
CN116318633A - Communication method and device - Google Patents


Info

Publication number: CN116318633A
Application number: CN202111481925.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: terminal, identifier, identity, equipment, network
Inventors: 张凡, 闫锐, 申伟, 李晓波
Current assignee: Dongguan Huawei Service Co ltd
Original assignee: Dongguan Huawei Service Co ltd
Application filed by Dongguan Huawei Service Co ltd; priority to CN202111481925.9A; published as CN116318633A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/0205 Traffic management, e.g. flow control or congestion control at the air interface

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a communication method and device in the NR or LTE field, intended to prevent the real device identifier of a terminal from being stolen and to protect the privacy of the user. The method comprises the following steps: the network device receives a first device identifier of the terminal and sends a second device identifier of the terminal. The first device identifier is used for the device validity verification of the terminal; the second device identifier is used for subsequent device validity verification of the terminal and is determined once the device validity verification of the terminal passes.

Description

Communication method and device
Technical Field
The present disclosure relates to the field of communications, and in particular, to a communication method and apparatus.
Background
In systems such as long term evolution (LTE) or new radio (NR), a core network (CN) element, e.g. an equipment identity register (EIR), needs to verify the validity of the device of a terminal accessing the network in order to ensure network security. For example, after the core network element completes authentication of the terminal and establishes the terminal's context, it requests the terminal to send its device identifier so that it can verify whether that device identifier is legal.
However, the device identifier of the terminal is usually transmitted between the terminal and the core network element in plaintext, where it can easily be stolen, so the privacy of the user cannot be guaranteed.
Disclosure of Invention
The embodiments of the application provide a communication method and device for preventing the real device identifier of a terminal from being stolen and for protecting the privacy of the user.
The application adopts the following technical scheme:
In a first aspect, a communication method is provided. The method comprises the following steps: the network device receives a first device identifier of the terminal and sends a second device identifier of the terminal. The first device identifier is used for the device validity verification of the terminal; the second device identifier is used for subsequent device validity verification of the terminal and is determined once the device validity verification of the terminal passes.
According to the method of the first aspect, after the device validity verification passes, the network device may update the device identifier of the terminal, for example by replacing the first device identifier with the second device identifier, so that the device identifier of the terminal changes dynamically. The dynamically changed device identifier can be regarded as a temporary device identifier of the terminal, and the terminal can subsequently use this temporary device identifier for device validity verification, so that the real device identifier of the terminal is not exposed to theft and the privacy of the user is protected.
In one possible design, the first device identifier may include one or more of the following: a first international mobile equipment identity (IMEI) or a first permanent equipment identifier (PEI), so that both the LTE system and the NR system are covered and the device validity of the terminal can be verified in either system.
In one possible design, the first device identifier may be carried in one or more of the following: an identity response message, a create session request message, or a device identifier verification request message, so that signaling is multiplexed and communication efficiency is improved.
In one possible design, the second device identifier may include one or more of the following: a second IMEI or a second PEI, so that both the LTE system and the NR system are covered and device validity verification can be carried out in either system.
In one possible design, the second device identifier may be carried in one or more of the following: an attach accept message, an activate dedicated evolved packet system (EPS) bearer context request message, a create session response message, or a device identifier verification response message, so that signaling is multiplexed and communication efficiency is improved.
In a possible implementation, before the network device sends the second device identifier of the terminal, the method of the first aspect may further include: the network device receives the user identity corresponding to the terminal, where the user identity is used for the device validity verification of the terminal. In this case the device validity verification checks not only the first device identifier of the terminal but also the user identity corresponding to the terminal, which improves the reliability of the verification.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity (IMSI) or a subscription permanent identifier (SUPI), so that both the LTE system and the NR system are covered and the device validity of the terminal can be verified in either system.
Optionally, the user identity and the first device identifier are carried in the same message, which saves signaling overhead and improves communication efficiency.
In one possible design, the network device sending the second device identifier of the terminal may include: the network device sends the second device identifier in encrypted form, further enhancing the security of the transmission.
In a second aspect, a communication method is provided. The method comprises the following steps: the terminal sends a first device identifier of the terminal and receives a second device identifier of the terminal. The first device identifier is used for the device validity verification of the terminal; the second device identifier is used for subsequent device validity verification of the terminal and is determined once the device validity verification of the terminal passes.
In one possible design, the first device identification may include one or more of the following: the first international mobile equipment identity IMEI, or the first permanent equipment identifier PEI.
In one possible configuration, the first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request message, or a device identification verification request message.
In one possible design, the second device identification may include one or more of the following: a second IMEI, or a second PEI.
In one possible embodiment, the second device identifier may be carried in one or more of the following: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
In a possible design, before the terminal receives the second device identifier of the terminal, the method of the second aspect may further include: the terminal sends a user identity corresponding to the terminal, and the user identity is used for verifying the validity of the equipment of the terminal.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity IMSI, or a subscriber permanent identifier SUPI.
Optionally, the user identity is carried in the same message as the first device identity.
In one possible design, the terminal receiving the second device identifier of the terminal may include: the terminal receives the encrypted second device identifier.
In addition, the technical effects of the method described in the second aspect may refer to the technical effects of the method described in the first aspect, which are not described herein.
In a third aspect, a communication device is provided. The device comprises a receiving module and a sending module. The receiving module is used for receiving a first device identifier of the terminal, and the sending module is used for sending a second device identifier of the terminal. The first device identifier is used for the device validity verification of the terminal; the second device identifier is used for subsequent device validity verification of the terminal and is determined once the device validity verification of the terminal passes.
In one possible design, the first device identification may include one or more of the following: the first international mobile equipment identity IMEI, or the first permanent equipment identifier PEI.
In one possible configuration, the first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request message, or a device identification verification request message.
In one possible design, the second device identification may include one or more of the following: a second IMEI, or a second PEI.
In one possible embodiment, the second device identifier may be carried in one or more of the following: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
In one possible design, the receiving module may be further configured to receive a user identity corresponding to the terminal before the sending module sends the second device identifier of the terminal, where the user identity is used for verifying the validity of the device of the terminal.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity IMSI, or a subscriber permanent identifier SUPI.
Optionally, the user identity is carried in the same message as the first device identity.
In a possible embodiment, the transmitting module may also be configured to transmit the encrypted second device identifier.
Alternatively, the transmitting module and the receiving module may be integrated as a transceiver module, which implements the transceiver function of the apparatus described in the third aspect.
Optionally, the apparatus according to the third aspect may further include a processing module. The processing module is used for realizing the processing function of the communication device.
Optionally, the apparatus according to the third aspect may further include a storage module, where the storage module stores a program or instructions. The program or instructions, when executed by a processing module, enable the apparatus to perform the method of the first aspect.
The apparatus described in the third aspect may be a network device, or may be a chip (system) or other components or assemblies in the network device, or may be an apparatus including the network device, which is not limited in this application.
In addition, the technical effects of the apparatus described in the third aspect may refer to the technical effects of the method described in the first aspect, which are not described herein.
In a fourth aspect, a communication device is provided. The device comprises a sending module and a receiving module. The sending module is used for sending a first device identifier of the communication device, and the receiving module is used for receiving a second device identifier of the communication device. The first device identifier is used for the device validity verification of the communication device; the second device identifier is used for subsequent device validity verification of the communication device and is determined once the device validity verification of the communication device passes.
In one possible design, the first device identification may include one or more of the following: the first international mobile equipment identity IMEI, or the first permanent equipment identifier PEI.
In one possible configuration, the first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request message, or a device identification verification request message.
In one possible design, the second device identification may include one or more of the following: a second IMEI, or a second PEI.
In one possible embodiment, the second device identifier may be carried in one or more of the following: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
In a possible design, the sending module may be further configured to send, before the receiving module receives the second device identifier of the communication device, a user identity corresponding to the communication device, where the user identity is used for the device validity verification of the communication device.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity IMSI, or a subscriber permanent identifier SUPI.
Optionally, the user identity is carried in the same message as the first device identity.
In a possible embodiment, the receiving module may also be configured to receive the encrypted second device identifier.
Alternatively, the transmitting module and the receiving module may be integrated as a transceiver module, which implements the transceiver function of the apparatus described in the fourth aspect.
Optionally, the apparatus of the fourth aspect may further include a processing module. The processing module is used for realizing the processing function of the communication device.
Optionally, the apparatus according to the fourth aspect may further include a storage module, where the storage module stores a program or instructions. The program or instructions, when executed by a processing module, enable the apparatus to perform the method of the second aspect.
The device according to the fourth aspect may be a terminal, or may be a chip (system) or other components or assemblies in the terminal, or may be a device including the terminal, which is not limited in this application.
In addition, the technical effects of the apparatus described in the fourth aspect may refer to the technical effects of the method described in the first aspect, which are not described herein.
In a fifth aspect, a communication device is provided. The device comprises: a processor. Wherein the processor is configured to perform the method according to the first or second aspect.
In a possible implementation manner, the apparatus according to the fifth aspect may further include a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be used for the device to communicate with other devices.
In a possible embodiment, the device according to the fifth aspect may further comprise a memory. The memory may be integral with the processor or may be separate. The memory may be used to store computer programs and/or data related to the method of the first or second aspect.
In this application, the apparatus according to the fifth aspect may be a terminal or a network device in the first aspect or the second aspect, for example, the first device or the second device, or a chip (system) or other part or component that may be disposed in the terminal or the network device, or an apparatus including the terminal or the network device.
Further, the technical effects of the apparatus according to the fifth aspect may refer to the technical effects of the method according to the first aspect or the second aspect, and are not described herein.
In a sixth aspect, a communication device is provided. The device comprises: a processor and a memory. Wherein the memory is for storing computer instructions which, when executed by the processor, cause the apparatus to perform the method according to the first or second aspect.
In a possible implementation manner, the apparatus according to the sixth aspect may further include a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be used for the device to communicate with other devices.
In this application, the apparatus according to the sixth aspect may be a terminal or a network device in the first aspect or the second aspect, for example, the first device or the second device, or a chip (system) or other part or component that may be disposed in the terminal or the network device, or an apparatus including the terminal or the network device.
In addition, the technical effects of the apparatus described in the sixth aspect may refer to the technical effects of the method described in the first aspect or the second aspect, which are not described herein.
In a seventh aspect, a communication device is provided. The device comprises logic circuitry and an input/output interface. The input/output interface is used for receiving code instructions and passing them to the logic circuitry, and the logic circuitry executes the code instructions to perform the method of the first or second aspect.
In this application, the apparatus according to the seventh aspect may be a terminal or a network device in the first aspect or the second aspect, for example, the first device or the second device, or a chip (system) or other part or component that may be disposed in the terminal or the network device, or an apparatus including the terminal or the network device.
In addition, the technical effects of the apparatus described in the seventh aspect may refer to the technical effects of the method described in the first aspect or the second aspect, which are not described herein.
In an eighth aspect, a communication device is provided. The device comprises a processor and a transceiver. The transceiver is used for information exchange between the communication device and other devices, and the processor executes program instructions to perform the method of the first or second aspect.
In a possible embodiment, the device according to the eighth aspect may further comprise a memory. The memory may be integral with the processor or may be separate. The memory may be used to store computer programs and/or data related to the method of the first or second aspect.
In this application, the apparatus according to the eighth aspect may be a terminal or a network device in the first aspect or the second aspect, for example, the first device or the second device, or a chip (system) or other part or component that may be disposed in the terminal or the network device, or an apparatus including the terminal or the network device.
Further, the technical effects of the apparatus according to the eighth aspect may refer to the technical effects of the method according to the first aspect or the second aspect, and will not be described herein.
In a ninth aspect, a communication system is provided. The communication system includes one or more first devices and one or more second devices. The first device is for performing the method as described in the first aspect and the second device is for performing the method as described in the second aspect.
In a tenth aspect, there is provided a computer readable storage medium comprising: computer programs or instructions; the computer program or instructions, when run on a computer, cause the computer to perform the method of the first or second aspect.
In an eleventh aspect, there is provided a computer program product comprising a computer program or instructions which, when run on a computer, cause the computer to perform the method of the first or second aspect.
Drawings
Fig. 1 is a schematic flow chart of device validity verification in an LTE system;
Fig. 2 is a schematic flow chart of device validity verification in an NR system;
Fig. 3 is a schematic architecture diagram of a communication system according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a communication method according to an embodiment of the present application;
Fig. 5 is a second schematic flow chart of a communication method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a second communication device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a third communication device according to an embodiment of the present application.
Detailed Description
Technical terms related to the embodiments of the present application are described below.
1. Device identification
The device identifier generally refers to an identifier of a terminal preconfigured at the time of shipment; the device identifier of each terminal is unique, so that different terminals can be distinguished by their device identifiers. In LTE systems the device identifier is the international mobile equipment identity (IMEI), and in NR systems it is the permanent equipment identifier (PEI). Unless otherwise specified, the device identifier mentioned below may be understood as an IMEI or a PEI; the present application does not limit this. When a terminal accesses the network through an access network (AN), a CN network element, for example an EIR, may verify the device identifier of the terminal to determine the validity of the terminal's device and thereby ensure network security, as described in detail below.
2. Device validity verification for the LTE system
Referring to Fig. 1, device validity verification in the LTE system includes the following procedure:
S101, a user equipment (UE) sends an attach request message to an evolved node B (eNodeB). Accordingly, the eNodeB receives the attach request message from the UE.
The eNodeB is mainly configured to provide a network access function for an authorized terminal device in a specific area, such as a network signal coverage area, and the specific implementation may also refer to the following description related to fig. 3, which is not repeated. When the UE accesses the eNodeB, the UE may send the above-described attach request message to the eNodeB. The attach request message contains an international mobile subscriber identity (international mobile subscriber identity, IMSI) or a globally unique temporary UE identity (globally unique temporary UE identity, GUTI) for the UE to register with the LTE system in order to use the services provided by the LTE network.
S102, the eNodeB sends an attach request message to a new (new) mobility management entity (mobility management entity, MME) network element. Accordingly, the new MME network element receives an attach request message from the eNodeB.
The new MME network element refers to an LTE network system entity that provides services for the UE at this time, and is used for mobility and session management of the UE.
S103, the new MME network element sends an identification request message to the old MME network element or to the serving GPRS support node (SGSN) network element. Accordingly, the old MME network element or SGSN receives the identification request message from the new MME network element.
The old MME network element is the LTE network entity that last provided service to the UE, and the SGSN is the 2G/3G network entity that last provided service to the UE. The identification request message lets the network entity currently providing service obtain the UE identity and the mobility and session management context from the entity that provided service last time. If the temporary identity (GUTI) used by the UE in the attach request message was allocated by the old MME, the new MME network element sends the identification request message to the old MME network element; if it was allocated by the old SGSN, the new MME network element sends the identification request message to the SGSN.
S104, the old MME network element or SGSN sends an identification response message to the new MME network element. Correspondingly, the new MME network element receives the identification response message from the old MME network element or SGSN.
The identification response message comprises an identity of the UE, an IMSI and security-related context information.
S105, the new MME network element sends an identity query request (identity request) message 1 to the UE. Correspondingly, the UE receives an identity query request message 1 from the new MME network element.
The identity inquiry request message 1 is used for requesting a user identity, such as an IMSI, corresponding to the UE.
S106, the UE sends an identity response message 1 to the new MME network element. Correspondingly, the new MME network element receives the identity response message 1 from the UE.
The identity inquiry response message 1 carries an IMSI corresponding to the UE.
S107, the new MME network element, the UE and the home subscriber server (home subscriber server, HSS) complete authentication (authentication) and security (security) verification of the UE.
The HSS is mainly used for storing and managing signing and authentication information of the UE. The new MME network element can complete authentication and security verification of the UE by matching with the UE and the HSS according to the IMSI.
S108, the new MME network element sends an identity inquiry request message 2 to the UE. Correspondingly, the UE receives an identity query request message 2 from the new MME network element.
Wherein the identity lookup request message 2 is used to request a device identity of the UE, such as IMEI.
S109, the UE sends an identity inquiry response message 2 to the new MME network element. Correspondingly, the new MME network element receives the identity query response message 2 from the UE.
Wherein, the identity inquiry response message 2 carries the IMEI of the UE.
S110, the new MME network element and the EIR cooperate to verify the equipment validity of the UE.
Wherein, the new MME network element may send the IMEI of the UE to the EIR. The EIR may verify the IMEI of the UE, e.g., the EIR may determine whether the IMEI of the UE is present in the IMEI list. If the IMEI of the UE exists in the IMEI list, the device validity verification of the UE is passed, and the UE is allowed to access the network. Or if the IMEI of the UE does not exist in the IMEI list, indicating that the device validity of the UE is not verified, and not allowing the UE to access the network.
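The EIR check of S110 together with the identifier rotation of the first aspect, as an added simulation that is not code from the patent: the network verifies the real IMEI/PEI against its list together with the bound IMSI/SUPI, and on every pass issues a fresh temporary device identifier and retires the one just presented. The IMEI-shaped temporary identifier with a Luhn check digit, the identifier-to-user binding table, the one-time-use rule and all sample values are assumptions of this example; the page leaves the identifier format open and says only that the second identifier is sent encrypted, which is not modelled here.

```python
"""Simulated EIR with the temporary device identifier rotation this page describes.

Added example, not code from the patent. Assumptions: device identifiers are
IMEI-shaped (14 digits plus a Luhn check digit), the EIR binds each real
identifier to one IMSI/SUPI, and a temporary identifier is valid for exactly
one verification and replaced by a fresh one when that verification passes.
"""
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(body: str) -> str:
    """Luhn check digit over a 14-digit body, as used for the 15th IMEI digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                  # rightmost body digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(identifier: str) -> bool:
    """True if the identifier is 15 digits whose last digit is the Luhn check digit."""
    return (identifier.isdigit() and len(identifier) == 15
            and luhn_check_digit(identifier[:14]) == identifier[14])


@dataclass
class Eir:
    # Constructed sample data: real IMEI/PEI -> IMSI/SUPI it is bound to. This
    # stands in for the page's "IMEI list", extended with the user identity the
    # first aspect says is verified alongside the device identifier.
    allowed: dict
    # Temporary identifiers issued so far, mapped back to the real identifier.
    temporary: dict = field(default_factory=dict)

    def _resolve(self, device_id: str):
        """Map a presented identifier (real or temporary) to the real one, or None."""
        if device_id in self.allowed:
            return device_id
        return self.temporary.get(device_id)

    def _issue(self, real_id: str) -> str:
        """Generate an unused IMEI-shaped temporary identifier bound to real_id."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(14))
            candidate = body + luhn_check_digit(body)
            if candidate not in self.allowed and candidate not in self.temporary:
                self.temporary[candidate] = real_id
                return candidate

    def verify(self, device_id: str, user_id: str):
        """Device validity check: return the next temporary identifier, or None on failure.

        Mirrors S110 (identifier present in the EIR list) plus the first aspect:
        the user identity must match the binding, and a pass yields a second,
        temporary identifier that the terminal uses in later verifications.
        """
        if not luhn_valid(device_id):
            return None                       # malformed identifier, reject before lookup
        real_id = self._resolve(device_id)
        if real_id is None or self.allowed[real_id] != user_id:
            return None                       # unknown identifier or wrong IMSI/SUPI
        self.temporary.pop(device_id, None)   # the temporary id just used is retired
        return self._issue(real_id)


def run_scenario() -> dict:
    """Walk a terminal through attach, a later check, a replay and bad inputs."""
    real_imei = "490154203237518"             # constructed sample (valid Luhn)
    imsi = "460001234567890"                  # constructed sample IMSI
    eir = Eir(allowed={real_imei: imsi})
    first = eir.verify(real_imei, imsi)       # real IMEI crosses the air interface once
    second = eir.verify(first, imsi)          # later check presents only the temporary id
    return {
        "first": first,
        "second": second,
        "replay": eir.verify(first, imsi),    # retired temporary id is refused
        "wrong_user": eir.verify(second, "460009999999999"),  # temp id with other IMSI
        "unknown": eir.verify("123456789012347", imsi),        # well-formed, not in EIR
        "malformed": eir.verify("49015420323751", imsi),       # 14 digits, no check digit
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:>10}: {value}")
```

Because every pass issues a new identifier, an observer of the air interface sees the real IMEI/PEI only once and each later value only once, which is the property the first aspect relies on.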
3. Device validity verification for the NR system
Referring to Fig. 2, device validity verification in the NR system includes the following procedure:
S201, the UE sends a registration request message to a radio access network (RAN) network element. Accordingly, the RAN network element receives the registration request message from the UE.
The RAN network element is mainly configured to provide a network access function for an authorized terminal device in a specific area, such as a network signal coverage area, and the specific implementation may also refer to the following related description of fig. 3, which is not repeated. After the UE accesses the RAN network element, the UE may send the above-mentioned registration request message to the RAN network element. The registration request message is used for the UE to register with the NR system in order to use the NR network service.
S202, the RAN network element selects an access and mobility management function (access and mobility management function, AMF) network element.
The AMF network element is mainly responsible for access management in the wireless network, such as user access, user location update, user registration with the network, cell handover, etc. The RAN network element may select an AMF network element suitable for providing the service functions described above for the current UE. The AMF network element selected by the RAN network element may be referred to as the new AMF network element.
S203, the RAN network element sends a registration request message to the new AMF network element. Accordingly, the new AMF network element receives the registration request message from the RAN network element.
S204, the new AMF network element sends a UE context transfer (Namf_Communication_UEContextTransfer) message to the old AMF network element. Accordingly, the old AMF network element receives the UE context transfer message from the new AMF network element.
The old AMF network element is the access and mobility management entity of the NR system that previously served the UE. The UE context transfer message is used by the new AMF network element to request the UE context from the old AMF network element.
S205, the old AMF network element sends a UE context transfer response (Namf_Communication_UEContextTransfer response) message to the new AMF network element. Correspondingly, the new AMF network element receives the UE context transfer response message from the old AMF network element.
Wherein the UE context transfer response message carries the UE context.
S206, the new AMF network element sends an identity inquiry request message 3 to the UE. Accordingly, the UE receives the identity inquiry request message 3 from the new AMF network element.
The identity inquiry request message 3 is used for requesting the user identity identifier corresponding to the UE, for example, a subscription permanent identifier (subscription permanent identifier, SUPI).
S207, the UE sends an identity inquiry response message 3 to the new AMF network element. Accordingly, the new AMF network element receives the identity query response message 3 from the UE.
The identity inquiry response message 3 carries the SUPI corresponding to the UE.
S208, the new AMF network element selects an authentication server function (authentication server function, AUSF) network element.
The AUSF network element mainly provides services such as authentication, security verification and the like for the UE. The new AMF network element may select an AUSF network element suitable for providing services such as authentication and security verification for the current UE.
S209, the new AMF network element, the UE and the AUSF network element complete authentication (authentication) and security (security) verification of the UE.
The new AMF network element may cooperate with the UE and the AUSF network element to complete the authentication and security verification of the UE according to the SUPI corresponding to the UE.
S210, the new AMF network element sends an identity query request message 4 to the UE. Correspondingly, the UE receives an identity query request message 4 from the new AMF network element.
Wherein the identity lookup request message 4 is used to request a device identity of the UE, such as PEI.
S211, the UE sends an identity inquiry response message 4 to the new AMF network element. Accordingly, the new AMF network element receives the identity query response message 4 from the UE.
Wherein the identity inquiry response message 4 carries PEI of the UE.
S212, the new AMF network element and the EIR cooperate to verify the device validity of the UE.
Wherein, the new AMF network element may send the PEI of the UE to the EIR. The EIR may verify the PEI of the UE, e.g., the EIR may determine whether the PEI of the UE is present in the PEI list. If the PEI of the UE exists in the PEI list, the device validity verification of the UE is passed, and the UE is allowed to access the network. Or, if the PEI of the UE does not exist in the PEI list, the device validity of the UE is not verified, and the UE is not allowed to access the network.
It should be noted that the names identity inquiry request message 1, identity inquiry request message 2, identity inquiry request message 3 and identity inquiry request message 4 are used above mainly to distinguish the messages; unless otherwise specified, an identity inquiry request message mentioned below can be understood as any one of identity inquiry request message 1 to identity inquiry request message 4. Similarly, the names identity inquiry response message 1, identity inquiry response message 2, identity inquiry response message 3 and identity inquiry response message 4 are used above mainly to distinguish the messages; unless otherwise specified, an identity inquiry response message mentioned below can be understood as any one of identity inquiry response message 1 to identity inquiry response message 4.
It can be seen that, whether in an LTE system or an NR system, after authentication and security verification of the UE pass, the UE needs to send its device identifier to the core network so that the core network can complete device validity verification of the UE. However, the device identifier of the UE is transmitted in the network in clear text: for an LTE system, the IMEI of the UE is transmitted in clear text between the UE, the new MME network element and the EIR; for an NR system, the PEI of the UE is transmitted in clear text between the UE, the new AMF network element and the EIR. The identifier is therefore easy to intercept, and user privacy is not guaranteed.
In summary, aiming at the technical problems, the embodiment of the application provides the following technical scheme for improving the security of equipment identifier transmission and guaranteeing the privacy of users.
The technical solution of the embodiments of the present application may be applied to various communication systems, such as a wireless fidelity (wireless fidelity, WiFi) system, a vehicle-to-everything (vehicle to everything, V2X) communication system, a device-to-device (device to device, D2D) communication system, a vehicle networking communication system, a 4th generation (4th generation, 4G) mobile communication system such as an LTE system, a 5th generation (5th generation, 5G) mobile communication system such as an NR system, and future communication systems such as a 6th generation (6th generation, 6G) system. Other names for future communication systems are also possible and are still covered by the scope of the present application, which is not limited in this respect.
The present application will present various aspects, embodiments, or features about a system that may include multiple devices, components, modules, etc. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, combinations of these schemes may also be used.
In addition, in the embodiments of the present application, words such as "exemplary," "for example," and the like are used to indicate an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term use of an example is intended to present concepts in a concrete fashion.
In the embodiments of the present application, "information", "signal", "message", "channel" and "signaling" may be used interchangeably; their meaning is consistent where the distinction is not emphasized. "Of", "corresponding" and "relevant" may also be used interchangeably, and their meaning is consistent where the distinction is not emphasized. Furthermore, "/" herein may be used to indicate an "or" relationship.
The network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network architecture and the appearance of the new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
To facilitate understanding of the embodiments of the present application, a communication system suitable for the embodiments of the present application will be described in detail first with reference to the communication system shown in fig. 3 as an example. Fig. 3 is a schematic architecture diagram of a communication system to which the communication method according to the embodiment of the present application is applicable. The communication system is a 4/5G converged network architecture and comprises a 4G network and a 5G network.
The 4G network mainly includes: an evolved universal mobile telecommunications system (universal mobile telecommunications system, UMTS) terrestrial radio access network (evolved UMTS terrestrial radio access network, E-UTRAN) network element, an MME network element, and a serving gateway (serving gateway, SGW). The 5G network mainly includes: a next generation radio access network (next generation radio access network, NG-RAN) network element, an AMF network element, a user plane function (user plane function, UPF) network element, a session management function (session management function, SMF) network element, a policy control function (policy control function, PCF) network element, a unified data management (unified data management, UDM) network element, and an EIR.
The E-UTRAN network element may be understood as the eNodeB mentioned above, and its main function may refer to the description of the eNodeB above, which is not repeated.
The MME network element is mainly responsible for mobility management, bearer management, user authentication and authorization, SGW selection and other functions.
The SGW is mainly responsible for user plane processing, routing and forwarding of data packets, and the like.
An NG-RAN network element may be understood as a RAN network element mentioned above, and the main function thereof may refer to the description of the RAN network element above, which is not repeated. Alternatively, the NG-RAN network element may also be replaced by a gNB as in the NR system, or one or a group (including multiple antenna panels) of base stations in 5G, or may also be a network node forming a gNB, a transmission point (transmission and reception point, TRP or transmission point, TP), or a transmission measurement function (transmission measurement function, TMF), such as a baseband unit (BBU), or a CU, DU, a Road Side Unit (RSU) with a base station function, or a wired access gateway, etc.
The main functions of the AMF network element may be mainly referred to the description of the AMF network element above, and will not be described in detail.
The UPF network element is mainly responsible for processing user data packets, such as data packet forwarding, traffic volume statistics, and the like. In the 4/5G converged network architecture, the UPF network element may integrate the user plane functions of the packet data network gateway (packet data network gateway, PGW) in the 4G network, and may then also be referred to as a UPF+PGW-U network element.
The SMF network element is mainly responsible for session management in the wireless network, such as creation, modification and deletion of protocol data unit (protocol data unit, PDU) sessions, and maintains the PDU session context. In the 4/5G converged network architecture, the SMF network element may integrate the control plane functions of the PGW in the 4G network, and may then also be referred to as an SMF+PGW-C network element.
The PCF network element is mainly responsible for providing various policies to the AMF network element and the SMF network element.
The UDM network element is mainly used for storing user data, such as subscription information and authentication/authorization information. In the 4/5G converged network architecture, the UDM network element may integrate the functions of the HSS in the 4G network, and may then also be referred to as a UDM+HSS network element.
The main function of the EIR may refer to the description of the EIR above, and is not repeated. It should be noted that the EIR and the SMF network element may be connected through an Nx interface, where "Nx" is only an example name and may be replaced by any other possible name, which is not specifically limited in this application. Alternatively, the EIR and the MME network element may also be directly connected through an interface, for example the S13 interface.
The terminal may access the 5G network through the E-UTRAN network element, or may directly access the 5G network through the NG-RAN network element, which is not specifically limited in this application. Alternatively, the terminal may be a terminal having a wireless transceiver function or a chip system that may be disposed in such a terminal. The terminal may also be referred to as a user equipment, access terminal, subscriber unit (subscriber unit), subscriber station, mobile station (mobile station, MS), remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. The terminals in embodiments of the present application may be mobile phones (mobile phones), cellular phones (cellular phones), smart phones (smart phones), tablet computers (Pad), wireless data cards, personal digital assistants (personal digital assistant, PDA), wireless modems (modem), handheld devices (handset), laptop computers (laptop computers), machine type communication (machine type communication, MTC) terminals, computers with wireless transceiving functions, virtual reality (virtual reality, VR) terminals, augmented reality (augmented reality, AR) terminals, wireless terminals in industrial control (industrial control), wireless terminals in self driving (self driving), wireless terminals in smart grid (smart grid), wireless terminals in transportation safety (transportation safety), wireless terminals in smart city (smart city), wireless terminals in smart home (smart home), an RSU with terminal functions, and the like. The terminal of the present application may also be an in-vehicle module, an in-vehicle component, an in-vehicle chip, or an in-vehicle unit built into a vehicle as one or more components or units.
Having described a communication system to which the communication method provided in the embodiment of the present application is applicable, the communication method provided in the embodiment of the present application will be specifically described with reference to fig. 4 to 5.
Fig. 4 is a schematic flow chart of a communication method according to an embodiment of the present application. The communication method can be suitable for communication between a terminal and a network device, the terminal can be a terminal in the communication system shown in fig. 3, and the network device can be a core network element in the communication system shown in fig. 3. As shown in fig. 4, the communication method includes: s401 and S402.
S401, the terminal sends a first device identifier of the terminal. Correspondingly, the network device receives the first device identifier of the terminal.
The first device identifier is used for verifying the device validity of the terminal. The first device identifier includes one or more of the following: a first IMEI (the naming used in the LTE system) or a first PEI (the naming used in the NR system), so that both the LTE system and the NR system are covered and device validity verification can be performed in either. It should be noted that when the terminal accesses the network for the first time, the first device identifier may be the real device identifier of the terminal, that is, the device identifier set before the device leaves the factory. Accordingly, the first IMEI may be referred to as the real IMEI and the first PEI as the real PEI. When the terminal is not accessing the network for the first time, the first device identifier may be a temporary device identifier of the terminal, that is, the device identifier allocated to the terminal by the core network the last time the terminal accessed the network. Accordingly, the first IMEI may be referred to as a temporary IMEI (to distinguish it from the temporary IMEI mentioned below, the first IMEI is referred to as temporary IMEI 1), and the first PEI may be referred to as a temporary PEI (likewise referred to as temporary PEI 1). That is, only when the terminal accesses the network for the first time does it transmit its real device identifier; otherwise it transmits the temporary device identifier, so as to avoid the real device identifier being stolen as far as possible and to protect user privacy. It will be appreciated that "real device identifier" and "temporary device identifier" are only example names and not limiting; any possible name may be substituted, e.g. the real device identifier may also be called the device factory identifier or the device tamper-proof identifier, and the temporary device identifier may also be called the dynamic device identifier, etc. Similarly, the real IMEI or real PEI and the temporary IMEI 1 or temporary PEI 1 may be understood by reference and are not described again.
The first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request (create session request) message, or a device identifier verification request (N5g-eir_EquipmentIdentityCheck request) message, so as to reuse existing signaling and improve communication efficiency. It is understood that when the first device identifier is carried in different messages, the form of the network device differs correspondingly, as described in detail below.
Case 11: the first device identifier is carried in the identity inquiry response message, and the network device is an MME network element.
After the terminal accesses the 4G network, the MME network element (network device) may send an identity inquiry request message to the terminal through an access network device of the 4G network, such as an eNodeB, where the identity inquiry request message is used to request the first device identifier of the terminal. Correspondingly, the terminal may send an identity inquiry response message carrying the first device identifier to the MME network element through the eNodeB according to the identity inquiry request message.
Case 12: the first device identifier is carried in the create session request message, and the network device is an SGW or an SMF+PGW-C network element.
The MME network element may obtain the first device identifier from the identity inquiry response message. The MME network element may carry the first device identifier in a create session request message and send the create session request message to the SGW. In this case, the network device is the SGW. Alternatively, after receiving the create session request message carrying the first device identifier, the SGW may forward the create session request message to a core network element in the 5G network, for example an SMF+PGW-C network element. In this case, the network device is the SMF+PGW-C network element.
It is noted that the create session request message is normally used to create a session for the terminal, such as a protocol data unit (protocol data unit, PDU) session or a packet data network (packet data network, PDN) connection. By carrying the first device identifier in the create session request message, the message is reused for device validity verification of the terminal, thereby saving signaling overhead and improving communication efficiency.
Case 13: the first device identifier is carried in the device identifier verification request message, and the network device is an EIR.
The SMF+PGW-C network element may obtain the first device identifier from the create session request message. The SMF+PGW-C network element may carry the first device identifier in a device identifier verification request message and send the device identifier verification request message to the EIR (network device). Correspondingly, the EIR may obtain the first device identifier from the device identifier verification request message so as to verify the device validity of the terminal according to the first device identifier; the specific implementation may refer to the description of S402 below and is not repeated here.
S402, the network equipment sends a second equipment identification of the terminal. Correspondingly, the terminal receives the second equipment identifier of the terminal.
The second device identifier is a device identifier determined when the device validity of the terminal passes verification, and is used for subsequent device validity verification of the terminal. The second device identifier may include one or more of the following: a second IMEI or a second PEI, so that both the LTE system and the NR system are covered and device validity verification can be performed in either. Like the first device identifier, the second device identifier is a temporary device identifier of the terminal, and it is different from the first device identifier. Accordingly, the second IMEI may also be referred to as a temporary IMEI (to distinguish it from temporary IMEI 1 above, the second IMEI is referred to as temporary IMEI 2), and the second PEI may also be referred to as a temporary PEI (likewise referred to as temporary PEI 2).
The second device identifier may be carried in one or more of the following: an attach accept (attach accept) message, an activate dedicated evolved packet system bearer context request (activate dedicated EPS bearer context request) message, a create session response (create session response) message, or a device identifier verification response (N5g-eir_EquipmentIdentityCheck response) message, so as to reuse existing signaling and improve communication efficiency. It will be appreciated that, as for the first device identifier, when the second device identifier is carried in different messages the form of the network device differs correspondingly, as described in detail below.
Case 21: the second device identifier is carried in the device identifier verification response message, and the network device is an EIR.
After the EIR (network device) completes the device validity verification of the terminal and determines the second device identifier (the specific implementation may refer to the related description below and is not detailed here), the EIR may send a device identifier verification response message carrying the second device identifier to the SMF+PGW-C network element. The second device identifier may be encapsulated in an information element of the device identifier verification response message, such as a protocol configuration options (protocol configuration options, PCO) information element, or any other possible information element.
Case 22: the second device identifier is carried in the create session response message, and the network device is an SGW or an SMF+PGW-C network element.
The SMF+PGW-C network element may obtain the second device identifier from the device identifier verification response message. The SMF+PGW-C network element may carry the second device identifier in a create session response message that is sent to a network element in the 4G network, e.g. the SGW. In this case, the network device is the SMF+PGW-C network element. As in the device identifier verification response message, the second device identifier may be encapsulated in an information element of the create session response message, such as a PCO information element, or any other possible information element. Alternatively, after receiving the create session response message carrying the second device identifier, the SGW may forward the create session response message to the MME network element. In this case, the network device is the SGW.
Case 23: the second device identifier is carried in an attach accept message or an activate dedicated evolved packet system bearer context request message, and the network device is an MME network element.
The MME network element (network device) may obtain the second device identifier from the create session response message. The MME network element may carry the second device identifier in an activate dedicated evolved packet system bearer context request message; as in the device identifier verification response message, the second device identifier may be encapsulated in an information element of that message, such as a PCO information element, or any other possible information element. The MME network element may send an attach accept message carrying the activate dedicated evolved packet system bearer context request message to the terminal via the eNodeB. In this way, the terminal receives the attach accept message and obtains the second device identifier from the activate dedicated evolved packet system bearer context request message carried in it.
For convenience of understanding, the following specifically describes verifying the device validity of the terminal and determining the second device identifier of the terminal by using the network device as an EIR as an example.
After the network device obtains the first device identifier from the device identifier verification request message, it may traverse a preset real device identifier library to determine whether the first device identifier exists in the real device identifier library. It will be appreciated that "real device identifier library" is only an example name and is not limiting; it may be replaced by other names, such as a real device identifier resource pool, which are not specifically limited here.
If the first device identifier exists in the real device identifier library, the first device identifier is a real device identifier and the device validity of the terminal passes verification. The network device may then determine a corresponding temporary device identifier for the terminal, i.e. the second device identifier, from a preset temporary device identifier library. Again, "temporary device identifier library" is only an example name and may be replaced by other names, such as a temporary device identifier resource pool, which are not specifically limited here. The network device may record the correspondence between the real device identifier and the temporary device identifier of the terminal, that is, the correspondence between the first device identifier and the second device identifier, for use in subsequent verification, and may send the second device identifier to the terminal.
Otherwise, if the first device identifier does not exist in the real device identifier library, the first device identifier is not a real device identifier. The network device may then traverse the recorded correspondences between real device identifiers and temporary device identifiers to determine whether the first device identifier appears in them. If the first device identifier does appear in a correspondence, it is the temporary device identifier associated with a real device identifier, and the device validity of the terminal passes verification. In this case the network device may determine a new temporary device identifier for the terminal, i.e. the second device identifier, from the preset temporary device identifier library, update the correspondence for that real device identifier so that it now points to the second device identifier, and send the second device identifier to the terminal. If instead the first device identifier does not appear in any correspondence, it is neither a real device identifier nor a temporary device identifier, and the device validity of the terminal fails verification. In this case, the network device (EIR) may send a device identifier verification response message to the SMF+PGW-C network element carrying first indication information indicating that the device validity verification of the terminal has failed.
According to the device identifier verification response message, the SMF+PGW-C network element may send a create session response message to the MME network element through the SGW, carrying second indication information indicating that session creation for the terminal has failed. According to the create session response message, the MME network element sends an attach reject (attach reject) message to the terminal via the eNodeB to indicate that the attach of the terminal has failed. Optionally, the network device may also blacklist the terminal when its device validity verification fails. When the terminal requests device validity verification again, the network device can then determine directly from the blacklist that the verification fails, saving computation at the network device and improving its operating efficiency.
It should be noted that the order described above, in which the network device first traverses the real device identifier library and then the correspondences between real and temporary device identifiers, is only an example and not a limitation. For instance, if real device identifiers and temporary device identifiers have different data structures, the network device may determine from the data structure of the first device identifier whether it is a real or a temporary device identifier. If it determines that the first device identifier is a real device identifier, the network device may traverse the real device identifier library directly to check whether the first device identifier is recorded there. If it determines that the first device identifier is a temporary device identifier, the network device may traverse the correspondences between real and temporary device identifiers directly to check whether the first device identifier appears in them.
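The following is an added worked example, not code from the patent: a minimal model of the EIR-side logic for S402 as described above, i.e. the real device identifier library, the temporary device identifier library, the real-to-temporary correspondence that is created on first access and updated on each later access, the blacklist on failure, and the structural shortcut for telling real and temporary identifiers apart. The identifier formats are assumptions made for the example (a real identifier is a 15-digit IMEI whose last digit is a Luhn check digit, which is how 3GPP TS 23.003 defines the IMEI check digit; a temporary identifier is written with a "T" prefix), as are the class and function names and the constructed sample identifiers; the Luhn check is an extra sanity check this example adds, not a step the patent describes.

```python
"""Added example: EIR-side device validity check with rotating temporary ids.
Not part of the patent; formats, names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

TEMP_PREFIX = "T"  # assumption: temporary ids are structurally distinguishable


def luhn_ok(digits: str) -> bool:
    """Luhn check over a digit string (IMEI check digit, TS 23.003 Annex B)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(device_id: str) -> Optional[str]:
    """Decide from the data structure whether an id is 'real' or 'temp'."""
    if device_id.startswith(TEMP_PREFIX) and device_id[1:].isdigit():
        return "temp"
    if len(device_id) == 15 and device_id.isdigit() and luhn_ok(device_id):
        return "real"
    return None              # malformed: neither a real nor a temporary id


@dataclass
class CheckResult:
    verified: bool
    second_id: Optional[str] = None   # temporary id returned to the terminal
    reason: str = ""


class Eir:
    def __init__(self, real_ids: Iterable[str], temp_pool: Iterable[str]):
        self.real_ids: Set[str] = set(real_ids)      # real device identifier library
        self.temp_pool: List[str] = list(temp_pool)  # temporary device identifier library
        self.temp_to_real: Dict[str, str] = {}       # live correspondence temp -> real
        self.real_to_temp: Dict[str, str] = {}       # live correspondence real -> temp
        self.blacklist: Set[str] = set()

    def _rotate(self, real_id: str) -> str:
        """Issue a fresh temporary id for real_id and update the correspondence.

        The previously issued temporary id stops being accepted (assumption:
        exactly one temporary id is live per real id at any time)."""
        if not self.temp_pool:
            raise RuntimeError("temporary device identifier library exhausted")
        new_temp = self.temp_pool.pop(0)
        old_temp = self.real_to_temp.get(real_id)
        if old_temp is not None:
            del self.temp_to_real[old_temp]
        self.real_to_temp[real_id] = new_temp
        self.temp_to_real[new_temp] = real_id
        return new_temp

    def check(self, first_id: str) -> CheckResult:
        """Device validity check on the first device identifier (S402 logic)."""
        if first_id in self.blacklist:
            return CheckResult(False, reason="blacklisted")
        kind = classify(first_id)
        if kind == "real" and first_id in self.real_ids:
            return CheckResult(True, self._rotate(first_id), "real id accepted")
        if kind == "temp" and first_id in self.temp_to_real:
            real_id = self.temp_to_real[first_id]
            return CheckResult(True, self._rotate(real_id), "temporary id accepted")
        # neither a known real id nor a live temporary id: fail and blacklist
        self.blacklist.add(first_id)
        return CheckResult(False, reason="unknown device identifier")


def demo() -> List[CheckResult]:
    """Constructed scenario: first attach, re-attach, replay of a stale temp id."""
    eir = Eir(real_ids={"490154203237518"}, temp_pool=["T0001", "T0002", "T0003"])
    return [
        eir.check("490154203237518"),  # first access with the real IMEI
        eir.check("T0001"),            # next access with temporary IMEI 1
        eir.check("T0001"),            # replay of the now-stale temporary id
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two points follow directly from the logic as the text describes it and are worth keeping in mind when assessing the scheme: the real identifier stays in the real device identifier library and so remains acceptable on every later attach, which means a real identifier captured during the first access is still usable afterwards (the rotation shortens the exposure of the real identifier rather than eliminating it); and because an unknown identifier is blacklisted, a terminal that misses the S402 update and re-presents its previous temporary identifier is locked out until the blacklist entry is cleared.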
In summary, according to the method shown in fig. 4, after the current device validity verification, the network device may update the device identifier of the terminal, for example, replace the first device identifier with the second device identifier, so that the device identifier of the terminal changes dynamically. The dynamically changing device identifier can be regarded as a temporary device identifier of the terminal, and the terminal can subsequently use the temporary device identifier for device validity verification, so as to prevent the real device identifier of the terminal from being stolen and to protect the privacy of the user.
Alternatively, in one possible design, the network device sending the second device identifier of the terminal may include: the network device sends the encrypted second device identifier, to further enhance the security of the transmission. For example, the network device may encrypt the second device identifier using the public key of the terminal, resulting in an encrypted second device identifier. The network device may obtain the public key of the terminal from a core network element, such as a UDM+HSS network element. Correspondingly, the terminal can decrypt the encrypted second device identifier using its private key to obtain the second device identifier.
Optionally, in another possible design, before S402, a method provided by an embodiment of the present application may further include: the terminal sends the user identity corresponding to the terminal. Correspondingly, the network equipment receives the user identity corresponding to the terminal.
The user identity can be used for verifying the device validity of the terminal. That is, for verifying the device validity of the terminal, not only the first device identifier of the terminal but also the user identity corresponding to the terminal needs to be verified, so as to improve the reliability of the device validity verification. The user identity may include one or more of the following: an international mobile subscriber identity (IMSI), or a subscription permanent identifier (SUPI), so as to be compatible with both the LTE system and the NR system and enable the device validity of the terminal to be verified in both. The user identity and the first device identifier may be carried in the same message, e.g. the user identity is also carried in one or more of the following: the identity inquiry response message, the create session request message, or the device identification verification request message, which saves signaling overhead and improves communication efficiency. Alternatively, the user identity and the first device identifier may be carried in different messages, which is not specifically limited.
For ease of understanding, taking the network device as an EIR as an example, how the network device verifies the device validity of the terminal according to the user identity is described in detail below.
After the network device obtains the user identity from the device identification verification request message, it can traverse a preset user identity library to determine whether the user identity exists in the user identity library. It will be appreciated that the name "user identity library" is only an example and is not limiting; other names, such as a user identity resource pool, may be substituted, which is not specifically limited. If the user identity is in the user identity library and the verification of the first device identifier by the network device passes, the device validity verification of the terminal passes. Otherwise, if the user identity is not in the user identity library, or the verification of the first device identifier by the network device does not pass, the device validity verification of the terminal does not pass.
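The EIR-side logic described in the preceding paragraphs (lookup of the first device identifier in either the real device identifier library or the temporary-to-real correspondence, the optional user identity check, the optional blacklist, and the issuing of a fresh second device identifier on success) can be modelled as follows. This is an added example and not code from the patent application; the class and attribute names, the "TMP-" prefix used to tell temporary identifiers apart from real ones by their data structure, and the sample IMEI/IMSI values are assumptions made for illustration.

```python
"""Model of the EIR-side device validity check with temporary identifier rotation.

Added example, not code from the patent application. The names below
(EquipmentIdentityRegister, real_ids, temp_to_real, the "TMP-" prefix) are
assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: temporary identifiers use a distinct data structure (here a
# prefix), so the register can tell them apart from real IMEI/PEI values.
TEMP_PREFIX = "TMP-"


@dataclass
class VerifyResult:
    passed: bool
    second_device_id: Optional[str] = None  # fresh temporary ID on success
    reason: str = ""


@dataclass
class EquipmentIdentityRegister:
    real_ids: set                                     # real device identifier library
    user_ids: set                                     # user identity library (IMSI/SUPI)
    temp_to_real: dict = field(default_factory=dict)  # temporary -> real correspondence
    blacklist: set = field(default_factory=set)       # identifiers that already failed

    @staticmethod
    def is_temporary(device_id: str) -> bool:
        return device_id.startswith(TEMP_PREFIX)

    def _resolve_real(self, first_device_id: str) -> Optional[str]:
        """Return the real identifier behind first_device_id, or None if unknown."""
        if self.is_temporary(first_device_id):
            # Temporary identifier: only the correspondence is consulted.
            return self.temp_to_real.get(first_device_id)
        # Real identifier: only the real identifier library is consulted.
        return first_device_id if first_device_id in self.real_ids else None

    def _issue_temporary(self, real_id: str) -> str:
        """Revoke any earlier temporary identifier of this terminal and bind a new one."""
        for tmp, real in list(self.temp_to_real.items()):
            if real == real_id:
                del self.temp_to_real[tmp]
        new_id = TEMP_PREFIX + secrets.token_hex(8)  # unpredictable, not derived from real_id
        self.temp_to_real[new_id] = real_id
        return new_id

    def verify(self, first_device_id: str, user_id: Optional[str] = None) -> VerifyResult:
        """Device validity verification; on success the result carries the second device identifier."""
        if first_device_id in self.blacklist:
            return VerifyResult(False, reason="blacklisted")
        real_id = self._resolve_real(first_device_id)
        if real_id is None:
            # Optional blacklist: later requests with this identifier are rejected without lookups.
            self.blacklist.add(first_device_id)
            return VerifyResult(False, reason="unknown device identifier")
        if user_id is not None and user_id not in self.user_ids:
            return VerifyResult(False, reason="unknown user identity")
        return VerifyResult(True, second_device_id=self._issue_temporary(real_id))


if __name__ == "__main__":
    # Constructed sample data.
    eir = EquipmentIdentityRegister(real_ids={"IMEI-1"}, user_ids={"IMSI-1"})
    first = eir.verify("IMEI-1", "IMSI-1")
    second = eir.verify(first.second_device_id, "IMSI-1")
    print(first.passed, second.passed, second.second_device_id != first.second_device_id)
```

Two properties of the rotation are worth noting for anyone implementing the register: the new temporary identifier is drawn from a CSPRNG rather than derived from the real identifier, so observing a sequence of temporary identifiers reveals nothing about the IMEI/PEI, and the previous temporary identifier is revoked as soon as a new one is bound, so a captured temporary identifier cannot be reused once the terminal has attached again.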
The overall flow of the communication method provided in the embodiment of the present application is described above with reference to fig. 4, and the flow of the communication method shown in fig. 4 in a specific application scenario is described in detail with reference to fig. 5.
Fig. 5 is a schematic flow chart of a communication method according to an embodiment of the present application. The communication method can be applied to the communication among UE, eNodeB, MME network elements, SGW, SMF+PGW-C network elements, UDM+HSS network elements and EIR shown in figure 3. As shown in fig. 5, the communication method may include the steps of:
S501, the UE sends an attach request message to the eNodeB. Accordingly, the eNodeB receives an attach request message from the UE.
S502, the eNodeB sends an attach request message to the MME network element. Accordingly, the MME network element receives an attach request message from the eNodeB.
S503, the MME network element, the UE, and the UDM+HSS network element complete authentication and security verification of the UE.
The specific implementation principles of S501-S503 may refer to the related descriptions in S101-S107, and will not be described herein.
S504, the MME network element sends an identity inquiry request message to the UE. Correspondingly, the UE receives an identity query request message from the MME network element.
The identity query request message is used for requesting the first device identifier of the UE, and the specific implementation of the first device identifier may refer to the related description in S401 and will not be repeated.
S505, the UE sends an identity inquiry response message to the MME network element. Correspondingly, the MME network element receives an identity inquiry response message from the UE.
The identity inquiry response message carries a first equipment identifier of the UE.
S506, the MME network element sends a create session request message to the SGW. Correspondingly, the SGW receives a create session request message from the MME network element.
S507, the SGW sends a create session request message to the SMF+PGW-C network element. Correspondingly, the SMF+PGW-C network element receives a create session request message from the SGW.
The session creation request message carries the first device identifier of the UE, and optionally, the session creation request message may also carry the user identifier corresponding to the UE.
S508, the SMF+PGW-C network element sends a device identification verification request message to the EIR. Correspondingly, the EIR receives a device identification verification request message from the SMF+PGW-C network element.
The device identifier verification request message carries the first device identifier of the UE, and optionally, the device identifier verification request message may also carry a user identity identifier corresponding to the UE. The specific implementation of S505-S508 may refer to the description related to S401 and the other possible design schemes, and will not be described in detail.
S509, the EIR verifies the device legitimacy of the UE.
The specific implementation of S509 may refer to the description related to S402 and the other possible design schemes, and will not be described herein.
S510, the EIR sends a device identification verification response message to the SMF+PGW-C network element. Correspondingly, the SMF+PGW-C network element receives the equipment identity verification response message from the EIR.
If the device validity verification of the UE passes, the device identification verification response message may carry the second device identifier of the UE; the specific implementation may refer to S402 and the description of the one possible design scheme above, which is not repeated here.
S511, the SMF+PGW-C network element sends a create session response message to the SGW. Accordingly, the SGW receives a create session response message from the SMF+PGW-C network element.
S512, the SGW sends a create session response message to the MME network element. Correspondingly, the MME network element receives a create session response message from the SGW.
The create session response message may carry the second device identifier of the UE; the specific implementation may refer to S402 and the description of the one possible design scheme above, which is not repeated here.
S513, the MME network element sends an attach accept message to the UE. Correspondingly, the UE receives an attach accept message from the MME network element.
The attach accept message may carry the second device identifier of the UE, and the specific implementation may refer to S402 and the related description in the foregoing one possible design scheme, which are not described herein.
S514, the EIR sends a device identification verification response message to the SMF+PGW-C network element. Correspondingly, the SMF+PGW-C network element receives the equipment identity verification response message from the EIR.
If the device validity verification of the UE fails, the device identifier verification response message may carry first indication information to indicate that the device validity verification of the UE fails, and the specific implementation may refer to the related description in S402 and will not be repeated.
S515, the smf+pgw-C network element sends a create session response message to the SGW. Accordingly, the SGW receives a create session response message from the SMF+PGW-C network element.
S516, the SGW sends a create session response message to the MME network element. Correspondingly, the MME network element receives a create session response message from the SGW.
The session creation response message may carry second indication information to indicate that the session creation of the UE fails, and the specific implementation may refer to the description related to S402 and will not be repeated.
S517, the MME network element sends an attach reject message to the UE. Correspondingly, the UE receives an attach reject message from the MME network element.
The attach reject message may indicate that the terminal has failed to attach, and the specific implementation may refer to the description related to S402, which is not repeated.
It is understood that the steps S510-S513 and S514-S517 are optional steps. If the device validity verification of the UE passes, S510-S513 are performed. If the device validity verification of the UE does not pass, S514-S517 are performed. In addition, the above procedure is only an example. For example, the MME network element may obtain the first device identifier of the UE through the security mode command procedure, that is, in S503 above. For another example, the MME network element may also send the first device identifier directly to the EIR through the S13 interface. Correspondingly, after the verification passes, the EIR can directly return the second device identifier to the MME network element through the S13 interface.
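The attach procedure of fig. 5 (S501-S517), with both the accept branch and the reject branch, can be traced end to end with the following model. It is an added example and not code from the patent application; the `Message`/`Trace` types, the `attach` function, the `exposure` helper and the constructed `demo_verifier` are assumptions made for illustration. The EIR decision is passed in as a callback so that any register implementation can be plugged in; the demo verifier simply knows one device/user pair.

```python
"""Runnable trace of the fig. 5 attach procedure.

Added example, not code from the patent application. The message and trace
types, attach(), exposure() and demo_verifier() are assumptions made for
illustration; the network element names are those used in the text.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# An EIR decision: given (first device id, user id) return the second device
# id on success, or None when device validity verification fails.
Verifier = Callable[[str, Optional[str]], Optional[str]]


@dataclass
class Message:
    name: str
    src: str
    dst: str
    payload: dict = field(default_factory=dict)


@dataclass
class Trace:
    messages: List[Message] = field(default_factory=list)

    def send(self, name: str, src: str, dst: str, **payload) -> Message:
        self.messages.append(Message(name, src, dst, dict(payload)))
        return self.messages[-1]


def eir_verify(first_id: str, user_id: Optional[str], verifier: Verifier, t: Trace) -> Optional[str]:
    """S508 then S510 (pass) or S514 (fail): SMF+PGW-C <-> EIR exchange."""
    t.send("device identification verification request", "SMF+PGW-C", "EIR",
           first_device_id=first_id, user_id=user_id)
    second_id = verifier(first_id, user_id)
    if second_id is None:
        t.send("device identification verification response", "EIR", "SMF+PGW-C",
               first_indication="device validity verification failed")
    else:
        t.send("device identification verification response", "EIR", "SMF+PGW-C",
               second_device_id=second_id)
    return second_id


def attach(first_id: str, user_id: Optional[str], verifier: Verifier) -> Tuple[str, Optional[str], Trace]:
    """Run S501-S517; return (final NAS message name, second device id or None, trace)."""
    t = Trace()
    t.send("attach request", "UE", "eNodeB")                                   # S501
    t.send("attach request", "eNodeB", "MME")                                  # S502
    t.send("authentication and security", "MME", "UE")                         # S503 (abridged)
    t.send("identity inquiry request", "MME", "UE")                            # S504
    t.send("identity inquiry response", "UE", "MME", first_device_id=first_id)  # S505
    t.send("create session request", "MME", "SGW",
           first_device_id=first_id, user_id=user_id)                          # S506
    t.send("create session request", "SGW", "SMF+PGW-C",
           first_device_id=first_id, user_id=user_id)                          # S507
    second_id = eir_verify(first_id, user_id, verifier, t)                     # S508-S510 / S514
    if second_id is not None:
        t.send("create session response", "SMF+PGW-C", "SGW", second_device_id=second_id)  # S511
        t.send("create session response", "SGW", "MME", second_device_id=second_id)        # S512
        final = t.send("attach accept", "MME", "UE", second_device_id=second_id)           # S513
    else:
        fail = {"second_indication": "session creation failed"}
        t.send("create session response", "SMF+PGW-C", "SGW", **fail)         # S515
        t.send("create session response", "SGW", "MME", **fail)               # S516
        final = t.send("attach reject", "MME", "UE")                          # S517
    return final.name, second_id, t


def exposure(t: Trace, key: str) -> List[Tuple[str, str]]:
    """Hops on which a given payload field (e.g. the first device id) is carried."""
    return [(m.src, m.dst) for m in t.messages if key in m.payload]


def demo_verifier(first_id: str, user_id: Optional[str]) -> Optional[str]:
    """Constructed stand-in for the EIR: exactly one known device/user pair."""
    return "TMP-0001" if (first_id, user_id) == ("IMEI-1", "IMSI-1") else None


if __name__ == "__main__":
    name, sid, tr = attach("IMEI-1", "IMSI-1", demo_verifier)
    print(name, sid, exposure(tr, "first_device_id"))
```

The `exposure` helper is the part a reviewer of such a design actually wants: it lists every hop on which the first device identifier travels, which is the set of links that must be protected (NAS security after S503 on the air interface, and transport security between core network elements) if the real IMEI/PEI is to be sent only once before the temporary identifier takes over.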
The communication method provided in the embodiment of the present application is described in detail above with reference to fig. 4 to 5. A communication apparatus for performing the communication method provided in the embodiment of the present application is described in detail below with reference to fig. 6 to 8.
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application. As shown in fig. 6, the communication apparatus 600 includes: a receiving module 601 and a transmitting module 602. For ease of illustration, fig. 6 shows only the main components of the communication device.
In an embodiment, the communication apparatus 600 may be adapted to perform the functions of the network device in the method shown in fig. 4, or perform the functions of the MME network element, SGW, SMF+PGW-C network element, or EIR in fig. 5 in the communication system shown in fig. 3.
The receiving module 601 is configured to receive a first device identifier of a terminal; the sending module 602 is configured to send a second device identifier of the terminal. The first device identifier is used for verifying the device validity of the terminal; the second device identifier is determined when the device validity verification of the terminal passes and is used for subsequent device validity verification of the terminal.
In one possible design, the first device identification may include one or more of the following: the first international mobile equipment identity IMEI, or the first permanent equipment identifier PEI.
In one possible configuration, the first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request message, or a device identification verification request message.
In one possible design, the second device identification may include one or more of the following: a second IMEI, or a second PEI.
In one possible embodiment, the second device identifier may be carried in one or more of the following: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
In a possible design, the receiving module 601 may be further configured to receive a user identity corresponding to the terminal before the sending module 602 sends the second device identifier of the terminal, where the user identity is used for verifying the validity of the device of the terminal.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity IMSI, or a subscriber permanent identifier SUPI.
Optionally, the user identity is carried in the same message as the first device identity.
In a possible design, the sending module 602 may also be configured to send the encrypted second device identifier.
Alternatively, the transmitting module 602 and the receiving module 601 may also be integrated as a transceiver module (not shown in fig. 6). The transceiver module is configured to implement a transceiver function of the communication device 600.
Optionally, the communication device 600 may further comprise a processing module 603 (shown in dashed lines in fig. 6). The processing module 603 is configured to implement a processing function of the communication device 600.
Optionally, the communication device 600 may further comprise a storage module (not shown in fig. 6) storing programs or instructions. The processing module 603, when executing the programs or instructions, enables the communication apparatus 600 to perform the functions of a network device in the method shown in fig. 4, or to perform the functions of an MME network element, an SGW, an SMF+PGW-C network element, a UDM+HSS network element, or an EIR in the method shown in fig. 5.
It is to be appreciated that the processing module 603 involved in the communication device 600 may be implemented by a processor or processor-related circuit component, which may be a processor or processing unit; the transceiver module may be implemented by a transceiver or transceiver related circuit components, and may be a transceiver or a transceiver unit.
The communication apparatus 600 may be a network device, a chip (system) or other components or assemblies that may be provided in the network device, or an apparatus including the network device, which is not limited in this application.
In addition, the technical effects of the communication apparatus 600 may refer to the corresponding technical effects in the method shown in fig. 4, which are not described herein.
In another embodiment, the communication apparatus 600 may be adapted to be used in the communication system shown in fig. 3, perform the functions of a terminal in the method shown in fig. 4, or perform the functions of a UE in the method shown in fig. 5.
The sending module 602 is configured to send a first device identifier of the communication apparatus 600; the receiving module 601 is configured to receive a second device identifier of the communication apparatus 600. The first device identifier is used for device validity verification of the communication apparatus 600; the second device identifier is determined when the device validity verification of the communication apparatus 600 passes and is used for subsequent device validity verification of the communication apparatus 600.
In one possible design, the first device identification may include one or more of the following: the first international mobile equipment identity IMEI, or the first permanent equipment identifier PEI.
In one possible configuration, the first device identifier may be carried in one or more of the following: an identity inquiry response message, a create session request message, or a device identification verification request message.
In one possible design, the second device identification may include one or more of the following: a second IMEI, or a second PEI.
In one possible embodiment, the second device identifier may be carried in one or more of the following: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
In a possible design, the sending module 602 may be further configured to send, before the receiving module 601 receives the second device identifier of the communication apparatus 600, a user identifier corresponding to the communication apparatus 600, where the user identifier is used for verifying the validity of the device of the communication apparatus 600.
Optionally, the user identity may include one or more of the following: an international mobile subscriber identity IMSI, or a subscriber permanent identifier SUPI.
Optionally, the user identity is carried in the same message as the first device identity.
In a possible design, the receiving module 601 may be further configured to receive the encrypted second device identifier.
Alternatively, the transmitting module 602 and the receiving module 601 may also be integrated as a transceiver module (not shown in fig. 6). The transceiver module is configured to implement a transceiver function of the communication device 600.
Optionally, the communication device 600 may further comprise a processing module 603 (shown in dashed lines in fig. 6). The processing module 603 is configured to implement a processing function of the communication device 600.
Optionally, the communication device 600 may further comprise a storage module (not shown in fig. 6) storing programs or instructions. The processing module 603, when executing the program or instructions, enables the communication apparatus 600 to perform the functions of a terminal in the method shown in fig. 4 or to perform the functions of a UE in the method shown in fig. 5.
It is to be appreciated that the processing module 603 involved in the communication device 600 may be implemented by a processor or processor-related circuit component, which may be a processor or processing unit; the transceiver module may be implemented by a transceiver or transceiver related circuit components, and may be a transceiver or a transceiver unit.
The communication device 600 may be a terminal, a chip (system) or other components or assemblies that may be provided in the terminal, or a device including the terminal, which is not limited in this application.
In addition, the technical effects of the communication apparatus 600 may refer to the corresponding technical effects in the method shown in fig. 4, which are not described herein.
Fig. 7 is a schematic diagram of a second configuration of the communication device according to the embodiment of the present application. The communication device may be a terminal device or a network device, or may be a chip (system) or other parts or components that may be provided in the terminal device or the network device. As shown in fig. 7, a communication device 700 may include a processor 701. Optionally, the communication device 700 may further comprise a memory 702 and/or a transceiver 703. Wherein the processor 701 is coupled to a memory 702 and a transceiver 703, such as may be connected by a communication bus.
The following describes the respective constituent elements of the communication apparatus 700 in detail with reference to fig. 7:
The processor 701 is the control center of the communication device 700, and may be one processor, a collective term for a plurality of processing elements, or may be referred to as a logic circuit. For example, the processor 701 is one or more central processing units (CPUs), but may also be an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as one or more digital signal processors (DSPs), or one or more field programmable gate arrays (FPGAs).
Alternatively, the processor 701 may perform various functions of the communication device 700 by running or executing software programs stored in the memory 702 and invoking data stored in the memory 702.
In a particular implementation, the processor 701 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 7, as an embodiment.
In a particular implementation, as an embodiment, the communication apparatus 700 may also include a plurality of processors, such as the processor 701 and the processor 704 shown in fig. 7. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 702 is used for storing a software program for executing the solution of the present application, and is controlled by the processor 701, so that the method shown in fig. 4 or fig. 5 is executed.
Alternatively, the memory 702 may be, but is not limited to, read-only memory (ROM) or another type of static storage device that can store static information and instructions, random access memory (RAM) or another type of dynamic storage device that can store information and instructions, electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 702 may be integrated with the processor 701 or may exist separately and be coupled to the processor 701 through an interface circuit or an input/output interface of the communication device 700 (not shown in fig. 7), which is not specifically limited in this embodiment of the present application.
A transceiver 703 for communication with other communication devices. For example, the communication device 700 is a terminal, and the transceiver 703 may be used to communicate with a network apparatus or with another terminal apparatus. As another example, the communication apparatus 700 is a network device, and the transceiver 703 may be used to communicate with a terminal or another network device.
Alternatively, the transceiver 703 may include a receiver and a transmitter (not separately shown in fig. 7). The receiver is used for realizing the receiving function, and the transmitter is used for realizing the transmitting function.
Alternatively, transceiver 703 may be integrated with processor 701 or may exist separately and be coupled to processor 701 through interface circuitry (not shown in fig. 7) of communication device 700, as embodiments of the present application are not specifically limited.
It should be noted that the structure of the communication device 700 shown in fig. 7 is not limited to the communication device, and an actual communication device may include more or less components than those shown, or may combine some components, or may be different in arrangement of components.
In addition, the technical effects of the communication device 700 may refer to the technical effects of the communication method described in the above method embodiments, and will not be described herein.
Fig. 8 is a schematic diagram of a third configuration of a communication device according to an embodiment of the present application. The communication device may be a terminal device or a network device, or may be a chip (system) or other parts or components that may be provided in the terminal device or the network device. As shown in fig. 8, a communication device 800 may include a logic circuit 801 and an input/output interface 802. The input/output interface 802 is configured to receive code instructions and transmit them to the logic circuit 801. The logic circuit 801 is configured to execute the code instructions to perform the methods described above with respect to fig. 4 or fig. 5.
In addition, the technical effects of the communication device 800 may refer to the technical effects of the communication method described in the above method embodiments, which are not described herein.
The embodiment of the application provides a communication system. The communication system comprises one or more terminals as described above, and one or more network devices.
It should be appreciated that the processor in the embodiments of the present application may be a CPU, but the processor may also be other general purpose processors, DSPs, ASICs, field programmable gate arrays FPGAs or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be appreciated that the memory in embodiments of the present application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be ROM, programmable ROM (PROM), erasable programmable ROM (EPROM), EEPROM, or flash memory, among others. The volatile memory may be RAM, which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates that the associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, as can be understood from the context.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The above functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or in part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto; any person skilled in the art can readily conceive of changes or substitutions within the technical scope of the present application, and such changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (28)

1. A method of communication, the method comprising:
the network device receives a first device identifier of a terminal, wherein the first device identifier is used for verifying the device validity of the terminal;
the network device sends a second device identifier of the terminal, wherein the second device identifier is determined when the device validity verification of the terminal passes, and the second device identifier is used for subsequent device validity verification of the terminal.
2. The method of claim 1, wherein prior to the network device transmitting the second device identification of the terminal, the method further comprises:
the network device receives a user identity corresponding to the terminal, wherein the user identity is used for verifying the device validity of the terminal.
3. The method according to claim 1 or 2, wherein the network device sending the second device identification of the terminal comprises:
the network device transmits the encrypted second device identification.
4. A method of communication, the method comprising:
a terminal sends a first device identifier of the terminal, wherein the first device identifier is used for verifying the device validity of the terminal;
the terminal receives a second device identifier of the terminal, wherein the second device identifier is determined when the device validity verification of the terminal passes, and the second device identifier is used for subsequent device validity verification of the terminal.
5. The method of claim 1 or 4, wherein the first device identifier comprises one or more of: a first international mobile equipment identity (IMEI), or a first permanent equipment identifier (PEI).
6. The method of any one of claims 1, 4, 5, wherein the first device identification is carried in one or more of: an identity inquiry response message, a create session request message, or a device identification verification request message.
7. The method of any of claims 1, 4-6, wherein the second device identification comprises one or more of: a second IMEI, or a second PEI.
8. The method of any of claims 1, 4-7, wherein the second device identification is carried in one or more of: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
9. The method according to any of claims 4-8, characterized in that before the terminal receives the second device identification of the terminal, the method further comprises:
the terminal sends a user identity corresponding to the terminal, wherein the user identity is used for verifying the device validity of the terminal.
10. The method of claim 2 or 9, wherein the user identity comprises one or more of: an international mobile subscriber identity (IMSI), or a subscriber permanent identifier (SUPI).
11. The method according to any of claims 2, 9 or 10, wherein the user identity is carried in the same message as the first device identity.
12. The method according to any of claims 4-11, wherein the terminal receiving a second device identification of the terminal comprises:
the terminal receives the encrypted second device identification.
13. A communication device, the device comprising: a receiving module and a transmitting module, wherein,
the receiving module is configured to receive a first device identifier of a terminal, wherein the first device identifier is used for verifying the device validity of the terminal;
the sending module is configured to send a second device identifier of the terminal, wherein the second device identifier is a device identifier determined when the device validity verification of the terminal passes, and the second device identifier is used for subsequent device validity verification of the terminal.
14. The apparatus of claim 13, wherein the receiving module is further configured to receive, before the sending module sends the second device identifier of the terminal, a user identity corresponding to the terminal, where the user identity is used for verifying the device validity of the terminal.
15. The apparatus according to claim 13 or 14, wherein the transmitting module is further configured to transmit the encrypted second device identification.
16. A communication device, the device comprising: a receiving module and a transmitting module, wherein,
the sending module is configured to send a first device identifier of the communication apparatus, wherein the first device identifier is used for verifying the device validity of the communication apparatus;
the receiving module is configured to receive a second device identifier of the communication apparatus, where the second device identifier is a device identifier determined when the device validity verification of the communication apparatus passes, and the second device identifier is used for subsequent device validity verification of the communication apparatus.
17. The apparatus of claim 13 or 16, wherein the first device identifier comprises one or more of: a first international mobile equipment identity (IMEI), or a first permanent equipment identifier (PEI).
18. The apparatus of any one of claims 13, 16, 17, wherein the first device identification is carried in one or more of: an identity inquiry response message, a create session request message, or a device identification verification request message.
19. The apparatus of any of claims 13, 16-18, wherein the second device identification comprises one or more of: a second IMEI, or a second PEI.
20. The apparatus of any of claims 13, 16-19, wherein the second device identification is carried in one or more of: attach accept message, activate dedicated evolved packet system bearer context request message, create session response message, or device identification verification response message.
21. The apparatus according to any one of claims 16-20, wherein the sending module is further configured to send, before the receiving module receives the second device identifier of the communication apparatus, a user identity identifier corresponding to the communication apparatus, where the user identity identifier is used for device validity verification of the communication apparatus.
22. The apparatus of claim 13 or 21, wherein the user identity comprises one or more of: an international mobile subscriber identity (IMSI), or a subscriber permanent identifier (SUPI).
23. The apparatus according to any one of claims 13, 21 or 22, wherein the user identity is carried in the same message as the first device identity.
24. The apparatus according to any of claims 16-23, wherein the receiving module is further configured to receive the encrypted second device identification.
25. A communication device, the device comprising: a processor, wherein
the processor is configured to perform the method of any one of claims 1-12.
26. A communication device, the device comprising: a logic circuit and an input/output interface, wherein
the input/output interface is configured to receive code instructions and pass them to the logic circuit;
the logic circuit is configured to execute the code instructions to perform the method of any one of claims 1-12.
27. A computer readable storage medium, characterized in that the computer readable storage medium comprises a computer program or instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-12.
28. A computer program product, the computer program product comprising: computer program or instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-12.
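The exchange the claims describe (claims 1-4, 9-12: the terminal presents a user identity and a first device identifier, the network verifies them, and only on success determines a second device identifier, returns it encrypted, and expects it in later verifications) can be illustrated end to end. The block below is an added example, not code from the patent or its applicant. It assumes a shared key already established between terminal and network (standing in for a NAS security context the patent does not detail), uses a Luhn check on a 15-digit IMEI plus a per-subscriber binding as the "device validity verification" (the patent leaves the verification method open), and uses a small stdlib encrypt-then-MAC construction in place of whatever cipher a real deployment would use. All identifier values are constructed samples.

```python
"""Added example (not from the patent): verify a first device identifier,
then issue a fresh, encrypted second identifier that replaces it.
Stdlib only. The shared key models a pre-established security context."""
import hashlib
import hmac
import secrets


def luhn_ok(imei: str) -> bool:
    """Form check on an IMEI: 15 digits, last digit is a Luhn check digit
    (digits at positions 2, 4, ..., 14 are doubled)."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def new_imei() -> str:
    """Network-side generation of a second IMEI: 14 random digits plus the
    one check digit that satisfies luhn_ok(). Constructed value, not a real TAC."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(14))
    for check in "0123456789":
        if luhn_ok(body + check):
            return body + check
    raise AssertionError("unreachable: exactly one check digit satisfies Luhn")


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the shared key (assumption)."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob never yields an identifier."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 12 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class NetworkDevice:
    """Per subscriber identity (IMSI), the device identifier currently accepted
    for that subscriber; a stand-in for an EIR / subscriber record."""

    def __init__(self, bindings: dict, key: bytes):
        self.bindings = dict(bindings)
        self.key = key

    def verify_and_rotate(self, imsi: str, device_id: str):
        """Claims 1-3: verify the first identifier (form + binding to the IMSI).
        Only on success is a second identifier determined, recorded as the new
        expected value, and returned encrypted. Returns None on failure."""
        if not luhn_ok(device_id):
            return None
        expected = self.bindings.get(imsi)
        if expected is None or not hmac.compare_digest(expected, device_id):
            return None
        second = new_imei()
        self.bindings[imsi] = second  # the first identifier is no longer accepted
        return encrypt(self.key, second.encode())


class Terminal:
    def __init__(self, imsi: str, imei: str, key: bytes):
        self.imsi, self.device_id, self.key = imsi, imei, key

    def identity_response(self):
        """Claims 4, 9, 11: user identity and first device identifier in one message."""
        return self.imsi, self.device_id

    def install_second_identifier(self, blob: bytes) -> None:
        """Claim 12: decrypt the second identifier and use it from now on."""
        self.device_id = decrypt(self.key, blob).decode()


def run_demo() -> dict:
    """One verification round followed by a replay of the stale first identifier."""
    key = secrets.token_bytes(32)
    imsi = "460001234567890"   # constructed sample IMSI
    first = "490154203237518"  # constructed sample IMEI with a valid check digit
    net = NetworkDevice({imsi: first}, key)
    term = Terminal(imsi, first, key)
    blob = net.verify_and_rotate(*term.identity_response())
    term.install_second_identifier(blob)
    replay = net.verify_and_rotate(imsi, first)                      # stale: rejected
    second_ok = net.verify_and_rotate(*term.identity_response()) is not None
    return {"first": first, "second": term.device_id,
            "first_rejected": replay is None, "second_accepted": second_ok}
```

The point a defender should take from the demo is in `verify_and_rotate`: the second identifier is only ever produced after the check passes, the network's record is updated before the reply leaves, and the reply is authenticated as well as encrypted, so a device that fails verification learns nothing and an altered reply cannot install an attacker-chosen identifier on the terminal.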
CN202111481925.9A 2021-12-06 2021-12-06 Communication method and device Pending CN116318633A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111481925.9A CN116318633A (en) 2021-12-06 2021-12-06 Communication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111481925.9A CN116318633A (en) 2021-12-06 2021-12-06 Communication method and device

Publications (1)

Publication Number Publication Date
CN116318633A true CN116318633A (en) 2023-06-23

Family

ID=86780162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111481925.9A Pending CN116318633A (en) 2021-12-06 2021-12-06 Communication method and device

Country Status (1)

Country Link
CN (1) CN116318633A (en)

Similar Documents

Publication Publication Date Title
US9473877B2 (en) Uplink/downlink transmission method for small amount of data, and corresponding terminal and mobility management unit
US11139887B2 (en) System and method for radio link sharing
CN116723507B (en) Terminal security method and device for edge network
CN117221884B (en) Base station system information management method and system
WO2021069358A1 (en) Security for groupcast message in d2d communication
CN117768965B (en) High-performance connection and transmission method of bonding silver wire equipment
CN113709736A (en) Network authentication method, device and system
CN113841366A (en) Communication method and device
US20250126470A1 (en) Communication method and apparatus
EP3622736B1 (en) Privacy key in a wireless communication system
EP4231751A1 (en) Wireless communication method, device, and system
CN114640988A (en) Information processing method and device based on implicit indication encryption
CN117478431B (en) Industrial Internet of things control method based on trusted network
WO2022095047A1 (en) Wireless communication method, terminal device, and network device
CN115499470B (en) Storage management method and device for intelligent ammeter data
US20240380730A1 (en) Enabling distributed non-access stratum terminations
CN116318633A (en) Communication method and device
EP4107916A1 (en) Privacy protection for sidelink communications
KR20230047115A (en) How to support slices for vehicle-to-X services
CN115320428B (en) Charging control method and device for electric automobile charging pile
CN118537003B (en) A method for ensuring financial transaction security and transparency based on blockchain
US12368706B2 (en) Privacy protection for sidelink communications
CN117336167B (en) A network distribution method and system for Internet of Things devices
CN118102330B (en) A control method and system for VOC waste gas pollution treatment equipment
CN119450638A (en) Communication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination