles, satellites, global positioning system (GPS) devices, target tracking devices, aircraft (e.g., drones, helicopters, multiple helicopters, four helicopters, or airplanes), ships, remote control devices, smart home devices, industrial equipment, transportation vehicles with wireless communication capabilities, communication modules, and roadside units with terminal functions, all conforming to the 3GPP (3rd Generation Partnership Project) standard. The device may be a wireless communication unit (RSU), or a device built into the aforementioned device (e.g., a communication module, modem, or chip in the aforementioned device), or other processing devices connected to the wireless modem.
[0153] In addition, the UE can store a long-term key K and related functions. During two-way authentication, the UE can use K and related functions to verify the authenticity of the network.
[0154] For example, in certain scenarios, a UE can also be used as a base station. For instance, a UE can act as a scheduling entity that provides sidelink signaling between UEs in scenarios such as V2X, D2D, or end-to-end.
[0155] In this embodiment, the device for implementing the functions of a terminal device, i.e., the terminal device, can be the terminal device itself, or a device capable of supporting the terminal device in implementing the functions, such as a chip system, chip, circuit, or communication module (i.e., a communication module that performs communication functions). This device can be installed in the terminal device. In this embodiment, the chip system can be composed of chips, or it can include chips and other discrete devices. Furthermore, the device can also be configured with program instructions for performing corresponding communication functions.
[0156] 2. The data network portion can include a Data Network (DN), which provides the network for transmitting data. Examples include carrier service networks (such as IP Multimedia Subsystem (IMS)), the Internet, and third-party service networks. A DN can also be called a Packet Data Network (PDN), and is typically a network located outside the carrier network, such as a third-party network.
[0157] 3. The (R)AN portion may include one or more access network elements or access network devices. The access network provides network access functionality to authorized users in a specific area and includes radio access network (RAN) devices and AN devices. RAN devices are primarily radio network devices within the 3GPP network, while AN devices may be access network devices not defined by 3GPP.
[0158] Access networks can be those employing different access technologies. Currently, there are two types of wireless access technologies: 3GPP access technologies (such as those used in 3G, 4G, or 5G systems) and non-3GPP access technologies.
[0159] Among them, 3GPP access technology refers to access technology that conforms to 3GPP standards and specifications. For example, the access network equipment in a 5G system is called a next-generation NodeB (gNB) or RAN.
[0160] Non-3GPP access technologies refer to access technologies that do not conform to 3GPP standards and specifications. Examples include air interface technologies such as access points (APs) in Wireless Fidelity (WiFi), Worldwide Interoperability for Microwave Access (WiMAX), and Code Division Multiple Access (CDMA) networks. Access network equipment (AN equipment) allows terminal equipment and the 3GPP core network to interconnect using non-3GPP technologies.
[0161] The access network device in this application embodiment can be a device or module with corresponding communication functions. The access network device can be a device used to communicate with terminal devices; it can also be called a network device or a wireless access network device, such as a base station. In this application embodiment, the access network device can refer to a RAN node (or device) that connects terminal devices to a wireless network. A base station can broadly encompass, or be replaced by, various names including: NodeB, evolved NodeB (eNB), gNB, relay station, access point, transmitting and receiving point (TRP), transmitter point, master station, auxiliary station, motor slide retainer (MSR) node, home base station, network controller, access node, wireless node, access point (AP), transmission node, transceiver node, baseband unit (BBU), remote radio unit (RRU), active antenna unit (AAU), remote radio head (RRH), central unit (CU), distributed unit (DU), positioning node, etc. A base station can be a macro base station, micro base station, relay node, donor node, or similar entities, or combinations thereof. A base station can also refer to a communication module, modem, or chip installed within the aforementioned equipment or apparatus. A base station can also be a mobile switching center, a device that performs base station functions in D2D, V2X, and M2M communications, or a device that performs base station functions in future communication systems. A base station can support networks using the same or different access technologies. The embodiments of this application do not limit the specific technologies or device forms used in the network equipment.
[0162] Base stations can be fixed or mobile. For example, a helicopter or drone can be configured to act as a mobile base station, and one or more cells can move depending on the location of the mobile base station. In other examples, a helicopter or drone can be configured as a device to communicate with another base station.
[0163] In some deployments, the access network equipment mentioned in the embodiments of this application may be a device including a CU, or a DU, or a device including both a CU and a DU, or a device with a control plane CU node (central unit-control plane (CU-CP)) and a user plane CU node (central unit-user plane (CU-UP)) and a DU node.
[0164] In some deployments, multiple RAN nodes collaborate to assist terminal devices in achieving wireless access, with different RAN nodes each implementing some of the base station's functions. For example, RAN nodes can be CUs, DUs, CU-CPs, CU-UPs, or radio units (RUs). CUs and DUs can be configured separately or included in the same network element, such as a BBU. RUs can be included in radio equipment or radio units, such as RRUs, AAUs, or RRHs.
[0165] In different systems, CU (or CU-CP and CU-UP), DU, or RU may have different names, but those skilled in the art will understand their meaning. For example, a radio access network can also be an open radio access network (O-RAN) architecture. In an O-RAN system, CU can also be called an open CU (open CU, O-CU), DU can also be called an open DU (open DU, O-DU), CU-CP can also be called an open CU-CP (O-CU-CP), CU-UP can also be called an open CU-UP (O-CU-UP), and RU can also be called an open RU (open RU, O-RU). Any of the units among CU (or CU-CP, CU-UP), DU, and RU in this application can be implemented through software modules, hardware modules, or a combination of software modules and hardware modules.
[0166] In this embodiment, the device for implementing the functions of the access network device can be the access network device itself, or it can be any device capable of supporting the access network device in implementing these functions, such as a chip system, chip, circuit, or communication module (i.e., a communication module that performs communication functions). This device can be installed within the access network device. In this embodiment, the chip system can be composed of chips, or it can include chips and other discrete devices. Furthermore, the device can be configured with program instructions for performing corresponding communication functions. This embodiment only uses the access network device as an example to illustrate the device for implementing the functions of the access network device, and does not limit the solution of this embodiment.
[0167] Access network equipment and terminal equipment can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; and they can also be deployed in the air on airplanes, balloons, and satellites. This application does not limit the scenario in which the access network equipment and terminal equipment are located.
[0168] 4. The CN component may include, but is not limited to, the following network functions (NFs): network slice selection function (NSSF), network slice specific authentication and authorization function (NSSAAF), authentication server function (AUSF), unified data management (UDM), network exposure function (NEF), network repository function (NRF), policy control function (PCF), application function (AF), access and mobility management function (AMF), session management function (SMF), user plane function (UPF), and signaling control point (SCP). A brief introduction to each network element follows.
[0169] 1) UPF network element: Used for packet routing and forwarding, as well as quality of service (QoS) processing of user plane data. User data can access the DN through this network element. In the embodiments of this application, it can be used to implement user plane functions.
[0170] 2) AMF network element: mainly used for mobility management and access management, and can be used to implement other functions of the mobility management entity (MME) except for session management, such as mobility state management, assigning temporary user identity identifiers, authenticating and authorizing users, etc.
[0171] AMF network elements can be used for non-access stratum (NAS) connections with terminal devices, possessing the same 5G NAS security context as the UE. The 5G NAS security context includes KAMF, the NAS stratum key and its identical key identification information, UE security capabilities, and uplink and downlink NAS COUNT values. The NAS stratum key includes a NAS encryption key and a NAS integrity protection key, used for confidentiality and integrity protection of NAS messages, respectively.
[0172] AMF network elements may include Security Anchor Function (SEAF) network elements. SEAF network elements are primarily used to initiate authentication requests to AFS network elements, completing the network-side authentication of the UE during the Evolved Packet System Authentication and Key Agreement (EPS-AKA) authentication process. It can be understood that SEAF network elements can also function as independent network elements, i.e., network elements independent of AMF network elements; this is not limited.
[0173] AMF network elements are control plane network functions provided by the operator's network, responsible for access control and mobility management of terminal equipment 110 accessing the operator's network.
[0174] 3) SMF network elements: mainly used for session management, allocation and management of Internet Protocol (IP) addresses for terminal devices, selection and management of user plane functions, endpoints of policy control and billing function interfaces, and downlink data notification, etc.
[0175] 4) PCF network element: A unified policy framework used to guide network behavior, providing policy rule information to network elements (such as AMF network elements, SMF network elements, etc.) or terminal devices.
[0176] In addition, PCF internally stores QoS rules. Furthermore, PCF can generate corresponding QoS rules as required to ensure that the services provided by the network meet the requirements of third parties.
[0177] 5) NRF network element: Used to store network function entities and their description information, as well as support functions such as service discovery and network element entity discovery.
[0178] 6) NEF network element: used to enable third parties to use the services provided by the network, support the network to open its capabilities, events and data analysis, provide security configuration information to the PLMN from external applications, and convert information exchanged between the PLMN and external networks.
[0179] 7) UDM network element: used for unified data management, 5G user data management, processing user identification, access authentication, registration, or mobility management, etc.
[0180] The UDM network element is a control plane function provided by the operator, responsible for storing information such as the SUPI (Subscription Identity Module) of subscribed users in the operator's network, the generic public subscription identifier (GPSI) of subscribed users, and credentials. The SUPI is encrypted during transmission, and the encrypted SUPI is called SUCI. This information stored by the UDM network element can be used for authentication and authorization of terminal devices accessing the operator's network. Specifically, the subscribed users of the aforementioned operator's network can be users of services provided by the operator's network, such as users of China Telecom's subscriber identity module (SIM) cards or China Mobile's SIM cards. The credentials of the subscribed users can be a long-term key stored in the SIM card or a small file containing information related to SIM card encryption, used for authentication and / or authorization. It should be noted that permanent identifiers, credentials, security contexts, authentication data (cookies), and tokens are equivalent to verification / authentication and authorization-related information, and for the sake of convenience, no distinction or limitation is made in this embodiment.
[0181] 8) UDR network element: Used to provide UDM with the function of saving and retrieving subscription data, PCF with the function of saving and retrieving policy data, and saving and retrieving user NF group ID information, etc.
[0182] 9) AF element: Used to provide corresponding services by interacting with other NFs in the PLMN, such as providing network selection information for roaming UE visits, routing data flows, and accessing NEFs.
[0183] 10) AUSF network element: used for Level 1 authentication, i.e. authentication between UE (subscribed user) and operator network.
[0184] The AUSF network element is a control plane function provided by the operator, typically used for Level 1 authentication, i.e., authentication between the terminal device (e.g., a subscriber) and the operator's network. After receiving an authentication request from a subscriber, the AUSF network element can authenticate and / or authorize the subscriber using authentication and / or authorization information stored in the UDM network element, or generate the subscriber's authentication and / or authorization information using the UDM network element. The AUSF network element can then send the authentication and / or authorization information back to the subscriber.
[0185] In addition, the architecture may include other network elements, such as the authentication repository and processing function (ARPF) network element, which is mainly used to store long-term key K; receive authentication vector requests from AUSF network elements; calculate authentication vectors using K; and send authentication vectors to AUSF network elements.
[0186] In Figure 1, Nnssf, Nnef, Nnrf, Npcf, Nudm, Nudr, Naf, Nausf, Namf, Nsmf, Neasdf, Nnssaaf, Nnsacf, N1, N2, N3, N4, and N6 are interface sequence numbers. For example, the meanings of these interface sequence numbers can be found in the 3GPP standard protocols, and this application does not limit the meaning of these interface sequence numbers. It should be noted that the interface names between the various network functions in Figure 1 are merely examples; in specific implementations, the interface names of this system architecture may be other names, and this application does not limit them. Furthermore, the names of the messages (or signaling) transmitted between the various network elements are also merely examples and do not constitute any limitation on the function of the messages themselves.
[0187] It should be noted that in the architecture shown in Figure 1, the interface between (R)AN and CN can also be called the NG interface (not shown in the figure). (R)AN and CN are connected through the NG interface. The NG interface can include the NG-C interface and the NG-U interface. The NG-C interface is the control plane interface, connecting (R)AN and AMF network elements, and is used to transmit control plane data. The NG-U interface is the user plane interface, connecting (R)AN and UPF, and is used to transmit user plane data.
[0188] The network elements shown in Figure 1, such as AMF, SMF, UPF, NEF, AUSF, NRF, PCF, and UDM, can be understood as network elements in the core network used to implement different functions, for example, they can be combined into network slices as needed. These core network elements can be independent devices or integrated into the same device to implement different functions. This application does not limit the specific form of the above network elements. In addition, the above network elements or functions can be physical entities in hardware devices, software instances running on dedicated hardware, or virtualized functions instantiated on a shared platform (e.g., a cloud platform). Simply put, an NF can be implemented by hardware or by software.
[0189] Furthermore, the aforementioned naming is defined solely for the purpose of distinguishing different functions and should not constitute any limitation on this application. This application does not preclude the possibility of using other naming conventions in 5G networks and other future networks. For example, in future communication networks, some or all of the aforementioned network elements may retain the terminology used in 5G, or they may adopt other names, etc.
[0190] To make it easier to understand, let's first introduce a few concepts.
[0191] 1. SUPI:
[0192] SUPI is a globally unique permanent 5G subscription identifier assigned to each user in the 5G system. SUPI is the basis for user authentication and authorization in the 5G system and has the characteristics of uniqueness, permanence and security.
[0193] In the 3GPP system, the identifiers of terminal devices include SUCI and SUPI. Because messages transmitted over the air interface may be obtained or modified by attackers, SUCI can generally be transmitted over the air interface, while SUPI cannot, thus preventing the terminal device from being tracked due to the leakage of SUPI.
[0194] SUPI is used to configure UDM or UDR network elements in the 5G core network, and it is the basis for user authentication and authorization.
[0195] The SUPI is a 15-digit decimal string, identical in format and size to the IMSI (International Mobile Subscriber Identity). The SUPI consists of three parts: the Country Code (MCC, 3 digits), the Carrier Code (MNC, 23 digits), and the Mobile Subscriber Identification Number (MSIN, 910 digits). These three parts collectively represent the subscriber and the carrier.
[0196] Because the SUPI is globally unique, it ensures that each 5G user has a unique identity. The SUPI is a permanent user identifier that, once assigned, accompanies the user throughout their entire 5G lifecycle. Since the SUPI includes the user's privacy information, it is typically not transmitted directly during actual transmission; instead, the SUCI is transmitted. The SUCI is generated using an encryption scheme and a public key to protect the user's privacy.
[0197] 2. SUCI:
[0198] SUCI is an important mechanism for protecting user privacy in 5G systems. It protects user privacy by encrypting the SUPI (Subscription Identity Token) to ensure that the SUPI is not illegally intercepted or tracked during transmission over the radio interface. SUCI is a one-time use subscription identifier; a new SUCI is generated after each use to enhance security.
[0199] Typical anonymous identity identifiers include SUCI and 5G globally unique temporary identity (5G-GUTI). SUCI is calculated by the terminal device using SUPI. Specifically, the terminal device can encrypt SUPI using the public key in the USIM card. SUCI can be in network access identifier (NAI) format (username@realm) or international mobile subscriber identity (IMSI) format.
[0200] In the case of a terminal device's initial network access, the terminal device generates a SUCI and includes it in the registration request message. This SUCI is used by the network for subsequent authentication of the terminal device's identity, thereby preventing the leakage of the SUPI and the resulting degradation of network security performance. After the terminal device successfully accesses the network, core network elements (such as AMF elements) generate a 5G-GUTI and send it to the terminal device for subsequent message transmission between the terminal device and the network.
[0201] Figure 2 is a schematic diagram of a SUCI structure. As shown in Figure 2, this SUCI format can be composed of the following parts:
[0202] 1) SUPI type
[0203] The value of the SUPI type can range from 0 to 7, and the specific value is used to identify the type of SUPI hidden in SUCI.
[0204] For example, when the type of SUPI is 0, the type of SUPI is identified as IMSI; when the type of SUPI is 1, the type of SUPI is identified as NSI; when the type of SUPI is 2, the type of SUPI is identified as GLI; when the type of SUPI is 3, the type of SUPI is identified as GCI; the type of SUPI is 0 to 7, which are reserve values for use in the future when new types of SUPI are added.
[0205] 2) Home network identifier
[0206] When the SUPI type is IMSI, the home network identifier consists of two parts: MCC and MNC.
[0207] The Mobile Country Code (MCC) consists of three decimal digits. The MCC uniquely identifies the country where a mobile user resides.
[0208] The Mobile Network Code (MNC) consists of two or three decimal digits. The MNC identifies the home PLMN or SNPN of the mobile subscription.
[0209] When the SUPI type is NSI, GLI, or GCI, the home network identifier consists of a variable-length string representing the domain name specified in Section 2.2 of IETF RFC 7542
[0126] . For GLI or GCI, the domain name shall correspond to the domain portion specified in the SUPI NAI format of Sections 28.15.2 and 28.16.2.
[0210] 3) Routing indication
[0211] The routing indicator consists of 1 to 4 decimal numbers assigned by the home network operator and provided in the USIM, allowing network signaling with SUCI to be routed, along with the home network identifier, to AUSF and UDM network element instances that can serve the user.
[0212] Each decimal digit appearing in the routing indicator should be considered meaningful (e.g., the value "012" is different from the value "12"). If no routing indicator is configured on the USIM or ME, this data field should be set to 0 (i.e., it should contain only a decimal digit of "0").
[0213] 4) Protection Scheme Identifier
[0214] The protection scheme identifier ranges from 0 to 15. The specific value of this identifier specifies whether an empty scheme, a non-empty scheme, or the protection scheme specified by the home public land mobile network (HPLMN) is used. If the SUPI type is GLI or GCI, then an empty scheme is used.
[0215] For example, the definition of protection scheme identification in existing standards is as follows:
[0216] null-scheme 0x0;
[0217] Profile 0x1;
[0218] Profile 0x2.
[0219] 0x3-0xB are reserved for future standardized protection schemes. 0xC-0xF are reserved for proprietary protection schemes designated by the home operator.
[0220] 5) Home network public key ID
[0221] The home network public key identifier has a value range of 0 to 255. This home network public key identifier represents the public key provided by HPLMN / SNPN and is used to identify the key used for SUPI protection.
[0222] Specifically, this data field should be set to 0 only if the SUCI is determined using the null mechanism; or it can be understood that this data field should be set to 0 only if the null protection scheme is used.
[0223] 6) Scheme output.
[0224] The mechanism output consists of a variable-length string or hexadecimal numbers, depending on the protection scheme used.
[0225] Figure 3 shows the scheme output under a null protection scheme. The Mobile Subscriber Identity (MSIN) or "Username" corresponds to the username portion of the NAI, applicable to Network Specific Identifier (NAI), GLI, or GCI of the SUPI type. If a null protection scheme (or null mechanism) is used, NF network elements can derive SUPIs from SUCIs as needed. When the routing-indicator is 0 and the protection mode is null, AMF network elements derive SUPIs from SUCIs for AUSF network element discovery.
[0226] The generation of a SUCI involves multiple steps and parameters, including encrypting the SUPI using the home network's public key and constructing the SUCI based on parameters such as the SUPI type, home network identifier, and routing identifier. When a user equipment (or terminal equipment, UE) needs to send a SUCI to the network, it generates the SUCI based on these parameters and the selected protection scheme, and includes it in the registration request message before sending it to the network. Upon receiving the SUCI, the network decrypts it using the corresponding private key to obtain the SUPI and perform authentication. This process ensures that the SUPI is not illegally intercepted or tracked during transmission over the radio interface, thus protecting the user's privacy.
[0227] SUCI's security primarily stems from its encryption and one-time use (or time-sensitive, or fresh) characteristics. By encrypting SUPI using a high-security encryption algorithm, SUCI ensures the confidentiality and integrity of SUPI during transmission. Furthermore, because SUCI is a one-time-use identifier, a new SUCI is generated after each use; therefore, even if a SUCI is intercepted or cracked, it cannot be used in subsequent authentication processes.
[0228] Figure 4 is a schematic flowchart of a SUPI privacy protection method. Figure 4 mainly introduces the process of UDM identifying SUCI and converting SUCI into SUPI for UE authentication.
[0229] 401. The UE sends an initial NAS message to the SEAF network element. Correspondingly, the SEAF network element receives the initial NAS message from the UE.
[0230] The initial NAS message includes either SUCI or 5G-GUTI.
[0231] It should be understood that when the UE locally stores the 5G-GUTI, the UE can carry the locally stored 5G-GUTI in the initial NAS message. When the UE does not locally store the 5G-GUTI, but stores the SUPI locally, the UE generates the SUCI based on the SUPI and carries the SUCI in the initial NAS message.
[0232] It should also be understood that the initial NAS message can be a registration request message, such as a Registration Request message.
[0233] It should also be understood that the SEAF network element is a sub-function of the AMF network element.
[0234] 402. The SEAF network element sends a terminal device authentication request message to the AUSF network element. Correspondingly, the AUSF network element receives the terminal device authentication request message from the SEAF network element.
[0235] For example, after receiving the initial NAS message sent by the UE in step 401 above, the SEAF network element sends a terminal device authentication request message to the AUSF network element. This terminal device authentication request message includes either SUCI or 5G-GUTI.
[0236] It should be understood that, assuming the initial NAS message in step 401 includes 5G-GUTI, the SEAF network element can determine the SUPI network element based on the 5G-GUTI and carry the SUPI in the terminal device authentication request message in step 402. Furthermore, assuming the initial NAS message in step 401 includes SUCI, the SEAF network element can directly carry the received SUCI in the terminal device authentication request message in step 402.
[0237] For example, the terminal device authentication request message in step 402 could be a Nausf_UEAuthentication_Authenticate Request message.
[0238] 403, the AUSF network element sends a Nudm_UEAuthentication_Get Request message (requesting to obtain UE authentication information) to network element #1. Correspondingly, network element #1 receives the Nudm_UEAuthentication_Get Request message from the AUSF network element.
[0239] This message is used to obtain the parameters required for authentication, such as the authentication vector.
[0240] For example, after receiving a terminal device authentication request message from a SEAF network element, the AUSF network element sends a Nudm_UEAuthentication_Get Request message to network element #1 based on the received terminal device authentication request message. This Nudm_UEAuthentication_Get Request message includes either SUCI or 5G-GUTI.
[0241] It should be understood that, assuming the terminal device authentication request message in step 402 includes SUPI, the AUSF network element will carry the SUPI in the Nudm_UEAuthentication_Get Request message and transmit it to network element #1. Furthermore, assuming the terminal device authentication request message in step 402 includes SUCI, the AUSF network element will carry the SUCI in the Nudm_UEAuthentication_Get Request message and transmit it to network element #1.
[0242] It should also be understood that when the AUSF network element carries the SUCI in the Nudm_UEAuthentication_Get Request message, the first network element receives the SUCI accordingly, and network element #1 determines the SUPI based on the SUCI.
[0243] It should also be understood that network element #1 can be a UDM network element, an ARPF network element, or a subscription identifier de-concealing function (SIDF) network element, etc.
[0244] It should also be understood that Figure 4 above only shows the function of UDM in decrypting SUCI to obtain SUPI, and is only an exemplary introduction to part of the process.
[0245] 3. UE parameter update (UPU) mechanism
[0246] It should be understood that the UPU mechanism refers to the mechanism by which the UDM updates UE parameters through control plane procedures. Currently, UE parameters include the Routing Identifier (RID) (RID is one of the parameters generated by SUCI). After the UE successfully registers with the 5G network, updated parameters can be securely submitted to the UE through the UDM.
[0247] Figure 5 shows a schematic flowchart of a UPU mechanism.
[0248] 501, the UDM network element determines to update the UE's parameters.
[0249] It should be understood that after a UE registers with the 5G system, the UDM network element will perform UE parameter updates through the control plane at a certain time.
[0250] It should be understood that this specific time can be determined by the UDM network element itself or pre-configured by the system.
[0251] 502, the UDM network element sends a UPU protection message to the AUSF network element.
[0252] For example, if a UDM network element determines that it needs to update the parameters of the UE, the UDM network element sends a UPU protection message to the AUSF network element.
[0253] For example, the UPU protection message could be a Nausf_UPUProtection message.
[0254] The UPU protection message includes UPU data and a UPU message header. The UPU data includes updated UE parameters, such as the UE's RID. If the UDM network element determines that a successful security check requiring a UE response to receive the UPU data is needed, the UDM sets a response indicator in the UE parameter update information and sets the ACK indicator to 1 in the UPU message header. This ACK indicator of 1 indicates that the UDM requires the expected UPU-XMAC-I... UE UDM's expected UPU-XMAC-I UE Allow UDM to verify whether the UE is correctly receiving UPU data.
[0255] 503, the AUSF network element sends a UPU protection response message to the UDM network element.
[0256] For example, the UPU protection response message can be a Nausf_UPUProctection response message.
[0257] It should be understood that the UPU protection response message contains UPU data, a UPU counter, a UPU message header, and a UPU-MAC-I identifier. AUSF Among them, UPU-MAC-I AUSF The UPU counter is the message authentication code (MAC) generated by the AUSF network element after performing integrity protection on the UPU data. The UPU counter is the count value used by AUSF during the integrity protection process of the UPU data. The UPU counter can also be written as CounterUPU. The AUSF network element and the UE will match the UPU counter with the K... AUSF Related. The UPU counter is typically a 16-bit counter. The UPU counter is used to prevent replay attacks. For example, in the UE's derivation of K... AUSF At this time, the UE will set the UPU counter to 0; the AUSF network element derives K. AUSF At this time, AUSF will set the UPU counter to 1.
[0258] Optionally, if the UPU protection message in step 503 includes an ACK indication set to 1, the UPU protection response message also includes UPU-XMAC-I. UE .
[0259] It should be noted that UPU-MAC-I AUSF It is based on UPU data, UPU counter, and K. AUSF This was calculated using UPU-XMAC-I. UE It is based on the ACK instruction, UPU counter, and K. AUSF This was calculated.
[0260] 504, the UDM network element sends an SDM notification message to the AMF network element.
[0261] For example, an SDM notification message can be a Nudm_SDM_Notification message. An SDM notification message includes: UPU data, UPU counter, UPU message header, and UPU-MAC-I. AUSF .
[0262] In one possible implementation, the UDM network element calls the Nudm_SDM_Notification service operation. If the AMF network element supports the UPU transparent container, the operation includes the UPU transparent container; if it does not support the transparent container, the access and mobility subscription data include UE parameter update data and UPU-MAC-I. AUSF A separate information element (IE) for the UPU counter. If the UDM includes an ACK indication set to 1 in the UPU message header, the UDM network element should temporarily store the expected UPU-XMAC-I. UE .
[0263] The SDM notification message sent by the UDM network element to the AMF network element contains a UPU header. In the UPU header format, registration (or REG) indicates whether a re-authentication process needs to be triggered. When set to a valid value, the UE subsequently needs to trigger the primary authentication process. ACK is used to indicate whether the UE needs to confirm the successful security check of the received UE parameter update data. When ACK is set to a valid value (e.g., 1), the UE needs to confirm the successful security check of the received UE parameter update data.
[0264] 505, the AMF network element sends a downlink (DL) NAS transmission message to the UE.
[0265] The DL NAS transmission messages include UPU data, UPU counter, UPU message header, and UPU-MAC-I. AUSF The UPU message header includes an ACK indicator set to 1, which is used to request (or indicate) the UE to acknowledge successful security checks on the received UPU data. After receiving the SDM notification message, the AMF network element sends a DL NAS transmission message to the UE it serves.
[0266] 506, UE verification UPU-MAC-I AUSF .
[0267] As one possible implementation, after receiving the DL NAS transmission message, the UE calculates the UPU-MAC-I based on the received UPU data and UPU counter, in the same way as the AUSF network element. AUSF And verify the calculated UPU-MAC-I AUSF Is it consistent with the received UPU-MAC-I? AUSF Same. When the calculated UPU-MAC-I AUSF With the received UPU-MAC-I AUSF If they are the same, the verification is successful.
[0268] In UPU-MAC-I AUSF If verification is successful, and the UPU data contains parameters protected by a secure packet, the ME in the UE will send these secure packet parameters to the USIM card in the UE. (In UPU-MAC-I...) AUSF If the verification is successful, and the UPU data does not contain the parameters of the secure data packet, the ME in the UE will update its stored parameters according to the parameters in the UPU data.
[0269] When the UDM network element has requested the UE to confirm the successful security check of the received UPU data (i.e., the ACK in the UPU message header is set to a valid value, such as "1"), and the UE has successfully verified UPU-MAC-I... AUSF After updating the parameters based on the UPU data, the UE should perform the following step S507.
[0270] 507, the UE sends a UL NAS transmission message to the AMF network element.
[0271] Among them, the UL NAS transmission messages include UPU-MAC-I UE .
[0272] It should be understood that UPU-MAC-I UE It is based on K AUSF This is calculated. UE calculates UPU-MAC-I. UE The method of AUSF network element calculation UPU-XMAC-I UE The method is the same; the UL NAS transmission message includes UPU-MAC-I. UE With UPU-XMAC-I carried in the UPU protection response message UE same.
[0273] 508. The AMF network element sends an SDM information request message to the UDM network element.
[0274] For example, the SDM information request message is a Nudm_SDM_Info request message. The SDM information request message includes a transparent container, which includes UPU-MAC-I... UE .
[0275] In one possible implementation, if the AMF network element receives a UPU-MAC-I message in the UL NAS transmission message... UE If a transparent container is provided, the AMF network element sends an SDM information request message with the transparent container to the UDM network element.
[0276] 509, UDM network element compares the received UPU-MAC-I UE and its own stored UPU-XMAC-I UE Are they consistent?
[0277] If the UDM network element instructs the UE to confirm the successful security check of the received UE parameter update data, the UDM network element will send the received UPU-MAC-I... UE With the expected UPU-XMAC-I temporarily stored by UDM in step 304 UE Compare them.
[0278] It should be understood that if the received UPU-MAC-I UE and storage UPU-XMAC-I UE Inconsistencies indicate a security risk on the network.
[0279] It should also be understood that Figure 5 is a simple introduction to the UPU process, and its specific details can be found in existing technologies, which will not be elaborated here.
[0280] Based on the above introduction, SUCI is a necessary parameter for the terminal device to generate a registration request message during the network access process. If SUCI cannot be successfully generated, the registration request message generation will fail, thus affecting the UE's network access. However, currently, there is no solution to address the issue of the terminal device failing to generate SUCI, leading to network access failure.
[0281] In view of this, this application provides a communication method that ensures the terminal device can access the network normally and achieve normal communication when the terminal device fails to determine its identity.
[0282] It should be understood that, in the embodiments of this application, the identity identifier of the terminal device may include a first identity identifier, a second identity identifier, and a third identity identifier. The first identity identifier is an anonymized identity identifier obtained by processing plaintext identity information through encryption; the second identity identifier is an identity identifier different from the first identity identifier obtained based on plaintext identity information; and the third identity identifier is an anonymized identity identifier.
[0283] It should be noted that this encryption method includes both methods using encryption algorithms and methods using empty encryption algorithms. The anonymized identity refers to the permanent identity obtained after being calculated using the aforementioned encryption algorithm. In other words, the third-party identity can be obtained from a permanent identity using an encryption algorithm, or it can be obtained using an empty mechanism algorithm.
[0284] The difference between the second and second identity identifiers can be understood as follows: the device (or module, unit) that generates the first identity identifier is different from the device (or module, unit) that generates the second identity identifier. For example, the anonymized identity identifier obtained by the second module of the terminal device through encryption processing of plaintext identity information is the first identity identifier, and the anonymized identity identifier obtained by the second module of the terminal device through encryption processing of plaintext identity information is the second identity identifier. The encryption method used for the first identity identifier and the encryption method used for the second identity identifier can be the same or different. Another example is that the first and second identity identifiers differ in the timing of their generation. For instance, the system pre-configures the second module of the terminal device to generate the first identity identifier. If the second module fails to generate the first identity identifier due to a lack of relevant parameters, or if the first module (including the second module) lacks the relevant parameters, the first module can generate the second identity identifier based on the error indication (or error reason value, error information) that the second module cannot generate the first identity identifier. Therefore, the difference between the first and second identity identifiers can also indicate a difference in the timing of their generation.
[0285] The encryption methods corresponding to the first and third identity identifiers may be the same or different. For example, both the first and third identity identifiers may be calculated using elliptic algorithm encryption; or the first identity identifier may be calculated using elliptic algorithm encryption while the third identity identifier is calculated using symmetric encryption.
[0286] It should be understood that in this embodiment of the application, the identity identifier is SUCI as an example, and the plaintext identity information is SUPI as an example, for the purpose of description.
[0287] It should also be understood that in the description of the embodiments of this application, it is assumed that the first identity identifier is the first SUCI, the second identity identifier is the second SUCI, and the third identity identifier is the fourth SUCI, as in the embodiments in FIG6, FIG8 and FIG9; it is also assumed that the first identity identifier is the first SUCI and the second SUCI, the second identity identifier is the third SUCI, and the third identity identifier is the fourth SUCI, as in the embodiment in FIG7.
[0288] It should also be understood that in the description of the embodiments of this application, it is assumed that the terminal device includes a first module and a second module, wherein both the first module and the second module are modules used to generate anonymized identity identifiers. The first module is a module within the terminal device, for example, a function implemented through software or a function on a chip card; the second module is a pluggable device or a module within a pluggable device. The first module is exemplified by an ME (Medium-Instrument Machine), and the second module by a USIM (United States Imaging Machine), as shown in the embodiment in Figure 10.
[0289] It should be noted that in the embodiments of this application, there is no limitation on which specific SUCI is indicated (e.g., first SUCI, second SUCI, third SUCI, fourth SUCI). In other words, when referring to SUCI in general, it is described as SUCI in the embodiments of this application.
[0290] It should also be noted that in the embodiments of this application, generating SUCI can also be referred to as calculating SUCI or obtaining SUCI.
[0291] Figure 6 is a flowchart illustrating a communication method provided in this application.
[0292] 601, the UE generates the second SUCI and the first indication information.
[0293] It should be understood that if the UE determines that it cannot generate a first SUCI, the UE generates a second SUCI. The first SUCI can be generated based on a public key; for details on generating the first SUCI, please refer to the description of the relevant content in the SUCI section above. The second SUCI can be generated based on an empty mechanism; for details, please refer to the description of the relevant content in the SUCI section above.
[0294] It should also be understood that if the UE determines that it cannot generate the first SUCI, the UE determines a first indication message. This first indication message is used to inform the first network side that an error has occurred during the UE's acquisition of the SUCI. This first indication message can indicate that an error has occurred, the specific reason for the error, or it can be used to request error handling, etc.
[0295] For example, the first indication information may be used to indicate at least one of the following:
[0296] The reasons why the UE can only use the second SUCI to access the network include: the UE cannot generate the first SUCI; the UE requests all or part of the parameters used to generate the SUCI; the UE requests all or part of the parameters used to generate the first SUCI; the UE fails to calculate the first SUCI; or the UE cannot generate the first SUCI.
[0297] It should also be understood that this application does not limit the timing of the UE generating the first indication information.
[0298] It should also be understood that step 601 is an internal implementation operation of the UE, and in the actual network element interaction process, step 601 is an optional step.
[0299] It should also be understood that step 601 is written from the perspective of the UE. The UE internally includes the ME and the USIM. The UE determines that the generated second SUCI can come from either the USIM or the ME. The first indication information can be determined by the ME based on the first SUCI and / or the second SUCI generated by the USIM, or it can be determined by the ME based on the first SUCI and / or the second SUCI generated by the ME itself. The interaction between the USIM and the ME can be described in detail in subsequent embodiment F, and will not be repeated here.
[0300] 602, the UE sends a registration request message #1 to the AMF network element. Correspondingly, the AMF network element receives the registration request message #1 from the ME.
[0301] For example, the registration request message #1 can be referred to as the initial registration request message. The registration request message #1 includes the second SUCI in step 601 above, or it can be understood that the registration request message #1 includes the second SUCI.
[0302] Optionally, the registration request message #1 may also carry the first indication information determined by the UE in step 601.
[0303] 603. The UE, AMF network element, AUSF network element and UDM network element execute the main authentication process.
[0304] It should be understood that the AMF network element is mainly responsible for forwarding relevant messages in the main authentication process and ultimately obtaining the indication information that the UE authentication is successful, thus confirming that the UE authentication is successful.
[0305] It should also be understood that a detailed description of step 603 can be found in the description of the existing solution, and will not be repeated here.
[0306] 604, the AMF network element sends NAS SMC message #1 to the UE. Correspondingly, the UE receives NAS SMC message #1 from the AMF network element.
[0307] It should be understood that this NAS SMC message #1 is used to activate the NAS security context.
[0308] It should also be understood that after the NAS SMC message #1, the UE successfully accesses the 5G network, meaning that the UE can communicate with the network using messages with security protection features.
[0309] 605, the UE sends NAS SMP message #1 to the AMF network element. Correspondingly, the AMF network element receives NAS SMP message #1 from the ME.
[0310] Optionally, the NAS SMP message #1 may include first indication information.
[0311] It should be understood that the first instruction information is carried in at least one of the registration request message #1 in step 602 and the NAS SMP message #1 in step 605. This first instruction information can also be sent via a newly added separate message, which is not limited in this application.
[0312] [Corrected according to Rule 91, 10.12.2025] It should also be understood that the NAS messages (such as NAS SMC messages and NAS SMP messages) involved in Figure 6 are all 5G NAS messages.
[0313] 606, the AMF network element sends request message #1 to the UDM network element. Correspondingly, the UDM network element receives request message #1 from the AMF network element.
[0314] The request message #1 includes first instruction information.
[0315] It should be understood that the first indication information may be presented in the same or different form (or format) as the request message #1, the registration request message #1, or the NAS SMP message #1, but the function of the first indication information remains unchanged.
[0316] As an example, after receiving the first indication information, the AMF network element can carry the first indication information in a request message #1 and forward it to the UDM network element, that is, the AMF network element does not perform any processing on the first indication information.
[0317] As another example, after receiving the first indication information, the AMF network element carries the first indication information in request message #1, and processes the format or presentation of the first indication information to obtain processed first indication information, but does not modify the function of the first indication information. It should be understood that, for clarity and brevity, this invention does not distinguish the presentation of the first indication information, but only focuses on its specific function. Therefore, the first indication information and the processed first indication information will not be distinguished in the following descriptions, and will be referred to as the first indication information.
[0318] It should also be understood that the request information #1 can be sent during the registration process of the UE requesting access to the first network, or after the registration completion message sent by the AMF network element to the UE. This application does not limit the timing of the execution of step 606.
[0319] It should also be understood that the request message #1 may be a message requesting related operations of the terminal device connection management (nudm user equipment connection management, Nudm_UECM) service, or a newly defined service-oriented message, which is not limited in this application.
[0320] 607. The UDM network element determines the subsequent operation to be performed based on the first instruction information.
[0321] For example, after receiving a request message #1 that includes first indication information, the UDM network element determines the subsequent operation to be performed based on the first indication information.
[0322] It should be understood that subsequent operations involve the UDM network element sending some or all of the relevant parameters for calculating (or generating) the SUCI. After receiving these parameters, the UE can use them to calculate the first or second SUCI, thus resolving the UE error. Furthermore, if the UDM network element sends all or some of the relevant parameters for calculating the SUCI, including those for calculating the first SUCI, then rapidly distributing these parameters reduces the number of SUPI exposures and lowers the probability of the UE being tracked by attackers.
