Communication methods, and apparatus
By establishing an authentication process confirmation mechanism between the first network element and the second network element, the problem of fraud attacks on unauthenticated network elements is solved, thus ensuring communication security.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date
- 2025-01-08
- Publication Date
- 2026-07-16
Smart Images

Figure CN2025071365_16072026_PF_FP_ABST
Abstract
Description
Communication methods and devices Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a communication method and apparatus. Background Technology
[0002] In related technologies, when the first network element receives a request message from the second network element requesting the registration of the second network element as a service network element for the terminal, it can register the terminal's service network element as the second network element. However, the first network element does not support confirmation of whether the second network element has successfully completed authentication with the terminal. If the second network element fails to complete authentication with the terminal, it may not be the actual network element serving the terminal. Attackers can easily use the second network element that does not actually serve the terminal to carry out fraudulent attacks. Summary of the Invention
[0003] This disclosure provides a communication method and apparatus for a first network element to confirm whether a second network element has successfully completed authentication with a terminal, and then to decide whether to add the information of the second network element to the context of the terminal and whether to register the second network element as a serving network element of the terminal based on the confirmation result, so as to avoid directly registering the second network element as a serving network element of the terminal, thereby avoiding fraud attacks and ensuring the information security of communication.
[0004] This disclosure presents a communication method and apparatus.
[0005] According to a first aspect of the present disclosure, a communication method is proposed, executed by a first network element, comprising: determining that a second network element requests to register as a service network element of a terminal, and that the second network element has failed to complete authentication with the terminal; sending a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; receiving a second message sent by the second network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; and determining whether to add information of the second network element to the context of the terminal.
[0006] In the above embodiments, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's service network element, so as to avoid directly registering the second network element as the terminal's service network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0007] According to a second aspect of the present disclosure, a communication method is proposed, executed by a second network element, comprising: receiving a first message sent by a first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of a terminal, and the second network element has failed to complete authentication with the terminal, the first message being used to instruct the second network element to perform an authentication process with the terminal; and sending a second message to the first network element, wherein the second message is used to instruct the second network element whether to perform the authentication process with the terminal, and the second message is also used by the second network element to determine whether to add information of the second network element in the context of the terminal.
[0008] In the above embodiments, if the second network element fails to successfully complete authentication with the terminal after registering with the first network element as a serving network element of the terminal, the second network element can receive a first message sent by the first network element, instructing the second network element to perform the authentication process with the terminal. The second network element can also send a second message to the first network element, instructing the second network element whether to proceed with the authentication process with the terminal. Thus, the first network element can determine whether to add the information of the second network element to the context of the terminal and whether to register the second network element as a serving network element of the terminal based on the second message sent by the second network element. This avoids directly registering the second network element as a serving network element of the terminal, prevents fraud attacks, and ensures the information security of communication.
[0009] According to a third aspect of the present disclosure, a communication method is proposed, comprising: a first network element determining that a second network element requests to register as a service network element of a terminal, and the second network element fails to complete authentication with the terminal; the first network element sending a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; the second network element receiving the first message sent by the first network element; the second network element sending a second message to the first network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; the first network element receiving the second message sent by the second network element; and the first network element determining whether to add information of the second network element to the context of the terminal.
[0010] According to a fourth aspect of the embodiments of this disclosure, a first network element is proposed, comprising: a processing module, configured to determine that a second network element requests to register as a service network element of a terminal, and the second network element has failed to complete authentication with the terminal; a transceiver module, configured to send a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; the transceiver module is further configured to receive a second message sent by the second network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; and the processing module is further configured to determine whether to add information of the second network element to the context of the terminal.
[0011] According to a fifth aspect of the present disclosure, a second network element is provided, comprising: a transceiver module, configured to receive a first message sent by a first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of a terminal, and the second network element has failed to complete authentication with the terminal, and the first message is used to instruct the second network element to perform an authentication process with the terminal; the transceiver module is further configured to send a second message to the first network element, wherein the second message is used to instruct the second network element whether to perform the authentication process with the terminal, and the second message is also used by the second network element to determine whether to add information of the second network element in the context of the terminal.
[0012] According to a sixth aspect of the present disclosure, a first network element is provided, comprising: one or more processors, wherein the first network element is configured to perform the method described in the first aspect.
[0013] According to a seventh aspect of the present disclosure, a second network element is provided, comprising: one or more processors, wherein the second network element is configured to perform the method described in the second aspect.
[0014] According to an eighth aspect of the present disclosure, a communication device is provided, comprising: one or more processors; and a memory coupled to the processors, the memory storing instructions which, when executed by the processors, cause the communication device to perform the method as described in at least one of the first and second aspects.
[0015] According to a ninth aspect of the present disclosure, a communication system is provided, including: a first network element and a second network element; the first network element performs the method as described in the first aspect, and the second network element performs the method as described in the second aspect embodiment.
[0016] According to a tenth aspect of the present disclosure, a computer storage medium is provided, wherein the computer storage medium stores computer-executable instructions; after being executed by a processor, the computer-executable instructions are capable of implementing the method described in at least one aspect of the first aspect and the second aspect.
[0017] According to an eleventh aspect of the present disclosure, a computer program product is provided, wherein the computer program product stores a computer program; after being executed by a processor, the computer program is able to implement the method described in at least one aspect of the first aspect and the second aspect.
[0018] Additional aspects and advantages of this disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this disclosure. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of this disclosure, the accompanying drawings required for the description of the embodiments are introduced below. The following drawings are only some embodiments of this disclosure and do not impose specific limitations on the protection scope of this disclosure.
[0020] Figure 1 is an architecture diagram of a communication system provided in an embodiment of this disclosure;
[0021] Figure 2A is a flowchart of a communication method provided in an embodiment of this disclosure;
[0022] Figure 2B is a flowchart of another communication method provided in an embodiment of this disclosure;
[0023] Figure 2C is a flowchart of another communication method provided in an embodiment of this disclosure;
[0024] Figure 2D is a flowchart of another communication method provided in an embodiment of this disclosure;
[0025] Figure 3A is a flowchart of another communication method provided in an embodiment of this disclosure;
[0026] Figure 3B is a flowchart of another communication method provided in an embodiment of this disclosure;
[0027] Figure 3C is a flowchart of another communication method provided in an embodiment of this disclosure;
[0028] Figure 3D is a flowchart of another communication method provided in an embodiment of this disclosure;
[0029] Figure 4A is a flowchart of another communication method provided in an embodiment of this disclosure;
[0030] Figure 4B is a flowchart of another communication method provided in an embodiment of this disclosure;
[0031] Figure 4C is a flowchart of another communication method provided in an embodiment of this disclosure;
[0032] Figure 5 is a flowchart of another communication method provided in an embodiment of this disclosure;
[0033] Figure 6A is a structural diagram of a first network element provided in an embodiment of this disclosure;
[0034] Figure 6B is a structural diagram of a second network element provided in an embodiment of this disclosure;
[0035] Figure 7A is a structural diagram of a communication device provided in an embodiment of this disclosure;
[0036] Figure 7B is a structural diagram of a chip provided in an embodiment of this disclosure. Detailed Implementation
[0037] This disclosure presents a communication method and apparatus.
[0038] In a first aspect, embodiments of this disclosure propose a communication method executed by a first network element, comprising: determining that a second network element requests to register as a service network element of a terminal, and that the second network element has failed to complete authentication with the terminal; sending a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; receiving a second message sent by the second network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; and determining whether to add information of the second network element to the context of the terminal.
[0039] In the above embodiments, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's service network element, so as to avoid directly registering the second network element as the terminal's service network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0040] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: a first network element determining to add information of a second network element to the context of the terminal, wherein the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal.
[0041] In the above embodiments, when the first network element receives the second message sent by the second network element confirming that the second network element is performing the authentication process with the terminal, it can determine to add the information of the second network element in the context of the terminal to register the second network element as a temporary service network element of the terminal.
[0042] In conjunction with some embodiments of the first aspect, in some embodiments the above method further includes: the first network element determining to start a timer.
[0043] In the above embodiments, the first network element adds the information of the second network element to the context of the terminal and starts a timer to monitor whether the second network element has successfully completed authentication with the terminal during the timer's timing period. This can prevent fraud attacks and ensure the information security of communication.
[0044] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element determining not to delete the information of the third network element in the context of the terminal, wherein the third network element is the serving network element of the current terminal.
[0045] In the above embodiments, the first network element adds the information of the second network element to the context of the terminal. It can determine that the information of the third network element, which is the current service network element of the terminal, will not be deleted. In order to ensure that when it is determined that the second network element cannot serve as the terminal's service network element, the third network element can continue to provide services to the terminal as the terminal's service network element, thus ensuring the accurate execution of communication.
[0046] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element sending a third message to the second network element, wherein the third message is used to indicate that the second network element has been successfully registered as a serving network element of the terminal.
[0047] In the above embodiments, after the first network element adds the information of the second network element to the context of the terminal, it can send a third message to the second network element to indicate that the second network element has been successfully registered as the terminal's serving network element, so as to instruct the second network element to provide services to the terminal.
[0048] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element determining that the second network element has successfully completed authentication with the terminal; sending a fourth message to the third network element, wherein the fourth message is used to instruct the third network element to register as the terminal's serving network element.
[0049] In the above embodiments, if the first network element determines that the second network element has successfully completed authentication with the terminal, it can register the third network element as the terminal's serving network element, thereby achieving a successful switch of the terminal's serving network element from the third network element to the second network element.
[0050] In conjunction with some embodiments of the first aspect, in some embodiments, the information of the second network element includes a first identifier indicating that the second network element is a temporary serving network element, and the above method further includes: the first network element determining the first identifier in the context of the deleted terminal, and the information of the third network element, wherein the third network element is the serving network element of the current terminal.
[0051] In the above embodiments, when the first network element determines that the second network element is registered as the service network element of the terminal, and registers the third network element as the service network element of the terminal, it can delete the first identifier in the context of the terminal that indicates that the second network element is a temporary service network element, and delete the information of the third network element, so as to realize the successful switching of the service network element of the terminal from the third network element to the second network element.
[0052] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element determining that the timer has expired, the second network element failing to complete authentication with the terminal, and deleting the information of the second network element from the context of the terminal.
