Communication methods, communication device, communication system and storage medium
By adding verification of the target network element by the first network element during PLMN handover, the problem of AMF network element fraud attacks is solved, ensuring the security of the communication system.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date
- 2025-01-08
- Publication Date
- 2026-07-16
AI Technical Summary
During PLMN handover, existing technologies cannot effectively prevent fraud attacks on AMF network elements, thus affecting communication security.
By verifying whether the third network element can become the service network element of the terminal through the first network element, a target network element verification process is added to prevent any network element from acting as the target network element and to ensure communication security.
It effectively prevents fraud attacks by AMF network elements and ensures the security of the communication system.
Smart Images

Figure CN2025071347_16072026_PF_FP_ABST
Abstract
Description
Communication methods, communication equipment, communication systems, storage media Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to communication methods, communication devices, communication systems, and storage media. Background Technology
[0002] In a communication system, when a terminal switches between Public Land Mobile Networks (PLMNs), the Access and Mobility Management Function (AMF) network element to which the terminal is connected also switches. Among these, the security of AMF registration during the PLMN handover process has a significant impact on the terminal's communication security. Summary of the Invention
[0003] This disclosure provides communication methods, communication devices, communication systems, and storage media.
[0004] According to a first aspect of the present disclosure, a communication method is proposed, executed by a first network element, comprising: receiving a first request sent by a second network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being used to request the first network element to verify whether the third network element can become a serving network element of a terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; sending a first response to the second network element; the first response being used to indicate whether the third network element can become a serving network element of the terminal.
[0005] According to a second aspect of the present disclosure, a communication method is provided, executed by a second network element, the method comprising: sending a first request to a first network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being used to request the first network element to verify whether the third network element can become a serving network element of a terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; and receiving a first response sent by the first network element, the first response being used to indicate whether the third network element can become a serving network element of the terminal.
[0006] According to a third aspect of the present disclosure, a first network element is provided, comprising: a transceiver module, configured to receive a first request sent by a second network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being configured to request the first network element to verify whether the third network element can become a serving network element of a terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; the transceiver module is further configured to send a first response to the second network element; the first response being configured to indicate whether the third network element can become a serving network element of the terminal.
[0007] According to a fourth aspect of the present disclosure, a second network element is provided, comprising: a transceiver module, configured to send a first request to a first network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being configured to request the first network element to verify whether the third network element can become a serving network element of a terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; the transceiver module is further configured to receive a first response sent by the first network element, the first response being configured to indicate whether the third network element can become a serving network element of the terminal.
[0008] According to a fifth aspect of the embodiments of this disclosure, a communication device is provided, comprising:
[0009] One or more processors;
[0010] The processor is configured to invoke instructions to cause the communication device to execute any of the communication methods described in the first aspect to the second aspect.
[0011] According to a sixth aspect of the present disclosure, a communication system is proposed, including a first network element and a second network element, wherein the first network element is configured to implement the communication method described in the first aspect, and the second network element is configured to implement the communication method described in the second aspect.
[0012] According to a seventh aspect of the present disclosure, a storage medium is provided that stores instructions which, when executed on a communication device, cause the communication device to perform a communication method as described in any of the first to second aspects.
[0013] According to an eighth aspect of the present disclosure, the present disclosure provides a program product including a computer program that, when executed by a communication device, implements the communication method as described in any of the first to second aspects.
[0014] According to a ninth aspect of the present disclosure, the present disclosure provides a computer program that, when run on a computer, causes the computer to perform the communication method as described in any of the first to second aspects.
[0015] It is understood that the aforementioned first network element, second network element, communication equipment, communication system, storage medium, program product, and computer program are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects that can be achieved can be referred to the beneficial effects in the corresponding methods, and will not be repeated here. Attached Figure Description
[0016] The above and / or additional aspects and advantages of this disclosure will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
[0017] Figure 1 is a schematic diagram of the architecture of some communication systems provided in the embodiments of this disclosure;
[0018] Figure 2A is an interactive schematic diagram of a communication method provided in an embodiment of this disclosure;
[0019] Figure 2B is an interactive schematic diagram of a communication method provided in an embodiment of this disclosure;
[0020] Figure 3A is a schematic flowchart of a communication method provided in another embodiment of this disclosure;
[0021] Figure 3B is a flowchart illustrating a communication method provided in another embodiment of this disclosure;
[0022] Figure 3C is a schematic flowchart of a communication method provided in another embodiment of this disclosure;
[0023] Figure 3D is a flowchart illustrating a communication method provided in another embodiment of this disclosure;
[0024] Figure 4A is an interactive schematic diagram of a communication method provided in another embodiment of this disclosure;
[0025] Figure 4B is an interactive schematic diagram of the communication method provided in another embodiment of this disclosure;
[0026] Figure 5A is a schematic diagram of the structure of a first network element provided in an embodiment of this disclosure;
[0027] Figure 5B is a schematic diagram of the structure of a second network element provided in an embodiment of this disclosure;
[0028] Figure 6A is a schematic diagram of the structure of a communication device provided in an embodiment of this disclosure;
[0029] Figure 6B is a schematic diagram of the structure of a chip provided in an embodiment of this disclosure. Detailed Implementation
[0030] This disclosure provides embodiments of a communication method, a communication device, a communication system, and a storage medium.
[0031] In a first aspect, embodiments of this disclosure propose a communication method executed by a first network element. The method includes: receiving a first request sent by a second network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being used to request the first network element to verify whether the third network element can become a serving network element of a terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; sending a first response to the second network element; the first response being used to indicate whether the third network element can become a serving network element of the terminal.
[0032] In the above embodiments, the second network element can request the first network element to verify whether the third network element can become the serving network element of the terminal. Here, the third network element is the network element the terminal will switch to, and the second network element is the terminal's current serving network element. Therefore, when a network element switch occurs, the terminal's source network element (i.e., the second network element) will request the first network element to verify whether the terminal's target network element (i.e., the third network element) can become the terminal's serving network element. In other words, this embodiment adds a process for the first network element to verify the terminal's target network element, thereby preventing any network element from acting as the target network element, avoiding fraud attacks, and ensuring communication security.
[0033] In some embodiments, in conjunction with the first aspect, the method further includes: determining whether the third network element can become the serving network element of the terminal based on a local policy.
[0034] The above embodiments illustrate how the first network element verifies the third network element to ensure the accuracy of the third network element verification.
[0035] In some embodiments, in conjunction with the first aspect, the method further includes: in response to the third network element becoming a serving network element of the terminal, adding the first information to the context information of the terminal.
[0036] In the above embodiments, when the third network element passes the verification, the first network element can add the relevant information of the third network element to the context information of the terminal. Then, the first network element can determine which network elements can be registered as the service network elements of the terminal based on the relevant information of the third network element, thereby preventing any network element from being registered as the service network element of the terminal, avoiding fraud attacks, and ensuring communication security.
[0037] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes: receiving a second request sent by a fourth network element, the second request including second information, the second information including relevant information of the fourth network element, the second request being used to request the fourth network element to be registered as a serving network element of the terminal; and sending a second response to the fourth network element, the second response being used to indicate whether the fourth network element can be registered as a serving network element of the terminal.
[0038] In some embodiments, in conjunction with the first aspect, the method further includes: determining whether the fourth network element has successfully completed authentication with the terminal.
[0039] In conjunction with some embodiments of the first aspect, in some embodiments, determining whether the fourth network element has successfully completed authentication with the terminal includes: determining the first network information corresponding to the network element that has most recently successfully completed authentication with the terminal; and determining whether the fourth network element has successfully completed authentication with the terminal based on the first network information and the second network information corresponding to the fourth network element.