[0323] For example, after receiving the first indication information, the UDM network element can operate in several ways:
[0324] For example, the subsequent execution operation could be that the UDM network element sends all or part of the relevant parameters for generating the SUCI (e.g., the first SUCI and / or the second SUCI) via over-the-air (OTA) download.
[0325] For example, the subsequent operation could be a UDM network element triggering an alarm. A UDM network element triggering an alarm is used to inform operations and maintenance technicians that the user equipment lacks relevant parameters for determining the SUCI. Maintenance technicians can then send some or all of the relevant parameters for the SUCI (e.g., the first SUCI and / or the second SUCI) to the ME / USIM via technical operations (e.g., OTA).
[0326] For example, the subsequent operation could be that the UDM sends relevant parameters for generating the SUCI to the UE via 5G network signaling procedures, such as through the UPU procedure. Some or all of the relevant parameters for generating the SUCI (e.g., the first SUCI and / or the second SUCI) can be carried in the UPU data sent by the UDM network element.
[0327] When a UDM network element sends relevant parameters for generating a SUCI to a UE using 5G network signaling procedures, there are multiple methods for the UDM network element to determine the relevant parameters for generating a SUCI.
[0328] In one possible implementation, if the first indication information is used to indicate that the UE cannot generate a SUCI (regardless of whether it is the first SUCI or the second SUCI), the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the first SUCI.
[0329] In one possible implementation, if the first indication information is used to indicate the specific reason why the UE cannot generate the first SUCI, the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the first SUCI.
[0330] In one possible implementation, if the first indication information is used to indicate the specific reason why the UE cannot generate the second SUCI, the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the second SUCI.
[0331] In one possible implementation, if the first indication information is missing specific parameters for generating the first SUCI in the UE, the subsequent execution operation includes the UDM network element sending some relevant parameters for generating the first SUCI.
[0332] In one possible implementation, if the first indication information is used to indicate that the specific parameters for generating the second SUCI are missing from the USIM, the subsequent execution operation includes the UDM network element sending a portion of the relevant parameters for generating the second SUCI, which includes the specific parameters for generating the first SUCI indicated by the first indication information.
[0333] As an example, if the first indication information indicates that the UE lacks a routing representation among the parameters used to generate the SUCI (e.g., the first SUCI and / or the second SUCI), then in subsequent operations, the UDM network element will send some or all of the relevant parameters used to generate the SUCI, including the routing representation.
[0334] Optionally, the UDM network element can also determine second indication information, which is used to instruct the UE to generate SUCI, or the second indication information is used to instruct a certain module (e.g., the first module or the second module) in the UE to generate SUCI, that is, the second indication information is used to indicate the location where the UE generates SUCI.
[0335] For example, the first module can be the ME (Mechanical Equipment) in the UE, and the second module can be the USIM (United States Imaging System) in the UE. Alternatively, the first module can be a module in the UE that has ME functionality, or the second module can be a module in the UE that has USIM functionality.
[0336] For example, if the first instruction information instructs the first module to calculate the SUCI, it can be understood that the first module stores some or all of the relevant parameters of the first SUCI after receiving them, and uses them in subsequent processes. If the second instruction information instructs the second module to calculate the SUCI, it can be understood that after the first module receives some or all of the relevant parameters of the SUCI, the first module sends the received SUCI parameters to the second module, which stores them and uses them in subsequent processes. The first module may or may not store the received SUCI parameters.
[0337] Scenario 1
[0338] Assuming that the UDM network element determines in step 607 to send all or part of the relevant parameters for generating SUCI in the UPU process, the method can also include the following steps:
[0339] 608. The UDM network element sends a response message #1-0 to the AMF network element. Correspondingly, the AMF network element receives the response message #1-0 from the UDM network element.
[0340] It should be understood that this response message #1-0 is used in response to request message #1 in step 609.
[0341] 609, UDM network element initiates UPU process.
[0342] For example, in the UPU process initiated by the UDM network element, the UPU data sent by the UDM network element includes all or part of the relevant parameters for generating the SUCI. For instance, the SDM notification message in step 504 of Figure 5 above contains UPU data that includes all or part of the relevant parameters for generating the SUCI.
[0343] For example, in the UPU process initiated by the UDM network element, after the AMF network element receives the SDM notification message, the AMF network element determines the DL NAS to transmit UPU data based on the SDM notification message. The UPU data in the DL NAS transmission message includes all or part of the relevant parameters used to generate SUCI.
[0344] For example, the user-generated SUCI parameters sent by the UDM network element may be the relevant parameters for generating the SUCI that the UE is missing, as indicated by the first indication information, or the user-generated SUCI parameters may be sent by the UDM network element in the UPU data, carrying all the parameters for generating the SUCI.
[0345] Optionally, the UPU data may also include a second indication information.
[0346] It should also be understood that the UDM network element initiates the UPU process in a similar manner to the existing UPU process, as described in Figure 5 above, and will not be repeated here.
[0347] Scenario 2
[0348] Assuming that the UDM network element can determine in step 607 to send some or all of the relevant parameters for generating SUCI through the response message of request message #1 (e.g., response message #1-1), the method may include the following steps:
[0349] 610. The UDM network element sends a response message #1-1 to the AMF network element. Correspondingly, the AMF network element receives the response message #1-1 from the UDM network element.
[0350] It should be understood that response message #1-1 is used to respond to request message #1 in step 606. Response message #1-1 includes some or all of the relevant parameters used to generate SUCI.
[0351] Optionally, the response message #1-1 may also include a second indication message.
[0352] 611, the AMF network element sends the first NAS message to the UE. Correspondingly, the UE receives the first NAS message from the AMF network element.
[0353] For example, the AMF network element determines the first NAS message based on the response message #1-1, which includes all or part of the relevant parameters used to generate SUCI.
[0354] Optionally, if the response message #1 also includes the second indication information, the first NAS message may also include the second indication information.
[0355] For example, the first NAS message belongs to the 5G NAS message category. This first NAS message can be a configuration update command message or other messages; this application does not limit the specific name of the first NAS message.
[0356] 612, the UE sends a second NAS message to the AMF network element. Correspondingly, the AMF network element receives the second NAS message from the UE.
[0357] For example, the second NAS message is a response message to the first NAS message. The second NAS message belongs to the 5G NAS message category.
[0358] It should be understood that this second NAS message is optional to send.
[0359] 613, UE stores relevant parameters used to generate SUCI.
[0360] For example, after the UE receives all or part of the relevant parameters for generating the SUCI from the UDM network element, the UE can store all or part of the relevant parameters for generating the SUCI locally on the UE.
[0361] As an example, suppose that after the ME in the UE receives all or part of the relevant parameters for generating the SUCI from the UDM network element, the ME can store all or part of the relevant parameters for generating the SUCI locally, or send all or part of the relevant parameters for generating the SUCI to the USIM, and the USIM will store all or part of the received relevant parameters for generating the SUCI locally.
[0362] For example, the UE may also receive second indication information from the UDM. Based on the second indication information, the UE determines the storage location of all or part of the relevant parameters used to generate the SUCI.
[0363] As an example, suppose the ME in the UE receives a second indication message, and the ME can determine the storage location of all or part of the relevant parameters received for generating the SUCI based on the second indication message.
[0364] For example, assuming the second instruction information is used to instruct the ME to calculate the SUCI, upon receiving the second instruction information, the ME can update its local configuration accordingly. For instance, the ME can delete the locally stored SUCI. Another example is to overwrite the old instruction information used to instruct the USIM to calculate the SUCI with the second instruction information. Yet another example is to modify the configuration information for USIM to calculate the SUCI to allow the ME to calculate the SUCI. The specific implementation method is not limited in this application.
[0365] For example, suppose the second instruction information is used to instruct SUCI to calculate USIM. The ME receives the second instruction information and sends the received SUCI-related parameters to the USIM. Correspondingly, the USIM receives the SUCI-related parameters and updates its local configuration. For instance, the USIM updates the locally stored SUCI-related parameters based on the received SUCI-related parameters.
[0366] It should be noted that if the ME or USIM already has the relevant parameters for calculating SUCI stored locally, the ME or USIM will delete the locally stored SUCI-related parameters, or the ME or USIM will use the newly received SUCI-related parameters to overwrite the old SUCI-related parameters, or the ME or USIM will store the newly received SUCI-related parameters locally. If duplicate parameters exist, the old parameters will be deleted and the new parameters will be retained.
[0367] For example, assuming that all or part of the relevant parameters for generating SUCI sent by the UDM network element are carried in the security data packet, then all or part of the relevant parameters for generating SUCI may be stored in the USIM in the UE; assuming that all or part of the relevant parameters for generating SUCI sent by the UDM network element are not carried in the security data packet, then all or part of the relevant parameters for generating SUCI may be stored in the ME in the UE.
[0368] 614, the UE requests access to the 5G network based on the fourth SUCI request.
[0369] The fourth SUCI is generated by the UE based on the relevant parameters for generating the SUCI stored in step 613. This fourth SUCI is an anonymized identity identifier.
[0370] It should be understood that, considering the time-sensitive nature of SUCI, assuming that step 602 of the UE network access process is executed in the first time period, step 614 can be executed in the second time period. Specifically, at the start of the second time period or at a point before that start, assuming the network access requested by the UE through step 602 in the first time period has been disconnected, the UE can execute step 614 in the second time period. Alternatively, if the UE's UE context information does not contain a 5G GUTI and SUCI, the UE can re-register using the fourth SUCI through step 614. At some uncertain point in subsequent processes (e.g., the point at which the UE needs to re-enter the network, or the point at which the UE re-registers), if the UE needs to carry an anonymized identity in the registration request message, the UE will use the fourth SUCI.
[0371] For example, the UE sends a registration request message to request access to the network, and the registration request message carries the fourth SUCI; or, the UE may also respond to an inquiry from the network side and carry the fourth SUCI in the response message.
[0372] Figure 7 is a flowchart illustrating another communication method provided in this application.
[0373] 701, UE generates a third SUCI.
[0374] It should be understood that if the UE determines that it cannot generate the first SUCI and the second SUCI, the UE generates a third SUCI. Both the first and second SUCIs are anonymized identity identifiers obtained by processing plaintext identity information through encryption. For example, the first SUCI is an identity identifier obtained by processing plaintext identity information using an elliptic cryptography algorithm; the second SUCI is an identity identifier obtained by processing the protection mechanism corresponding to the first protection mechanism identifier in the null mechanism; and the third SUCI is an identity identifier obtained by the protection mechanism corresponding to the second protection mechanism identifier.
[0375] In one possible implementation, the UE may have a security protection mechanism priority list configured by the operator. This priority list can contain both non-empty and empty mechanisms, or only empty mechanisms. This priority list is a priority list of security protection mechanism identifiers. Security protection mechanisms corresponding to higher-priority security protection mechanism identifiers should be used first. For example, if a non-empty mechanism has a high priority, and the UE cannot obtain the first SUCI (indicating that all non-empty mechanisms have been attempted in the priority list), the UE attempts to calculate the second SUCI based on the first protection mechanism identifier associated with the empty mechanism in the configured priority list. If the UE fails to generate the second SUCI, the UE calculates the third SUCI based on the second protection mechanism identifier.
[0376] As an example, the first protection mechanism identifier is a pre-configured identifier by the operator when using the empty mechanism normally; for example, the first protection mechanism identifier is 0x0. The second protection mechanism identifier is an identifier used in abnormal situations; for example, the second protection mechanism identifier is 0x3 or 0xF. The second protection mechanism identifier can be a pre-configured, less flexible security protection mechanism, such as using a default key and / or algorithm to protect the privacy of SUPI, or using the empty mechanism to protect the privacy of SUPI to obtain an anonymized identity.
[0377] It should be understood that this embodiment does not limit the protection mechanism corresponding to the second protection mechanism identifier. The second protection mechanism identifier can be newly added for use in abnormal scenarios. For example, if the UE cannot calculate the first SUCI, nor can it use 0x0 to calculate the second SUCI, the UE can use the second protection mechanism identifier to calculate the third SUCI. Since the second protection mechanism identifier is used in abnormal scenarios, to ensure that the second protection mechanism identifier is always available, it can be pre-configured in the UE, and the parameters related to SUCI calculation may not be stored together. Alternatively, the second protection mechanism identifier can be automatically filled in when the UE calculates the third SUCI, etc. The specific method of obtaining the second protection mechanism identifier is not limited in this application.
[0378] For example, the third SUCI includes first indication information, which can be used to indicate at least one of the following:
[0379] The UE can only use the third SUCI to access the first network; the UE cannot generate a SUCI (without distinguishing between the first and second SUCIs); the UE cannot generate the first SUCI; the UE cannot generate the second SUCI; the specific reason why the UE cannot generate the first SUCI; the specific reason why the UE cannot generate the second SUCI; the UE requests parameters for generating the SUCI; the UE fails to calculate the first SUCI; the UE fails to calculate the first SUCI; the UE fails to calculate the second SUCI; the UE fails to calculate the second SUCI; the UE fails to calculate the second SUCI.
[0380] It should be understood that the third SUCI includes a second protection mechanism identifier, which may have the function of the first indication information mentioned above, that is, the second protection mechanism identifier may be used to indicate one or more of the above.