[0053] In the above embodiments, when the first network element adds the information of the second network element in the context of the terminal, the information of the third network element is not deleted. That is, the second network element is used as a service network element for the temporary service terminal. If the timer expires and the second network element fails to complete the authentication with the terminal, the information of the second network element can be deleted. Since the information of the third network element is still retained in the context of the terminal, the third network element can continue to serve as a service network element for the terminal and provide services to the terminal, thus ensuring communication performance.
[0054] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element sending a fifth message to the second network element, wherein the second message is used to instruct the second network element to refuse to perform the authentication process with the terminal, and the fifth message is used to instruct to refuse to register the second network element as a service network element of the terminal.
[0055] In the above embodiments, if the second network element refuses to perform the authentication process with the terminal when the first network element instructs the second network element to do so, the first network element can refuse to register the second network element as the terminal's service network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0056] In conjunction with some embodiments of the first aspect, in some embodiments, the above method further includes: the first network element determining the first network information corresponding to the network element that has most recently successfully completed authentication with the terminal; and determining whether the second network element has successfully completed authentication with the terminal based on the first network information and the second network information corresponding to the second network element.
[0057] In the above embodiments, the first network element can determine whether the first network information corresponding to the network element that has recently successfully completed authentication with the terminal corresponds to the second network information of the second network element, thereby confirming whether the second network element has successfully completed authentication with the terminal. Based on the confirmation result, it can then decide whether to register the second network element as a service network element of the terminal, thus avoiding direct registration of the second network element as a service network element of the terminal, preventing fraud attacks, and ensuring the information security of communication.
[0058] Secondly, embodiments of this disclosure propose a communication method executed by a second network element, comprising: receiving a first message sent by a first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of the terminal, and the second network element has failed to complete authentication with the terminal, the first message being used to instruct the second network element to perform an authentication process with the terminal; and sending a second message to the first network element, wherein the second message is used to instruct the second network element whether to perform the authentication process with the terminal, and the second message is also used by the second network element to determine whether to add the information of the second network element in the context of the terminal.
[0059] In the above embodiments, if the second network element fails to successfully complete authentication with the terminal after registering with the first network element as a serving network element of the terminal, the second network element can receive a first message sent by the first network element, instructing the second network element to perform the authentication process with the terminal. The second network element can also send a second message to the first network element, instructing the second network element whether to proceed with the authentication process with the terminal. Thus, the first network element can determine whether to add the information of the second network element to the context of the terminal and whether to register the second network element as a serving network element of the terminal based on the second message sent by the second network element. This avoids directly registering the second network element as a serving network element of the terminal, prevents fraud attacks, and ensures the information security of communication.
[0060] In conjunction with some embodiments of the second aspect, in some embodiments, the above method further includes: the second network element receiving a third message sent by the first network element, wherein the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal, and the third message is used to indicate that the second network element has been successfully registered as the service network element of the terminal.
[0061] In conjunction with some embodiments of the second aspect, in some embodiments, the above method further includes: the second network element receiving a fifth message sent by the first network element, wherein the second message is used to instruct the second network element to refuse to perform the authentication process with the terminal, and the fifth message is used to instruct the device that refuses to register the second network element as a service terminal.
[0062] In conjunction with some embodiments of the second aspect, in some embodiments, the above method further includes: the second network element sending a sixth message to the third network element, wherein the sixth message is used to indicate that the terminal's serving network element failed to switch from the third network element to the second network element, or that the terminal's serving network element failed to be updated from the third network element to the second network element.
[0063] Thirdly, embodiments of this disclosure propose a communication method, comprising: a first network element determining that a second network element requests to register as a service network element of a terminal, and the second network element has failed to complete authentication with the terminal; the first network element sending a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; the second network element receiving the first message sent by the first network element; the second network element sending a second message to the first network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; the first network element receiving the second message sent by the second network element; and the first network element determining whether to add the information of the second network element in the context of the terminal.
[0064] Fourthly, embodiments of this disclosure propose a first network element, comprising: a processing module, configured to determine that a second network element requests to register as a service network element of a terminal, and that the second network element has failed to complete authentication with the terminal; a transceiver module, configured to send a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; the transceiver module is further configured to receive a second message sent by the second network element, wherein the second message is used to instruct the second network element whether to confirm the execution of the authentication process with the terminal; and the processing module is further configured to determine whether to add information of the second network element to the context of the terminal.
[0065] Fifthly, this disclosure provides a second network element, comprising: a transceiver module, configured to receive a first message sent by a first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of the terminal, and the second network element has failed to complete authentication with the terminal, and the first message is used to instruct the second network element to perform an authentication process with the terminal; the transceiver module is further configured to send a second message to the first network element, wherein the second message is used to instruct the second network element whether to perform the authentication process with the terminal, and the second message is also used by the second network element to determine whether to add the information of the second network element in the context of the terminal.
[0066] In a sixth aspect, a first network element is proposed, comprising: one or more processors, wherein the first network element is used to execute the method described in the first aspect.
[0067] In a seventh aspect, a second network element is proposed, comprising: one or more processors, wherein the second network element is used to execute the method described in the second aspect.
[0068] Eighthly, this disclosure provides a communication device comprising: one or more processors; and a memory coupled to the processors, the memory storing instructions which, when executed by the processors, cause the communication device to perform the method described in at least one of the first and second aspects.
[0069] Ninthly, embodiments of this disclosure provide a communication system comprising: a first network element and a second network element; wherein the first network element is configured to perform the method as described in the first aspect, and the second network element is configured to perform the method as described in the second aspect.
[0070] In a tenth aspect, embodiments of this disclosure provide a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform the method as described in at least one of the first and second aspects.
[0071] In one aspect, embodiments of this disclosure provide a program product that, when executed by a communication device, causes the communication device to perform the method as described in at least one of the first and second aspects.
[0072] In a twelfth aspect, embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the method as described in at least one of the first and second aspects.
[0073] In a thirteenth aspect, embodiments of this disclosure provide a chip or chip system. The chip or chip system includes processing circuitry configured to perform the methods described in at least one of the first and second aspects described above.
[0074] It is understood that the aforementioned communication equipment, communication system, storage medium, program product, etc., are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.
[0075] This disclosure provides a communication method and apparatus. In some embodiments, the terms "communication method" and "information processing method" or "information transmission method" can be used interchangeably.
[0076] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments. In all embodiments of this disclosure, unless otherwise specified or logically conflicting, the terminology and / or descriptions between the embodiments are consistent and can be mutually referenced. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.
[0077] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.
[0078] In this disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular or a plural expression.
[0079] In the embodiments disclosed herein, "multiple" refers to two or more.
[0080] In some embodiments, the terms “at least one of A or B, at least one of A and B”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.
[0081] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of whether there is a branch B); in some embodiments, B (execute B regardless of whether there is a branch A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, both A and B are executed. The same applies when there are more branches such as A, B, C, etc.
[0082] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execute A regardless of whether a branch B exists); in some embodiments, B (execute B regardless of whether a branch A exists); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, and C.
[0083] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.
[0084] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
[0085] In some embodiments, terms such as "time / frequency" and "time-frequency domain" refer to the time domain and / or frequency domain.
[0086] In some embodiments, terms such as “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “when…”, “if…”, etc. can be used interchangeably. These descriptions all refer to the device making a corresponding action under certain objective circumstances. They do not necessarily limit the time, nor do they require the device to make a judgment action when implementing it, nor do they mean that there must be other limitations.
[0087] In some embodiments, the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.
[0088] In some embodiments, devices, etc., may be interpreted as physical or virtual, and their names are not limited to those described in the embodiments. Terms such as “device,” “equipment,” “circuit,” “network element,” “network function,” “network device,” “function,” “node,” “unit,” “section,” “system,” “network,” “chip,” “chip system,” “entity,” and “subject” are interchangeable.
[0089] In some embodiments, "network" can be interpreted as devices included in a network (e.g., access network devices, core network devices, etc.).
[0090] In some embodiments, the terms "access network device (AN device)," "radio access network device (RAN device)," "base station (BS)," "radio base station," "fixed station," "node," "access point," "transmission point (TP)," "reception point (RP)," "transmission / reception point (TRP)," "panel," "antenna panel," "antenna array," "cell," "macro cell," "small cell," "femto cell," "pico cell," "sector," "cell group," "serving cell," "carrier," "component carrier," and "bandwidth part (BWP)" can be used interchangeably.
[0091] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", "subscriber station", "mobile unit", "subscriber unit", "wireless unit", "remote unit", "mobile device", "wireless device", "wireless communication device", "remote device", "mobile subscriber station", "access terminal", "mobile terminal", "wireless terminal", "remote terminal", "handset", "user agent", "mobile client", and "client" can be used interchangeably.
[0092] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.
[0093] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.
[0094] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.
[0095] In some embodiments, data, information, etc., may be obtained with the user's consent.
[0096] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.
[0097] Figure 1 is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
[0098] Figure 1 is an architecture diagram of a communication system provided in an embodiment of this disclosure.
[0099] As shown in Figure 1, the communication system 100 includes multiple terminals 101 and network devices 102.
[0100] In some embodiments, terminal 101 includes, but is not limited to, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) terminal, augmented reality (AR) terminal, wireless terminal in industrial control, wireless terminal in self-driving, wireless terminal in remote medical surgery, wireless terminal in smart grid, wireless terminal in transportation safety, wireless terminal in smart city, and wireless terminal in smart home.
[0101] In some embodiments, network device 102 may include at least one of access network device and core network device.
[0102] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include, but is not limited to, at least one of the following in a 5G communication system: evolved Node B (eNB), next-generation eNB (ng-eNB), next-generation Node B (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), radio backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in a 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in a Wi-Fi system.
[0103] In some embodiments, the access network device may be a satellite.
[0104] In some embodiments, the core network equipment may be a single device, multiple devices, or a group of devices, including all or part of a first network element, a second network element, a third network element, a fourth network element, etc. Network elements may be virtual or physical. The core network may include, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), a 6G Core Network (6GCN), and a Next Generation Core (NGC).
[0105] In some embodiments, the first network element is used to manage terminal identifiers, subscription data, authentication data, etc., and is also responsible for the service network element registration management of the terminal, and stores the terminal's subscription information. In this embodiment of the disclosure, the terminal's context is also stored.