[0040] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes: if the fourth network element fails to complete authentication with the terminal, determining whether the fourth network element can register as a serving network element of the terminal based on a local policy.
[0041] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes: if the fourth network element fails to complete authentication with the terminal, determining whether the first information and the second information are consistent; if the first information and the second information are consistent, determining that the fourth network element can register as a service network element of the terminal; if the first information and the second information are inconsistent, determining that the fourth network element cannot register as a service network element of the terminal.
[0042] In the above embodiments, when a fourth network element requests to register as a service network element of a terminal, the first network element will determine whether the fourth network element can register as a service network element of the terminal. Only when the first network element determines that the fourth network element can register as a service network element of the terminal will it allow the fourth network element to register as a service network element of the terminal, thereby preventing any network element from registering as a service network element of the terminal, avoiding fraud attacks, and ensuring communication security.
[0043] Secondly, this disclosure provides a communication method executed by a second network element. The method includes: sending a first request to a first network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being used to request the first network element to verify whether the third network element can become a serving network element of the terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; and receiving a first response sent by the first network element, the first response being used to indicate whether the third network element can become a serving network element of the terminal.
[0044] In conjunction with some embodiments of the second aspect, in some embodiments, sending the first request to the first network element includes: receiving a third request sent by the third network element, the third request being used to request context information of the terminal; performing security verification on the third request; and sending the first request to the first network element after the third request passes the security verification.
[0045] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes: the first response indicating that the third network element can become a serving network element of the terminal, sending a third response to the third network element, the third response including context information of the terminal; or, the first response including a failure response indicating that the third network element cannot become a serving network element of the terminal, sending a third response to the third network element, the third response including a failure indication.
[0046] Thirdly, this disclosure provides a first network element, including: a transceiver module, configured to receive a first request sent by a second network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being configured to request the first network element to verify whether the third network element can become a serving network element of the terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; the transceiver module is further configured to send a first response to the second network element; the first response being configured to indicate whether the third network element can become a serving network element of the terminal.
[0047] Fourthly, this disclosure proposes a second network element, including: a transceiver module, configured to send a first request to a first network element; wherein the first request includes first information, the first information including relevant information of a third network element, the first request being configured to request the first network element to verify whether the third network element can become a serving network element of the terminal, the third network element being the network element to which the terminal will switch, and the second network element being the current serving network element of the terminal; the transceiver module is further configured to receive a first response sent by the first network element, the first response being configured to indicate whether the third network element can become a serving network element of the terminal.
[0048] Fifthly, embodiments of this disclosure provide a communication device, which includes: one or more processors; one or more memories for storing instructions; wherein the processors are configured to invoke the instructions to cause the communication device to perform the methods described in the first aspect, optional implementations of the first aspect, the second aspect, optional implementations of the second aspect, the third aspect, and optional implementations of the third aspect.
[0049] In a sixth aspect, embodiments of this disclosure provide a communication system comprising: a first network element and a second network element; wherein the first network element is configured to perform the method described in the first aspect and its optional implementations, and the second network element is configured to perform the method described in the second aspect and its optional implementations.
[0050] In a seventh aspect, embodiments of this disclosure provide a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform the method described in the first aspect, an optional implementation of the first aspect, the second aspect, and an optional implementation of the second aspect.
[0051] Eighthly, embodiments of this disclosure provide a program product including a computer program that, when executed by a processor, implements the methods described in the first aspect, optional implementations of the first aspect, the second aspect, and optional implementations of the second aspect.
[0052] In a ninth aspect, embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the methods described in the first aspect, an optional implementation of the first aspect, the second aspect, and an optional implementation of the second aspect.
[0053] It is understood that the aforementioned first network element, second network element, communication equipment, communication system, storage medium, program product, and computer program are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects that can be achieved can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.
[0054] This disclosure provides communication methods, communication devices, communication systems, and storage media. In some embodiments, the terms resource selection method, information processing method, and communication method can be used interchangeably.
[0055] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments. In all embodiments of this disclosure, unless otherwise specified or logically conflicting, the terminology and / or descriptions between the embodiments are consistent and can be mutually referenced. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.
[0056] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.
[0057] In this embodiment of the disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular expression or a plural expression.
[0058] In the embodiments disclosed herein, "multiple" refers to two or more.
[0059] In some embodiments, the terms “at least one of A or B, at least one of A and B”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.
[0060] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of whether there is a branch B); in some embodiments, B (execute B regardless of whether there is a branch A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, both A and B are executed. The same applies when there are more branches such as A, B, C, etc.
[0061] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execute A regardless of whether a branch B exists); in some embodiments, B (execute B regardless of whether a branch A exists); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, and C.
[0062] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.
[0063] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
[0064] In some embodiments, terms such as "time / frequency" and "time-frequency domain" refer to the time domain and / or frequency domain.
[0065] In some embodiments, terms such as “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “when…”, “if…”, etc. can be used interchangeably. These descriptions all refer to the device making a corresponding action under certain objective circumstances. They do not necessarily limit the time, nor do they require the device to make a judgment action when implementing it, nor do they mean that there must be other limitations.
[0066] In some embodiments, the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.
[0067] In some embodiments, devices, etc., may be interpreted as physical or virtual, and their names are not limited to those described in the embodiments. Terms such as “device,” “equipment,” “circuit,” “network element,” “network function,” “network device,” “function,” “node,” “unit,” “section,” “system,” “network,” “chip,” “chip system,” “entity,” and “subject” are interchangeable.
[0068] In some embodiments, "network" can be interpreted as devices included in a network (e.g., access network devices, core network devices, etc.).
[0069] In some embodiments, the terms "access network device (AN device)," "radio access network device (RAN device)," "base station (BS)," "radio base station," "fixed station," "node," "access point," "transmission point (TP)," "reception point (RP)," "transmission / reception point (TRP)," "panel," "antenna panel," "antenna array," "cell," "macro cell," "small cell," "femto cell," "pico cell," "sector," "cell group," "serving cell," "carrier," "component carrier," and "bandwidth part (BWP)" can be used interchangeably.
[0070] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", "subscriber station", "mobile unit", "subscriber unit", "wireless unit", "remote unit", "mobile device", "wireless device", "wireless communication device", "remote device", "mobile subscriber station", "access terminal", "mobile terminal", "wireless terminal", "remote terminal", "handset", "user agent", "mobile client", and "client" can be used interchangeably.
[0071] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.
[0072] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.
[0073] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.
[0074] In some embodiments, data, information, etc., may be obtained with the user's consent.
[0075] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.
[0076] Figure 1 is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure. As shown in Figure 1, the communication system 100 may include a terminal and network devices. Optionally, the network devices may include at least one of access network devices and core network devices.
[0077] In some embodiments, the terminal includes, but is not limited to, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet, computer with wireless transceiver function, virtual reality (VR) terminal device, augmented reality (AR) terminal device, wireless terminal device in industrial control, wireless terminal device in self-driving, wireless terminal device in remote medical surgery, wireless terminal device in smart grid, wireless terminal device in transportation safety, wireless terminal device in smart city, and wireless terminal device in smart home.
[0078] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include at least one of the following in a 5G communication system: evolved Node B (eNB), next-generation evolved Node B (ng-eNB), next-generation Node B (gNB), Node B (NB), Home Node B (HNB), Home evolved Node B (HeNB), radio backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in a 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in a Wi-Fi system, but is not limited thereto.