[0381] It should also be understood that the UE generating a third SUCI can include the following implementations: For example, if the USIM in the UE determines that it cannot generate the first SUCI and the second SUCI, the USIM can generate the third SUCI, meaning the third SUCI generated by the UE originates from the USIM in the UE; or, for another example, if the USIM in the UE determines that it cannot generate the first, second, and third SUCI, the ME in the UE cannot generate the first and second SUCI, but the ME can generate the third SUCI, meaning the third SUCI generated by the UE originates from the ME in the UE. The detailed interaction between the USIM and ME in the UE can be found in Figure 10, and will not be elaborated upon here.
[0382] 702, the UE sends a registration request message #2 to the AMF network element. Correspondingly, the AMF network element receives the registration request message #2 from the UE.
[0383] The registration request message #2 includes a third SUCI. Alternatively, it can be understood that the registration request message #2 is generated based on the third SUCI, or that the registration request message #3 carries the third SUCI.
[0384] For example, the registration request message #2 can be referred to as the initial registration request message. The registration request message #2 includes the third SUCI in step 701 above, or it can be understood that the registration request message #2 is generated based on the third SUCI.
[0385] For example, the first indication information can be indicated by the second protection mechanism identifier in the third SUCI, or carried separately in the registration request message #2.
[0386] 703. The UE, AMF network element, AUSF network element and UDM network element execute the main authentication process.
[0387] For example, after the AMF network element receives the UE's registration request message #2, the AMF network element can send a Nausf_UEAuthentication_Authenticate Request message to the AUSSF network element, as shown in step 402 of Figure 4. This message includes the third SUCI from the registration request message #2, or the third SUCI and the first indication information. The AUSSF network element then sends the third SUCI from the Nausf_UEAuthentication_Authenticate Request message, or the third SUCI and the first indication information, to the UDM network element via a Nudm_UEAuthentication_Get Request message, as shown in step 403 of Figure 4.
[0388] For example, after receiving a Nausf_UEAuthentication_Authenticate Request message, and if the Nausf_UEAuthentication_Authenticate Request message includes a third SUCI, or a third SUCI and first indication information, the AUSF network element sends a message including the third SUCI, or a third SUCI and first indication information, to the UDM network element. After receiving the message from the AUSF network element including the third SUCI, or a third SUCI and first indication information, the UDM network element determines the SUPI based on the third SUCI and authenticates the ME. The UDM network element determines the subsequent execution operation based on the second protection mechanism identifier and / or the first indication information in the third SUCI.
[0389] 704, UDM network element determines subsequent execution operations.
[0390] For example, after a UDM network element receives a message including a third SUCI, or a third SUCI and a first indication information, the UDM determines the subsequent operation to be performed based on the second protection mechanism identifier of the third SUCI and / or the first indication information.
[0391] It should be understood that subsequent operations are used by the UDM network element to send some or all of the relevant parameters for calculating (or generating) SUCI.
[0392] For example, after receiving some or all of the relevant parameters for calculating the SUCI, the UE can use these parameters to calculate the first SUCI or the second SUCI, thereby resolving the UE error. Furthermore, if the relevant parameters sent by the UDM network element for calculating the SUCI include all or some of the relevant parameters for calculating the first SUCI, rapidly distributing the relevant parameters for calculating the first SUCI can reduce the number of SUPI exposures and lower the probability of the UE being tracked by attackers.
[0393] For example, the UDM may operate in a variety of ways based on the second protection mechanism identifier and / or first instruction information received in the third SUCI.
[0394] For example, the subsequent execution operation may be that the UDM network element sends all or part of the relevant parameters for generating the SUCI (e.g., the first SUCI and / or the second SUCI) via the OTA function.
[0395] For example, the subsequent operation could be a UDM network element triggering an alarm. A UDM network element triggering an alarm is used to inform operation and maintenance technicians that the user equipment lacks relevant parameters for determining the SUCI. Maintenance technicians can then send some or all of the relevant parameters for the SUCI (e.g., the first SUCI and / or the second SUCI) to the UE via technical operations (e.g., OTA).
[0396] For example, the subsequent operation could be that the UDM network element sends relevant parameters for generating the SUCI during the UPU process. These relevant parameters for generating the SUCI (e.g., the first SUCI and / or the second SUCI) can be carried in the UPU data sent by the UDM network element.
[0397] When the UDM sends relevant parameters for generating SUCI to the UE using 5G network signaling procedures, there are multiple methods for the UDM to determine the relevant parameters for generating SUCI.
[0398] In one possible implementation, if the second protection mechanism identifier and / or the first indication information are used to indicate that the USIM cannot generate a SUCI (without distinguishing between the first SUCI, the second SUCI, and the third SUCI), the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the first SUCI.
[0399] In one possible implementation, if the second protection mechanism identifier indicates that the UE cannot generate the first SUCI, or the specific reason why the UE cannot generate the first SUCI, the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the first SUCI.
[0400] In one possible implementation, if the second protection mechanism identifier and / or the first indication information are used to indicate the specific reason why the UE cannot generate the second SUCI, the subsequent execution operation includes the UDM network element sending all relevant parameters for generating the second SUCI.
[0401] In one possible implementation, if the second protection mechanism identifier and / or the first indication information are used to indicate that the UE lacks specific parameters for generating the first SUCI, the subsequent execution operation includes the UDM network element sending some relevant parameters for generating the first SUCI.
[0402] In one possible implementation, if the second protection mechanism identifier and / or the first indication information are used to indicate that the UE lacks specific parameters for generating the second SUCI, the subsequent execution operation includes the UDM network element sending some relevant parameters for generating the second SUCI, which include the specific parameters for generating the second SUCI indicated by the second protection mechanism identifier and / or the first indication information.
[0403] As an example, if the second protection mechanism identifier and / or the first indication information indicates that the UE lacks a routing representation among the parameters for generating the SUCI (e.g., the first SUCI, the second SUCI), then subsequent operations include the UDM network element sending some or all of the relevant parameters for generating the SUCI, which include the routing representation.
[0404] Optionally, the UDM network element can also determine second indication information, and a detailed description of the second indication information can be found in the detailed description of step 607 in Figure 6 above.
[0405] Scenario 3
[0406] Assuming that the UDM network element determines in step 704 to send all or part of the relevant parameters for generating SUCI in the UPU process, the method can also include the following steps:
[0407] 705, the UDM network element sends response message #2-1 to the AMF network element. Correspondingly, the AMF network element receives response message #2-1 from the UDM network element.
[0408] For example, the response message #2-1 is used to respond to the Nudm_UEAuthentication_Get Request message in step 703.
[0409] 706, UDM network element initiates UPU process.
[0410] For example, in the UPU process initiated by the UDM network element, the UPU data sent by the UDM network element includes all or part of the relevant parameters for generating the SUCI. For instance, the SDM notification message in step 504 of Figure 5 above contains UPU data that includes all or part of the relevant parameters for generating the SUCI.
[0411] For example, in the UPU process initiated by the UDM network element, after the AMF network element receives the SDM notification message, the AMF network element sends a DL NAS message to the UE. The DL NAS message carries UPU data, and the UPU data in the DL NAS transmission message includes all or part of the relevant parameters used to generate SUCI.
[0412] For example, the parameters sent by the UDM network element for generating the SUCI may be the relevant parameters for generating the SUCI that are missing from the USIM or ME as indicated by the second instruction information, or the UDM network element may send all the parameters for generating the SUCI in the UPU data according to the second instruction information.
[0413] Optionally, the UPU data may also include a second indication information.
[0414] It should be understood that the UDM network element initiates the UPU process in a similar manner to the existing UPU process, as described in Figure 5 above, and will not be repeated here.
[0415] Scenario 4
[0416] Assuming that the UDM network element can determine in step 704 the response message of the Nudm_UEAuthentication_Get Request message (e.g., response message #2-2) and send some or all of the relevant parameters for generating SUCI, the method may include the following steps:
[0417] 707, the UDM network element sends a response message #2-2 to the AMF network element. Correspondingly, the AMF network element receives the response message #2-2 from the UDM network element.
[0418] For example, response message #2-2 is used to respond to the Nudm_UEAuthentication_Get Request message in step 703. Response message #2-2 includes some or all of the relevant parameters used to generate the SUCI.
[0419] Optionally, the response message #2-2 may also include a second instruction message.
[0420] For example, the response message #2-2 could be a Nudm_UEAuthentication_Get Response message.
[0421] 708, the AMF network element sends the first NAS message to the ME. Correspondingly, the ME receives the first NAS message from the AMF network element.
[0422] For example, the AMF network element determines the first NAS message based on response message #2-2, which includes all or part of the relevant parameters used to generate SUCI.
[0423] Optionally, if the response message #2-2 also includes the second indication information, the first NAS message may also include the second indication information.
[0424] For example, the first NAS message belongs to the 5G NAS message category. This first NAS message can be a configuration update command message or other messages; this application does not limit the specific name of the first NAS message.
[0425] 709. The ME sends a second NAS message to the AMF network element. Correspondingly, the AMF network element receives the second NAS message from the ME.
[0426] It should be understood that step 712 is optional.
[0427] For example, the second NAS message is a response message to the first NAS message. The second NAS message belongs to the 5G NAS message category.
[0428] 710, The UE stores the relevant parameters used to generate the SUCI.
[0429] It should be understood that this step is similar to step 613 in Figure 6 above. For details, please refer to the description in Figure 6 above. 711, the UE requests access to the 5G network according to the fourth SUCI request.
[0430] It should be understood that step 711 is similar to step 614 in Figure 6 above. For a detailed explanation, please refer to the description in Figure 6.
[0431] Figure 8 is a schematic flowchart of another communication method provided in an embodiment of this application.
[0432] 801, UE determines the first indication information.
[0433] For example, if the UE determines that it cannot generate a SUCI, the UE further determines the first indication information, which is to inform the network side that an error occurred during the UE's acquisition of the SUCI.
[0434] The first instruction information can indicate that an error has occurred, the specific reason for the error, or request error handling, etc.
[0435] For example, the first indication information may be used to indicate at least one of the following:
[0436] The following are possible reasons why a UE cannot generate a SUCI: UE cannot generate a SUCI, UE SUCI generation is abnormal, UE cannot generate the first SUCI, UE requests all or part of the parameters used to generate the SUCI, UE requests all or part of the parameters used to generate the first SUCI, UE fails to calculate the first SUCI, or the reason why a UE cannot generate the first SUCI. The following are possible reasons why a UE cannot generate a second SUCI: UE cannot generate a third SUCI, UE requests all or part of the parameters used to generate the third SUCI, UE requests all or part of the parameters used to generate the third SUCI, UE fails to calculate the third SUCI, or the reason why a UE cannot generate the third SUCI.
[0437] It should be understood that this application does not limit the timing of the UE generating the first indication information.
[0438] It should be understood that step 601 is an internal implementation operation of the UE, and in the actual network element interaction process, step 601 is an optional step.
[0439] It should also be understood that step 601 is written from the perspective of the UE. The UE includes the ME and the USIM. The UE determines that the second SUCI of the generation layer can come from the USIM or the ME. The first indication information can be determined by the ME based on the first SUCI and / or the second SUCI generated by the USIM. The interaction between the USIM and the ME can be described in detail in the subsequent embodiment 10, and will not be repeated here.
[0440] 802, UE confirms access to the second network.
[0441] For example, the UE determines to access a second network based on a first condition. This second network is a 4G network. The first condition includes a combination of one or more of the following events:
[0442] UE cannot generate SUCI, UE cannot generate first SUCI, UE cannot generate second SUCI, UE cannot generate third SUCI, UE is missing all or part of the parameters for generating SUCI, UE is missing all or part of the parameters for generating first SUCI, UE is missing all or part of the parameters for generating second SUCI, UE is missing all or part of the parameters for generating third SUCI, UE SUCI generation is abnormal, UE first SUCI generation is abnormal, UE second SUCI generation is abnormal, UE third SUCI generation is abnormal, etc.
[0443] It should be understood that step 802 is an internal implementation operation of the UE, and is an optional step in the actual interaction process.
[0444] 803, the UE sends an attach request message to the MME network element. Correspondingly, the MME network element receives the attach request message from the UE.
[0445] It should be understood that this attach request message can also be called the initial attach request message.
[0446] It should be understood that the attach request message includes a plaintext identity identifier, such as SUPI, or an International Mobile Subscriber Identity (IMSI) obtained based on SUPI.
[0447] The SUPI can be provided to the ME by the USIM in the terminal device.
[0448] Optionally, the attach request message may also carry the first indication information determined in step 801.
[0449] 804, UE and MME network elements perform master authentication process.
[0450] It should be understood that the main authentication process between the UE and MME is similar to existing technologies, and will not be elaborated here.
[0451] 805, the MME network element sends NAS SMC message #2 to the UE. Correspondingly, the UE receives NAS SMC message #2 from the MME network element.
[0452] It should be understood that, upon successful authentication, the MME sends a NAS SMC message #2 to the ME. This NAS SMC message #2 is used to activate the NAS security context.
[0453] It should also be understood that after this NAS SMC message #2, the UE successfully accessed the 4G network.
[0454] 806, the UE sends NAS SMP message #2 to the MME network element. Correspondingly, the MME network element receives NAS SMP message #2 from the UE.
[0455] For example, the NAS SMP message #2 includes first indication information.