[0106] In some embodiments, the second network element is used for access control and mobility management of the terminal in the access network (e.g., public land mobile network, PLMN) where the second network element is located, including mobility state management, assigning temporary user identity identifiers, authenticating and authorizing users, etc.
[0107] In some embodiments, the third network element and the second network element have the same function, but handle different access networks.
[0108] In some embodiments, the first network element is, for example, a unified data management (UDM) network element.
[0109] In some embodiments, the second network element is, for example, an access and mobility management function (AMF) network element.
[0110] In some embodiments, the third network element is, for example, an AMF network element.
[0111] In some embodiments, at least one of the first network element, the second network element, and the third network element can be independent of the core network equipment.
[0112] In some embodiments, at least one of the first network element, the second network element, and the third network element may be part of the core network equipment.
[0113] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions proposed in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions proposed in this disclosure are also applicable to similar technical problems.
[0114] The following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1, or to some of the main bodies, but are not limited thereto. The main bodies shown in FIG1 are illustrative. The communication system may include all or some of the main bodies in FIG1, or may include other main bodies outside of FIG1. The number and form of each main body are arbitrary. Each main body may be physical or virtual. The connection relationship between the main bodies is illustrative. The main bodies may not be connected or may be connected. The connection can be in any way, it can be a direct connection or an indirect connection, it can be a wired connection or a wireless connection.
[0115] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), Super 3G, IMT-Advanced, 4th Generation Mobile Communication System (4G), 5th Generation Mobile Communication System (5G), 5G New Radio (NR), 6th Generation Mobile Communication System (6G), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New Radio Access (NX), Future Generation Radio Access (FX), Global System for Mobile Communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, ultra-wideband (UWB), Bluetooth (a registered trademark), public land mobile network (PLMN) networks, device-to-device (D2D) systems, machine-to-machine (M2M) systems, internet of things (IoT) systems, vehicle-to-everything (V2X) systems, systems utilizing other communication methods, and next-generation systems built upon them. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).
[0116] In related technologies, when the first network element receives a request message from the second network element requesting the second network element to register the second network element as a service network element of the terminal, it can register the terminal's service network element as the second network element. However, the first network element does not support confirmation of whether the second network element has successfully completed authentication with the terminal. If the second network element fails to complete authentication with the terminal, it may not be the actual network element serving the terminal. Attackers can easily use the second network element that does not actually serve the terminal to carry out fraudulent attacks.
[0117] Based on this, embodiments of this disclosure provide a communication method and apparatus. The method includes: a first network element determining that a second network element requests to register as a serving network element of a terminal, and the second network element has failed to complete authentication with the terminal; sending a first message to the second network element, wherein the first message instructs the second network element to perform an authentication process with the terminal; receiving a second message sent by the second network element, wherein the second message instructs the second network element whether to confirm the execution of the authentication process with the terminal; and determining whether to add information of the second network element to the context of the terminal. Thus, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add information of the second network element to the context of the terminal and whether to register the second network element as a serving network element of the terminal based on the confirmation result. This avoids directly registering the second network element as a serving network element of the terminal, prevents fraud attacks, and ensures information security in communication.
[0118] Figure 2A is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 2A, the embodiments of the present disclosure relate to a communication method, which includes:
[0119] S201A, the first network element determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal.
[0120] In some embodiments, when a first network element receives a first request message sent by a second network element requesting to register the second network element as a serving network element of a terminal, the first network element can determine that the second network element requests to register as a serving network element of the terminal.
[0121] In some embodiments, when the first network element receives a second request message sent by the terminal's current serving network element, requesting to register the current serving network element and register the second network element as the terminal's serving network element, the first network element can determine that the second network element requests to register as the terminal's serving network element.
[0122] In this embodiment of the disclosure, when the first network element determines that the second network element requests to register as a service network element of the terminal, it can confirm whether the second network element has successfully completed authentication with the terminal.
[0123] In some embodiments, the first network element determines the first network information corresponding to the network element that has most recently successfully completed authentication with the terminal; based on the first network information and the second network information corresponding to the second network element, it determines whether the second network element has successfully completed authentication with the terminal.
[0124] It is understandable that when a network element successfully completes authentication with the terminal, the first network element stores the network information corresponding to the network element that most recently successfully completed authentication with the terminal. Optionally, the first network element stores the network information corresponding to the network element that most recently successfully completed authentication with the terminal in the context of the terminal, so that the first network element can determine whether the second network element has successfully completed the authentication process with the terminal based on the stored network information corresponding to the network element that most recently successfully completed authentication with the terminal, and the network information corresponding to the second network element. In some embodiments, the network information is information about the PLMN, such as the PLMN's identifier (ID). Optionally, when a network element successfully completes authentication with the terminal, the first network element stores the network element information corresponding to the network element that most recently successfully completed authentication with the terminal. The first network element stores the network element information corresponding to the network element that most recently successfully completed authentication with the terminal in the context of the terminal, so that the first network element can determine whether the second network element has successfully completed the authentication process with the terminal based on the stored network element information corresponding to the network element that most recently successfully completed authentication with the terminal, and the network element information corresponding to the second network element. In some embodiments, the network element information is information about the network element, such as the network element's identifier (ID).
[0125] In this embodiment of the disclosure, the first network element can determine the information of the first PLMN corresponding to the network element that most recently successfully completed authentication with the terminal, and determine whether the second network element has successfully completed authentication with the terminal based on the information of the first PLMN and the information of the second PLMN corresponding to the second network element. In some embodiments, the PLMN information can be the identifier of the PLMN.
[0126] In this embodiment of the disclosure, the first network element can determine the network element information corresponding to the network element that has most recently successfully completed authentication with the terminal, and determine whether the second network element has successfully completed authentication with the terminal based on the network element information and the information of the second network element corresponding to the second network element. In some embodiments, the network element information can be a network element identifier.
[0127] In some embodiments, during the authentication process between a network element and a terminal, the network element sends its corresponding PLMN information and / or network element information to the authentication server function (AUSF) network element. The AUSF network element determines the authentication result between the network element and the terminal, and sends the corresponding PLMN information and / or network element information, along with indication information, to the first network element, indicating whether the network element has successfully completed authentication with the terminal. The first network element can then determine, based on the indication information, the network element information and / or the first network information corresponding to the network element that most recently successfully completed authentication with the terminal, thereby determining whether the second network element has successfully completed authentication with the terminal.
[0128] In some embodiments, the first network element is used for the management of terminal identifier, subscription data, authentication data, and the registration management of the terminal's service network element, and stores the terminal's subscription information.
[0129] In some embodiments, the first network element stores the context of the terminal.
[0130] In some embodiments, the first network element is a UDM.
[0131] In some embodiments, the second network element is used for access control and mobility management of the terminal access network (e.g., PLMN), including mobility state management, assigning temporary user identities, authenticating and authorizing users, etc.
[0132] In some embodiments, the second network element is an AMF.
[0133] S202A, the first network element sends the first message to the second network element.
[0134] In some embodiments, the second network element receives the first message sent by the first network element, but is not limited thereto. The second network element may also receive the first message sent by other entities other than the first network element, in which case S202A can be omitted.
[0135] In some embodiments, the second network element obtains the first message specified by the protocol, in which case S202A can be omitted.
[0136] In some embodiments, the second network element obtains the first message from the upper layer(s), in which case S202A can be omitted.
[0137] In some embodiments, the second network element processes the data to obtain the first message, in which case S202A can be omitted.
[0138] In some embodiments, the second network element autonomously implements the function indicated by the first message, or the above function is a default or default value, in which case S202A can be omitted.
[0139] In some embodiments, if the first network element determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal, the first network element sends a first message to the second network element.
[0140] In some embodiments, if the first network element determines that the second network element requests to register as a service network element for the terminal, and the second network element fails to complete authentication with the terminal, the first network element sends a first message to the second network element according to the local policy.
[0141] In some embodiments, the first message is used to instruct the second network element to perform an authentication process with the terminal.
[0142] In some embodiments, the first network element initiates a terminal context management re-registration notification (Nudm_UECM_Re-authenticationNotification) request and sends a first message to the second network element, instructing the second network element to perform the authentication process with the terminal.
[0143] S203A, the second network element sends a second message to the first network element.
[0144] In some embodiments, the first network element receives a second message sent by the second network element, but is not limited thereto. The first network element may also receive a second message sent by other entities other than the second network element, in which case S203A can be omitted.
[0145] In some embodiments, the first network element obtains the second message specified by the protocol, in which case S203A can be omitted.
[0146] In some embodiments, the first network element obtains the second message from the upper layer(s), in which case S203A can be omitted.
[0147] In some embodiments, the first network element processes the data to obtain the second message, in which case S203A can be omitted.
[0148] In some embodiments, the first network element autonomously implements the function indicated by the second message, or the above function is a default or default setting, in which case S203A can be omitted.
[0149] In some embodiments, the second message is used to indicate whether the second network element confirms the execution of the authentication process with the terminal.
[0150] In some embodiments, the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal.
[0151] In some embodiments, the second message is used to instruct the second network element to confirm that it will not perform the authentication process with the terminal.
[0152] In some embodiments, the second message is used to instruct the second network element to confirm whether to perform an authentication process with the terminal.
[0153] In some embodiments, when the second network element receives a first message from the first network element instructing the second network element to perform an authentication process with the terminal, the second network element may send a second message to the first network element instructing whether the second network element confirms the execution of the authentication process with the terminal.
[0154] In some embodiments, the second network element initiates a terminal context management re-registration notification response (Nudm_UECM_Re-authenticationNotification Response), sending a first message to the second network element, instructing the second network element to perform the authentication process with the terminal.
[0155] S204A, the first network element determines whether to add the information of the second network element in the context of the terminal.
[0156] In this embodiment of the disclosure, the first network element receives a second message sent by the second network element, and can determine whether the second network element confirms the execution of the authentication process with the terminal.
[0157] In this embodiment of the disclosure, the first network element determines whether to add the information of the second network element in the context of the terminal based on whether the second network element confirms the execution of the authentication process with the terminal.
[0158] In some embodiments, the first network element determines to add information of the second network element to the context of the terminal, wherein the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal.
[0159] In this embodiment of the disclosure, when the second network element confirms the execution of the authentication process with the terminal, the first network element determines to add the information of the second network element to the context of the terminal.
[0160] In some embodiments, the information of the second network element includes a first identifier, which is used to indicate that the second network element is a temporary serving network element of the terminal.