[0079] In some embodiments, the technical solutions of this disclosure can be applied to the Open RAN architecture. In this case, the interfaces between or within access network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN. The processes and information interactions between these internal interfaces can be implemented by software or programs.
[0080] In some embodiments, the access network device may be composed of a central unit (CU) and a distributed unit (DU). The CU may also be called a control unit. The CU-DU structure can separate the protocol layer of the access network device. Some protocol layer functions are centrally controlled by the CU, while the remaining part or all protocol layer functions are distributed in the DU and centrally controlled by the CU. However, this is not the only possibility.
[0081] In some embodiments, the core network device may be a single device, including at least one of a first network element, a second network element, a third network element, and a fourth network element. The core network device may also be multiple devices or a group of devices, each including all or part of the aforementioned first network element, second network element, third network element, and fourth network element. Network elements may be virtual or physical. The core network may include, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), a 6G Core Network (6GCN), and a Next Generation Core (NGC).
[0082] Optionally, in some embodiments, the first network element can be used to provide unified data management functions, and the first network element can be, for example, a unified data management (UDM) network element.
[0083] Optionally, in some embodiments, the second network element, the third network element, and the fourth network element can all be used to provide access and mobility management functions. For example, the second network element, the third network element, and the fourth network element can be access and mobility management function (AMF) network elements.
[0084] In some embodiments, the second network element can be the source network element of the terminal, and the third network element can be the target network element of the terminal. That is, the terminal can switch from the second network element to the third network element, and the fourth network element can be the same as or different from the third network element.
[0085] In some embodiments, the functions implemented by at least one of the first network element, the second network element, the third network element, and the fourth network element described above can also be implemented by the access network device.
[0086] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions proposed in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions proposed in this disclosure are also applicable to similar technical problems.
[0087] The following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1, or to some of the main bodies, but are not limited thereto. The main bodies shown in FIG1 are illustrative. The communication system may include all or some of the main bodies in FIG1, or may include other main bodies outside of FIG1. The number and form of each main body are arbitrary. The connection relationship between the main bodies is illustrative. The main bodies may not be connected or may be connected. The connection can be in any way, it can be a direct connection or an indirect connection, it can be a wired connection or a wireless connection.
[0088] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, 4th Generation mobile communication system (4G), 5th Generation mobile communication system (5G), 5G New Radio (NR), 6th Generation mobile communication system (6G), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New Radio Access (NX), Future Generation Radio Access (FX), Global System for Mobile communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, Ultra-Wideband (UWB), Bluetooth (a registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X) systems, systems utilizing other resource selection methods, and next-generation systems built upon them, etc. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).
[0089] Optionally, during PLMN handover, the terminal may switch from the first AMF to the second AMF. The second AMF can request to register itself as the terminal's serving AMF with the Unified Data Management (UDM) element in the terminal's home network. Optionally, currently the UDM cannot determine whether the second AMF has completed authentication with the terminal or whether it is the network element the terminal is about to switch to. Therefore, any AMF can register as the terminal's serving AMF in the terminal's home network's UDM. This makes it easy for attackers to register an AMF that is not actually serving the terminal as the terminal's serving AMF for fraudulent attacks.
[0090] Figure 2A is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 2A, this embodiment of the disclosure relates to a communication method for a communication system 100; the method includes:
[0091] Step 2101: The terminal sends a fourth request to the third network element.
[0092] In some embodiments, the third network element receives a fourth request sent by the terminal, but is not limited thereto. The third network element may also receive a fourth request sent by other entities other than the terminal, in which case step 2101 may be omitted.
[0093] Optionally, the third network element can be the network element to which the terminal will switch. For example, the third network element can be called the target network element of the terminal. The third network element can include the AMF network element. In some embodiments, the third network element can be called the Target AMF.
[0094] Optionally, the fourth request can be used to request access to the access network where the third network element is located. In some embodiments, the fourth request can be called a registration request or other names, and this disclosure does not specifically limit it.
[0095] In some embodiments, the fourth request may include the terminal's Globally Unique Temporary UE Identity (GUTI). Optionally, the GUTI may be assigned to the terminal by a second network element, which may be, for example, the terminal's current serving network element. This second network element may be referred to as the terminal's source network element, and may include, for example, an AMF network element. In some embodiments, the second network element may be referred to as the Source AMF. Optionally, the second network element may be, for example, a network element belonging to the terminal's home network, and the third network element may be, for example, a network element belonging to the terminal's visited network. Optionally, the second network element may be, for example, a network element belonging to the first visited network, and the third network element may be, for example, a network element belonging to the second visited network.
[0096] Step 2102: The third network element sends a third request to the second network element.
[0097] Optionally, the third network element can determine the second network element based on the terminal's GUTI and send a third request to the determined second network element. Optionally, the third request can be used to request the terminal's context information. Optionally, the third request can be, for example, called a context request. In some embodiments, the third request can include at least one of the following: GUTI, a first indication, the aforementioned fourth request, and first information. Optionally, the first indication can be used to indicate the terminal's access type, which can include, for example, 3GPP access or non-3GPP access. The first information can include, for example, relevant information of the third network element, which can include, for example, at least one of the following: the third network element's network element identifier, transport address, PLMN information, and PLMN identifier (ID).
[0098] Step 2103: The second network element performs security verification on the third request.
[0099] Optionally, the second network element can verify the integrity of the third request based on the terminal's context information, thereby performing security verification on the third request.
[0100] Step 2104: After the third request passes security verification, the second network element sends the first request to the first network element.
[0101] Optionally, when the second network element and the third network element are not in the same PLMN, the second network element sends a first request to the first network element. Optionally, the first network element may include a UDM network element, for example, a network element belonging to the terminal's home network.
[0102] Optionally, the first request includes the first information described above. Optionally, the first request can be used to request the first network element to verify whether the third network element can become the serving network element of the terminal. For example, the first request can be called a Mobility Registration Verification Request or other names, and this disclosure does not specifically limit it in this regard.
[0103] Optionally, the second network element and the first network element can communicate through the Authentication Server Function (AUSF) network element.
[0104] Optionally, in some embodiments, when the third request fails the security verification, the second network element may send a rejection response or a failure response to the third network element, and the third network element may send a registration rejection indication or a registration failure indication to the terminal.
[0105] Step 2105: The first network element determines whether the third network element can become the serving network element of the terminal.
[0106] Optionally, in some embodiments, the first network element can determine whether the third network element has successfully completed authentication with the terminal. When the third network element successfully completes authentication with the terminal, the first network element can determine that the third network element can become the terminal's serving network element. When the third network element fails to complete authentication with the terminal, the first network element can determine that the third network element cannot become the terminal's serving network element.
[0107] In some embodiments, the first network element stores network information corresponding to the network element that has successfully completed authentication with the terminal. This network information may include at least one of the following: network element identifier, transmission address, PLMN information, PLMN ID, etc. Optionally, the terminal can determine the first network information corresponding to the latest network element that has successfully completed authentication with the terminal, and determine whether the third network element has successfully completed authentication with the terminal by comparing the first network information with the third network information corresponding to the third network element (i.e., the first information mentioned above). Specifically, when the first network information includes the third network information corresponding to the third network element, it is determined that the third network element has successfully completed authentication with the terminal; when the first network information does not include the third network information corresponding to the third network element, it is determined that the third network element has not successfully completed authentication with the terminal.
