Disclosure of Invention
In view of the above, it is an object of the present invention to provide a key processing method, system and storage medium.
According to a first aspect of the disclosure, a key processing method is provided, which includes that a relay UE and a service UE respectively send a discovery key request to corresponding network side equipment and receive a discovery key and a security parameter returned by the network side equipment, wherein information carried in the discovery key request includes a relay service code, the relay service code is used for indicating connection service provided by the relay UE to the service UE, and the relay UE and the service UE respectively use the discovery key and the security parameter to process a discovery message.
Optionally, the information carried by the relay service code comprises proximity-based service (ProSe) application information, or comprises ProSe application information together with UE-to-UE relay service information, wherein the ProSe application information is used for indicating the ProSe application expected to be acquired by the service UE, and the UE-to-UE relay service information is used for indicating the UE-to-UE relay service capability supported by the relay UE.
The network side equipment comprises first HPLMN network element equipment located in the HPLMN of the relay UE, and the relay UE sending the discovery key request to the corresponding network side equipment and receiving the discovery key and the security parameter returned by the network side equipment comprises: the relay UE sends the discovery key request to the first HPLMN network element equipment and receives the discovery key and the security parameter returned by the first HPLMN network element equipment, wherein the first HPLMN network element equipment performs authorization verification processing on the relay UE to confirm whether the relay UE has authority to provide the connection service indicated by the relay service code, and returns the discovery key and the security parameter associated with the relay service code to the relay UE after the relay UE passes the authorization verification; the first HPLMN network element equipment stores the discovery key and the security parameter, and stores the binding relation between the relay service code and the discovery key and the security parameter.
Optionally, the first HPLMN network element device performs authorization verification processing on the relay UE, where the first HPLMN network element device performs authorization verification processing on the relay UE based on locally stored subscription and authorization data information corresponding to the relay UE, or based on subscription and authorization data information returned by a first data storage network element device located in an HPLMN of the relay UE, or the first HPLMN network element device sends an authorization verification request corresponding to the relay UE to the first data storage network element device, receives an authorization verification result returned by the first data storage network element device, or the first HPLMN network element device sends an authorization verification request corresponding to the relay UE to a first ProSe application server or platform, and receives an authorization verification result returned by the first ProSe application server or platform.
The network side equipment comprises first VPLMN network element equipment located in a Visited Public Land Mobile Network (VPLMN) where the relay UE roams, and the relay UE sending the discovery key request to the corresponding network side equipment and receiving the discovery key and the security parameters returned by the network side equipment comprises: the relay UE sends the discovery key request to the first VPLMN network element equipment and receives the discovery key and the security parameters returned by the first VPLMN network element equipment, wherein the first VPLMN network element equipment forwards the discovery key request to the first HPLMN network element equipment based on HPLMN ID information which is stored by a local core network and corresponds to the home public land mobile network of the relay UE, and the first HPLMN network element equipment performs authorization verification processing on the relay UE, confirms whether the relay UE has authority to provide the connection service indicated by the relay service code, and, after the relay UE passes the authorization verification, sends the discovery key and the security parameters associated with the relay service code to the relay UE through the first VPLMN network element equipment.
Optionally, the first HPLMN network element device comprises a first HPLMN DDNMF located within the HPLMN of the relay UE and the first VPLMN network element device comprises a first VPLMN DDNMF located within the VPLMN where the relay UE roams.
The network side equipment comprises second HPLMN network element equipment located in the HPLMN of the service UE, and the service UE sending the discovery key request to the corresponding network side equipment and receiving the discovery key and the security parameter returned by the network side equipment comprises: the service UE sends the discovery key request to the second HPLMN network element equipment and receives the discovery key and the security parameter returned by the second HPLMN network element equipment, wherein the second HPLMN network element equipment performs authorization verification processing on the service UE to confirm whether the service UE has authority to use the connection service indicated by the relay service code; after determining that the service UE passes the authorization verification processing, the second HPLMN network element equipment inquires of a second ProSe application server or platform about candidate relay UEs meeting the condition of the relay service code; after receiving the ProSe application layer user ID of the relay UE returned by the second ProSe application server or platform, the second HPLMN network element equipment sends a key request to the first HPLMN network element equipment based on PLMN ID information in the ProSe application layer user ID of the relay UE, and sends the discovery key and the security parameter which are returned by the first HPLMN network element equipment and associated with the relay service code to the service UE, wherein the PLMN ID information is used for indicating the HPLMN of the relay UE.
Optionally, the authorization verification processing of the service UE by the second HPLMN network element device includes that the second HPLMN network element device performs authorization verification processing of the service UE based on locally stored subscription and authorization data information corresponding to the service UE or based on subscription and authorization data information returned by a second data storage network element device located in an HPLMN of the service UE, or the second HPLMN network element device sends an authorization verification request corresponding to the service UE to the second data storage network element device, receives an authorization verification result returned by the second data storage network element device, or the second HPLMN network element device sends an authorization verification request corresponding to the service UE to the second ProSe application server or platform, and receives an authorization verification result returned by the second ProSe application server or platform.
The network side equipment comprises second VPLMN network element equipment located in a VPLMN where the service UE roams, and the service UE sending the discovery key request to the corresponding network side equipment and receiving the discovery key and the security parameter returned by the network side equipment comprises: the service UE sends the discovery key request to the second VPLMN network element equipment and receives the discovery key and the security parameter returned by the second VPLMN network element equipment, wherein the second VPLMN network element equipment forwards the discovery key request to the second HPLMN network element equipment based on HPLMN ID information which is stored by a local core network and corresponds to the home public land mobile network of the service UE; the second HPLMN network element equipment performs authorization verification processing on the service UE, confirms whether the service UE has authorization to use the connection service indicated by the relay service code, and, after determining that the service UE passes the authorization verification processing, sends a key request to the first HPLMN network element equipment and sends the discovery key and the security parameter which are returned by the first HPLMN network element equipment and associated with the relay service code to the service UE through the second VPLMN network element equipment.
Optionally, the second HPLMN network element device includes a second HPLMN DDNMF located within the HPLMN of the service UE and the second VPLMN network element device includes a second VPLMN DDNMF located within the VPLMN where the service UE roams.
Optionally, the service UE comprises a source UE and a target UE, the discovery key comprises a confidentiality protection key, an integrity protection key and a scrambling protection key, and the security parameters comprise a time stamp and a validity period.
According to a second aspect of the disclosure, a key processing system is provided, wherein the relay UE, the service UE and the network side equipment are used for respectively sending a discovery key request to the corresponding network side equipment and receiving a discovery key and a security parameter returned by the network side equipment, the information carried in the discovery key request comprises a relay service code, the relay service code is used for indicating connection service provided by the relay UE to the service UE, and the relay UE and the service UE are also used for respectively processing the discovery message by using the discovery key and the security parameter.
Optionally, the information carried by the relay service code comprises proximity-based service (ProSe) application information, or comprises ProSe application information together with UE-to-UE relay service information, wherein the ProSe application information is used for indicating the ProSe application expected to be acquired by the service UE, and the UE-to-UE relay service information is used for indicating the UE-to-UE relay service capability supported by the relay UE.
The network side equipment comprises first HPLMN network element equipment located in the HPLMN of the relay UE, the relay UE is used for sending the discovery key request to the first HPLMN network element equipment and receiving the discovery key and the security parameter returned by the first HPLMN network element equipment, the first HPLMN network element equipment is used for conducting authorization verification processing on the relay UE, confirming whether the relay UE has authorization to provide the connection service indicated by the relay service code, and returning the discovery key and the security parameter associated with the relay service code to the relay UE after confirming that the relay UE passes the authorization verification, and the first HPLMN network element equipment is further used for storing the discovery key and the security parameter and storing the binding relation between the relay service code and the discovery key and the security parameter.
Optionally, the first HPLMN network element device is configured to perform authorization verification processing on the relay UE based on locally stored subscription and authorization data information corresponding to the relay UE, or based on subscription and authorization data information returned by a first data storage network element device located in the HPLMN of the relay UE, where the first HPLMN network element device is further configured to send an authorization verification request corresponding to the relay UE to the first data storage network element device, receive an authorization verification result returned by the first data storage network element device, or send an authorization verification request corresponding to the relay UE to a first ProSe application server or platform, and receive an authorization verification result returned by the first ProSe application server or platform.
The network side equipment comprises first VPLMN network element equipment located in a Visited Public Land Mobile Network (VPLMN) where the relay UE roams, the relay UE is used for sending the discovery key request to the first VPLMN network element equipment and receiving the discovery key and the security parameters returned by the first VPLMN network element equipment, the first VPLMN network element equipment is used for forwarding the discovery key request to the first HPLMN network element equipment based on HPLMN ID information which is stored by a local core network and corresponds to the home public land mobile network of the relay UE, and the first HPLMN network element equipment is used for carrying out authorization verification processing on the relay UE, confirming whether the relay UE has authority to provide the connection service indicated by the relay service code, and sending the discovery key and the security parameters associated with the relay service code to the relay UE through the first VPLMN network element equipment after the relay UE passes the authorization verification.
Optionally, the first HPLMN network element device comprises a first HPLMN DDNMF located within the HPLMN of the relay UE and the first VPLMN network element device comprises a first VPLMN DDNMF located within the VPLMN where the relay UE roams.
The network side equipment comprises second HPLMN network element equipment located in the HPLMN of the service UE, the service UE is used for sending the discovery key request to the second HPLMN network element equipment and receiving the discovery key and the security parameters returned by the second HPLMN network element equipment, and the second HPLMN network element equipment is used for carrying out authorization verification processing on the service UE, confirming whether the service UE has authority to use the connection service indicated by the relay service code, inquiring of a second ProSe application server or platform about candidate relay UEs meeting the condition of the relay service code after the service UE passes the authorization verification processing, sending a key request to the first HPLMN network element equipment based on PLMN ID information in the ProSe application layer user ID of the relay UE after receiving the ProSe application layer user ID of the relay UE, and sending the discovery key and the security parameters which are returned by the first HPLMN network element equipment and associated with the relay service code to the service UE, wherein the PLMN ID information is used for indicating the HPLMN of the relay UE.
Optionally, the second HPLMN network element device is configured to perform authorization verification processing on the service UE based on locally stored subscription and authorization data information corresponding to the service UE, or based on subscription and authorization data information returned by a second data storage network element device located in the HPLMN of the service UE, where the second HPLMN network element device is further configured to send an authorization verification request corresponding to the service UE to the second data storage network element device, receive an authorization verification result returned by the second data storage network element device, or send an authorization verification request corresponding to the service UE to the second ProSe application server or platform, and receive an authorization verification result returned by the second ProSe application server or platform.
The network side equipment comprises second VPLMN network element equipment located in a VPLMN where the service UE roams, the service UE is used for sending the discovery key request to the second VPLMN network element equipment and receiving the discovery key and the security parameters returned by the second VPLMN network element equipment, the second VPLMN network element equipment is used for forwarding the discovery key request to the second HPLMN network element equipment based on HPLMN ID information which is stored by a local core network and corresponds to the home public land mobile network of the service UE, and the second HPLMN network element equipment is used for carrying out authorization verification processing on the service UE, confirming whether the service UE has authorization to use the connection service indicated by the relay service code, inquiring of the second ProSe application server or platform about candidate relay UEs meeting the condition of the relay service code after determining that the service UE passes the authorization verification processing, sending a key request to the first HPLMN network element equipment based on the PLMN ID information in the ProSe application layer user ID of the relay UE returned by the second ProSe application server or platform, and sending the discovery key and the security parameters which are returned by the first HPLMN network element equipment and associated with the relay service code to the service UE through the second VPLMN network element equipment.
Optionally, the second HPLMN network element device includes a second HPLMN DDNMF located within the HPLMN of the service UE and the second VPLMN network element device includes a second VPLMN DDNMF located within the VPLMN where the service UE roams.
Optionally, the service UE comprises a source UE and a target UE, the discovery key comprises a confidentiality protection key, an integrity protection key and a scrambling protection key, and the security parameters comprise a time stamp and a validity period.
According to a third aspect of the present disclosure, there is provided a computer readable storage medium storing computer instructions for execution by a processor of a method as described above.
The key processing method, system and storage medium can acquire the discovery key from the home network of the relay UE indicated by the relay service code, protect the discovery messages sent and received between the source UE or the target UE and the relay UE by using the discovery key associated with the relay service code, securely distribute the discovery key to the source UE, the target UE and the relay UE, provide security protection for the UE-to-UE relay discovery process, improve service security and enhance the user experience.
Detailed Description
The present disclosure now will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the disclosure are shown. The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
In the following, "first", "second", etc. are used merely to distinguish elements and carry no other specific meaning.
FIG. 1 is a flow diagram of one embodiment of a key processing method according to the present disclosure, as shown in FIG. 1:
Step 101, the relay UE and the service UE respectively send a discovery key request to the corresponding network side device, and receive a discovery key and a security parameter returned by the network side device, where the information carried in the discovery key request includes a Relay Service Code (RSC). The relay service code is used to indicate the connection service provided by the relay UE to the service UE, including connection services for ProSe applications and the like.
Step 102, the relay UE and the service UE process the discovery message by using the discovery key and the security parameter, respectively.
In one embodiment, the service UE includes a source UE, a target UE, and the like, where the UE may be a mobile phone, a tablet computer, and the like. In the UE-to-UE relay discovery process, the source UE completes discovery and intent matching of the target UE through the relay UE. UE-to-UE relay discovery may use Mode A or Mode B, which are two existing discovery modes. In the Mode A discovery procedure, the discovery message includes an announcement (discovery) message transmitted and received between the source UE or the target UE and the relay UE. In the Mode B discovery procedure, the discovery message includes a discovery query message, a discovery response message and the like, transmitted and received between the source UE or the target UE and the relay UE.
Discovery messages transmitted and received between the source UE or the target UE and the relay UE may be protected by using discovery keys, including a confidentiality protection key, an integrity protection key, a scrambling protection key, etc., and security parameters, including a time stamp, a validity period, etc. The relay UE and the service UE may encrypt, decrypt, integrity protect, scramble, etc. the discovery message using existing methods together with the discovery key and the security parameters, respectively.
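As an added illustration, not code from the disclosure, of how the discovery key set and security parameters just described could be applied to a discovery message: the page leaves the actual encryption, integrity and scrambling algorithms to existing methods, so HMAC-SHA256-based stand-in primitives, a 3-byte RSC field and a 60-second freshness window are assumed here.

```python
import hashlib
import hmac
import struct

# Constructed example. The three protection layers (confidentiality, integrity,
# scrambling) and the two security parameters (timestamp, validity period) follow
# the text; the primitives are stand-ins, not the ProSe algorithms.

RSC_LEN = 3      # assumption: fixed-length relay service code field
MIC_LEN = 16     # assumption: truncated HMAC-SHA256 as the message integrity code


class DiscoveryKeys:
    def __init__(self, conf_key, int_key, scr_key, timestamp, validity_s):
        self.conf_key = conf_key        # confidentiality protection key
        self.int_key = int_key          # integrity protection key
        self.scr_key = scr_key          # scrambling protection key
        self.timestamp = timestamp      # security parameter: issue time (UTC seconds)
        self.validity_s = validity_s    # security parameter: validity period (seconds)

    def valid_at(self, t):
        return self.timestamp <= t < self.timestamp + self.validity_s


def _keystream(key, label, ts, length):
    """HMAC-SHA256 in counter mode (stand-in cipher); ts binds the stream to the message time."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, label + ts + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect(keys, rsc, payload, now):
    """Sending UE: build a protected discovery message (announcement, query or response body)."""
    if not keys.valid_at(now):
        raise ValueError("discovery key outside its validity period")
    if len(rsc) != RSC_LEN:
        raise ValueError("bad RSC length")
    ts = struct.pack(">I", now)
    # 1. confidentiality: encrypt the payload under the confidentiality key
    ct = _xor(payload, _keystream(keys.conf_key, b"conf", ts, len(payload)))
    # 2. integrity: MIC over RSC, timestamp and ciphertext under the integrity key
    mic = hmac.new(keys.int_key, rsc + ts + ct, hashlib.sha256).digest()[:MIC_LEN]
    # 3. scrambling: hide RSC, ciphertext and MIC under the scrambling key; only the
    #    timestamp stays in the clear so the peer can derive the same keystreams
    body = rsc + ct + mic
    return ts + _xor(body, _keystream(keys.scr_key, b"scr", ts, len(body)))


def unprotect(keys, message, now, max_skew_s=60):
    """Receiving UE: reverse the three layers, rejecting stale, expired or tampered messages."""
    if len(message) < 4 + RSC_LEN + MIC_LEN:
        raise ValueError("message too short")
    ts, scrambled = message[:4], message[4:]
    t = struct.unpack(">I", ts)[0]
    if abs(now - t) > max_skew_s:          # freshness: timestamp must be close to local clock
        raise ValueError("stale discovery message")
    if not keys.valid_at(t):               # the key used must be within its validity period
        raise ValueError("discovery key expired for this message")
    body = _xor(scrambled, _keystream(keys.scr_key, b"scr", ts, len(scrambled)))
    rsc, ct, mic = body[:RSC_LEN], body[RSC_LEN:-MIC_LEN], body[-MIC_LEN:]
    expected = hmac.new(keys.int_key, rsc + ts + ct, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        raise ValueError("integrity check failed")
    payload = _xor(ct, _keystream(keys.conf_key, b"conf", ts, len(ct)))
    return rsc, payload


def demo():
    """Source UE announces via the relay; a peer holding the same RSC-bound keys reads it."""
    keys = DiscoveryKeys(b"C" * 16, b"I" * 16, b"S" * 16, timestamp=1_700_000_000, validity_s=3600)
    rsc = b"\x00\x12\x34"                   # constructed relay service code value
    msg = protect(keys, rsc, b"ANNOUNCE:source-UE", now=1_700_000_100)
    return unprotect(keys, msg, now=1_700_000_105)
```

A UE that holds keys for a different RSC descrambles to garbage and fails the MIC check, which is the property that lets the scrambling and integrity keys gate who can even parse a relay's discovery traffic.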
In one embodiment, the information carried by the relay service code includes ProSe application information and the like, where the ProSe application information is used for indicating the ProSe application expected to be acquired by the service UE; the ProSe application information may be a ProSe application identifier, a ProSe application code or the like, and the ProSe application may be public security (police), emergency rescue (fire fighting), business service (industrial internet) and the like. Alternatively, the information carried by the relay service code includes ProSe application information, UE-to-UE relay service information and the like, where the UE-to-UE relay service information is used to indicate the UE-to-UE relay service capability supported by the relay UE, such as supported QoS capability, supported radio technology (WiFi or cellular) and the like.
Fig. 2 is a flowchart illustrating a relay UE acquiring a discovery key and a security parameter according to an embodiment of a key processing method of the present disclosure, where a network-side device includes a first HPLMN network element device located in an HPLMN of the relay UE, as shown in fig. 2:
In step 201, the relay UE sends a discovery key request to the first HPLMN network element device.
In one embodiment, the first HPLMN network element device performs an authorization verification process on the relay UE, confirms whether the relay UE has permission to provide a connection service indicated by the relay service code, and whether the relay UE has permission to request a discovery key associated with the relay service code.
The first HPLMN network element device stores the discovery key and the security parameter, and stores a binding relationship between the relay service code and the discovery key and the security parameter. For example, the first HPLMN network element device establishes and stores in advance a binding relationship between the ProSe application information in the relay service code and a discovery key and a security parameter; when it confirms that the relay UE has authority to provide the connection service indicated by the relay service code, it obtains the discovery key and the security parameter associated with the relay service code based on the binding relationship, and returns them to the relay UE through a secure channel, which may be any of the available secure channels.
The first HPLMN network element device may perform authorization verification processing on the relay UE by any of several methods. For example, the first HPLMN network element device performs authorization verification processing on the relay UE based on locally stored subscription and authorization data information corresponding to the relay UE. Alternatively, the first HPLMN network element device performs authorization verification processing on the relay UE locally based on subscription and authorization data information returned by a first data storage network element device (the network function responsible for subscription and authorization data storage) located in the HPLMN of the relay UE, where the first data storage network element device may be a UDM (Unified Data Management) network element or the like.
The first HPLMN network element equipment sends an authorization verification request corresponding to the relay UE to the first data storage network element equipment, the authorization verification request comprises information such as identity information of the UE, request service information and the like, the first data storage network element equipment performs authorization verification, and the first HPLMN network element equipment receives an authorization verification result returned by the first data storage network element equipment. The first HPLMN network element equipment sends an authorization verification request corresponding to the relay UE to the first ProSe application server or platform, the authorization verification request comprises information such as identity information of the UE and request service information, the first ProSe application server or platform performs authorization verification, and the first HPLMN network element equipment receives an authorization verification result returned by the first ProSe application server or platform.
In step 202, the relay UE receives a discovery key and a security parameter returned by the first HPLMN network element device.
Fig. 3 is a flow chart illustrating a process of obtaining a discovery key and a security parameter by a relay UE according to another embodiment of the key processing method of the present disclosure, where a network-side device includes a first VPLMN network element device located in a visited public land mobile network VPLMN where the relay UE roams, as shown in fig. 3:
In step 301, the relay UE sends a discovery key request to the first VPLMN network element device.
In one embodiment, the first VPLMN network element device forwards the discovery key request to the first HPLMN network element device based on HPLMN (Home Public Land Mobile Network) ID information stored by the local core network that corresponds to the home public land mobile network of the relay UE. The first HPLMN network element equipment performs authorization verification processing on the relay UE, confirms whether the relay UE has permission to provide the connection service indicated by the relay service code, and sends the discovery key and the security parameter to the relay UE through the first VPLMN network element equipment after determining that the relay UE passes the authorization verification. The first VPLMN network element device returns the discovery key and the security parameter to the relay UE through a secure channel, which may be any of the existing secure channels.
In step 302, the relay UE receives the discovery key and the security parameter returned by the first VPLMN network element device.
In one embodiment, the first HPLMN network element device includes a first HPLMN DDNMF (Direct Discovery Name Management Function) located within the HPLMN of the relay UE, and the first VPLMN network element device includes a first VPLMN DDNMF located within the VPLMN where the relay UE roams.
Fig. 4 is a flowchart illustrating a service UE acquiring a discovery key and a security parameter according to an embodiment of the key processing method of the present disclosure, where the network-side device includes a second HPLMN network element device located in an HPLMN of the service UE, as shown in fig. 4:
In step 401, the service UE sends a discovery key request to the second HPLMN network element device.
In one embodiment, the second HPLMN network element device performs authorization verification processing on the service UE, confirms whether the service UE has authority to play a role of the source UE or the target UE, and confirms whether the service UE has authority to use the connection service indicated by the relay service code. After determining that the service UE passes the authorization verification process, the second HPLMN network element device queries the second ProSe application server or platform for candidate relay UEs satisfying the relay service code condition, that is, queries the second ProSe application server or platform for relay UEs capable of providing a connection service corresponding to ProSe application information in the relay service code.
The second HPLMN network element device then receives the ProSe application layer user ID of the relay UE returned by the second ProSe application server or platform. The ProSe application layer user ID of the relay UE includes PLMN (Public Land Mobile Network) ID information; the PLMN ID information is used for indicating the HPLMN of the relay UE, and the access information of the first HPLMN network element device in the HPLMN of the relay UE can be obtained from the PLMN ID information by an existing method. The second HPLMN network element equipment sends a key request to the first HPLMN network element equipment based on the PLMN ID information in the ProSe application layer user ID of the relay UE, and sends the discovery key and the security parameter which are returned by the first HPLMN network element equipment and associated with the relay service code to the service UE.
The authorization verification process for the service UE by the second HPLMN network element device may use a plurality of methods. For example, the second HPLMN network element device performs authorization verification processing on the service UE based on locally stored subscription and authorization data information corresponding to the service UE. The second HPLMN network element equipment performs authorization verification processing on the service UE locally based on subscription and authorization data information returned by the second data storage network element equipment in the HPLMN of the service UE.
The second HPLMN network element device sends an authorization verification request corresponding to the service UE to the second data storage network element device, where the authorization verification request includes information such as the identity information of the UE and the service information of the request; the second data storage network element device performs the authorization verification, and the second HPLMN network element device receives the authorization verification result returned by the second data storage network element device, where the second data storage network element device may be a UDM (Unified Data Management) network element or the like.
The second HPLMN network element equipment sends an authorization verification request corresponding to the service UE to the second ProSe application server or platform, the authorization verification request comprises the identity information of the UE, the service information and other information, the second ProSe application server or platform performs authorization verification, and the second HPLMN network element equipment receives an authorization verification result returned by the second ProSe application server or platform.
In step 402, the service UE receives the discovery key and the security parameter returned by the second HPLMN network element device.
Fig. 5 is a flow chart illustrating a service UE acquiring a discovery key and a security parameter according to another embodiment of the key processing method of the present disclosure, where the network-side device includes a second VPLMN network element device located in a VPLMN where the service UE roams, as shown in fig. 5:
In step 501, the service UE sends a discovery key request to the second VPLMN network element device.
In one embodiment, the second VPLMN network element device forwards the discovery key request to the second HPLMN network element device based on the HPLMN ID information, corresponding to the home public land mobile network of the service UE, stored in the local core network. The second VPLMN network element device can acquire that HPLMN ID information from the local core network, and the access information of the second HPLMN network element device, by any of several existing methods. The second HPLMN network element device performs authorization verification on the service UE to confirm whether the service UE is permitted to use the connection service indicated by the relay service code. After determining that the service UE passes the authorization verification, the second HPLMN network element device sends a key request to the first HPLMN network element device, and sends the discovery key and security parameter associated with the relay service code, as returned by the first HPLMN network element device, to the service UE through the second VPLMN network element device.
In step 502, the service UE receives the discovery key and the security parameter returned by the second VPLMN network element device.
In one embodiment, the second HPLMN network element device comprises a second HPLMN DDNMF or the like located within the HPLMN of the service UE, and the second VPLMN network element device comprises a second VPLMN DDNMF or the like located within the VPLMN where the service UE roams.
Fig. 6 is a schematic signaling interaction flow diagram of one embodiment of a key processing method according to the present disclosure, as shown in fig. 6:
In step 601, the relay UE sends a Discovery key request message to the VPLMN DDNMF of the relay UE; the information carried in the Discovery key request message includes the RSC (relay service code), R-UE (relay UE) information, and the like.
In step 602, the VPLMN DDNMF of the relay UE forwards the Discovery key request message to the HPLMN DDNMF of the relay UE.
In step 603, the HPLMN DDNMF of the relay UE performs authorization verification on the relay UE, confirming that it is authorized to provide the connection service indicated by the RSC.
In step 604, after determining that the authorization verification succeeded, the HPLMN DDNMF of the relay UE returns a Discovery key response message to the VPLMN DDNMF of the relay UE; the information carried in the Discovery key response message includes the discovery key, the security parameter, the RSC, and the like.
In step 605, the VPLMN DDNMF of the relay UE returns the Discovery key response message to the relay UE, carrying the discovery key, the security parameter, the RSC, and the like.
In step 606, the source or target UE sends a Discovery key request message to the VPLMN DDNMF of the source or target UE; the information carried in the Discovery key request message includes the RSC and source or target UE information.
In step 607, the VPLMN DDNMF of the source or target UE forwards the Discovery key request message to the HPLMN DDNMF of the source or target UE.
In step 608, the HPLMN DDNMF of the source or target UE performs authorization verification on the source or target UE, confirming that it is authorized to use the connection service indicated by the RSC.
In step 609, after determining that the authorization verification succeeded, the HPLMN DDNMF of the source or target UE forwards the Discovery key request to the HPLMN DDNMF of the relay UE, that is, to the home network indicated by the PLMN ID information in the ProSe application layer user ID of the relay UE, as described above.
In step 610, the HPLMN DDNMF of the relay UE returns a Discovery key response message to the HPLMN DDNMF of the source or target UE; the information carried in the Discovery key response message includes the discovery key and security parameter bound to the RSC, the RSC itself, and the like.
In step 611, the HPLMN DDNMF of the source or target UE sends the Discovery key response message to the VPLMN DDNMF of the source or target UE.
In step 612, the VPLMN DDNMF of the source or target UE sends the Discovery key response message to the source or target UE, carrying the discovery key, the security parameter, the RSC, and the like.
In step 613, the UE-to-UE relay discovery procedure is performed.
The source UE may complete discovery and intent matching of the target UE through the relay UE using existing methods, and discovery messages transmitted and received between the source UE, the target UE, and the relay UE may be protected by using a discovery key associated with a relay service code.
The key processing method of the present disclosure protects the discovery messages exchanged between a source UE or target UE and a relay UE with a discovery key bound to the relay service code. The discovery key is obtained from a core network function in the home network of the relay UE indicated by the relay service code, so it can be distributed securely to the source UE, the target UE and the relay UE, providing security protection for the UE-to-UE relay discovery procedure.
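As an added example (not code from the disclosure), the following Python models the exchange of Fig. 6, steps 601-613, including the roaming path of Fig. 5 (steps 501-502) and the local-subscription variant of the authorization check described above. The class names, the request and response fields, the 16-byte discovery key and 8-byte security parameter, the "id@PLMN" encoding of the ProSe application layer user ID and the HMAC-based protection of the discovery message in step 613 are all assumptions of this example; the disclosure specifies none of them. What it makes concrete is that only the HPLMN DDNMF of the relay UE ever generates key material, bound to the RSC, and that the HPLMN DDNMF of the service UE resolves the relay UE's PLMN ID and fetches that bound key rather than minting one of its own.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

# Constructed example, not code from the disclosure: an in-memory model of the Fig. 6
# exchange. Class names, message fields, key sizes, the "id@PLMN" user-ID encoding and the
# MIC construction are assumptions of this example, not identifiers from the disclosure or 3GPP.

# Request carries the RSC, the UE identity (R-UE, source or target UE) and the role:
# "relay" provides the connection service, "service" uses it.
DiscoveryKeyRequest = namedtuple("DiscoveryKeyRequest", "rsc ue_id role")
DiscoveryKeyResponse = namedtuple("DiscoveryKeyResponse", "rsc discovery_key security_parameter")

class ProseAppServer:
    # Returns the ProSe application layer user ID of a candidate relay UE for an RSC; the ID
    # carries the relay UE's PLMN ID, i.e. its HPLMN.
    def __init__(self, relays_by_rsc):          # {rsc: [(relay_ue_id, plmn_id)]}
        self.relays_by_rsc = relays_by_rsc

    def candidate_relay(self, rsc):
        cands = self.relays_by_rsc.get(rsc, [])
        return f"{cands[0][0]}@{cands[0][1]}" if cands else None

class HplmnDdnmf:
    # Home-PLMN DDNMF: authorizes the UE for the RSC, generates the discovery key and security
    # parameter once per RSC and keeps the RSC -> key binding.
    def __init__(self, plmn_id, subscriptions, app_server):
        self.plmn_id = plmn_id
        self.subscriptions = subscriptions      # local authorization data: {ue_id: {"provide"|"use": {rsc}}}
        self.app_server = app_server
        self.bindings = {}                      # rsc -> (discovery_key, security_parameter)
        self.peers = {}                         # plmn_id -> HplmnDdnmf of another home PLMN

    def authorized(self, req):
        needed = "provide" if req.role == "relay" else "use"
        return req.rsc in self.subscriptions.get(req.ue_id, {}).get(needed, set())

    def handle_request(self, req):
        if not self.authorized(req):
            raise PermissionError(f"{req.ue_id} may not {req.role} {req.rsc}")
        if req.role == "relay":                 # steps 603-604: mint (or reuse) the key bound to this RSC
            self.bindings.setdefault(req.rsc, (secrets.token_bytes(16), secrets.token_bytes(8)))
            return DiscoveryKeyResponse(req.rsc, *self.bindings[req.rsc])
        # Steps 608-610: the RSC points at the relay UE's home network, so resolve its PLMN ID via
        # the ProSe application server and fetch the key from that network's DDNMF.
        user_id = self.app_server.candidate_relay(req.rsc)
        if user_id is None:
            raise LookupError(f"no candidate relay UE for {req.rsc}")
        relay_plmn = user_id.rsplit("@", 1)[1]
        relay_home = self if relay_plmn == self.plmn_id else self.peers[relay_plmn]
        return relay_home.key_request_from_peer(req.rsc)

    def key_request_from_peer(self, rsc):
        if rsc not in self.bindings:            # no relay UE has been provisioned for this RSC yet
            raise LookupError(f"no discovery key bound to {rsc}")
        return DiscoveryKeyResponse(rsc, *self.bindings[rsc])

class VplmnDdnmf:
    # Visited-PLMN DDNMF: forwards to the UE's home DDNMF using the HPLMN ID held in the local
    # core network context (steps 602/605 and 607/612) and relays the response back.
    def __init__(self, home_ddnmfs, ue_home_plmn):   # {plmn_id: HplmnDdnmf}, {ue_id: plmn_id}
        self.home_ddnmfs = home_ddnmfs
        self.ue_home_plmn = ue_home_plmn

    def handle_request(self, req):
        return self.home_ddnmfs[self.ue_home_plmn[req.ue_id]].handle_request(req)

def protect_discovery_message(resp, counter, body):
    # Assumed protection for step 613: 16-byte MIC = HMAC-SHA256 over RSC, security parameter,
    # a freshness counter and the body, keyed by the RSC-bound discovery key.
    data = resp.rsc.encode() + resp.security_parameter + counter.to_bytes(4, "big") + body
    return body + hmac.new(resp.discovery_key, data, hashlib.sha256).digest()[:16]

def verify_discovery_message(resp, counter, msg):
    return hmac.compare_digest(protect_discovery_message(resp, counter, msg[:-16]), msg)

def run_fig6_exchange():
    # Steps 601-613 with a relay UE (home PLMN-A) and a source UE (home PLMN-B), both roaming.
    app = ProseAppServer({"RSC-1": [("relay-ue", "PLMN-A")]})
    home_a = HplmnDdnmf("PLMN-A", {"relay-ue": {"provide": {"RSC-1"}}}, app)
    home_b = HplmnDdnmf("PLMN-B", {"source-ue": {"use": {"RSC-1"}}, "rogue-ue": {}}, app)
    home_b.peers["PLMN-A"] = home_a
    visited = VplmnDdnmf({"PLMN-A": home_a, "PLMN-B": home_b},
                         {"relay-ue": "PLMN-A", "source-ue": "PLMN-B", "rogue-ue": "PLMN-B"})
    relay_resp = visited.handle_request(DiscoveryKeyRequest("RSC-1", "relay-ue", "relay"))      # 601-605
    source_resp = visited.handle_request(DiscoveryKeyRequest("RSC-1", "source-ue", "service"))  # 606-612
    msg = protect_discovery_message(source_resp, 7, b"solicitation:RSC-1")                      # 613
    tampered = bytes([msg[0] ^ 1]) + msg[1:]
    return {
        "same_key": relay_resp.discovery_key == source_resp.discovery_key,
        "relay_accepts": verify_discovery_message(relay_resp, 7, msg),
        "replay_rejected": not verify_discovery_message(relay_resp, 8, msg),
        "tamper_rejected": not verify_discovery_message(relay_resp, 7, tampered),
        "rogue_refused": not home_b.authorized(DiscoveryKeyRequest("RSC-1", "rogue-ue", "service")),
    }
```

Two negative cases follow from the model and are worth checking in any implementation of this flow: a service UE whose request arrives before any relay UE has been provisioned for the RSC receives no key, because nothing is bound to the RSC yet, and a UE with no subscription for the RSC is refused at its own HPLMN DDNMF before any inter-PLMN key request is made.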
In one embodiment, as shown in fig. 7, the present disclosure provides a key processing system including a relay UE 71, a service UE 72 and a network side device 73, the service UE 72 including a source UE and a target UE. The relay UE 71 and the service UE 72 each send a discovery key request to the corresponding network side device 73 and receive the discovery key and security parameter returned by the network side device 73, where the information carried in the discovery key request includes a relay service code indicating the connection service provided by the relay UE to the service UE. The relay UE 71 and the service UE 72 each process discovery messages using the discovery key and the security parameter.
In one embodiment, the network side device 73 comprises a first HPLMN network element device located within the HPLMN of the relay UE, for example a first HPLMN DDNMF located within the HPLMN of the relay UE. The relay UE 71 sends a discovery key request to the first HPLMN network element device and receives the discovery key and security parameter it returns. The first HPLMN network element device performs authorization verification on the relay UE, confirming whether the relay UE is authorized to provide the connection service indicated by the relay service code, and, after determining that the relay UE passes the authorization verification, returns the discovery key and security parameter associated with the relay service code to the relay UE; the first HPLMN network element device stores the discovery key and the security parameter together with the binding between the relay service code and them.
The network side device 73 comprises a first VPLMN network element device located in a visited public land mobile network VPLMN where the relay UE roams, the first VPLMN network element device comprising a first VPLMN DDNMF located in the VPLMN where the relay UE roams, etc. The relay UE 71 sends a discovery key request to the first VPLMN network element device, and receives a discovery key and a security parameter returned by the first VPLMN network element device. The first HPLMN network element carries out authorization verification processing on the relay UE, confirms whether the relay UE has authorization to provide connection service indicated by the relay service code, and sends the discovery key and security parameters associated with the relay service code to the relay UE through the first VPLMN network element after determining that the relay UE passes the authorization verification.
In one embodiment, the network side device comprises a second HPLMN network element device located within the HPLMN of the service UE, for example a second HPLMN DDNMF located within the HPLMN of the service UE. The second HPLMN network element device performs authorization verification on the service UE, confirming whether the service UE is permitted to use the connection service indicated by the relay service code, and, after determining that the service UE passes the authorization verification, queries the second ProSe application server or platform for candidate relay UEs meeting the relay service code condition.
After receiving the ProSe application layer user ID of the relay UE returned by the second ProSe application server or platform, the second HPLMN network element device sends a key request to the first HPLMN network element device based on the PLMN ID information in the ProSe application layer user ID of the relay UE, and sends the discovery key and security parameter associated with the relay service code, as returned by the first HPLMN network element device, to the service UE.
The network side device 73 comprises a second VPLMN network element device located in the VPLMN where the service UE roams, for example a second VPLMN DDNMF located in that VPLMN. The service UE 72 sends a discovery key request to the second VPLMN network element device and receives the discovery key and security parameter it returns; the second VPLMN network element device forwards the discovery key request to the second HPLMN network element device based on the HPLMN ID information, corresponding to the home public land mobile network of the service UE, stored in the local core network.
The second HPLMN network element device performs authorization verification on the service UE and, after the service UE passes it, queries the second ProSe application server or platform for candidate relay UEs meeting the relay service code condition. After receiving the ProSe application layer user ID of the relay UE returned by the second ProSe application server or platform, the second HPLMN network element device sends a key request to the first HPLMN network element device based on the PLMN ID information in that user ID, and sends the discovery key and security parameter returned by the first HPLMN network element device to the service UE through the second VPLMN network element device.
In one embodiment, the present disclosure provides a computer-readable storage medium storing computer instructions that, when executed by a processor, implement the key processing method of any of the embodiments above.
The key processing method, system and storage medium of the above embodiments obtain the discovery key from the home network of the relay UE indicated by the relay service code, protect the discovery messages exchanged between the source UE or target UE and the relay UE with a discovery key bound to the relay service code, distribute the discovery key securely to the source UE, the target UE and the relay UE, and thereby provide security protection for the UE-to-UE relay discovery procedure and improve the security of the service.
The methods and systems of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, firmware. The above-described sequence of steps for the method is for illustration only, and the steps of the method of the present disclosure are not limited to the sequence specifically described above unless specifically stated otherwise. Furthermore, in some embodiments, the present disclosure may also be implemented as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.