[0161] In cases where the second network element confirms that it will not perform the authentication process with the terminal, the first network element will refuse to add the second network element's information to the terminal's context.
[0162] In some embodiments, when the second message is used to instruct the second network element to refuse to perform the authentication process with the terminal, the first network element sends a fifth message to the second network element, the fifth message being used to instruct the second network element to refuse to register as a service network element for the terminal.
[0163] In some embodiments, if the second network element receives a fifth message from the first network element and determines that the first network element refuses to register the second network element as the terminal's serving network element, it sends a sixth message to the third network element. The sixth message is used to indicate that the terminal's serving network element failed to switch from the third network element to the second network element, or that the terminal's serving network element failed to be updated from the third network element to the second network element.
[0164] In some embodiments, when the second network element confirms the execution of the authentication process with the terminal, the first network element determines to start a timer, wherein the timer is used to time the duration for the second network element to execute the authentication process with the terminal.
[0165] In some embodiments, if the first network element determines that the timer has expired and the second network element has failed to complete authentication with the terminal, the information of the second network element is deleted from the terminal's context.
[0166] In this embodiment of the disclosure, if the timer expires and the first network element confirms that the second network element has failed to complete authentication with the terminal, then it can determine to delete the information of the second network element from the context of the terminal.
[0167] In some embodiments, if the first network element determines to add the information of the second network element to the context of the terminal, it also determines not to delete the information of the third network element in the context of the terminal, where the third network element is the serving network element of the current terminal.
[0168] In this embodiment of the disclosure, when the first network element determines that the second network element is registered as the service network element of the terminal, it can choose not to delete the information of the current service network element, i.e. the third network element, in the context of the terminal. This is so that when it is determined that the second network element cannot serve as the service network element of the terminal, the third network element can continue to provide services to the terminal as the service network element of the terminal, ensuring the accurate execution of communication.
[0169] In some embodiments, if the first network element determines that the information of the second network element has been added to the context of the terminal, it sends a third message to the second network element, wherein the third message is used to indicate that the second network element has been successfully registered as the terminal's serving network element.
[0170] In some embodiments, the first network element determines that the second network element has successfully completed authentication with the terminal, and sends a fourth message to the third network element. The fourth message is used to instruct the third network element to register as the terminal's serving network element.
[0171] In some embodiments, the information of the second network element includes a first identifier indicating that the second network element is a temporary serving network element. If the first network element determines that the second network element has successfully completed authentication with the terminal, the first identifier in the context of the terminal is determined to be deleted. The information of the third network element is the serving network element of the current terminal.
[0172] In some embodiments, the names of information, etc., are not limited to the names described in the embodiments. Terms such as "information", "message", "signal", "signaling", "report", "configuration", "indication", "instruction", "command", "channel", "parameter", "domain", "field", "symbol", "symbol", "codebook", "codeword", "codepoint", "bit", "data", "program", and "chip" can be used interchangeably.
[0173] In some embodiments, terms such as “moment,” “point in time,” “time,” and “time location” can be used interchangeably, as can terms such as “duration,” “segment,” “time window,” “window,” and “time.”
[0174] In some embodiments, "acquire," "get," "obtain," "receive," "transmit," "bidirectional transmission," and "send and / or receive" can be used interchangeably and can be interpreted as receiving from other entities, acquiring from protocols, acquiring from higher layers, obtaining through self-processing, or autonomous implementation. Protocols include, for example, at least one of the 3GPP protocol, Wi-Fi protocol, and audio and / or video protocols.
[0175] In some embodiments, terms such as “send,” “transmit,” “report,” “distribute,” “transfer,” “bidirectional transmission,” “send and / or receive” can be used interchangeably.
[0176] In some embodiments, terms such as "certain," "preset," "default," "set," "indicated," "a certain," "any," and "first" can be used interchangeably. "Certain A," "preset A," "default A," "set A," "indicated A," "a certain A," "any A," and "first A" can be interpreted as A pre-defined in a protocol or the like, or as A obtained through setting, configuration, or instruction, or as specific A, a certain A, any A, or first A, but are not limited thereto.
[0177] In some embodiments, the determination or judgment can be made by a value represented by 1 bit (0 or 1), or by a true or false value (boolean), or by a comparison of numerical values (e.g., a comparison with a predetermined value), but is not limited thereto.
[0178] By implementing the embodiments of this disclosure, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's serving network element, so as to avoid directly registering the second network element as the terminal's serving network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0179] The communication method involved in the embodiments of this disclosure may include at least one of S201A to S204A. For example, S201A may be implemented as a standalone embodiment, S202A may be implemented as a standalone embodiment, S203A may be implemented as a standalone embodiment, S204A may be implemented as a standalone embodiment, S201A+S202A may be implemented as a standalone embodiment, and S201A+S202A+S203A may be implemented as a standalone embodiment, but is not limited thereto.
[0180] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0181] Figure 2B is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 2B, the present disclosure relates to a communication method, which includes:
[0182] S201B, the first network element determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal.
[0183] The optional implementations of S201B can be found in the optional implementations of S201A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0184] S202B, the first network element sends the first message to the second network element.
[0185] The optional implementations of S202B can be found in the optional implementations of S202A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0186] S203B, the second network element sends a second message to the first network element.
[0187] The optional implementations of S203B can be found in the optional implementations of S203A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0188] In some embodiments, the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal.
[0189] S204B, the first network element determines to add the information of the second network element to the context of the terminal.
[0190] The optional implementations of S204B can be found in the optional implementations of S204A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0191] In some embodiments, the information of the second network element includes a first identifier, which is used to indicate that the second network element is a temporary serving network element of the terminal.
[0192] It is understandable that the first network element adds the information of the second network element to the context of the terminal, that is, registers the second network element as the terminal's serving network element.
[0193] S205B, the first network element determines to enable the timer.
[0194] S205B and S204B can be executed simultaneously or in reverse order.
[0195] In some embodiments, the timer is used to count down the timeframe for the second network element to perform the authentication process with the terminal.
[0196] In this embodiment of the disclosure, when the first network element receives a second message sent by the second network element, indicating that the second network element confirms the execution of the authentication process with the terminal, it can determine to enable a timer and start counting down to determine the authentication result between the second network element and the terminal.
[0197] Before the timer expires, the second network element can serve as the terminal's service network element. After the timer expires, if the second network element has not successfully completed authentication with the terminal, the first network element can delete the second network element's information from the terminal's context.
[0198] In some embodiments, the duration of the timer is determined based on protocol agreement or operator configuration, such as based on operator configuration files.
[0199] S206B, the first network element determines not to delete the information of the third network element in the context of the terminal.
[0200] S206B and S205B can be executed simultaneously or in reverse order, and S206B and S204B can be executed simultaneously or in reverse order.
[0201] In this embodiment of the disclosure, if the first network element receives a second message sent by the second network element, indicating that the second network element confirms the execution of the authentication process with the terminal, it can be determined not to delete the information of the third network element in the context of the terminal.
[0202] In this embodiment of the disclosure, when the first network element receives a second message sent by the second network element, instructing the second network element to confirm the execution of the authentication process with the terminal, it can determine to add the information of the second network element to the terminal's context and not delete the information of the third network element from the terminal's context. In this case, the second network element is a temporary serving network element for the terminal, and the third network element also serves as a serving network element for the terminal. Optionally, the information of the second network element added to the terminal's context includes a first identifier indicating that the second network element is a temporary serving network element.
[0203] In this embodiment of the disclosure, when the first network element receives a second message sent by the second network element, indicating that the second network element confirms the execution of the authentication process with the terminal, it can determine to enable the timer and not delete the information of the third network element in the context of the terminal.
[0204] In this embodiment of the present disclosure, when the first network element receives a second message sent by the second network element, indicating that the second network element confirms the execution of the authentication process with the terminal, it can determine to add the information of the second network element in the context of the terminal, and not delete the information of the third network element in the context of the terminal, and determine to enable the timer.
[0205] S207B, the first network element sends a third message to the second network element.
[0206] S207B and S205B can be executed simultaneously or in reverse order, and S207B and S206B can be executed simultaneously or in reverse order.
[0207] In some embodiments, the second network element receives a third message sent by the first network element, but is not limited thereto. The second network element may also receive a third message sent by other entities other than the first network element, in which case S207B can be omitted.
[0208] In some embodiments, the second network element obtains a third message as specified by the protocol, in which case S207B can be omitted.
[0209] In some embodiments, the second network element obtains the third message from the upper layer(s), in which case S207B can be omitted.
[0210] In some embodiments, the second network element processes the data to obtain the third message, in which case S207B can be omitted.
[0211] In some embodiments, the second network element autonomously implements the function indicated by the third message, or the above function is a default or default value, in which case S207B can be omitted.
[0212] In some embodiments, the third message is used to indicate that the second network element has been successfully registered as the service network element of the terminal.
[0213] In some embodiments, when the first network element adds the information of the second network element to the context of the terminal, it can send a third message to the second network element to indicate that the second network element has been successfully registered as a serving network element in the terminal.
[0214] In some embodiments, the third message includes indication information indicating that the second network element has been successfully registered as a temporary service network element of the terminal.
[0215] S208B: The first network element confirms that the second network element has successfully completed authentication with the terminal.
[0216] Understandably, when a network element successfully completes authentication with the terminal, the first network element stores the network information and / or network element information corresponding to the network element that most recently successfully completed authentication with the terminal. Therefore, the first network element can determine whether the second network element has successfully completed authentication with the terminal based on the stored network information and / or network element information corresponding to the network element that most recently successfully completed authentication with the terminal. In some embodiments, the network information is PLMN information, such as the PLMN's identifier (ID), and the network element information is network element information, such as the network element's identifier.
[0217] In this embodiment of the disclosure, the first network element can determine that the second network element has successfully completed authentication with the terminal if the PLMN information in the terminal's context is the same as the PLMN information corresponding to the second network element. Alternatively, the first network element can determine that the second network element has successfully completed authentication with the terminal if the network element information in the terminal's context is the same as the network element information corresponding to the second network element.
[0218] In some embodiments, if the first network element determines that a timer is enabled in S205B, the first network element determines whether the second network element has successfully completed authentication with the terminal after the timer expires.