[0108] In some embodiments, the first network element can also determine whether the third network element can become the serving network element of the terminal based on a local policy. Optionally, when the third network element fails to complete authentication with the terminal, the first network element can determine whether the third network element can become the serving network element of the terminal based on the local policy. For example, the local policy configured on the first network element determines that the handover between the third network element and the second network element can skip the authentication process with the terminal, or determines whether the third network element is trustworthy based on the local policy configured on the first network element, that is, it is still trustworthy even if the authentication process with the terminal is skipped.
[0109] Step 2106: The first network element sends a first response to the second network element.
[0110] Optionally, the first response can be used to indicate whether the third network element can become a serving network element of the terminal. In some embodiments, the first response may include an acknowledgment response or a success response, in which case the first response is used to indicate that the third network element can become a serving network element of the terminal. In some embodiments, the first response may include a rejection response or a failure response, in which case the first response is used to indicate that the third network element cannot become a serving network element of the terminal.
[0111] Step 2107: The second network element sends a third response to the third network element.
[0112] Optionally, in some embodiments, when the first response in step 2106 indicates that the third network element can become a serving network element of the terminal, for example, when the first response includes an acknowledgment response or a success response, the third response may include the terminal's context information. For example, the third response may include the key Kamf or the key Kamf*. In some embodiments, when the first response in step 2106 indicates that the third network element cannot become a serving network element of the terminal, for example, when the first response includes a failure response or a rejection response, the third response may include a failure indication or a rejection indication.
[0113] Step 2108: The fourth network element sends a second request to the first network element.
[0114] Optionally, the second request can be used to request the fourth network element to be registered as a serving network element of the terminal. Optionally, the second request can include second information, which includes relevant information about the fourth network element. The relevant information about the fourth network element can include at least one of the following: network element identifier, transmission address, PLMN information, PLMN ID, etc.
[0115] Optionally, the fourth network element can be the third network element mentioned above, or the fourth network element can be different from the third network element mentioned above.
[0116] Optionally, when the fourth network element is the third network element, the fourth network element (or the third network element) may send the second request to the first network element only when the third response in step 2107 includes the terminal's context information. It should be noted that in some embodiments, when the third response in step 2107 includes a failure indication or a rejection indication, the fourth network element (or the third network element) may send a registration rejection indication or a registration failure indication to the terminal.
[0117] Optionally, if the fourth network element is not the third network element, it indicates that the fourth network element is a malicious network element and may be carrying out a fraud attack.
[0118] Step 2109: The first network element determines whether the fourth network element can be registered as a service network element for the terminal.
[0119] In some embodiments, the first network element can determine whether the fourth network element has successfully completed authentication with the terminal. When the fourth network element successfully completes authentication with the terminal, the first network element can determine that the fourth network element can register as a serving network element of the terminal. When the fourth network element fails to complete authentication with the terminal, the first network element can determine that the fourth network element cannot register as a serving network element of the terminal. The method by which the first network element determines whether the fourth network element has successfully completed authentication with the terminal is similar to the method in step 2105 above, where the first network element determines whether the third network element has successfully completed authentication with the terminal, and will not be repeated here.
[0120] In some embodiments, the first network element can also determine whether the fourth network element can register as a serving network element of the terminal based on local policies. For example, when the fourth network element fails to complete authentication with the terminal, the first network element can determine whether the fourth network element can register as a serving network element of the terminal based on local policies.
[0121] Step 2110: The first network element sends a second response to the fourth network element.
[0122] Optionally, the second response is used to indicate whether the fourth network element can register as a serving network element of the terminal. In some embodiments, the second response may include an acknowledgment response or a success response, in which case the second response is used to indicate that the fourth network element can register as a serving network element of the terminal. In some embodiments, the second response may include a rejection response or a failure response, in which case the second response is used to indicate that the fourth network element cannot register as a serving network element of the terminal.
[0123] Optionally, in some embodiments, when the second response includes an acknowledgment response or a success response, the first network element may store relevant information of the fourth network element (such as at least one of the network element identifier, transmission address, PLMN information, PLMN ID, etc. of the fourth network element), use the fourth network element as the service network element of the terminal, and register the second network element, such as deleting relevant information of the second network element. Optionally, the relevant information of the second network element may include at least one of the network element identifier, transmission address, PLMN information, PLMN ID, etc. of the second network element.
[0124] Optionally, in some embodiments, when the second response includes a rejection response or a failure response, the first network element may not store the relevant information of the fourth network element and retain the second network element as the serving network element of the terminal.
[0125] Step 2111: The fourth network element performs the first operation based on the second response.
[0126] Optionally, when the second response indicates that the fourth network element can register as a serving network element of the terminal, the fourth network element can proceed with the subsequent registration process. When the second response indicates that the fourth network element cannot register as a serving network element of the terminal, if the fourth network element is the aforementioned third network element, the fourth network element can send a registration rejection indication or a registration failure indication to the terminal.
[0127] In summary, in the above embodiments, the second network element can request the first network element to verify whether the third network element can become the serving network element of the terminal. Here, the third network element is the network element the terminal will switch to, and the second network element is the terminal's current serving network element. Therefore, when a network element switch occurs, the terminal's source network element (i.e., the second network element) will request the first network element to verify whether the terminal's target network element (i.e., the third network element) can become the terminal's serving network element. That is, this embodiment adds a process for the first network element to verify the terminal's target network element, thereby preventing any network element from acting as the target network element, avoiding fraud attacks, and ensuring communication security. Furthermore, in the above embodiments, when the fourth network element requests to register as the terminal's serving network element, the first network element will determine whether the fourth network element can register as the terminal's serving network element. Only when the first network element determines that the fourth network element can register as the terminal's serving network element will it allow the fourth network element to register as the terminal's serving network element, thereby preventing any network element from registering as the terminal's serving network element, avoiding fraud attacks, and ensuring communication security.
[0128] The communication method involved in the embodiments of this disclosure may include at least one of steps 2101 to 2111. For example, step 2102 may be implemented as a separate embodiment, and steps 2102+2103 may be implemented as separate embodiments, but are not limited thereto.
[0129] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0130] Figure 2B is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 2B, this embodiment of the disclosure relates to a communication method for a communication system 100; the method includes:
[0131] Step 2201: The terminal sends a fourth request to the third network element.
[0132] Step 2202: The third network element sends a third request to the second network element.
[0133] Step 2203: The second network element performs security verification on the third request.
[0134] Step 2204: After the third request passes security verification, the second network element sends the first request to the first network element.
[0135] Step 2205: The first network element determines whether the third network element can become the serving network element of the terminal.
[0136] For a detailed description of steps 2201-2205, please refer to the embodiment described in Figure 2A above.
[0137] Step 2206: The third network element can become the serving network element of the terminal, and the first network element adds the first information to the context information of the terminal.
[0138] Optionally, in some embodiments, when the first network element determines that the third network element can become the serving network element of the terminal, the first network element can add the first information to the context information of the terminal to update the context information of the terminal.
[0139] Optionally, after the first network element adds the first information (i.e., the relevant information of the third network element), the relevant information of the second network element will not be deleted, nor will the third network element be added as a serving network element of the terminal. Optionally, a first identifier can be associated with the relevant information of the third network element to indicate that the third network element is a serving network element that the terminal may switch to.
[0140] Optionally, the relevant information of the third network element can be temporarily stored or deleted after the timer configured by the operator expires. Optionally, the start time of the timer can be, for example, the time when the first network element stores the relevant information of the third network element.
[0141] Step 2207: The first network element sends a first response to the second network element.
[0142] Optionally, the order of steps 2206 and 2207 can be interchanged.
[0143] Step 2208: The second network element sends a third response to the third network element.
[0144] Step 2209: The fourth network element sends a second request to the first network element.