[0456] For example, the first indication information may be carried in at least one message, either the attach request message in step 803 or the NAS SMP message #2 in step 806. The first indication information may also be sent via a separate, newly added message; this application does not limit its scope.
[0457] 807, the MME network element sends request message #2 to the UDM network element. Correspondingly, the UDM network element receives request message #2 from the MME network element.
[0458] For example, the request message #2 includes first instruction information.
[0459] For example, the first indication information may be presented in the same or different form (or format) as in request message #2, NAS SMP message #2, or attachment request message, but the function of the first indication information remains unchanged.
[0460] As an example, after receiving the first indication information, the MME network element can carry the first indication information in request message #2 and forward it to the UDM network element, that is, the MME network element does not perform any processing on the first indication information.
[0461] As another example, after receiving the first instruction information, the MME network element carries the first instruction information in the request message #2, and processes the format or presentation of the first instruction information, but does not modify the function of the first instruction information.
[0462] For example, the request information #2 can be sent during the registration process of the UE requesting access to the second network, or after the registration completion message sent by the MME network element to the UE. This application does not limit the timing of the execution of step 807.
[0463] It should also be understood that the request message #2 can be an existing message or a newly defined service-oriented message, and this application does not limit this.
[0464] 808, the UDM network element determines the subsequent operation to be performed based on the first instruction information.
[0465] [Corrected according to Rule 91 to 10.12.2025] For example, when a UDM network element receives a message including first indication information to determine subsequent operations, please refer to the description in Figures 6 and 7 above, which will not be repeated here.
[0466] As an example, assuming the UE is currently registered to a 4G network, the UDM network element can determine in step 808 to send relevant parameters for generating SUCI through the response message of request message #2 (e.g., response message #3), as shown in step 809.
[0467] 809, the UDM network element sends response message #3 to the MME network element. Correspondingly, the MME network element receives the response message #3 from the UDM network element.
[0468] For example, response message #3 is used to respond to request message #2 in step 807. Response message #3 includes relevant parameters for generating SUCI.
[0469] Optionally, the response message #3 may also include a second instruction message.
[0470] For example, after receiving response message #3, the MME network element can send the relevant parameters for generating SUCI in response message #3, or the relevant parameters for generating SUCI and the second indication information, to the UE via DL NAS message; or, after receiving response message #3, the MME network element can send the relevant parameters for generating SUCI in response message #3, or the relevant parameters for generating SUCI and the second indication information, to the UE via NAS message with NAS security protection (such as NAS SMP message, or other NAS message), so that the UE can determine the fourth SUCI when accessing the 5G network, thereby ensuring that the UE can access the network normally, while avoiding the number of times SUPI is exposed on the air interface.
[0471] For example, if response message #3 does not carry the relevant parameters for generating SUCI and / or third indication information, then step 809 may occur before 808.
[0472] The process by which the UE receives parameters for generating the SUCI, or parameters for generating the SUCI and a second indication information, from the MME network element is similar to the process of the AMF network element sending a NAS message to the UE in Figure 6. The UE receives the parameters for generating the SUCI, or the parameters for generating the SUCI and the third indication information, stores them locally without processing. When the UE subsequently requests access to the 5G network, it generates a fourth SUCI to ensure normal network access. This process is similar to steps 613 and 614 in Figure 6. For a detailed explanation, please refer to the detailed explanation of similar steps in Figure 6.
[0473] Figure 9 is a schematic flowchart of another communication method provided in an embodiment of this application.
[0474] 901, UE determines the first indication information.
[0475] 902, UE accesses the second network.
[0476] 903, the UE sends an attach request message to the MME network element. Correspondingly, the MME network element receives the attach request message from the UE.
[0477] 904, UE and MME network elements perform master authentication process.
[0478] 905, the MME network element sends NAS SMC message #2 to the UE. Correspondingly, the UE receives NAS SMC message #2 from the MME network element.
[0479] 906, the UE sends NAS SMP message #2 to the MME network element. Correspondingly, the MME network element receives NAS SMP message #2 from the UE.
[0480] [Correction 10.12.2025 based on Rule 91] It should be understood that steps 901 to 906 above are similar to steps 801 to 806 in Figure 8. For details, please refer to the description in Figure 8 above.
[0481] 907, MME network element stores first indication information.
[0482] For example, after receiving the first indication information in step 903 or step 906, the MME network element stores the first indication information locally on the MME network element.
[0483] For example, the MME network element can store the first indication information in the UE context information, or it can be understood that the MME network element updates the UE context information, and the updated UE context information includes the first indication information.
[0484] 908, the MME network element sends the updated UE context information to the AMF network element.
[0485] For example, in the case of 4G access network interconnection to 5G access network, or when the UE registers to the 5G network due to UE movement, the MME network element can send updated UE context information to the AMF network element in the 5G network.
[0486] For example, step 908 can be actively triggered by the MME network element. For instance, if the MME network element determines that the 4G access network accessed by the UE is interconnected with the 5G access network, the MME network element will send the updated UE context to the AMF network element. Alternatively, step 908 can be triggered by existing technology, such as when the UE moves to the 5G network, the MME network element sends the updated UE context information to the AMF.
[0487] It should be noted that after step 907 and before step 908, steps 807 to 809 in Figure 8 can be executed. That is, if the MME network element receives the relevant parameters and / or second indication information for generating the SUCI through step 809, the MME network element can store the relevant parameters and / or second indication information for generating the SUCI in the UE's context information. At this time, the first indication information may or may not be stored. If the MME network element does not store the first indication information, the AMF network element determines the subsequent process based on the relevant parameters and / or second indication information for generating the SUCI; if the MME network element stores the first indication information, the AMF network element determines the subsequent process based on the first indication information.
[0488] 909, the AMF network element sends request message #3 to the UDM network element. Correspondingly, the UDM network element receives request message #3 from the AMF network element.
[0489] For example, the request message #3 includes first instruction information. The first instruction information in the request message #3 may be the same as or different from the first instruction information received by the AMF. This application does not limit this.
[0490] For example, the request information #3 can be sent during the UE's registration process, or after the AMF network element sends a registration completion message to the UE. This application does not limit the timing of sending 909.
[0491] It should be understood that if steps 807 to 809 were executed before step 909, then step 909 may not be executed.
[0492] 910, UDM network element determines subsequent execution operations.
[0493] For example, when a UDM network element receives a request message #3 that includes first indication information, the UDM network element determines the subsequent operation to be performed based on the first indication information.
[0494] It should be understood that if steps 807 to 809 were executed before step 909, then step 910 may not be executed.
[0495] [Correction 10.12.2025 according to Rule 91] It should be understood that step 910 is similar to step 607 in Figure 6, step 704 in Figure 7, and step 808 in Figure 8. For details, please refer to the descriptions in Figures 6, 7 and 8.
[0496] Case 5
[0497] Assuming that the UDM network element determines in step 910 to send all or part of the relevant parameters for generating SUCI in the UPU process, the method can also include the following steps:
[0498] 911, the UDM network element sends a response message #4-0 to the AMF network element. Correspondingly, the AMF network element receives the response message #4-0 from the UDM network element.
[0499] It should be understood that if steps 807 to 809 were executed before step 909, then step 911 may not be executed.
[0500] For example, the response message #4-0 is used to respond to the request message #3 in step 909.
[0501] 912, UDM network element initiates UPU process.
[0502] [Correction 10.12.2025 according to Rule 91] It should be understood that step 912 is similar to 609 in Figure 6, and a detailed description can be found in the description in Figure 6.
[0503] It should be understood that if steps 807 to 809 were executed before step 909, then step 912 may not be executed.
[0504] Case 6
[0505] Assuming that the UDM network element can determine in step 910 to send some or all of the relevant parameters for generating SUCI through the response message of request message #3 (e.g., response message #4-1), the method may include the following steps:
[0506] 913, the UDM network element sends response message #4-1 to the AMF network element. Correspondingly, the AMF network element receives response message #4-1 from the UDM network element.
[0507] For example, response message #4-1 is used to respond to request message #3 in step 909. Response message #4-1 includes some or all of the relevant parameters for generating SUCI.
[0508] Optionally, the response message #4-1 may also include a second instruction message.
[0509] It should be understood that if steps 807 to 809 were executed before step 909, then step 913 may not be executed.
[0510] 914, the AMF network element sends the first NAS message to the UE. Correspondingly, the UE receives the first NAS message from the AMF network element.
[0511] For example, the AMF network element determines the first NAS message based on response message #4-1, which includes all or part of the relevant parameters used to generate SUCI.
[0512] Optionally, if the response message #4-1 also includes the second indication information, the first NAS message may also include the second indication information.
[0513] For example, the first NAS message belongs to the 5G NAS message category. This first NAS message can be a UE configuration update message or other messages; this application does not limit the specific name of the first NAS message.
[0514] At 915, the UE sends a second NAS message to the AMF network element. Correspondingly, the AMF network element receives the UE's second NAS message.
[0515] For example, the second NAS message is a response message to the first NAS message. The second NAS message belongs to the 5G NAS message category.
[0516] 916, UE stores relevant parameters used to generate SUCI.
[0517] For example, after the UE receives all or part of the relevant parameters for generating the SUCI from the UDM network element, the UE can store all or part of the relevant parameters for generating the SUCI locally on the UE.
[0518] 917, the UE requests access to the 5G network based on the fourth SUCI request.
[0519] It should be understood that steps 916 to 917 above are similar to steps 613 to 614 in Figure 6 above. For a detailed explanation, please refer to the description in Figure 6.
[0520] For example, the terminal device includes a first module and a second module. The following description, using the first module as the ME and the second module as the USIM, illustrates the interaction between the ME and the USIM during the process where the UE determines it cannot generate a CUSI.
[0521] It should also be understood that Figures 10 and 11 below show example diagrams of the internal interaction flow of the UE. The methods shown in Figures 10 and 11 can be applied to any of the methods in Figures 6 to 9 above, and are executed before the first step in any of the above methods. This application will not provide further examples of each method.
[0522] Figure 10 is a schematic flowchart of another communication method provided in an embodiment of this application.
[0523] 1001, ME sends a command to USIM to retrieve identity information. Correspondingly, USIM receives the command from ME to retrieve identity information.
[0524] The command to obtain identity information is used by the ME to obtain an identity identifier (e.g., SUCI) from the USIM. This command is not limited to obtaining a first SUCI, a second SUCI, or a third SUCI from the USIM. The definitions of the first SUCI, second SUCI, and third SUCI can be found in Figures 6-9 above.
[0525] In one possible implementation, step 1001 can be executed upon triggering of the second condition.
[0526] The second condition could be that the ME receives certain configuration information before step 1001, which indicates that the ME needs to obtain the SUCI generated by the USIM from the USIM. For example, the operator decides that the USIM should instruct the SUCI, that is, the USIM should generate the SUCI, and accordingly, the ME needs to obtain the SUCI generated by the USIM from the USIM; or, the second condition could be a preset period for the ME to obtain the SUCI generated by the USIM from the USIM, for example, the system is configured for the ME to obtain the SUCI generated by the USIM from the USIM within the same certain time interval, that is, the ME needs to periodically execute step 1001; or, the second condition could also be that the ME executes step 1001 by default.
[0527] In another possible implementation, step 1001 can be executed upon the triggering of a third condition.
[0528] The system is pre-configured to calculate the SUCI using the ME. The third condition can be: the ME cannot calculate the identity identifier; or there is an anomaly in the ME's identity identifier calculation, in which case the ME executes step 1001. Specifically, the ME determines that it is currently missing some or all of the parameters used to calculate the identity identifier.
[0529] For example, the system configures the ME to generate a SUCI, and the priority list of protection mechanisms for calculating the SUCI requires the use of a public key to determine the SUCI. That is, suppose the system requires the ME to generate the first SUCI, but because the ME lacks the relevant parameters (e.g., the public key) for generating the SUCI, the ME cannot generate the first SUCI or there is an anomaly in the ME's generation of the first SUCI. The ME then executes step 1001. Specifically, the ME determines that it is currently missing some or all of the parameters used to calculate the first SUCI. When the ME confirms that it cannot generate the SUCI, it sends a command #1 to the USIM to obtain an identity message. This command #1 is used to request the USIM to obtain the first SUCI generated by the USIM.
[0530] In another possible implementation, under the triggering of the fourth condition, ME does not need to (or rather, skips) execute step 1001. ME can directly execute step 1003, or steps 1002 and 1003. Step 1002, which is related to the triggering of the fourth condition, is also an optional step.
[0531] The system is pre-configured to calculate the SUCI using the ME. The fourth condition can be: the ME cannot calculate the identity identifier; or there is an anomaly in the ME's identity identifier calculation, in which case the ME executes step 1001. Specifically, the ME determines that it is currently missing some or all of the parameters used to calculate the identity identifier.
[0532] For example, the system configures the ME to generate a SUCI, and the priority list of protection mechanisms for calculating the SUCI requires the use of a public key to determine the SUCI. That is, suppose the system requires the ME to generate the first SUCI, but because the ME lacks the relevant parameters (e.g., the public key) for generating the SUCI, the ME cannot generate the first SUCI or there is an anomaly in the ME's generation of the first SUCI. In this case, the ME can execute step 1001. Alternatively, if the ME determines that it is missing some or all of the parameters for calculating the first SUCI, the ME can skip step 1001 and directly execute step 1003.