[0219] In some embodiments, if the first network element determines that the timer is enabled in S205B, it receives the latest authentication result sent by AUSF before the timer expires. The first network element can determine whether the second network element has successfully completed authentication with the terminal based on the latest authentication result. If the authentication is successfully completed, the timer is stopped and the process continues to be executed according to the successful authentication case.
[0220] In this embodiment of the disclosure, the first network element can determine that the second network element has successfully completed authentication with the terminal if the PLMN identifier in the context of the terminal is the same as the PLMN identifier corresponding to the second network element.
[0221] In this embodiment of the disclosure, the first network element can determine that the second network element has successfully completed authentication with the terminal based on the identifier of the network element in the terminal context. If the identifier of the network element is the identifier of the second network element, the first network element can determine that the second network element has successfully completed authentication with the terminal.
[0222] S209B, the first network element sends the fourth message to the third network element.
[0223] In some embodiments, the third network element receives a fourth message sent by the first network element, but is not limited thereto. The third network element may also receive a fourth message sent by other entities other than the first network element, in which case S209B can be omitted.
[0224] In some embodiments, the third network element obtains the fourth message specified by the protocol, in which case S209B can be omitted.
[0225] In some embodiments, the third network element obtains the fourth message from the upper layer(s), in which case S209B can be omitted.
[0226] In some embodiments, the third network element processes the data to obtain the fourth message, in which case S209B can be omitted.
[0227] In some embodiments, the third network element autonomously implements the function indicated by the fourth message, or the above function is a default or default setting, in which case S209B can be omitted.
[0228] In some embodiments, the fourth message is used to instruct a third network element to be registered as a serving network element for the terminal.
[0229] In this embodiment of the disclosure, if the first network element confirms that the second network element has successfully completed authentication with the terminal, it can determine to register the third network element as the terminal's service network element, thereby the first network element sends a fourth message to the third network element.
[0230] In some embodiments, the third network element is an AMF.
[0231] In some embodiments, the third network element is the serving network element of the current terminal.
[0232] In some embodiments, the second network element is the target AMF and the third network element is the source AMF, and the terminal needs to switch from the source AMF to the target AMF.
[0233] In some embodiments, when a third network element receives a fourth message sent by a first network element, and the fourth message is used to instruct the third network element to register as a serving network element for the terminal, the third network element may delete the terminal's context information.
[0234] S210B, the first network element determines the first identifier in the context of the deleted terminal, as well as the information of the third network element.
[0235] In this embodiment of the disclosure, if the first network element determines that the second network element is registered as the service network element of the terminal, and then registers the third network element as the service network element of the terminal, it can be determined to delete the first identifier indicating that the second network element is a temporary service network element and the information of the third network element in the context of the terminal.
[0236] By implementing the embodiments of this disclosure, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's serving network element, so as to avoid directly registering the second network element as the terminal's serving network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0237] The communication method involved in the embodiments of this disclosure may include at least one of S201B to S210B. For example, S201B, S202B, S203B, S204B, S205B, S206B, S207B, S208B, S209B, and S210B may be implemented as independent embodiments. +S202B can be implemented as a standalone embodiment; S201B+S202B+S203B can be implemented as a standalone embodiment; S201B+S202B+S203B+S204B can be implemented as a standalone embodiment; S201B+S202B+S203B+S204B+S205B can be implemented as a standalone embodiment; S201B+S202B+S203B+S204B+S206B can be implemented as a standalone embodiment; S201B+S202B+S203B+S S204B+S205B+S206B can be implemented as an independent embodiment, S201B+S202B+S203B+S204B+S207B can be implemented as an independent embodiment, S201B+S202B+S203B+S204B+S205B+S207B can be implemented as an independent embodiment, S201B+S202B+S203B+S204B+S206B+S207B can be implemented as an independent embodiment, S201B+S202B+S203B+S206B+S207B can be implemented as an independent embodiment, S201B+S202B+S203B+S20 4B+S205B+S206B+S207B can be implemented as an independent embodiment, S201B+S202B+S203B+S204B+S208B can be implemented as an independent embodiment, S201B+S202B+S203B+S204B+S208B+S209B can be implemented as an independent embodiment, and S201B+S202B+S203B+S204B+S205B+S206B+S208B+S210B can be implemented as an independent embodiment, but are not limited thereto.
[0238] In some embodiments, S205B and S204B can be executed simultaneously or in a different order, S206B and S205B can be executed simultaneously or in a different order, S206B and S204B can be executed simultaneously or in a different order, S207B and S205B can be executed simultaneously or in a different order, and S207B and S206B can be executed simultaneously or in a different order.
[0239] In some embodiments, S205B, S206B, S207B, S208B, S209B, and S210B are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0240] In some embodiments, steps S206B, S207B, S208B, S209B, and S210B are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0241] In some embodiments, S205B, S207B, S208B, S209B, and S210B are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0242] In some embodiments, S205B and S209B are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0243] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0244] Figure 2C is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 2C, the embodiments of the present disclosure relate to a communication method, which includes:
[0245] S201C, the first network element determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal.
[0246] The optional implementations of S201C can be found in the optional implementations of S201A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0247] S202C, the first network element sends the first message to the second network element.
[0248] The optional implementations of S202C can be found in the optional implementations of S202A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0249] S203C, the second network element sends a second message to the first network element.
[0250] The optional implementations of S203C can be found in the optional implementations of S203A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0251] In some embodiments, the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal.
[0252] S204C, the first network element determines to add the information of the second network element to the context of the terminal.
[0253] The optional implementations of S204C can be found in the optional implementations of S204A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0254] S205C, the first network element determines to enable the timer.
[0255] The optional implementation of S205C can be found in the optional implementation of S204A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0256] The optional implementations of S205C can be found in the optional implementations of S205B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0257] S205C and S204C can be executed simultaneously or in reverse order.
[0258] S206C, the first network element determines not to delete the information of the third network element in the context of the terminal.
[0259] The optional implementations of S206C can be found in the optional implementations of S206B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0260] S206C and S205C can be executed simultaneously or in reverse order, and S206C and S204C can be executed simultaneously or in reverse order.
[0261] S207C, the first network element sends a third message to the second network element.
[0262] The optional implementations of S207C can be found in the optional implementations of S207B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0263] S207C and S205C can be executed simultaneously or in reverse order, and S207C and S206C can be executed simultaneously or in reverse order.
[0264] S208C: The timer for the first network element expires, and the second network element fails to complete authentication with the terminal. The information of the second network element is then deleted from the terminal's context.
[0265] Understandably, when a network element successfully completes authentication with the terminal, the first network element stores the network information and / or network element information corresponding to the network element that most recently successfully completed authentication with the terminal. Therefore, the first network element can determine whether the second network element has successfully completed authentication with the terminal based on the stored network information and / or network element information corresponding to the network element that most recently successfully completed authentication with the terminal. In some embodiments, the network information is PLMN information, such as the PLMN's identifier (ID). The network element information is network element information, such as the network element's identifier.
[0266] In this embodiment of the present disclosure, the first network element can determine that the second network element has failed to complete authentication with the terminal if the PLMN information in the context of the terminal is not the same as the PLMN information corresponding to the second network element.
[0267] In this embodiment of the disclosure, the first network element can determine that the second network element has failed to complete authentication with the terminal if the network element information in the context of the terminal is not the same as the network element information corresponding to the second network element.
[0268] In this embodiment of the disclosure, the first network element can determine that the second network element has failed to complete authentication with the terminal if the PLMN identifier in the context of the terminal is not the same as the PLMN identifier corresponding to the second network element.
[0269] In this embodiment of the disclosure, the first network element can determine that the second network element has failed to complete authentication with the terminal if the network element information is not the same as the network element identifier corresponding to the second network element, based on the network element identifier in the context of the terminal.
[0270] In this embodiment of the disclosure, if the second network element fails to complete authentication with the terminal when the timer expires, the second network element's information can be deleted from the terminal's context, and the first identifier used to indicate that the second network element is a temporary serving network element can be deleted. Optionally, the timer will not be restarted.
[0271] In some embodiments, if the second network element fails to complete authentication with the terminal when the timer expires, it will not deregister with the third network element, and the third network element will still serve as the terminal's service network element.
[0272] By implementing the embodiments of this disclosure, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's serving network element, so as to avoid directly registering the second network element as the terminal's serving network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0273] The communication method involved in the embodiments of this disclosure may include at least one of S201C to S208C. For example, S201C can be implemented as a standalone embodiment, S202C can be implemented as a standalone embodiment, S203C can be implemented as a standalone embodiment, S204C can be implemented as a standalone embodiment, S205C can be implemented as a standalone embodiment, S206C can be implemented as a standalone embodiment, S207C can be implemented as a standalone embodiment, S208C can be implemented as a standalone embodiment, and S201C+S202C can be implemented as standalone embodiments. +S202C+S203C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C+S205C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C+S206C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C+S205C+S 206C can be implemented as a standalone embodiment; S201C+S202C+S203C+S204C+S207C can be implemented as a standalone embodiment; S201C+S202C+S203C+S204C+S205C+S207C can be implemented as a standalone embodiment; S201C+S202C+S203C+S204C+S206C+S207C can be implemented as a standalone embodiment; S201C+S202C+S203 ... 4C+S205C+S206C+S207C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C+S208C can be implemented as an independent embodiment, S201C+S202C+S203C+S204C+S208C can be implemented as an independent embodiment, and S201C+S202C+S203C+S204C+S205C+S206C+S208C can be implemented as an independent embodiment, but are not limited thereto.
[0274] In some embodiments, S205C and S204C can be executed simultaneously or in a different order, S206C and S205C can be executed simultaneously or in a different order, S206C and S204C can be executed simultaneously or in a different order, S207C and S205C can be executed simultaneously or in a different order, and S207C and S206C can be executed simultaneously or in a different order.
[0275] In some embodiments, S205C, S206C, S207C, and S208C are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0276] In some embodiments, S206C, S207C, and S208C are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0277] In some embodiments, S205C, S207C, and S208C are optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0278] In some embodiments, S205C is optional, and one or more of these steps may be omitted or substituted in different embodiments.
[0279] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0280] Figure 2D is an interactive schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 2D, the embodiments of the present disclosure relate to a communication method, which includes:
[0281] S201D, the first network element determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal.
[0282] The optional implementations of S201D can be found in the optional implementations of S201A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0283] S202D: The first network element sends the first message to the second network element.