[0145] For a detailed description of steps 2207-2209, please refer to the embodiment described in Figure 2A above.
[0146] Step 2210: The first network element determines whether the fourth network element can be registered as a service network element for the terminal.
[0147] In some embodiments, the first network element can determine whether the fourth network element has successfully completed authentication with the terminal. When the fourth network element successfully completes authentication with the terminal, the first network element can determine that the fourth network element can register as a serving network element of the terminal. When the fourth network element fails to complete authentication with the terminal, the first network element can determine that the fourth network element cannot register as a serving network element of the terminal. The method by which the first network element determines whether the fourth network element has successfully completed authentication with the terminal can be referred to the embodiment described in Figure 2A above.
[0148] In some embodiments, the first network element can also determine whether the fourth network element can register as a serving network element of the terminal based on local policies. For example, when the fourth network element fails to complete authentication with the terminal, the first network element can determine whether the fourth network element can register as a serving network element of the terminal based on local policies.
[0149] In some embodiments, the first network element can determine whether the fourth network element can register as a service network element of the terminal by comparing the first information stored in the terminal context with the second information in the second request. For example, when the fourth network element fails to complete authentication with the terminal, the first network element can determine whether the fourth network element can register as a service network element of the terminal by comparing the first information with the second information. Optionally, when the first information and the second information are consistent, it indicates that the fourth network element is the third network element. Since the third network element has been verified in the aforementioned step 2205, and when the fourth network element is the third network element, the execution premise of step 2209 and subsequent steps is that the third network element has passed the verification. Therefore, it can be inferred that the fourth network element has also passed the verification, that is, the fourth network element is trustworthy. Then, the first network element can determine that the fourth network element can register as a service network element of the terminal. Optionally, when the first information and the second information are inconsistent, it indicates that the fourth network element is not the third network element, that is, the fourth network element is not the target network element of the terminal. In this case, the fourth network element is considered to be a malicious network element, and it is determined that the fourth network element cannot register as a service network element of the terminal.
[0150] Step 2211: The first network element sends a second response to the fourth network element.
[0151] Optionally, the second response is used to indicate whether the fourth network element can register as a serving network element of the terminal. In some embodiments, the second response may include an acknowledgment response or a success response, in which case the second response is used to indicate that the fourth network element can register as a serving network element of the terminal. In some embodiments, the second response may include a rejection response or a failure response, in which case the second response is used to indicate that the fourth network element cannot register as a serving network element of the terminal.
[0152] Optionally, in some embodiments, when the second response includes a confirmation response or a success response, the first network element may delete the first information stored in step 2206 above, and store the relevant information of the fourth network element (such as at least one of the network element identifier, transmission address, PLMN information, PLMN ID, etc. of the fourth network element), use the fourth network element as the service network element of the terminal, and register the second network element, such as deleting the relevant information of the second network element, etc. Optionally, the relevant information of the second network element may include at least one of the network element identifier, transmission address, PLMN information, PLMN ID, etc. of the second network element.
[0153] Optionally, in some embodiments, when the second response includes a rejection response or a failure response, the first network element may not store the relevant information of the fourth network element, but retain the first information stored in step 2206 above, and retain the second network element as the serving network element of the terminal.
[0154] Step 2212: The fourth network element performs the first operation based on the second response.
[0155] For a detailed description of steps 2211-2212, please refer to the embodiment described in Figure 2A above.
[0156] In summary, in the above embodiments, the second network element can request the first network element to verify whether the third network element can become the serving network element of the terminal. Here, the third network element is the network element the terminal will switch to, and the second network element is the terminal's current serving network element. Therefore, when a network element switch occurs, the terminal's source network element (i.e., the second network element) will request the first network element to verify whether the terminal's target network element (i.e., the third network element) can become the terminal's serving network element. That is, this embodiment adds a process for the first network element to verify the terminal's target network element, thereby preventing any network element from acting as the target network element, avoiding fraud attacks, and ensuring communication security. Furthermore, in the above embodiments, when the fourth network element requests to register as the terminal's serving network element, the first network element will determine whether the fourth network element can register as the terminal's serving network element. Only when the first network element determines that the fourth network element can register as the terminal's serving network element will it allow the fourth network element to register as the terminal's serving network element, thereby preventing any network element from registering as the terminal's serving network element, avoiding fraud attacks, and ensuring communication security.
[0157] The communication method involved in the embodiments of this disclosure may include at least one of steps 2201 to 2212. For example, step 2202 may be implemented as a separate embodiment, and steps 2202+2203 may be implemented as separate embodiments, but are not limited thereto.
[0158] Optionally, the order of steps 2206 and 2207 can be interchanged.
[0159] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0160] Figure 3A is a flowchart illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3A, this embodiment of the present disclosure relates to a communication method for a first network element, the method comprising:
[0161] Step 3101: Receive the first request sent by the second network element.
[0162] Step 3102: Send the first response to the second network element.
[0163] Optionally, the first request includes first information, which includes relevant information about the third network element. The first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal. The third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal.
[0164] Optionally, the first response is used to indicate whether the third network element can become the serving network element of the terminal.
[0165] Optionally, the method further includes: determining whether the third network element can become the serving network element of the terminal based on a local policy.
[0166] Optionally, the method further includes: in response to the third network element becoming a serving network element of the terminal, adding the first information to the context information of the terminal.
[0167] Optionally, the method further includes: receiving a second request sent by a fourth network element, the second request including second information, the second information including relevant information of the fourth network element, the second request being used to request the fourth network element to be registered as a serving network element of the terminal;
[0168] A second response is sent to the fourth network element, the second response being used to indicate whether the fourth network element can register as a serving network element of the terminal.
[0169] Optionally, the method further includes: determining whether the fourth network element has successfully completed authentication with the terminal.
[0170] Optionally, determining whether the fourth network element has successfully completed authentication with the terminal includes:
[0171] Determine the first network information corresponding to the network element that has recently successfully completed authentication with the terminal;
[0172] Based on the first network information and the second network information corresponding to the fourth network element, it is determined whether the fourth network element has successfully completed authentication with the terminal.
[0173] Optionally, the method further includes: if the fourth network element fails to complete authentication with the terminal, determining whether the fourth network element can register as a serving network element of the terminal based on a local policy.
[0174] Optionally, the method further includes: if the fourth network element fails to complete authentication with the terminal, determining whether the first information and the second information are consistent;
[0175] The first information is consistent with the second information, confirming that the fourth network element can be registered as a serving network element of the terminal;
[0176] Since the first information is inconsistent with the second information, it is determined that the fourth network element cannot be registered as a service network element of the terminal.
[0177] For a detailed description of steps 3101-3102, please refer to the above embodiment description.
[0178] The communication method involved in the embodiments of this disclosure may include at least one of steps 3101 to 3102. For example, step 3102 may be implemented as a standalone embodiment, and steps 3102+3102 may be implemented as standalone embodiments, but are not limited thereto.
[0179] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0180] Figure 3B is a flowchart illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3B, this embodiment of the present disclosure relates to a communication method for a first network element, the method comprising:
[0181] Step 3201: Receive the first request sent by the second network element.
[0182] Step 3202: Determine whether the third network element can become the serving network element of the terminal.
[0183] Step 3203: Send the first response to the second network element.
[0184] Step 3204: Receive the second request sent by the fourth network element.
[0185] Step 3205: Determine whether the fourth network element can be registered as a service network element of the terminal.
[0186] Step 3206: Send the second response to the fourth network element.
[0187] For a detailed description of steps 3201-3206, please refer to the embodiment described in Figure 2A above.