[0533] It should be understood that the generation of a SUCI involves multiple parameters, such as the public key of the home network, the SUPI type, the home network identifier, and the routing identifier. This application does not list all the relevant parameters for generating a SUCI; however, existing technologies can be consulted.
[0534] At 1002, USIM sends an Acquire Identity Response Message to ME. Correspondingly, ME receives the Acquire Identity Response Message from USIM.
[0535] For example, the identity retrieval response message is triggered under the fifth condition. The fifth condition includes one or more of the following:
[0536] USIM cannot generate SUCI, USIM SUCI generation error, USIM SUCI generation error, USIM cannot generate first SUCI, USIM cannot generate second SUCI, USIM cannot generate third SUCI, USIM error occurred, reasons why USIM cannot generate first SUCI, reasons why USIM cannot generate second SUCI, reasons why USIM cannot generate third SUCI, USIM lacks parameters for generating first SUCI, USIM lacks parameters for generating second SUCI, USIM lacks parameters for generating third SUCI, USIM requests to retrieve missing parameters for generating first SUCI, USIM requests to retrieve missing parameters for generating second SUCI, USIM requests to retrieve... Missing parameters for generating the third SUCI, ME cannot generate SUCI, ME generates SUCI abnormally, ME generates SUCI error, ME cannot generate the first SUCI, ME cannot generate the second SUCI, ME cannot generate the third SUCI, USIM error, reason why ME cannot generate the first SUCI, reason why ME cannot generate the second SUCI, reason why ME cannot generate the third SUCI, ME lacks parameters for generating the first SUCI, ME lacks parameters for generating the second SUCI, ME lacks parameters for generating the third SUCI, ME requests to retrieve missing parameters for generating the first SUCI, ME requests to retrieve missing parameters for generating the second SUCI, ME requests to retrieve missing parameters for generating the third SUCI, etc.
[0537] In one possible implementation, suppose the system has not configured the public key for determining the first SUCI to the USIM, causing the USIM to be unable to generate the first SUCI. After receiving command #1 from the ME for the retrieval of identity message, the USIM, unable to generate the first SUCI, sends the retrieval of identity response message to the MR, which can be used to indicate that the USIM failed to generate the first SUCI.
[0538] In another possible implementation, assuming the system has not configured the public key for determining the first SUCI to the USIM, causing the USIM to fail to generate the first SUCI, the USIM can generate a second SUCI using an empty mechanism based on a first protection mechanism identifier pre-configured by the system. After receiving the retrieval identity message command from the ME, the USIM sends the retrieval identity response message to the MR. This retrieval identity response message may include the second SUCI and can also be used to indicate that the USIM failed to generate the first SUCI.
[0539] In another possible implementation, suppose the system does not configure the USIM with a public key for determining the first SUCI, causing the USIM to fail to generate the first SUCI. Alternatively, the USIM may lack a protection mechanism identifier; for example, if the USIM lacks a first protection mechanism identifier, then the USIM cannot generate the second SUCI. After receiving the retrieval identity message command from the ME, the USIM sends the retrieval identity response message to the ME. This retrieval identity response message can be used to indicate that the USIM failed to generate both the first and second SUCIs.
[0540] In another possible implementation, suppose the system does not configure the public key for determining the first SUCI in the USIM, causing the USIM to fail to generate the first SUCI. Simultaneously, the USIM does not obtain the first protection mechanism identifier, preventing it from generating the second SUCI. The USIM is pre-configured with a second protection mechanism identifier, and based on this identifier, generates a third SUCI. The USIM then sends an identity acquisition response message to the MR, which includes the third SUCI. This identity acquisition response message can also be used to indicate that the USIM failed to generate both the first and second SUCIs.
[0541] Optionally, the identity acquisition response message may also carry an error reason value, at least one of a second SUCI, a third SUCI, and a SUPI. The SUPI can be used by the ME to determine the SUCI, or by the ME to determine an attach request message for requesting access to a second network. For example, if the USIM receives an identity acquisition message command from the ME and determines that it cannot generate a SUCI (e.g., a first SUCI, a second SUCI, or a third SUCI), the USIM sends an error reason value to the ME.
[0542] For example, the error reason value can be used to indicate at least one of the following: USIM failed to generate SUCI (regardless of which specific SUCI), USIM failed to generate the first SUCI, USIM failed to generate the second SUCI, USIM failed to generate the third SUCI, or USIM is missing certain parameters that cause USIM to fail to generate SUCI (first SUCI, second SUCI, third SUCI).
[0543] For example, if the identity retrieval response message itself serves to indicate the reason for the error, then it is not necessary to carry an additional error reason value.
[0544] It should be understood that, referring to Figure 6 above, after receiving the identity acquisition response message, the ME determines the first indication information and the second SUCI, and sends a registration request message #1 to the AMF. Detailed explanations and subsequent steps can be found in Figure 6 above. Referring to Figure 7 above, after receiving the identity acquisition response message, the ME determines the third SUCI, or the third SUCI and the first indication information, and sends a registration request message #2 to the AMF. Detailed explanations and subsequent steps can be found in Figure 7 above. Referring to Figures 8 and 9 above, after receiving the identity acquisition response message, the ME accesses the second network. Detailed explanations and subsequent steps can be found in Figures 8 and 9 above.
[0545] It should be understood that, based on the description of steps 1001 and 1002 above, the method may further include the following steps:
[0546] 1003, ME confirms the first instruction information.
[0547] It should be understood that the first instruction information is similar to the first instruction information in Figures 6 to 9 above, and the content of the first instruction information can be found in the descriptions in Figures 6 to 9 above.
[0548] In one possible implementation, ME determines the first indication information based on the fifth condition in step 1002 above. This first indication information can be used to indicate the next item or more of the fifth condition.
[0549] In one possible implementation, the ME determines first indication information based on the triggering of the fourth or sixth condition, and the first indication information can be used to indicate one or more of the fourth or sixth conditions.
[0550] For example, if the ME triggers step 1003 based on the fourth or sixth condition, the ME does not need to execute step 1001.
[0551] The sixth condition may include at least one of the following:
[0552] The following are possible reasons why a UE can only use the second SUCI to access the network: ME cannot obtain the SUCI generated by the USIM from the USIM; USIM does not send a SUCI to the ME; USIM cannot generate a SUCI (regardless of whether it is the first or second SUCI); USIM cannot generate the first SUCI; USIM cannot generate the second SUCI; ME cannot generate the first SUCI; specific reasons why USIM and ME cannot generate the first SUCI; specific reasons why USIM cannot generate the second SUCI; or USIM and ME are missing specific parameters for generating the first SUCI; USIM is missing specific parameters for generating the second SUCI; ME cannot obtain the first SUCI; parameters required for ME and / or USIM to generate the SUCI; parameters required to generate the SUCI (this parameter does not specify whether it is required by USIM or ME); failure to calculate the first SUCI, etc.
[0553] In another possible implementation, the ME determines the flag bit based on the fourth or sixth condition, and then generates the first indication information based on the flag bit. Specifically, after the ME receives the message in step 602, or after the ME determines to generate the second SUCI, the ME can set the flag bit to a valid value. The ME will execute the relevant code logic based on the information in the identity response message #1. Because this logic is different from normal logic, i.e., it is an exception handling, an internal prompt can be triggered by setting a flag bit to a valid value to remind that there is an exception that needs to be handled. When the exception is resolved, the value of the flag bit will be set to invalid again (for example, after executing step 613, or after executing step 611 and before executing step 613). Before the UE sends the message in step 605 or the message in step 608, when the ME determines that the flag bit is a valid value, the ME then determines the first indication information. It can be understood that as long as the flag bit is valid, the ME will generate the first indication information, and the ME will send the first indication information to the core network side in an appropriate message (or at an appropriate time).
[0554] It should be understood that, triggered by the fourth or sixth condition, the method may further include step 1004:
[0555] 1004, ME generates the third SUCI.
[0556] For example, if the ME determines that it cannot generate the first SUCI and the second SUCI, the ME generates the third SUCI.
[0557] It should be understood that the generation of the third SUCI by the ME is similar to the generation of the third SUCI by the UE as described in step 701 of Figure 7 above. For details, please refer to the detailed description in step 701 above, which will not be repeated here.
[0558] It is understood that the steps in the above figures are merely illustrative and are not intended to be strictly limited. Furthermore, the sequence numbers of the processes described above do not imply a specific order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0559] It is also understood that some optional features in the various embodiments of this application may not depend on other features in some scenarios, or may be combined with other features in some scenarios, without limitation.
[0560] It is also understood that, in the above-described method embodiments, the methods and operations implemented by communication devices (such as target access network devices or terminal devices) can also be implemented by components of the devices (such as chips or circuits), without limitation.
[0561] The method embodiments provided in this application have been described in detail above with reference to Figures 1 to 10. The apparatus embodiments of this application will be described below with reference to Figures 11 and 12. It is understood that, in order to implement the functions in the above embodiments, the apparatuses in Figures 11 and 12 include hardware structures and / or software modules corresponding to the execution of each function. Those skilled in the art should readily recognize that, based on the units and method steps of the various examples described in conjunction with the embodiments disclosed in this application, this application can be implemented in hardware or a combination of hardware and computer software. It is understood that the technical features described in the above method embodiments are also applicable to the following apparatus embodiments.
[0562] Figures 11 and 12 are schematic diagrams of possible apparatus structures provided in embodiments of this application. These apparatuses can be used to implement the functions of the target access network device or terminal device in the above method embodiments, and thus can also achieve the beneficial effects of the above method embodiments.
[0563] Figure 11 is a schematic block diagram of a communication device 1100 provided in an embodiment of this application. As shown in Figure 11, the device 1100 may include a communication unit 1110 and a processing unit 1120. The communication unit 1110 can communicate with the outside world, and the processing unit 1120 is used for data processing. The communication unit 1110 may also be referred to as a communication interface or a transceiver unit.
[0564] In one possible design, the device 1100 can implement the steps or processes performed by the terminal device (e.g., UE, ME, USIM) in the above method embodiments, wherein the processing unit 1120 is used to perform processing-related operations of the terminal device in the above method embodiments, and the communication unit 1110 is used to perform transmission-related operations of the terminal device in the above method embodiments.
[0565] In another possible design, the device 1100 can implement the steps or processes corresponding to the first network element (e.g., AMF network element, MME network element) in the above method embodiment, wherein the communication unit 1110 is used to perform the receiving-related operations of the first network element in the above method embodiment, and the processing unit 1120 is used to perform the processing-related operations of the first network element in the above method embodiment.
[0566] In another possible design, the device 1100 can implement the steps or processes corresponding to the second network element (e.g., UDM network element) in the above method embodiment, wherein the communication unit 1110 is used to perform the receiving-related operations of the second network element in the above method embodiment, and the processing unit 1120 is used to perform the processing-related operations of the second network element in the above method embodiment.
[0567] It is understood that the device 1100 here is embodied in the form of a functional unit. The term "unit" here can refer to an application-specific integrated circuit (ASIC), electronic circuitry, a processor (e.g., a shared processor, a proprietary processor, or a group processor, etc.) and memory for executing one or more software or firmware programs, integrated logic circuitry, and / or other suitable components supporting the described functions. In an alternative example, those skilled in the art will understand that the device 1100 may specifically be the target access network device in the above embodiments, and may be used to execute the various processes and / or steps corresponding to the target access network device in the above method embodiments; or, the device 1100 may specifically be the terminal device in the above embodiments, and may be used to execute the various processes and / or steps corresponding to the terminal device in the above method embodiments. To avoid repetition, further details are omitted here.
[0568] The apparatus 1100 of each of the above-described schemes has the function of implementing the corresponding steps performed by the target access network device in the above-described method, or the apparatus 1100 of each of the above-described schemes has the function of implementing the corresponding steps performed by the terminal device in the above-described method. The function can be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions; for example, the communication unit can be replaced by a transceiver (e.g., the sending unit in the communication unit can be replaced by a transmitter, and the receiving unit in the communication unit can be replaced by a receiver), and other units, such as processing units, can be replaced by a processor, respectively executing the transmission and reception operations and related processing operations in each method embodiment.
[0569] Furthermore, the aforementioned communication unit can also be a transceiver circuit (e.g., it may include a receiving circuit and a transmitting circuit), and the processing unit can be a processing circuit. In the embodiments of this application, the device in FIG11 can be the terminal device or target access network device in the foregoing embodiments, or it can be a chip or a chip system, such as a system on chip (SoC). The communication unit can be an input / output circuit or a communication interface; the processing unit is a processor, microprocessor, or integrated circuit integrated on the chip. No limitations are imposed here.
[0570] Figure 12 is a schematic block diagram of a communication device 1200 provided in an embodiment of this application. The device 1200 includes a processor 1210 and a transceiver 1220. The processor 1210 and the transceiver 1220 communicate with each other through an internal connection path. The processor 1210 is used to execute instructions to control the transceiver 1220 to send and / or receive signals.
[0571] Optionally, the device 1200 may further include a memory 1230, which communicates with the processor 1210 and the transceiver 1220 via an internal connection path. The memory 1230 stores instructions, and the processor 1210 can execute the instructions stored in the memory 1230. In one possible implementation, the device 1200 is used to implement the various processes and steps corresponding to the target access network device in the above method embodiments. In another possible implementation, the device 1200 is used to implement the various processes and steps corresponding to the terminal device in the above method embodiments.