[0284] The optional implementations of S202D can be found in the optional implementations of S202A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0285] S203D, the second network element sends a second message to the first network element.
[0286] The optional implementations of S203D can be found in the optional implementations of S203A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0287] In some embodiments, the second message is used to instruct the second network element to confirm that it will not perform the authentication process with the terminal.
[0288] S204D, the first network element determines not to add the second network element's information to the terminal's context.
[0289] The optional implementations of S204C can be found in the optional implementations of S204A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0290] In this embodiment of the disclosure, the first network element receives a second message sent by the second network element and determines that the second network element confirms that it will not perform the authentication process with the terminal. The first network element can determine that it will not add the information of the second network element in the context of the terminal.
[0291] In this embodiment of the disclosure, the first network element receives a second message sent by the second network element and determines that the second network element confirms that it will not perform the authentication process with the terminal. The first network element can determine, according to its local policy, not to add the information of the second network element in the context of the terminal.
[0292] S205D, the first network element sends the fifth message to the second network element.
[0293] In some embodiments, the second network element receives a fifth message sent by the first network element, but is not limited thereto. The second network element may also receive a fifth message sent by other entities other than the first network element, in which case S205D can be omitted.
[0294] In some embodiments, the second network element obtains the fifth message specified by the protocol, in which case S205D can be omitted.
[0295] In some embodiments, the second network element obtains the fifth message from the upper layer(s), in which case S205D can be omitted.
[0296] In some embodiments, the second network element processes the data to obtain the fifth message, in which case S205D can be omitted.
[0297] In some embodiments, the second network element autonomously implements the function indicated by the fifth message, or the above function is a default or default setting, in which case S205D can be omitted.
[0298] S205D and S204D can be executed simultaneously or in reverse order.
[0299] In some embodiments, the fifth message is used to indicate that the service network element for the terminal is refused to register the second network element.
[0300] In this embodiment of the disclosure, if the first network element receives a second message from the second network element and determines that the second network element confirms that it will not perform the authentication process with the terminal, the first network element may send a fifth message to the second network element, indicating that it will refuse to register the second network element as the service network element of the terminal.
[0301] In some embodiments, the first network element may indicate the reason for the failure to register the second network element as a service network element for the terminal in the fifth message.
[0302] S206D, the second network element sends the sixth message to the third network element.
[0303] In some embodiments, the third network element receives the sixth message sent by the second network element, but is not limited thereto. The third network element may also receive the sixth message sent by other entities other than the second network element, in which case S206D can be omitted.
[0304] In some embodiments, the third network element obtains the sixth message specified by the protocol, in which case S206D can be omitted.
[0305] In some embodiments, the third network element obtains the sixth message from the upper layer(s), in which case S206D can be omitted.
[0306] In some embodiments, the third network element processes the data to obtain the sixth message, in which case S206D can be omitted.
[0307] In some embodiments, the third network element autonomously implements the function indicated by the sixth message, or the above function is a default or default setting, in which case S206D can be omitted.
[0308] In some embodiments, the sixth message is used to indicate that the terminal's service network element failed to switch from the third network element to the second network element, or that the terminal's service network element failed to be updated from the third network element to the second network element.
[0309] In this embodiment of the disclosure, when the second network element receives the fifth message sent by the first network element and determines that the first network element refuses to register the second network element as the service network element of the terminal, it sends a sixth message to the third network element, indicating that the switching of the terminal's service network element from the third network element to the second network element has failed, or the update of the terminal's service network element from the third network element to the second network element has failed.
[0310] In some embodiments, S206D and S204D are executed simultaneously or in reverse order, and S206D and S205D are executed simultaneously or in reverse order.
[0311] In some embodiments, the third network element is an AMF.
[0312] In some embodiments, the third network element is the serving network element of the current terminal.
[0313] In some embodiments, the second network element is the target AMF and the third network element is the source AMF, and the terminal needs to switch from the source AMF to the target AMF.
[0314] By implementing the embodiments of this disclosure, the first network element can confirm whether the second network element has successfully completed authentication with the terminal, and then decide whether to add the information of the second network element in the context of the terminal, and whether to register the second network element as the terminal's serving network element, so as to avoid directly registering the second network element as the terminal's serving network element, thereby avoiding fraud attacks and ensuring the information security of communication.
[0315] The communication methods involved in the embodiments of this disclosure may include at least one of S201D to S206D. For example, S201D can be implemented as an independent embodiment, S202D can be implemented as an independent embodiment, S203D can be implemented as an independent embodiment, S204D can be implemented as an independent embodiment, S205D can be implemented as an independent embodiment, S206D can be implemented as an independent embodiment, S201D+S202D+S203D can be implemented as an independent embodiment, S201D+S202D+S203D+S204D+S205D can be implemented as an independent embodiment, S201D+S202D+S203D+S204D+S206D can be implemented as an independent embodiment, but are not limited thereto.
[0316] In some embodiments, S205D and S204D can be executed simultaneously or in a different order, S206D and S204D can be executed simultaneously or in a different order, and S206D and S205D can be executed simultaneously or in a different order.
[0317] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0318] Figure 3A is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3A, the embodiment of the present disclosure relates to a communication method, which is executed by a first network element, and the method includes:
[0319] S301A: It is determined that the second network element requested to register as a serving network element of the terminal, and the second network element failed to complete the authentication with the terminal.
[0320] The optional implementations of S301A can be found in the optional implementations of S201A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0321] S302A, send the first message.
[0322] The optional implementation of S302A can be found in the optional implementation of S202A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0323] S303A, obtain the second message.
[0324] The optional implementations of S303A can be found in the optional implementations of S203A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0325] S304A determines whether to add information about the second network element to the terminal's context.
[0326] The optional implementation of S304A can be found in the optional implementation of S204A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0327] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0328] Figure 3B is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3B, the embodiment of the present disclosure relates to a communication method, which is executed by a first network element, and the method includes:
[0329] S301B: It is determined that the second network element requested to register as a serving network element of the terminal, and the second network element failed to complete the authentication with the terminal.
[0330] The optional implementation of S301B can be found in the optional implementation of S201B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0331] S302B, send the first message.
[0332] The optional implementation of S302B can be found in the optional implementation of S202B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0333] S303B, obtain the second message.
[0334] The optional implementations of S303B can be found in the optional implementations of S203B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0335] S304B determines to add information about the second network element to the context of the terminal.
[0336] The optional implementation of S304B can be found in the optional implementation of S204B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0337] S305B, confirm that the timer is enabled.
[0338] The optional implementations of S305B can be found in the optional implementations of S205B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0339] S306B determines that the information of the third network element in the context of the terminal will not be deleted.
[0340] The optional implementations of S306B can be found in the optional implementations of S206B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0341] S307B, send the third message.
[0342] The optional implementations of S307B can be found in the optional implementations of S207B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0343] S308B confirms that the second network element has successfully completed authentication with the terminal.
[0344] The optional implementations of S308B can be found in the optional implementations of S208B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0345] S309B, send the fourth message.
[0346] The optional implementations of S309B can be found in the optional implementations of S209B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0347] S310B determines the first identifier in the context of the deleted terminal, as well as the information of the third network element.
[0348] The optional implementation of S310B can be found in the optional implementation of S210B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0349] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0350] Figure 3C is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3C, the embodiment of the present disclosure relates to a communication method, which is executed by a first network element, and the method includes:
[0351] S301C: It is determined that the second network element requested to register as a serving network element of the terminal, and the second network element failed to complete the authentication with the terminal.
[0352] The optional implementation of S301C can be found in the optional implementation of S201C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0353] S302C, send the first message.
[0354] The optional implementation of S302C can be found in the optional implementation of S202C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0355] S303C, obtain the second message.
[0356] The optional implementations of S303C can be found in the optional implementations of S203C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0357] S304C determines to add information about the second network element to the context of the terminal.
[0358] The optional implementation of S304C can be found in the optional implementation of S204C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0359] S305C, confirm that the timer is enabled.
[0360] The optional implementations of S305C can be found in the optional implementations of S205C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0361] S306C determines not to delete the information of the third network element in the context of the terminal.
[0362] The optional implementations of S306C can be found in the optional implementations of S206C in Figure 2C and other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0363] S307C, send the third message.
[0364] The optional implementations of S307C can be found in the optional implementations of S207C in Figure 2C and other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0365] S308C determines that the timer has expired, the second network element has failed to complete authentication with the terminal, and deletes the information of the second network element from the terminal's context.
[0366] The optional implementations of S308C can be found in the optional implementations of S208C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0367] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0368] Figure 3D is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 3D, the embodiment of the present disclosure relates to a communication method, which is executed by a first network element, and the method includes:
[0369] S301D: It is determined that the second network element requested to register as a serving network element of the terminal, and the second network element failed to complete the authentication with the terminal.
[0370] The optional implementations of S301D can be found in the optional implementations of S201D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0371] S302D, send the first message.
[0372] The optional implementation of S302D can be found in the optional implementation of S202D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0373] S303D, retrieve second message.
[0374] The optional implementation of S303D can be found in the optional implementation of S203D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0375] S304D determines that information about the second network element will not be added to the context of the terminal.
[0376] The optional implementation of S304D can be found in the optional implementation of S204D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0377] S305D, sending the fifth message.
[0378] The optional implementations of S305D can be found in the optional implementations of S205D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0379] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0380] Figure 4A is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 4A, the embodiment of the present disclosure relates to a communication method, which is executed by a second network element, and the method includes:
[0381] S401A, Get First Message.
[0382] The optional implementation of S401A can be found in the optional implementation of S202A in Figure 2A, as well as other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0383] S402A, send the second message.
[0384] The optional implementation of S402A can be found in the optional implementation of S203A in Figure 2A and other related parts in the embodiments involved in Figure 2A, which will not be repeated here.
[0385] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0386] Figure 4B is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 4B, the embodiment of the present disclosure relates to a communication method, which is executed by a second network element, and the method includes:
[0387] S401B, Get First Message.
[0388] The optional implementation of S401B can be found in the optional implementation of S202B in Figure 2B, as well as other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0389] The optional implementation of S401B can be found in the optional implementation of S202C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0390] S402B, send the second message.
[0391] The optional implementation of S402B can be found in the optional implementation of S203B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0392] The optional implementation of S402B can be found in the optional implementation of S203C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0393] S403B, obtain third message.