[0188] The communication method involved in the embodiments of this disclosure may include at least one of steps 3201 to 3206. For example, step 3202 may be implemented as a standalone embodiment, and steps 3202+3202 may be implemented as standalone embodiments, but are not limited thereto.
[0189] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0190] Figure 3C is a flowchart illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3C, this embodiment of the present disclosure relates to a communication method for a first network element, the method comprising:
[0191] Step 3301: Receive the first request sent by the second network element.
[0192] Step 3302: Determine whether the third network element can become the serving network element of the terminal.
[0193] Step 3303: The third network element can become the serving network element of the terminal and add the first information to the context information of the terminal.
[0194] Step 3304: Send the first response to the second network element.
[0195] Step 3305: Receive the second request sent by the fourth network element.
[0196] Step 3306: Determine whether the fourth network element can be registered as a service network element for the terminal.
[0197] Step 3307: Send the second response to the fourth network element.
[0198] For a detailed description of steps 3301-3307, please refer to the embodiment described in Figure 2B above.
[0199] The communication method involved in the embodiments of this disclosure may include at least one of steps 3301 to 3307. For example, step 3302 may be implemented as a separate embodiment, and steps 3302+3302 may be implemented as separate embodiments, but are not limited thereto.
[0200] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0201] Figure 3D is a flowchart illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3B, this disclosure relates to a communication method for a second network element, the method comprising:
[0202] Step 3401: Send the first request to the first network element.
[0203] Step 3402: Receive the first response sent by the first network element.
[0204] Optionally, the first request includes first information, which includes relevant information about the third network element. The first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal. The third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal.
[0205] Optionally, the first response is used to indicate whether the third network element can become the serving network element of the terminal.
[0206] Optionally, sending the first request to the first network element includes:
[0207] Receive a third request sent by the third network element, the third request being used to request the context information of the terminal;
[0208] Perform security verification on the third request;
[0209] The third request, after passing security verification, sends the first request to the first network element.
[0210] Optionally, the method further includes:
[0211] The first response indicates that the third network element can become the serving network element of the terminal, and a third response is sent to the third network element, the third response including the context information of the terminal; or
[0212] The first response includes a failure response, which indicates that the third network element cannot become the serving network element of the terminal. A third response is then sent to the third network element, which includes a failure indication.
[0213] For a detailed description of steps 3401-3402, please refer to the above embodiment description.
[0214] The communication method involved in the embodiments of this disclosure may include at least one of steps 3401 to 3402. For example, step 3402 may be implemented as a standalone embodiment, and steps 3402+3402 may be implemented as standalone embodiments, but are not limited thereto.
[0215] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0216] The following is an exemplary description of the above method:
[0217] Compared to 4G, 5G offers enhanced security by adding a home network to prevent certain types of fraud. When the home network receives a request from the accessing network, i.e., the serving network (SN), the characteristics of the home network enable it to verify whether the device is indeed provided by the accessing network.
[0218] This enhanced home network takes the following forms in 5GS:
[0219] - In the case of EAP-AKA', when the EAP-Response / AKA'-Challenge received by the AUSF has been successfully verified, the AUSF in the home network determines that the UE has been successfully authenticated through a certain serving network.
[0220] - In the case of 5G AKA, when the authentication confirmation received by the AUSF in the Nausf_UE authentication_Authenticate request message has been successfully verified, the AUSF in the home network determines that the UE has been successfully authenticated through a certain serving network.
[0221] Enhanced home control features are useful in preventing certain types of fraud, such as when a fraudulent AMF sends a fraudulent Nudm_UECM_Registration request to the home network's UDM, claiming it is serving a terminal that is not actually in the access network. However, the authentication protocol itself does not provide protection against this type of fraud. The authentication result needs to be linked and synchronized to subsequent processes in some way, such as the Nudm_UECM_Registration process from the AMF, to achieve the desired protection.
[0222] However, such fraudulent attacks can still be launched during PLMN handovers. During a PLMN handover, the new AMF can obtain the UE security context from the old AMF without performing a re-authentication process and register itself as the terminal's serving AMF in the UDM. Without performing a re-authentication process, entities in the home network (e.g., ASF, UDM) cannot link the authentication result to the serving network to which the registered AMF belongs. Therefore, any AMF can successfully register as the terminal's serving AMF in the terminal's UDM, which can be easily exploited by attackers to carry out fraudulent attacks.
[0223] The method described in this disclosure can prevent fraud attacks during handover between PLMNs and ensure that the home network can determine the legitimacy of the AMF.
[0224] Figure 4A is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 4A, the method includes the following steps:
[0225] 1. The UE sends a registration request for mobility registration update, which includes a GUTI published by the Source AMF.
[0226] 2. The target AMF uses the UE's GUTI to determine the source AMF. The target AMF sends a context request to the source AMF, which includes the GUTI, access type, and received registration request.
[0227] 3. The source AMF checks the integrity of the registration request using the UE security context. If the verification passes, the source AMF sends a mobile registration verification request to the UDM containing the target AMF information (i.e., the first information mentioned above).
[0228] Based on local policies, the UDM determines whether the target AMF is trusted to serve the UE without re-authentication. If the UDM can confirm that the target AMF is trusted, steps 4a-6a can be performed. Otherwise, steps 4b-6b can be performed.
[0229] Successful cases (i.e., UDM successfully validates the target AMF):
[0230] 4a. UDM returns an acknowledgment message to the source AMF.
[0231] 5a. The source AMF can provide Kamf / Kamf* to the target AMF by sending a context response.
[0232] 6a. The target AMF performs the subsequent mobility registration process. During the Nudm_UECM_registration process, if there is no authentication result associated with the service network to which the registered AMF belongs, the UDM determines its trustworthiness based on local policies. If the UDM confirms that the AMF is trustworthy, the UDM returns confirmation. Otherwise, the UDM will reject the AMF's registration.
[0233] Failure case (i.e., UDM fails to validate the target AMF).
[0234] 4b. UDM returns a failure message to the source AMF.
[0235] 5b. The source AMF sends a context response message containing a failure indication to the target AMF.
[0236] 6b. The target AMF returns a registration rejection message to the UE.
[0237] Figure 4B is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 4B, the method includes the following steps:
[0238] 1. The UE sends a registration request for mobility registration update, which includes a GUTI published by the Source AMF.
[0239] 2. The target AMF uses the UE's GUTI to determine the source AMF. The target AMF sends a context request to the source AMF, which includes the GUTI, access type, and received registration request.
[0240] 3. The source AMF checks the integrity of the registration request using the UE security context. If the verification passes, the source AMF sends a mobile registration verification request containing the target AMF information to the UDM.
[0241] 4. Based on local policies, the UDM determines whether the target AMF is trusted to serve the UE without re-authentication. If the target AMF is trustworthy, the UDM updates the UE context by including the target AMF information. If not, the UDM rejects the response and skips steps 5-8.
[0242] Optionally: The target AMF information is not stored as a serving network element of the terminal in the terminal context of the UDM.
[0243] 5. UDM returns an acknowledgment message to the source AMF.
[0244] 6. The source AMF can provide Kamf / Kamf* to the target AMF by sending a context response.
[0245] 7. The target AMF invokes the Nudm_UECM_Registration service operation to the UDM. By checking the UE context, the UDM determines whether the target AMF can register in the UDM.
[0246] Successful cases (i.e., UDM determines that the target AMF can register in UDM):
[0247] If the target AMF information matches the information received from the source AMF, the UDM can return an acknowledgment without needing to connect and synchronize the authentication result with the target AMF.