[0572] Optionally, the memory 1230 may be integrated into the processor 1210.
[0573] In one possible scenario, the device 1200 includes at least one processor with integrated memory, and other memory besides the memory integrated on the processor.
[0574] It is understood that the device 1200 can specifically be the terminal-side device, the first network element, or the second network element in the above embodiments, or it can be a chip or a chip system. Correspondingly, the transceiver 1220 can be the transceiver circuit of the chip, which is not limited here. Specifically, the device 1200 can be used to execute the various steps and / or processes corresponding to the terminal-side device, the first network element, and the second network element in the above method embodiments.
[0575] Optionally, the memory 1230 may include read-only memory and random access memory, and provide instructions and data to the processor. The memory may include non-volatile random access memory. For example, the memory may also store device type information. The processor 1210 may be used to execute instructions stored in the memory, and when the processor 1210 executes instructions stored in the memory, the processor 1210 is used to perform the various steps and / or processes of the method embodiments corresponding to the terminal-side device, the first network element, and the second network element described above.
[0576] In implementation, each step of the above method can be completed by integrated logic circuits in the processor's hardware or by instructions in software. The steps of the method disclosed in the embodiments of this application can be directly implemented by a hardware processor, or by a combination of hardware and software modules in the processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method. To avoid repetition, detailed descriptions are omitted here.
[0577] It should be noted that the processor in the embodiments of this application can be an integrated circuit chip with signal processing capabilities. During implementation, each step of the above method embodiments can be completed by the integrated logic circuitry in the processor's hardware or by instructions in software form. The processor can be a general-purpose processor, digital signal processing (DSP), ASIC, field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. The processor in the embodiments of this application can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory, and the processor reads the information in the memory and, in conjunction with its hardware, completes the steps of the above methods.
[0578] It is understood that the memory in the embodiments of this application can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory used in the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.
[0579] Optionally, the memory (e.g., 1130) in this embodiment may be integrated into the processor (e.g., 1110).
[0580] In addition, this application also provides a computer-readable storage medium storing computer instructions, which, when executed on a computer, cause the operations and / or processes performed by a terminal-side device, a first network element, or a second network element in the various method embodiments of this application to be executed.
[0581] This application also provides a computer program product, which includes computer program code or instructions. When the computer program code or instructions are run on a computer, the operations and / or processes performed by the terminal-side device, the first network element, or the second network element in the various method embodiments of this application are executed.
[0582] Furthermore, this application also provides a chip including a processor. A memory for storing a computer program is provided independently of the chip, and the processor is used to execute the computer program stored in the memory, such that operations and / or processes performed by a terminal-side device, a first network element, or a second network element in any method embodiment are executed.
[0583] Furthermore, the chip may also include a communication interface. The communication interface may be an input / output interface or an interface circuit, etc. Furthermore, the chip may also include a memory.
[0584] In addition, this application also provides a communication system, including one or more of the terminal-side device, the first network element, and the second network element in the embodiments of this application.
[0585] It should also be noted that the memory described herein is intended to include, but is not limited to, these and any other suitable types of memory.
[0586] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here. In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods can be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division of units is merely a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual coupling or direct coupling or communication connection may be through some interfaces; the indirect coupling or communication connection of devices or units may be electrical, mechanical, or other forms. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs. Furthermore, the functional units in the various embodiments of this application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
[0587] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, ROM, RAM, magnetic disks, or optical disks.
[0588] It is understood that the term "embodiment" used throughout the specification means that a specific feature, structure, or characteristic related to an embodiment is included in at least one embodiment of this application. Therefore, various embodiments throughout the specification do not necessarily refer to the same embodiment. Furthermore, these specific features, structures, or characteristics can be combined in any suitable manner in one or more embodiments.
[0589] It can also be understood that in this application, "when," "if," and "if" all refer to the network element making corresponding processing under certain objective circumstances, and are not time-limited, nor do they require the network element to make a judgment when it is implemented, nor do they mean that there are other limitations.
[0590] It can also be understood that in the various embodiments of this application, "B corresponding to A" means that B is associated with A, and B can be determined based on A. However, it can also be understood that determining B based on A does not mean that B is determined solely based on A; B can also be determined based on A and / or other information.
[0591] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A communication method applied to a terminal-side device, characterized in that, include: If it is determined that a first identity identifier for accessing the first network cannot be generated, a second identity identifier is used to access the first network; wherein, the first identity identifier is an anonymized identity identifier obtained by processing plaintext identity information in an encrypted manner; the second identity identifier is an identity identifier different from the first identity identifier obtained based on the plaintext identity information. as well as Send a first indication message to the first network, the first indication message being used to indicate at least one of the following: Unable to generate the first identity identifier; Request some or all of the parameters used to generate the anonymized identity; or The reason why the first identity identifier could not be generated.
2. The method according to claim 1, characterized in that, The method further includes: The first parameter is received from the first network, the first parameter including some or all of the parameters for generating an anonymous identity.
3. The method according to claim 2, characterized in that, The method further includes: Based on the first parameter, an anonymized third identity identifier is generated; and Use the third identity identifier to access the first network.
4. The method according to claim 2 or 3, characterized in that, Receiving the first parameter from the first network includes: The first parameter is received from the first network through the UPU update process based on user parameters or the UCU update process based on user configuration.
5. The method according to any one of claims 2-4, characterized in that, The first parameter includes one or more of the following: a public key for encrypted communication between the terminal device and the first network, routing indication information, and a protection mechanism identifier.
6. The method according to any one of claims 1-5, characterized in that, Before sending the first indication information to the first network, the method further includes: It was determined that the first identity identifier for accessing the first network could not be generated.
7. The method according to claim 6, characterized in that, The determination that the first identity identifier for accessing the first network cannot be generated includes: The terminal device determines that it needs to access the first network; The first module in the terminal device requests the second module in the terminal-side device to generate the first identity identifier; The first module receives an error response from the second module; and Based on the error response, the first module determines that the second module is unable to generate the first identity identifier.
8. The method according to claim 7, characterized in that, The method further includes: The first module generates the second identity identifier based on the plaintext identity information.
9. The method according to claim 8, characterized in that, The first module generates the second identity identifier based on the plaintext identity information, including: The first module processes the plaintext identity information using an empty mechanism to generate the second identity identifier.
10. The method according to claim 9, characterized in that, The method further includes: The first module obtains the plaintext identity information from the second module.
11. The method according to claim 10, characterized in that, The error response includes the plaintext identity information; The first module obtains the plaintext identity information from the second module, including: The first module obtains the plaintext identity information from the error response.
12. The method according to any one of claims 7 to 11, characterized in that, The first module is the mobile device ME, and the second module is the global user identity module USIM.
13. The method according to any one of claims 1-12, characterized in that, The plaintext identity information is the user's permanent identity identifier SUPI.
14. The method according to any one of claims 1-13, characterized in that, The step of accessing the first network using a second identity includes: Send an initial registration request message to the first network for requesting access to the first network, the initial registration request message including the second identity identifier.
15. The method according to claim 14, characterized in that, Sending the first indication information to the first network includes: Send a NAS message with non-access stratum NAS security protection to the first network, wherein the NAS message includes the first indication information.
16. The method according to claim 14, characterized in that, The NAS message is a Non-Access Stratum Security Mode Command (NAS SMP) message.
17. The method according to any one of claims 1-16, characterized in that, The second identity identifier is different from the first identity identifier and is obtained based on the plaintext identity information, including: The first identity identifier and the second identity identifier are generated by different modules of the terminal device.
18. A communication method applied to a terminal-side device, characterized in that, include: If it is determined that a first identity identifier for accessing the first network cannot be generated, a second identity identifier different from the first identity identifier is generated based on plaintext identity information. Access to the first network is achieved using a second identity identifier; wherein the first identity identifier is an anonymized identity identifier obtained by encrypting plaintext identity information; the second identity identifier information includes first indication information, which indicates at least one of the following: Unable to generate the first identity identifier; Request some or all of the parameters used to generate the anonymized identity; or The reason why the first identity identifier could not be generated.
19. The method according to claim 18, characterized in that, The second identity identifier is an identity identifier obtained based on the plaintext identity information and the first identifier, which is different from the first identity identifier. The first identifier is an identifier other than the protection scheme identifier specified by the null mechanism.
20. A communication method applied to a terminal-side device, characterized in that, include: If it is determined that a first identity identifier for accessing the first network cannot be generated, plaintext identity information is used to access the second network; wherein, the first identity identifier is an anonymized identity identifier obtained by processing the plaintext identity information in an encrypted manner; and Send a first indication message to the second network, the first indication message being used to indicate at least one of the following: Unable to generate the first identity identifier; Request some or all of the parameters used to generate the anonymized identity; or The reason why the first identity identifier could not be generated.
21. The method according to claim 20, characterized in that, The method of accessing the second network using plaintext identity information includes: Send an initial attach request message to the second network to request access to the second network, the initial attach request message including the plaintext identity information.
22. The method according to claim 21, characterized in that, The initial attach request message also includes the first indication information.
23. A communication method applied to a first network element, characterized in that, include: Receive the first instruction information from the terminal device; Send the first instruction information to the second network element. Wherein, the first indication information is used to indicate at least one of the following: Unable to generate a first identity identifier, which is an anonymized identity identifier obtained by encrypting plaintext identity information; Request some or all of the parameters used to generate the anonymized identity; or The reason why the first identity identifier could not be generated.
24. The method according to claim 23, characterized in that, Before receiving the first indication information from the terminal device, the method further includes: The terminal device receives an initial registration request message for requesting access to a first network. The initial registration request message includes a second identity identifier, which is an identity identifier obtained based on the plaintext identity information and is different from the first identity identifier.
25. The method according to claim 23, characterized in that, The receipt of the first indication information from the terminal device includes: The terminal device receives an initial registration request message for requesting access to the first network, the initial registration request message including the first indication information.
26. The method according to claim 23, characterized in that, Before receiving the first indication information from the terminal device, the method further includes: The terminal device receives an initial attach request message for requesting access to the second network, the initial attach request message including the plaintext identity information of the terminal device.
27. The method according to claim 23, characterized in that, The receipt of the first indication information from the terminal device includes: The terminal device receives an initial attach request message for requesting access to the second network, the initial attach request message including the first indication information.
28. The method according to claim 26 or 27, characterized in that, After receiving the first indication information, the method further includes: Updating the context information of the terminal device, wherein updating the context information of the device includes: storing the first indication information in the context of the terminal device; Sending the first indication information to the second network element includes: The updated context information of the terminal device is sent to the third network element.
29. A communication method applied to a second network element, characterized in that, Receive the first instruction information for the terminal device; The system sends a first parameter to the terminal device according to the first instruction information. The first parameter includes some or all of the parameters used to generate an anonymous identity identifier. Wherein, the first indication information is used to indicate at least one of the following: Unable to generate a first identity identifier, which is an anonymized identity identifier obtained by encrypting plaintext identity information; Request some or all of the parameters used to generate the anonymized identity; or The reason why the first identity identifier could not be generated.
30. The method according to claim 29, characterized in that, The sending of the first parameter includes: The first parameter is sent through the first operation. The first operation includes one or more of the following: The first parameter is sent via over-the-air (OTA) download; or... An alarm is triggered, which is used to enable the terminal device to obtain the first parameter; Send the first parameter along with the UPU data in the UPU process; or... The first parameter is sent to the first network element.
31. The method according to claim 29 or 30, characterized in that, The method further includes: Send a second instruction message, which is used to instruct the first module or the second module in the terminal-side device to generate an anonymous third identity identifier.
32. A communication device, characterized in that, It includes modules or units for performing the method of any one of claims 1 to 17; or, it includes modules or units for performing the method of any one of claims 18 to 19; or, it includes modules or units for performing the method of any one of claims 20 to 22; or, it includes modules or units for performing the method of any one of claims 23 to 28; or, it includes modules or units for performing the method of any one of claims 29 to 31.
33. A communication device, characterized in that, The device includes a processor configured to cause the communication device to perform the method of any one of claims 1 to 17; or, configured to cause the communication device to perform the method of any one of claims 18 to 19; or, configured to cause the communication device to perform the method of any one of claims 20 to 22; or, configured to cause the communication device to perform the method of any one of claims 23 to 28; or, configured to cause the communication device to perform the method of any one of claims 29 to 31.
34. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program or instructions that, when executed on a communication device, cause the communication device to perform the method as described in any one of claims 1 to 17; or, cause the communication device to perform the method as described in any one of claims 18 to 19; or, cause the communication device to perform the method as described in any one of claims 20 to 22; or, cause the communication device to perform the method as described in any one of claims 23 to 28; or, cause the communication device to perform the method as described in any one of claims 29 to 31.
35. A computer program product, characterized in that, The computer program product includes a computer program or instructions that, when executed on a communication device, cause the communication device to perform the method as described in any one of claims 1 to 17; or, cause the communication device to perform the method as described in any one of claims 18 to 19; or, cause the communication device to perform the method as described in any one of claims 20 to 22; or, cause the communication device to perform the method as described in any one of claims 23 to 28; or, cause the communication device to perform the method as described in any one of claims 29 to 31.