[0394] The optional implementation of S403B can be found in the optional implementation of S207B in Figure 2B and other related parts in the embodiments involved in Figure 2B, which will not be repeated here.
[0395] The optional implementation of S403B can be found in the optional implementation of S207C in Figure 2C, as well as other related parts in the embodiments involved in Figure 2C, which will not be repeated here.
[0396] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0397] Figure 4C is a schematic diagram illustrating a communication method according to an embodiment of the present disclosure. As shown in Figure 4C, the embodiment of the present disclosure relates to a communication method, which is executed by a second network element, and the method includes:
[0398] S401C, Get First Message.
[0399] The optional implementation of S401C can be found in the optional implementation of S202D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0400] S402C, send the second message.
[0401] The optional implementation of S402C can be found in the optional implementation of S203D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0402] S403C, retrieve fifth message.
[0403] The optional implementation of S402C can be found in the optional implementation of S205D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0404] S404C, send the sixth message.
[0405] The optional implementation of S404C can be found in the optional implementation of S206D in Figure 2D and other related parts in the embodiments involved in Figure 2D, which will not be repeated here.
[0406] In some embodiments, the steps and their optional implementations in other embodiments described before or after this embodiment, as well as other related parts in the specification, can be referred to, and will not be repeated here.
[0407] To facilitate understanding of the embodiments of this disclosure, an exemplary embodiment is provided.
[0408] In an exemplary embodiment, 5G offers better security compared to 4G by strengthening home control to prevent certain types of fraud. When the home network receives a request from the visited network-as-a-service (SN), the home network is able to verify whether the device is indeed being served by the visited network.
[0409] This increased attribution control appears in 5GS in the following form:
[0410] - For EAP-AKA', when the EAP-Response / AKA'-Challenge received by the AUSF is successfully verified, the AUSF in the home network will be confirmed, that is, the UE has successfully authenticated its identity through the specific serving network.
[0411] - For 5G AKA, when the AUSF receives the authentication confirmation in the Nausf_UEAuthentication_Authenticate request message and it is successfully verified, the AUSF in the home network obtains confirmation that the UE has successfully completed authentication through a certain serving network.
[0412] Enhanced home control features help prevent certain types of fraud, such as fraudulent Nudm_UECM_Registration requests that register themselves as the AMF of the visited network in the home network's UDM, claiming to be serving users who do not actually exist in the visited network. However, the authentication protocol itself does not prevent such fraud. Authentication results need to be linked to subsequent procedures, such as the Nudm_UECM_Registration procedure, to achieve the required protection.
[0413] However, such fraudulent attacks can still be launched during PLMN handovers. During PLMN handovers, the new AMF can obtain the UE security context from the old AMF without performing a re-authentication process and register itself as the subscriber's serving AMF in the UDM. Without performing a re-authentication process, entities in the home network (such as AFSFs and UDMs) cannot link the authentication result to the serving network to which the registered AMF belongs. Therefore, any AMF can successfully register as the subscriber's serving AMF in the subscriber's UDM, making it easy for attackers to use this AMF for fraudulent attacks.
[0414] The main objectives of this disclosure are as follows:
[0415] -Prevent fraudulent attacks during PLMN handover;
[0416] - Ensure that the home network can maintain the target AMF's pending instructions and timers without linking them to the authentication results.
[0417] In some embodiments, as shown in Figure 5, the method of re-authentication triggered by the AMF registration procedure is illustrated by taking the first network element as UDM, the second network element as target AMF, and the third network element as source AMF as an example.
[0418] 1. The UE sends a registration request for mobile registration update. The GUTI generated by the source AMF is included in the registration request.
[0419] 2. The target AMF uses the UE's 5G-GUTI to determine the source AMF. The target AMF sends a context request to the source AMF, including the GUTI, access type, and the received registration request.
[0420] 3. The source AMF uses the UE security context to check the integrity of the registration request. If the verification passes, the source AMF can provide the Kamf / Kamf* to the target AMF by sending a context response.
[0421] 4. The target AMF calls the UDM's Nudm_UECM_Registration service.
[0422] 5. If no successful authentication process is performed between the target AMF and the UE, and there is no authentication result that can be linked to the target AMF's service PLMN, the UDM can send a re-authentication notification message to the target AMF.
[0423] 6. The target AMF returns a response message.
[0424] 7. If the target AMF returns a confirmation message, the UDM can add the target AMF information and pending flag to the UE context and start the re-authentication timer according to the local policy.
[0425] Note: Source AMF information will not be deleted from the UE context.
[0426] Otherwise, the UDM will reject the AMF registration, and the target AMF will invoke the Namf_Communication_RegistrationStatusUpdate service operation, displaying a rejection indication to the source AMF. The source AMF will continue as if it had never received the UE context transfer service operation. In this case, steps 8-12 will be skipped.
[0427] 8. UDM returns confirmation of the target AMF.
[0428] 9. Execution includes SMF selection, PCF selection, etc.
[0429] Note: UDM does not perform the source AMF deregistration process. The source AMF still maintains the UE context.
[0430] Success stories:
[0431] 10. The target AMF initiates the re-authentication process.
[0432] 11. After the re-authentication process between the target AMF and the UE is successful, the UDM will invoke the source AMF to complete the registration process. The source AMF will delete the stored UE context and release all AS resources.
[0433] Failure Case:
[0434] 12. If the re-authentication timer expires and the authentication process between the target AMF and the UE is not successfully performed, the UDM will delete the target AMF information stored in the UE context according to the local policy.
[0435] By implementing embodiments of this disclosure, after linking the authentication result and the target AMF, the UDM should be able to register with the source AMF. If a registration request is received from the target AMF, and no authentication procedure has been performed previously, the UDM should be able to initiate a re-authentication notification procedure. If a re-authentication confirmation message is returned from the target AMF, the UDM should be able to update the UE context. The UDM should be able to maintain a pending flag and a timer in the UE context. Once the timer expires, and re-authentication between the UE and the target AMF has not been successfully performed, the UDM should be able to delete the target AMF information.
[0436] This disclosure also proposes an apparatus (also referred to as a communication device, etc.) for implementing any of the above methods. For example, an apparatus is proposed, which includes units or modules for implementing the steps performed by the first network element in any of the above methods. Furthermore, another apparatus is proposed, which includes units or modules for implementing the steps performed by the second network element in any of the above methods.
[0437] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.
[0438] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a microprocessor), or a digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a Neural Network Processing Unit (NPU), a Tensor Processing Unit (TPU), or a Deep Learning Processing Unit (DPU).
[0439] Figure 6A is a schematic diagram of the structure of the first network element proposed in an embodiment of this disclosure. As shown in Figure 6A, the first network element 401 may include at least one of a transceiver module 4011, a processing module 4012, etc.
[0440] In some embodiments, the processing module 4012 is used to determine that the second network element requests to register as a service network element of the terminal, and the second network element has failed to complete authentication with the terminal.
[0441] The transceiver module 4011 is used to send a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal.
[0442] The transceiver module 4011 is also used to receive a second message sent by the second network element, wherein the second message is used to indicate whether the second network element confirms the execution of the authentication process with the terminal.
[0443] The processing module 4012 is also used to determine whether to add information about the second network element in the context of the terminal.
[0444] Optionally, the transceiver module 4011 is used to perform at least one of the communication steps such as sending and / or receiving performed by the first network element 401 in any of the above methods (e.g., the communication steps such as sending and / or receiving performed by the first network element in S201A~S204A, S201B~S210B, S201C~S208C, S201D~S206D, S301A~S304A, S301B~S310B, S301C~S308C, S301D~S305D, but not limited to these), which will not be elaborated here. Optionally, the processing module 4012 is used to execute at least one of the other steps executed by the first network element 401 in any of the above methods (e.g., other steps besides the communication steps such as sending and / or receiving executed by the first network element in S201A~S204A, S201B~S210B, S201C~S208C, S201D~S206D, S301A~S304A, S301B~S310B, S301C~S308C, S301D~S305D, but not limited thereto), which will not be elaborated here.
[0445] In some embodiments, the transceiver module may include a sending module and / or a receiving module, which may be separate or integrated together.
[0446] In some embodiments, the processing module may be a single module or may include multiple sub-modules. Optionally, the multiple sub-modules may each perform all or part of the steps required by the processing module.
[0447] In some embodiments, the processing module can be replaced by the processor, and the transceiver module can be replaced by the transceiver.
[0448] Figure 6B is a schematic diagram of the structure of the second network element proposed in an embodiment of this disclosure. As shown in Figure 6B, the second network element 402 may include at least one of a transceiver module 4021, a processing module 4022, etc.
[0449] In some embodiments, the transceiver module 4021 is configured to receive a first message sent by the first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal. The first message is used to instruct the second network element to perform the authentication process with the terminal.
[0450] The transceiver module 4021 is also used to send a second message to the first network element, wherein the second message is used to instruct the second network element whether to perform the authentication process with the terminal, and the second message is also used by the second network element to determine whether to add the information of the second network element in the context of the terminal.
[0451] Optionally, the transceiver module 4021 is used to perform at least one of the communication steps such as sending and / or receiving performed by the second network element 402 in any of the above methods (e.g., the communication steps such as sending and / or receiving performed by the second network element in S201A~S204A, S201B~S210B, S201C~S208C, S201D~S206D, S401A~S402A, S401B~S403B, S401C~S404C, but not limited thereto), which will not be elaborated here. Optionally, the processing module 4022 is used to perform at least one of the other steps performed by the second network element 402 in any of the above methods (e.g., other steps besides the communication steps such as sending and / or receiving performed by the second network element in S201A~S204A, S201B~S210B, S201C~S208C, S201D~S206D, S401A~S402A, S401B~S403B, S401C~S404C, but not limited thereto), which will not be elaborated here.
[0452] In some embodiments, the transceiver module may include a sending module and / or a receiving module, which may be separate or integrated together.
[0453] In some embodiments, the processing module may be a single module or may include multiple sub-modules. Optionally, the multiple sub-modules may each perform all or part of the steps required by the processing module.
[0454] In some embodiments, the processing module can be replaced by the processor, and the transceiver module can be replaced by the transceiver.