[0248] 8. If a confirmation message is received, proceed with the subsequent mobility registration process. Otherwise, this step can be skipped.
[0249] Failure case (i.e., UDM determines that the target AMF cannot be registered in UDM):
[0250] If the target AMF information does not match the information received from the source AMF, and no successful authentication process is performed between the target AMF and the UE, the UDM may return a failure response.
[0251] In the embodiments of this disclosure, with respect to the source AMF:
[0252] If the registration request is verified, the source AMF should be able to send a mobile registration verification request to the UDM.
[0253] The source AMF should be able to receive acknowledgment or failure responses from the UDM.
[0254] If a failure response is received from the UDM, the source AMF should be able to include the failure indication in the target AMF.
[0255] If an acknowledgment is received from the UDM, the source AMF should be able to include the UE security context in the target AMF.
[0256] In the embodiments of this disclosure, with respect to UDM:
[0257] The UDM should be able to receive mobility registration verification requests from the source AMF, which include the target AMF information.
[0258] UDM should be able to return an acknowledgment or failure response to the source AMF.
[0259] Once the confirmation is sent to the source AMF, the UDM will be able to include the target AMF information in the UE context.
[0260] If no re-authentication process was performed previously, UDM should be able to compare the stored AMF information with the requested AMF information.
[0261] UDM can determine whether a target AMF can become a serving AMF of the UE.
[0262] This disclosure also proposes an apparatus (also referred to as a communication device, etc.) for implementing any of the above methods. For example, an apparatus is proposed that includes units or modules for implementing the steps performed by the terminal in any of the above methods. Furthermore, another apparatus is proposed that includes units or modules for implementing the steps performed by a network device (e.g., an access network device, a core network functional node, a core network device, etc.) in any of the above methods.
[0263] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.
[0264] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a microprocessor), or a digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a Neural Network Processing Unit (NPU), a Tensor Processing Unit (TPU), or a Deep Learning Processing Unit (DPU).
[0265] Figure 5A is a schematic diagram of the structure of the first network element proposed in an embodiment of this disclosure. The first network element is used to perform any of the above methods. In some embodiments, as shown in Figure 5A, the first network element may include at least one of a transceiver module, a processing module, etc. The transceiver module is used to send a first request to the first network element; wherein, the first request includes first information, the first information includes relevant information of a third network element, the first request is used to request the first network element to verify whether the third network element can become a serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; the transceiver module is also used to receive a first response sent by the first network element, the first response is used to indicate whether the third network element can become a serving network element of the terminal.
[0266] Optionally, the transceiver module is used to perform at least one of the communication steps, such as sending and / or receiving, performed by the first network element in any of the above methods, which will not be elaborated here. Optionally, the processing module is used to perform at least one of the other steps performed by the first network element in any of the above methods, which will not be elaborated here.
[0267] Optionally, the processing module is further configured to: determine whether the third network element can become the serving network element of the terminal based on a local policy.
[0268] Optionally, the processing module is further configured to: in response to the third network element becoming a serving network element of the terminal, add the first information to the context information of the terminal.
[0269] Optionally, the transceiver module is further configured to: receive a second request sent by a fourth network element, the second request including second information, the second information including relevant information of the fourth network element, the second request being used to request the fourth network element to be registered as a serving network element of the terminal;
[0270] A second response is sent to the fourth network element, the second response being used to indicate whether the fourth network element can register as a serving network element of the terminal.
[0271] Optionally, the processing module is further configured to: determine whether the fourth network element has successfully completed authentication with the terminal.
[0272] Optionally, the processing module is further configured to: determine the first network information corresponding to the network element that has most recently successfully completed authentication with the terminal;
[0273] Based on the first network information and the second network information corresponding to the fourth network element, it is determined whether the fourth network element has successfully completed authentication with the terminal.
[0274] Optionally, the processing module is further configured to: if the fourth network element fails to complete authentication with the terminal, determine whether the fourth network element can be registered as a service network element of the terminal based on a local policy.
[0275] Optionally, the processing module is further configured to: if the fourth network element fails to complete authentication with the terminal, determine whether the first information and the second information are consistent;
[0276] The first information is consistent with the second information, confirming that the fourth network element can be registered as a serving network element of the terminal;
[0277] Since the first information is inconsistent with the second information, it is determined that the fourth network element cannot be registered as a service network element of the terminal.
[0278] Figure 5B is a schematic diagram of the structure of the second network element proposed in an embodiment of this disclosure. The second network element is used to perform any of the above methods. In some embodiments, as shown in Figure 5B, the second network element may include at least one of a transceiver module, a processing module, etc. The transceiver module is used to send a first request to the first network element; wherein, the first request includes first information, the first information includes relevant information of the third network element, the first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; the transceiver module is also used to receive a first response sent by the first network element, the first response is used to indicate whether the third network element can become the serving network element of the terminal.
[0279] Optionally, the transceiver module is used to perform at least one of the communication steps such as sending and / or receiving performed by the second network element in any of the above methods, which will not be elaborated here. Optionally, the processing module is used to perform at least one of the other steps performed by the second network element in any of the above methods, which will not be elaborated here.
[0280] Optionally, the transceiver module is further configured to: receive a third request sent by the third network element, the third request being used to request context information of the terminal;
[0281] Perform security verification on the third request;
[0282] The third request, after passing security verification, sends the first request to the first network element.
[0283] Optionally, the transceiver module is further configured to: indicate to the first response that the third network element can become the serving network element of the terminal, and send a third response to the third network element, the third response including the context information of the terminal; or
[0284] The first response includes a failure response, which indicates that the third network element cannot become the serving network element of the terminal. A third response is then sent to the third network element, which includes a failure indication.
[0285] Figure 6A is a schematic diagram of the structure of the communication device 6100 proposed in an embodiment of this disclosure. The communication device 6100 can be a network device (e.g., access network device, core network device, etc.), a terminal (e.g., user equipment, etc.), a chip, chip system, or processor that supports the network device in implementing any of the above methods, or a chip, chip system, or processor that supports the terminal in implementing any of the above methods. The communication device 6100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.
[0286] As shown in Figure 6A, the communication device 6100 is used to execute any of the above methods. In some embodiments, the communication device 6100 includes one or more processors 6101. The processor 6101 may be a general-purpose processor or a special-purpose processor, such as a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control communication devices (e.g., base stations, baseband chips, terminal devices, terminal device chips, DUs or CUs, etc.), execute programs, and process program data. Optionally, the communication device 6100 is used to execute any of the above methods. Optionally, one or more processors 6101 are used to invoke instructions to cause the communication device 6100 to execute any of the above methods.
[0287] In some embodiments, the communication device 6100 further includes one or more transceivers 6102. When the communication device 6100 includes one or more transceivers 6102, the transceiver 6102 performs at least one of the communication steps such as sending and / or receiving in the above-described method, and the processor 6101 performs at least one of the other steps. In optional embodiments, the transceiver may include a receiver and / or a transmitter, which may be separate or integrated. Optionally, the terms transceiver, transceiver unit, transceiver, transceiver circuit, interface circuit, interface, etc., can be used interchangeably; the terms transmitter, transmitting unit, transmitter, transmitting circuit, etc., can be used interchangeably; the terms receiver, receiving unit, receiver, receiving circuit, etc., can be used interchangeably.
[0288] In some embodiments, the communication device 6100 further includes one or more memories 6103 for storing data and / or instructions. Optionally, one or more processors 6101 are used to invoke instructions stored in the memory 6103 to cause the communication device 6100 to perform any of the above methods. Optionally, all or part of the memory 6103 may also be located outside the communication device 6100. In an optional embodiment, the communication device 6100 may include one or more interface circuits 6104. Optionally, the interface circuit 6104 is connected to the memory 6103 and can be used to receive data and / or instructions from the memory 6103 or other devices, and can be used to send data and / or instructions to the memory 6103 or other devices. For example, the interface circuit 6104 can read data and / or instructions stored in the memory 6103 and send the data and / or instructions to the processor 6101.
[0289] The communication device 6100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 6100 described in this disclosure is not limited thereto, and the structure of the communication device 6100 may not be limited by FIG. 6A. The communication device may be a standalone device or a part of a larger device. For example, the communication device may be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data, programs and / or instructions; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.
[0290] Figure 6B is a schematic diagram of the structure of chip 6200 according to an embodiment of this disclosure. For cases where the communication device 6100 can be a chip or a chip system, please refer to the schematic diagram of chip 6200 shown in Figure 6B, but it is not limited thereto.
[0291] Chip 6200 includes one or more processors 6201. Chip 6200 is used to perform any of the methods described above.
[0292] In some embodiments, chip 6200 further includes one or more interface circuits 6202. Optionally, terms such as interface circuit, interface, and transceiver pin can be used interchangeably. In some embodiments, chip 6200 further includes one or more memories 6203 for storing data and / or instructions. Optionally, all or part of the memories 6203 may be located outside of chip 6200. Optionally, interface circuit 6202 is connected to memory 6203, and interface circuit 6202 can be used to receive data and / or instructions from memory 6203 or other devices, and interface circuit 6202 can be used to send data and / or instructions to memory 6203 or other devices. For example, interface circuit 6202 can read data and / or instructions stored in memory 6203 and send the data and / or instructions to processor 6201.
[0293] In some embodiments, the interface circuit 6202 performs at least one of the communication steps, such as sending and / or receiving, in the above-described method. For example, the interface circuit 6202 performing the communication steps, such as sending and / or receiving, in the above-described method means that the interface circuit 6202 performs data and / or instruction interaction between the processor 6201, the chip 6200, the memory 6203, or the transceiver device. In some embodiments, the processor 6201 performs at least one of the other steps.
[0294] The modules and / or devices described in the various embodiments, such as virtual devices, physical devices, and chips, can be combined or separated arbitrarily as needed. Optionally, some or all steps can also be performed collaboratively by multiple modules and / or devices, which is not limited here.
[0295] This disclosure also proposes a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform any of the above methods. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.
[0296] This disclosure also proposes a program product, including a program and / or instructions, which, when executed by a communication device, cause the communication device to perform any of the above methods. Optionally, the program product is a computer program product. Optionally, the program product is stored on the storage medium.
[0297] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods.
[0298] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer programs. When the computer program is loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this disclosure are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer program can be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another. For example, the computer program can be transferred from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., high-density digital video discs (DVDs)), or semiconductor media (e.g., solid-state drives (SSDs)).
[0299] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this disclosure.
[0300] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0301] The above description is merely a specific embodiment of this disclosure, but the scope of protection of this disclosure is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this disclosure should be included within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure should be determined by the scope of the claims.
Claims
1. A communication method, characterized in that, The method, executed by the first network element, includes: Receive a first request sent by a second network element; wherein the first request includes first information, the first information includes relevant information of a third network element, the first request is used to request the first network element to verify whether the third network element can become a serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; Send a first response to the second network element; the first response is used to indicate whether the third network element can become the serving network element of the terminal.
2. The method as described in claim 1, characterized in that, The method further includes: The local policy determines whether the third network element can become the serving network element of the terminal.
3. The method as described in claim 1 or 2, characterized in that, The method further includes: In response to the third network element becoming a serving network element of the terminal, the first information is added to the context information of the terminal.
4. The method according to any one of claims 1-3, characterized in that, The method further includes: The terminal receives a second request sent by a fourth network element. The second request includes second information, which includes relevant information about the fourth network element. The second request is used to request the fourth network element to be registered as a service network element of the terminal. A second response is sent to the fourth network element, the second response being used to indicate whether the fourth network element can register as a serving network element of the terminal.
5. The method as described in claim 4, characterized in that, The method further includes: Determine whether the fourth network element has successfully completed authentication with the terminal.
6. The method as described in claim 5, characterized in that, Determining whether the fourth network element has successfully completed authentication with the terminal includes: Determine the first network information corresponding to the network element that has recently successfully completed authentication with the terminal; Based on the first network information and the second network information corresponding to the fourth network element, it is determined whether the fourth network element has successfully completed authentication with the terminal.
7. The method according to any one of claims 4-6, characterized in that, The method further includes: If the fourth network element fails to complete authentication with the terminal, a local policy is used to determine whether the fourth network element can be registered as a service network element for the terminal.
8. The method according to any one of claims 4-6, characterized in that, The method further includes: If the fourth network element fails to complete authentication with the terminal, it is determined whether the first information and the second information are consistent. The first information is consistent with the second information, confirming that the fourth network element can be registered as a serving network element of the terminal; Since the first information is inconsistent with the second information, it is determined that the fourth network element cannot be registered as a service network element of the terminal.
9. A communication method, characterized in that, The method, executed by the second network element, includes: Send a first request to the first network element; wherein the first request includes first information, the first information includes relevant information of the third network element, the first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; The system receives a first response from the first network element, wherein the first response is used to indicate whether the third network element can become a serving network element of the terminal.
10. The method as described in claim 9, characterized in that, Sending the first request to the first network element includes: Receive a third request sent by the third network element, the third request being used to request the context information of the terminal; Perform security verification on the third request; The third request, after passing security verification, sends the first request to the first network element.
11. The method as described in claim 9 or 10, characterized in that, The method further includes: The first response indicates that the third network element can become the serving network element of the terminal, and a third response is sent to the third network element, the third response including the context information of the terminal; or The first response includes a failure response, which indicates that the third network element cannot become the serving network element of the terminal. A third response is then sent to the third network element, which includes a failure indication.
12. A first network element, characterized in that, include: The transceiver module is used to receive a first request sent by a second network element; wherein the first request includes first information, the first information includes relevant information of a third network element, the first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; The transceiver module is also used to send a first response to the second network element; The first response is used to indicate whether the third network element can become the serving network element of the terminal.
13. A second network element, characterized in that, include: The transceiver module is used to send a first request to a first network element; wherein the first request includes first information, the first information includes relevant information of a third network element, the first request is used to request the first network element to verify whether the third network element can become the serving network element of the terminal, the third network element is the network element to which the terminal will switch, and the second network element is the current serving network element of the terminal; The transceiver module is further configured to receive a first response sent by the first network element, the first response being used to indicate whether the third network element can become a serving network element of the terminal.
14. A first network element, characterized in that, include: One or more processors; The network device is used to perform the method according to any one of claims 1 to 8.
15. A second network element, characterized in that, include: One or more processors; The terminal is used to execute the method according to any one of claims 9 to 11.
16. A communication system, characterized in that, It includes a first network element and a second network element, wherein the first network element is configured to implement the method according to any one of claims 1 to 8, and the second network element is configured to implement the method according to any one of claims 9 to 11.
17. A storage medium storing instructions, characterized in that, When the instructions are executed on a communication device, the communication device performs the method as claimed in any one of claims 1 to 8 or claims 9 to 11.
18. A program product, characterized in that, It includes a computer program that, when executed by a communication device, implements the method as claimed in any one of claims 1 to 8 or 9 to 11.