[0455] Figure 7A is a schematic diagram of the structure of the communication device 5100 proposed in an embodiment of this disclosure. The communication device 5100 can be a first network element, a second network element, a chip, chip system, or processor that supports the first network element in implementing any of the above methods, or a chip, chip system, or processor that supports the second network element in implementing any of the above methods. The communication device 5100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.
[0456] As shown in Figure 7A, the communication device 5100 is used to execute any of the above methods. In some embodiments, the communication device 5100 includes one or more processors 5101. The processor 5101 may be a general-purpose processor or a special-purpose processor, such as a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control communication devices (e.g., base stations, baseband chips, terminals, terminal chips, DUs or CUs, etc.), execute programs, and process program data. Optionally, the communication device 5100 is used to execute any of the above methods. Optionally, one or more processors 5101 are used to invoke instructions to cause the communication device 5100 to execute any of the above methods.
[0457] In some embodiments, the communication device 5100 further includes one or more transceivers 5102. When the communication device 5100 includes one or more transceivers 5102, the transceivers 5102 perform the communication steps such as sending and / or receiving in the above-described method (e.g., sending and / or receiving in S201A-S204A, S201B-S210B, S201C-S208C, S201D-S206D, S301A-S304A, S301B-S310B, S301C-S308C, S301D-S305D, S401A-S402A, S401B-S403B, S401C-S404C). The processor 5101 performs at least one of the following steps (including, but not limited to, S201A-S204A, S201B-S210B, S201C-S208C, S201D-S206D, S301A-S304A, S301B-S310B, S301C-S308C, S301D-S305D, S401A-S402A, S401B-S403B, S401C-S404C, other than transmitting and / or receiving, but not limited to) steps. In an optional embodiment, the transceiver may include a receiver and / or a transmitter, which may be separate or integrated together. Optionally, terms such as transceiver, transceiver unit, transceiver, transceiver circuit, interface circuit, and interface can be used interchangeably; terms such as transmitter, transmitter unit, transmitter, and transmitter circuit can be used interchangeably; and terms such as receiver, receiver unit, receiver, and receiver circuit can be used interchangeably.
[0458] In some embodiments, the communication device 5100 further includes one or more memories 5103 for storing data and / or instructions. Optionally, one or more processors 5101 are used to invoke instructions stored in the memory 5103 to cause the communication device 5100 to perform any of the above methods. Optionally, all or part of the memory 5103 may also be located outside the communication device 5100. In an optional embodiment, the communication device 5100 may include one or more interface circuits 5104. Optionally, the interface circuit 5104 is connected to the memory 5103 and can be used to receive data and / or instructions from the memory 5103 or other devices, and can be used to send data and / or instructions to the memory 5103 or other devices. For example, the interface circuit 5104 can read data and / or instructions stored in the memory 5103 and send the data and / or instructions to the processor 5101.
[0459] The communication device 5100 described in the above embodiments may be a first network element or a second network element, but the scope of the communication device 5100 described in this disclosure is not limited thereto, and the structure of the communication device 5100 may not be limited by FIG7A. The communication device may be an independent device or may be part of a larger device. For example, the communication device may be: (1) an independent integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data, programs and / or instructions; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal, smart terminal, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.
[0460] Figure 7B is a schematic diagram of the structure of the chip 5200 proposed in an embodiment of this disclosure. For cases where the communication device 5100 can be a chip or a chip system, the schematic diagram of the chip 5200 shown in Figure 7B can be referred to, but is not limited thereto.
[0461] Chip 5200 includes one or more processors 5201. Chip 5200 is used to perform any of the methods described above.
[0462] In some embodiments, chip 5200 further includes one or more interface circuits 5202. Optionally, terms such as interface circuit, interface, and transceiver pin can be used interchangeably. In some embodiments, chip 5200 further includes one or more memories 5203 for storing data and / or instructions. Optionally, all or part of the memories 5203 may be located outside of chip 5200. Optionally, the interface circuit 5202 is connected to the memories 5203, and the interface circuit 5202 can be used to receive data and / or instructions from the memories 5203 or other devices, and the interface circuit 5202 can be used to send data and / or instructions to the memories 5203 or other devices. For example, the interface circuit 5202 can read data and / or instructions stored in the memories 5203 and send the data and / or instructions to the processor 5201.
[0463] In some embodiments, the interface circuit 5202 performs at least one of the communication steps such as sending and / or receiving in the above-described method (e.g., the sending and / or receiving steps in S201A-S204A, S201B-S210B, S201C-S208C, S201D-S206D, S301A-S304A, S301B-S310B, S301C-S308C, S301D-S305D, S401A-S402A, S401B-S403B, S401C-S404C, but not limited thereto). The interface circuit 5202 performing the communication steps such as sending and / or receiving in the above-described method refers, for example, to the interface circuit 5202 performing data and / or instruction interaction between the processor 5201, chip 5200, memory 5203, or transceiver device. In some embodiments, the processor 5201 performs at least one of other steps (e.g., steps other than sending and / or receiving in S201A-S204A, S201B-S210B, S201C-S208C, S201D-S206D, S301A-S304A, S301B-S310B, S301C-S308C, S301D-S305D, S401A-S402A, S401B-S403B, S401C-S404C, but not limited thereto).
[0464] The modules and / or devices described in the various embodiments, such as virtual devices, physical devices, and chips, can be combined or separated arbitrarily as needed. Optionally, some or all steps can also be performed collaboratively by multiple modules and / or devices, which is not limited here.
[0465] This disclosure also proposes a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform any of the above methods. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.
[0466] This disclosure also proposes a program product, including a program and / or instructions, which, when executed by a communication device, cause the communication device to perform any of the above methods. Optionally, the program product is a computer program product. Optionally, the program product is stored on the storage medium.
[0467] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods.
[0468] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this disclosure.
[0469] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0470] The above description is merely a specific embodiment of this disclosure, but the scope of protection of this disclosure is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this disclosure should be included within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure should be determined by the scope of the claims.
Claims
A communication method, characterized in that, The method is executed by the first network element and includes: It is determined that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal; Send a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; The second message sent by the second network element is received, wherein the second message is used to indicate whether the second network element confirms the execution of the authentication process with the terminal; Determine whether to add the information of the second network element to the context of the terminal. The method as described in claim 1, characterized in that, The method further includes: The information of the second network element is determined to be added to the context of the terminal, wherein the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal. The method as described in claim 2, characterized in that, The method further includes: Confirm the start timer. The method as described in claim 2 or 3, characterized in that, The method further includes: It is determined that the information of the third network element in the context of the terminal will not be deleted, where the third network element is the current serving network element of the terminal. The method as described in any one of claims 2 to 4, characterized in that, The method further includes: A third message is sent to the second network element, wherein the third message is used to indicate that the second network element has been successfully registered as the serving network element of the terminal. The method as described in claim 5, characterized in that, The method further includes: It is confirmed that the second network element has successfully completed authentication with the terminal; A fourth message is sent to the third network element, wherein the fourth message is used to instruct the third network element to register as the serving network element of the terminal. The method as described in claim 6, characterized in that, The information of the second network element includes a first identifier indicating that the second network element is a temporary serving network element, wherein the method further includes: It is determined that the first identifier in the context of the terminal and the information of the third network element, wherein the third network element is the current serving network element of the terminal, shall be deleted. The method as described in claim 3, characterized in that, The method further includes: If the timer expires and the second network element fails to complete authentication with the terminal, the information of the second network element is deleted from the context of the terminal. The method as described in claim 1, characterized in that, The method further includes: A fifth message is sent to the second network element, wherein the second message is used to instruct the second network element to refuse to perform the authentication process with the terminal, and the fifth message is used to instruct the second network element to refuse to register as the terminal's service network element. The method as described in any one of claims 1 to 9, characterized in that, The method further includes: Determine the first network information corresponding to the network element that has recently successfully completed authentication with the terminal; Based on the first network information and the second network information corresponding to the second network element, it is determined whether the second network element has successfully completed authentication with the terminal. A communication method, characterized in that, The method is executed by the second network element and includes: The system receives a first message sent by a first network element, wherein the first message is sent by the first network element when it determines that the second network element requests to register as a service network element of the terminal, and the second network element fails to complete authentication with the terminal. The first message is used to instruct the second network element to perform the authentication process with the terminal. A second message is sent to the first network element, wherein the second message is used to instruct the second network element whether to perform an authentication process with the terminal, and the second message is also used by the second network element to determine whether to add the information of the second network element in the context of the terminal. The method as described in claim 11, characterized in that, The method further includes: The system receives a third message sent by the first network element, wherein the second message is used to instruct the second network element to confirm the execution of the authentication process with the terminal, and the third message is used to indicate successful registration of the second network element as the service network element of the terminal. The method as described in claim 11, characterized in that, The method further includes: The system receives a fifth message sent by the first network element, wherein the second message is used to instruct the second network element to refuse to perform the authentication process with the terminal, and the fifth message is used to instruct the second network element to refuse to register as a device serving the terminal. The method as described in claim 13, characterized in that, The method further includes: A sixth message is sent to the third network element, wherein the sixth message is used to indicate that the switching of the terminal's serving network element from the third network element to the second network element has failed, or that the update of the terminal's serving network element from the third network element to the second network element has failed. A communication method, characterized in that, The first network element determines that the second network element requests to register as a service network element for the terminal, and the second network element fails to complete authentication with the terminal; The first network element sends a first message to the second network element, wherein the first message is used to instruct the second network element to perform an authentication process with the terminal; The second network element receives the first message sent by the first network element; The second network element sends a second message to the first network element, wherein the second message is used to indicate whether the second network element confirms the execution of the authentication process with the terminal; The first network element receives the second message sent by the second network element; The first network element determines whether to add the information of the second network element to the context of the terminal. A communication device, characterized in that, The communication device is used to perform the method according to any one of claims 1 to 10, 11 to 14. A communication system, characterized in that, It includes a first network element and a second network element, wherein the first network element is configured to implement the method of any one of claims 1 to 10, and the second network element is configured to implement the method of any one of claims 11 to 14. A storage medium storing instructions, characterized in that, When the instructions are executed on a communication device, the communication device performs the method as described in any one of claims 1 to 10, 11 to 14. A program product comprising at least one of a program and instructions, characterized in that: When at least one of the programs or instructions is executed by the communication device, it implements the method of any one of claims 1 to 10, 11 to 14.