CN117616789A - Application authentication and key management AKMA application program key request method and device under User Equipment (UE) roaming condition - Google Patents
- Publication number: CN117616789A (application number CN202280002210.7A)
- Authority: CN (China)
- Prior art keywords: akma, key, application, network, network element
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
- H04: Electric communication technique
- H04W: Wireless communication networks
- H04W12/00: Security arrangements; authentication; protecting privacy or anonymity
- H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
Abstract
The present disclosure provides a method and an apparatus for requesting an Authentication and Key Management for Applications (AKMA) application key when a user equipment (UE) is roaming, in the technical field of mobile communications. The method and apparatus add a roaming-state determination to the AKMA-based management of secure communication between the UE and an application function, so that AKMA can support roaming scenarios and meet its potential use-case requirements.
Description
The present disclosure relates to the technical field of mobile communications, and in particular to a method and an apparatus for requesting an Authentication and Key Management for Applications (AKMA) application key when a user equipment (UE) is roaming.
In mobile communication systems, the AKMA feature, which is based on 3GPP (third generation partnership project) credentials, is used to secure communication between a user equipment (UE) and an application function (AF). In view of current and potential AKMA use cases, roaming scenarios also need to be supported. However, current mobile communication systems have no solution that enables AKMA to support roaming.
Disclosure of Invention
The present disclosure provides a method and an apparatus for requesting an AKMA application key when a UE is roaming, so that AKMA can support roaming scenarios.
An embodiment of a first aspect of the present disclosure provides a method for requesting an AKMA application key when a UE is roaming. The method is applied to an application function (AF) and includes:
sending an AKMA application key request either to a first network element in the home network of the UE or to a second network element in the serving network of the UE, depending on whether the network to which the AF is connected is the home network of the roaming UE.
In some embodiments of the present disclosure, the serving network is the network used by the roaming UE to establish its connection with the AF.
In some embodiments of the present disclosure, before the AF sends the AKMA application key request to the first network element in the home network of the UE or to the second network element in the serving network of the UE, the method further includes determining whether the UE is in a roaming state.
Determining whether the UE is in a roaming state includes:
receiving an application session establishment request sent by the UE, the request carrying an AKMA key identifier (A-KID);
obtaining UE information from the policy control function (PCF), the UE information including at least the identifier of the public land mobile network (PLMN) used by the UE to establish the connection with the AF, the access type used by the UE and the radio access technology type used by the UE; and
obtaining the home network identifier from the AKMA key identifier, and determining from the home network identifier and the identifier of the PLMN used by the UE to connect to the AF whether the UE is roaming.
In some embodiments of the present disclosure, determining from the home network identifier and the identifier of the PLMN used by the UE to connect to the AF whether the UE is roaming includes:
extracting a first mobile country code (MCC) and a first mobile network code (MNC) from the home network identifier;
extracting a second MCC and a second MNC from the identifier of the PLMN used by the UE to connect to the AF; and
determining that the UE is roaming if the first MCC differs from the second MCC and/or the first MNC differs from the second MNC.
In some embodiments of the present disclosure, when the UE is roaming and the AF is connected to the home network of the UE, sending the AKMA application key request to the first network element in the home network of the UE specifically includes: if the AF holds no AKMA application key associated with the AKMA key identifier, sending the first network element a first AKMA application key request carrying at least the UE information and the AKMA key identifier; and
receiving from the first network element either a first AKMA application key response or an error response indicating that the AKMA key request failed, where the first AKMA application key response includes at least a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI), the AKMA application key and the expiration time of the AKMA application key.
In some embodiments of the present disclosure, before sending the first AKMA application key request carrying at least the UE information and the AKMA key identifier to the first network element in the home network of the UE, the method further includes:
determining whether the AF is located in the 3GPP operator domain;
if it is not, sending the first AKMA application key request to the first network element in the home network of the UE includes:
sending, through a network exposure function (NEF), a first AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to the first network element in the home network of the UE.
In some embodiments of the present disclosure, when the UE is roaming and the AF is connected to the serving network of the UE, sending the AKMA application key request to the second network element in the serving network of the UE specifically includes: if the AF holds no AKMA application key associated with the AKMA key identifier, sending the second network element a second AKMA application key request carrying at least the UE information and the AKMA key identifier; and
receiving from the second network element either a second AKMA application key response or an error response indicating that the AKMA key request failed, where the second AKMA application key response includes at least the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key.
In some embodiments of the present disclosure, before sending the second AKMA application key request carrying at least the UE information and the AKMA key identifier to the second network element in the serving network of the UE, the method further includes:
determining whether the AF is located in the 3GPP operator domain;
if it is not, sending the second AKMA application key request to the second network element in the serving network of the UE includes:
sending, through a network exposure function (NEF), a second AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to the second network element in the serving network of the UE.
In some embodiments of the present disclosure, the method further includes:
sending an application session establishment response to the UE based on the first or the second AKMA application key response; or sending the UE an error response indicating that application session establishment failed, based on the error response indicating that the AKMA key request failed.
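The roaming check and request routing of the first aspect, written out as an added example; this is not code from the patent. It assumes the A-KID is in the NAI form `<username>@5g-akma.mnc<MNC>.mcc<MCC>.3gppnetwork.org` of 3GPP TS 33.535, so the home network identifier can be read from the realm, and that the PCF reports the serving PLMN as an MCC+MNC digit string. Two-digit MNCs are zero-padded to three digits before comparison because the realm always carries three MNC digits; forgetting that normalisation would flag every two-digit-MNC home subscriber as roaming. The AF-side key cache, the `ue_info` dictionary, the function names and all sample identifiers are constructed here.

```python
import re
from dataclasses import dataclass

# Realm of an A-KID in NAI form (3GPP TS 33.535); assumed format for this example.
_AKID_REALM = re.compile(
    r"^5g-akma\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)


@dataclass(frozen=True)
class Plmn:
    mcc: str
    mnc: str  # always stored as three digits so "01" and "001" compare equal


def home_plmn_from_akid(a_kid: str) -> Plmn:
    """Obtain the home network identifier (MCC/MNC) from the A-KID realm."""
    if "@" not in a_kid:
        raise ValueError("A-KID is not in username@realm form")
    realm = a_kid.rsplit("@", 1)[1].lower()
    m = _AKID_REALM.match(realm)
    if m is None:
        raise ValueError(f"A-KID realm {realm!r} carries no home PLMN")
    return Plmn(mcc=m["mcc"], mnc=m["mnc"])


def parse_plmn_id(plmn_id: str) -> Plmn:
    """Parse a PLMN id as reported by the PCF: 3-digit MCC then a 2- or 3-digit MNC."""
    if not plmn_id.isdigit() or len(plmn_id) not in (5, 6):
        raise ValueError(f"bad PLMN id {plmn_id!r}")
    return Plmn(mcc=plmn_id[:3], mnc=plmn_id[3:].zfill(3))


def is_roaming(a_kid: str, ue_info: dict) -> bool:
    """The UE is roaming if the MCC and/or the MNC of home and serving PLMN differ."""
    home = home_plmn_from_akid(a_kid)
    serving = parse_plmn_id(ue_info["plmn_id"])
    return home.mcc != serving.mcc or home.mnc != serving.mnc


def plan_key_request(a_kid: str, ue_info: dict, af_plmn_id: str,
                     af_in_operator_domain: bool, key_cache: dict) -> dict:
    """Decide what the AF does with an application session establishment request.

    Returns {'action': 'use_cached_key'} when a K_AF for this A-KID is already held.
    Otherwise 'target' is 'home-AAnF' or 'serving-AAnFproxy' and 'via_nef' says
    whether the request (with the AF_ID added) has to go through the NEF.
    """
    if a_kid in key_cache:
        return {"action": "use_cached_key"}
    af_plmn = parse_plmn_id(af_plmn_id)
    if not is_roaming(a_kid, ue_info):
        target = "home-AAnF"  # not roaming: ordinary AKMA towards the home AAnF
    elif af_plmn == home_plmn_from_akid(a_kid):
        target = "home-AAnF"
    elif af_plmn == parse_plmn_id(ue_info["plmn_id"]):
        target = "serving-AAnFproxy"
    else:
        raise ValueError("AF is connected to neither the home nor the serving network")
    return {"action": "send_request", "target": target,
            "via_nef": not af_in_operator_domain}


if __name__ == "__main__":
    # Constructed sample: home PLMN 262/01, UE attached to 310/410 (roaming).
    akid = "9f3a1c2d4e5b@5g-akma.mnc001.mcc262.3gppnetwork.org"
    ue_info = {"plmn_id": "310410", "access_type": "3GPP", "rat_type": "NR"}
    print(is_roaming(akid, ue_info))
    print(plan_key_request(akid, ue_info, "26201", True, {}))
    print(plan_key_request(akid, ue_info, "310410", False, {}))
```

The AF never learns the SUPI from the A-KID itself; it only learns which PLMN issued the anchor. That is enough to choose between the home AAnF and the serving-network proxy, which is all the routing decision needs.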
An embodiment of a second aspect of the present disclosure provides a method for requesting an AKMA application key when a UE is roaming. The method is applied to a first network element in the home network of the UE and includes:
when the UE is roaming and the AKMA application key request is initiated by an AF in the home network of the UE, sending a first AKMA application key response carrying the AKMA application key to the AF and, at the same time, sending an AKMA application key confirmation request message to a second network element in the serving network of the UE; and
when the UE is roaming and the AKMA application key request is initiated by a second network element in the serving network of the UE, sending a second AKMA application key response carrying the AKMA application key to that second network element.
In some embodiments of the present disclosure, the first network element is the AKMA anchor function (AAnF) in the home network of the UE.
In some embodiments of the present disclosure, when the UE is roaming and the AKMA application key request is initiated by an AF in the home network of the UE, sending the first AKMA application key response carrying the AKMA application key to the AF includes:
receiving a first AKMA application key request sent by the AF in the home network of the UE, the request carrying at least the UE information and the AKMA key identifier, the request being sent by the AF when it is connected to the home network of the UE and holds no AKMA application key associated with the AKMA key identifier;
determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request;
if so, deriving the AKMA application key from the AKMA anchor key and, since the AF is connected to the home network of the UE, sending the AF a first AKMA application key response that includes at least a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI), the AKMA application key and the expiration time of the AKMA application key;
if not, sending the AF an error response indicating that the AKMA key request failed.
In some embodiments of the present disclosure, before determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request, the method further includes:
receiving an AKMA application identifier sent by the AF, which the AF sends when it determines that it is not located in the 3GPP operator domain;
determining, from a first preset configuration policy and the AKMA application identifier, whether the first network element may serve the AF;
if so, determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request;
if not, rejecting the first AKMA application key request.
In some embodiments of the present disclosure, when the UE is roaming and the AKMA application key request is initiated by an AF in the home network of the UE, sending the AKMA application key confirmation request message to the second network element in the serving network of the UE includes:
sending the second network element an AKMA application key confirmation request message that includes at least the AKMA application identifier, the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key; and
receiving an AKMA application key confirmation response sent by the second network element in the serving network of the UE.
In some embodiments of the present disclosure, when the UE is roaming and the AKMA application key request is initiated by a second network element in the serving network of the UE, sending the second AKMA application key response carrying the AKMA application key to that second network element includes:
receiving a second AKMA application key request relayed by the second network element in the serving network of the UE, the request carrying at least the UE information and the AKMA key identifier, the request being sent by the AF when it is connected to the serving network of the UE and holds no AKMA application key associated with the AKMA key identifier;
determining whether an AKMA anchor key exists for the AKMA key identifier carried in the second AKMA application key request;
if so, deriving the AKMA application key from the AKMA anchor key and sending it to the second network element in the serving network of the UE, so that the second network element sends the AF, which is connected to the serving network, a second AKMA application key response that includes at least the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key;
if not, sending the second network element in the serving network of the UE an error response indicating that the AKMA key request failed.
In some embodiments of the present disclosure, the method further includes:
determining, from the first preset configuration policy, whether the first network element is permitted to serve the second network element.
In some embodiments of the present disclosure, the method further includes:
obtaining the home network identifier of the UE from the AKMA key identifier, obtaining the identifier of the PLMN used by the UE to connect to the AF from the UE information, and determining from these two identifiers whether the UE is roaming.
An embodiment of a third aspect of the present disclosure provides a method for requesting an AKMA application key when a UE is roaming. The method is applied to a second network element in the visited (serving) network of the UE and includes:
receiving a second AKMA application key request sent by an AF, the request carrying at least the UE information and the AKMA key identifier, the request being sent when the UE is roaming and the AF is connected to the serving network of the UE and holds no AKMA application key associated with the AKMA key identifier;
relaying the second AKMA application key request to a first network element in the home network of the UE;
receiving from the first network element in the home network of the UE either a second AKMA application key response, which includes at least a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI), the AKMA application key and the expiration time of the AKMA application key, or an error response indicating that the AKMA key request failed; and
relaying the second AKMA application key response or the error response to the AF, which is connected to the serving network of the UE.
In some embodiments of the present disclosure, the second network element is an AKMA anchor function proxy (AAnFproxy) in the serving network of the UE.
In some embodiments of the present disclosure, before relaying the second AKMA application key request to the first network element in the home network of the UE, the method further includes:
receiving an AKMA application identifier sent by the AF, which the AF sends when it determines that it is not located in the 3GPP operator domain;
determining, from a second preset local configuration policy and the AKMA application identifier, whether the first network element in the home network of the UE may serve the AF;
if so, relaying the second AKMA application key request to the first network element in the home network of the UE;
if not, rejecting the second AKMA application key request.
In some embodiments of the present disclosure, the method further includes:
receiving an AKMA application key confirmation request message sent by the first network element in the home network of the UE, the message including at least the AKMA application identifier, the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key, the message being sent when the first network element confirms from the UE information that the UE is in the serving network and has established a connection with an AF connected to the home network of the UE; and
storing the AKMA application key confirmation request message and sending an AKMA application key confirmation response to the first network element in the home network of the UE.
In some embodiments of the present disclosure, the method further includes:
determining, from the second preset configuration policy, whether the second network element may serve the AF.
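The home-network AAnF and serving-network AAnF proxy behaviour of the second and third aspects above (anchor key lookup, application key derivation, the confirmation message sent to the serving network when the AF sits in the home network, request relay from the serving network, and the two configuration-policy checks), as one added example that is not the patent's code. It assumes that the AKMA application key is derived from the anchor key with an HMAC-SHA-256 KDF in the style of 3GPP TS 33.220 Annex B using the FC value 0x82 from TS 33.535 (treat that derivation as illustrative), that messages are plain dictionaries, that the AAnF decides the UE is roaming by comparing the serving PLMN in the UE information with its own PLMN rather than re-parsing the A-KID, and that the allow-lists stand in for the "preset configuration policies". The class and function names, identifiers, keys and PLMN ids are all constructed here.

```python
import hashlib
import hmac

FC_KAF = b"\x82"  # FC for K_AF derivation; assumed, taken from 3GPP TS 33.535 Annex A.4


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """K_AF = HMAC-SHA-256(K_AKMA, FC || AF_ID || L0), TS 33.220 Annex B style (assumed)."""
    p0 = af_id.encode()
    return hmac.new(k_akma, FC_KAF + p0 + len(p0).to_bytes(2, "big"), hashlib.sha256).digest()


def key_request_failed(reason: str) -> dict:
    """Error response of AKMA key request failure."""
    return {"type": "AKMA_KEY_REQUEST_FAILED", "reason": reason}


class ServingAAnFProxy:
    """Second network element (AAnF proxy) in the serving network."""

    def __init__(self, plmn_id: str, served_af_ids: set):
        self.plmn_id = plmn_id
        self.served_af_ids = served_af_ids   # second preset configuration policy
        self.confirmations = {}             # (SUPI, AF_ID) -> stored confirmation

    def handle_af_request(self, req: dict, home: "HomeAAnF") -> dict:
        """Reject locally or relay to the home AAnF; the answer is relayed back unchanged."""
        if req["af_id"] not in self.served_af_ids:
            return key_request_failed("AF not served by the serving network")
        return home.handle_request(req, via_proxy=self)

    def handle_confirmation(self, conf: dict) -> dict:
        """Store the AKMA application key confirmation request and acknowledge it."""
        self.confirmations[(conf["supi"], conf["af_id"])] = conf
        return {"type": "AKMA_KEY_CONFIRMATION_RESPONSE", "supi": conf["supi"]}


class HomeAAnF:
    """First network element (AAnF) in the home network of the UE."""

    def __init__(self, plmn_id: str, anchors: dict, served_af_ids: set,
                 served_proxy_plmns: set, lifetime_s: int = 3600):
        self.plmn_id = plmn_id
        self.anchors = anchors                        # A-KID -> {"supi", "gpsi", "k_akma"}
        self.served_af_ids = served_af_ids            # first preset configuration policy: AFs
        self.served_proxy_plmns = served_proxy_plmns  # ... and serving networks it serves
        self.proxies = {}                             # serving PLMN id -> ServingAAnFProxy
        self.lifetime_s = lifetime_s

    def handle_request(self, req: dict, via_proxy=None, now: int = 0) -> dict:
        if via_proxy is not None and via_proxy.plmn_id not in self.served_proxy_plmns:
            return key_request_failed("serving network not served by home AAnF")
        if req["af_id"] not in self.served_af_ids:
            return key_request_failed("AF not served by home AAnF")
        anchor = self.anchors.get(req["a_kid"])
        if anchor is None:
            return key_request_failed("no AKMA anchor key for this A-KID")
        payload = {"supi": anchor["supi"], "gpsi": anchor["gpsi"],
                   "k_af": derive_k_af(anchor["k_akma"], req["af_id"]),
                   "expiry": now + self.lifetime_s}
        serving_plmn = req["ue_info"]["plmn_id"]
        if via_proxy is None and serving_plmn != self.plmn_id:
            # Roaming UE using an AF in the home network: the serving network's proxy
            # must also learn about the key (AKMA application key confirmation request).
            proxy = self.proxies.get(serving_plmn)
            if proxy is None:
                return key_request_failed("no AAnF proxy known for the serving network")
            ack = proxy.handle_confirmation(
                {"type": "AKMA_KEY_CONFIRMATION_REQUEST", "af_id": req["af_id"], **payload})
            assert ack["type"] == "AKMA_KEY_CONFIRMATION_RESPONSE"
        return {"type": "AKMA_KEY_RESPONSE", **payload}


def run_scenario() -> dict:
    """Constructed roaming scenario: home PLMN 26201, UE served by PLMN 310410."""
    af_id = "app.example.com:ua"  # constructed AF_ID (FQDN plus Ua* protocol id)
    a_kid = "9f3a1c2d4e5b@5g-akma.mnc001.mcc262.3gppnetwork.org"
    home = HomeAAnF("26201",
                    anchors={a_kid: {"supi": "imsi-262011234567890",
                                     "gpsi": "msisdn-491701234567",
                                     "k_akma": bytes(range(32))}},
                    served_af_ids={af_id}, served_proxy_plmns={"310410"})
    proxy = ServingAAnFProxy("310410", served_af_ids={af_id})
    home.proxies[proxy.plmn_id] = proxy
    req = {"a_kid": a_kid, "af_id": af_id, "ue_info": {"plmn_id": "310410"}}
    direct = home.handle_request(req)             # AF connected to the home network
    relayed = proxy.handle_af_request(req, home)  # AF connected to the serving network
    unknown = proxy.handle_af_request(
        {**req, "a_kid": "0000@5g-akma.mnc001.mcc262.3gppnetwork.org"}, home)
    return {"direct": direct, "relayed": relayed, "unknown": unknown, "proxy": proxy}


if __name__ == "__main__":
    out = run_scenario()
    print(out["direct"]["type"], out["direct"]["k_af"].hex())
    print(out["relayed"]["type"], out["unknown"])
```

Both paths produce the same K_AF for the same AF_ID, which is what lets the serving-network proxy hold a usable copy after the confirmation exchange; the proxy itself never sees the anchor key, only the derived application key and its expiry.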
An embodiment of a fourth aspect of the present disclosure provides a method for requesting an AKMA application key when a UE is roaming. The method is applied to a network exposure function (NEF) and includes:
when the AF is not located in the 3GPP operator domain, sending a first AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to a first network element in the home network of the UE; or
when the AF is not located in the 3GPP operator domain, sending a second AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to a second network element in the serving network of the UE.
An embodiment of a fifth aspect of the present disclosure provides an apparatus for requesting an AKMA application key when a UE is roaming. The apparatus is applied to an AF and includes:
a sending module configured to send an AKMA application key request either to a first network element in the home network of the UE or to a second network element in the serving network of the UE, depending on whether the network to which the AF is connected is the home network of the roaming UE.
An embodiment of a sixth aspect of the present disclosure provides an apparatus for requesting an AKMA application key when a UE is roaming. The apparatus is applied to a first network element in the home network of the UE and includes:
a sending module configured to, when the UE is roaming and the AKMA application key request is initiated by an AF in the home network of the UE, send a first AKMA application key response carrying the AKMA application key to the AF and send an AKMA application key confirmation request message to a second network element in the serving network of the UE;
the sending module being further configured to, when the UE is roaming and the AKMA application key request is initiated by a second network element in the serving network of the UE, send a second AKMA application key response carrying the AKMA application key to that second network element.
An embodiment of a seventh aspect of the present disclosure provides an apparatus for requesting an AKMA application key when a UE is roaming. The apparatus is applied to a second network element in the visited (serving) network of the UE and includes:
a receiving module configured to receive a second AKMA application key request sent by an AF, the request carrying at least the UE information and the AKMA key identifier, the request being sent when the UE is roaming and the AF is connected to the serving network of the UE and holds no AKMA application key associated with the AKMA key identifier;
a relay module configured to relay the second AKMA application key request to a first network element in the home network of the UE;
the receiving module being further configured to receive from the first network element in the home network of the UE either a second AKMA application key response, which includes at least a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI), the AKMA application key and the expiration time of the AKMA application key, or an error response indicating that the AKMA key request failed;
the relay module being further configured to relay the second AKMA application key response or the error response to the AF, which is connected to the serving network of the UE.
An embodiment of an eighth aspect of the present disclosure provides an apparatus for requesting an AKMA application key when a UE is roaming. The apparatus is applied to a network exposure function (NEF) and includes:
a sending module configured to, when the AF is not located in the 3GPP operator domain, send a first AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to a first network element in the home network of the UE; or
a sending module configured to, when the AF is not located in the 3GPP operator domain, send a second AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier to a second network element in the serving network of the UE.
An embodiment of a ninth aspect of the present disclosure provides a communication device including a transceiver, a memory, and a processor connected to the transceiver and the memory, the processor being configured to control wireless signal transmission and reception by the transceiver by executing computer-executable instructions stored in the memory, and being capable of implementing the method of any embodiment of the first, second, third or fourth aspect of the present disclosure.
An embodiment of a tenth aspect of the present disclosure provides a computer storage medium storing computer-executable instructions which, when executed by a processor, implement the method of any embodiment of the first, second, third or fourth aspect of the present disclosure.
Embodiments of the present disclosure provide a method and an apparatus for requesting an AKMA application key when a UE is roaming, in which an AF sends the AKMA application key request either to a first network element in the home network of the UE or to a second network element in the serving network of the UE, depending on whether the network to which the AF is connected is the home network of the roaming UE. Because the roaming-state determination is integrated into the AKMA-based management of secure communication between the UE and the AF, AKMA can support roaming scenarios and meet its potential use-case requirements.
Additional aspects and advantages of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
The foregoing and/or additional aspects and advantages of the present disclosure will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 4 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 5 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 6 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 7 is a flowchart of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 8 is a timing diagram of a method for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 9 is a block diagram of an apparatus for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 10 is a block diagram of an apparatus for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 11 is a block diagram of an apparatus for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 12 is a block diagram of an apparatus for requesting an AKMA application key when a UE is roaming according to an embodiment of the present disclosure;
Fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present disclosure;
Fig. 14 is a schematic structural diagram of a chip according to an embodiment of the present disclosure.
Embodiments of the present disclosure are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present disclosure and are not to be construed as limiting the present disclosure.
The 3rd Generation Partnership Project (3GPP) security working group SA3 (Service and System Aspects working group 3) specifies Authentication and Key Management for Applications based on 3GPP credentials (AKMA) in 3GPP TS 33.535. The AKMA feature has been adopted as the solution for secure communication between User Equipment (UE) and an Application Function (AF) in scenarios such as ProSe and MSGin5G. Considering the current and potential AKMA use cases, roaming must be taken into account, and roaming is not yet addressed in Rel-17.
Therefore, the present disclosure provides a method and apparatus for application Authentication and Key Management (AKMA) application key request under roaming condition of User Equipment (UE), so that AKMA can support roaming scenario.
The method and device provided by the present disclosure are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an application authentication and key management AKMA application key request method under roaming conditions of a user equipment UE according to an embodiment of the present disclosure. As shown in fig. 1, the method is applied to the application function AF, and may include the following steps.
Step 101, according to whether the network connected by the AF is the home network of the UE in the roaming state, sending an AKMA application key request to a first network element in the home network corresponding to the UE or a second network element in the service network corresponding to the UE.
In an embodiment of the present disclosure, the first network element may be the AKMA Anchor Function (AAnF) in the home network corresponding to the UE, and the second network element may be an AKMA Anchor Function proxy (AAnFProxy) in the serving network corresponding to the UE. The serving network is the network that the roaming UE uses to establish a connection with the AF.
In response to the UE being in the roaming state, it may further be determined whether the network connected by the AF is the home network of the UE in the roaming state, and according to that determination the AKMA application key request is sent to the first network element in the home network corresponding to the UE or to the second network element in the serving network corresponding to the UE. In one alternative embodiment, if the network connected by the AF is determined to be the home network of the UE in the roaming state, the AKMA application key request is sent to the first network element in the home network corresponding to the UE; in another alternative embodiment, if the network connected by the AF is determined not to be the home network of the UE in the roaming state, the AKMA application key request is sent to the second network element in the serving network corresponding to the UE. The AAnFProxy function may be implemented as a separate network function in the serving network, or as part of any NF in the serving network. For example, the AAnFProxy may be the AAnF of the visited network, or an AF deployed by the operator in the visited network.
In summary, according to the method for requesting an application authentication and key management AKMA application key under a roaming condition of a UE according to the embodiments of the present disclosure, an AKMA application key request is sent to a first network element in the home network corresponding to the UE or to a second network element in the serving network corresponding to the UE, according to whether the network connected by the AF is the home network of the UE in the roaming state. The method integrates the roaming-state determination into the AKMA-based secure communication management between the user equipment and the application function, so that AKMA can support the roaming scenario and meet the potential use case requirements of AKMA.
Fig. 2 is a flowchart illustrating an application authentication and key management AKMA application key request method under roaming conditions of a user equipment UE according to an embodiment of the present disclosure. The method is applied to the application function AF, as shown in fig. 2, based on the embodiment shown in fig. 1, and may include the following steps.
Step 201, determining whether the UE is in a roaming state.
In the embodiment of the disclosure, an application session establishment request sent by the user equipment UE may be received, where the application session establishment request includes an AKMA Key Identifier (A-KID). UE information of the UE may also be obtained from the Policy Control Function (PCF), where the UE information includes at least the identifier of the Public Land Mobile Network (PLMN) used by the UE to establish the connection with the AF, the access type used by the UE, and the Radio Access Technology (RAT) type used by the UE. The home network identifier is then obtained from the AKMA key identifier, and whether the UE is in a roaming state is determined from the home network identifier and the identifier of the PLMN used by the UE to establish the connection with the AF. It should be noted that the access types used by the UE include, but are not limited to, 3GPP access and non-3GPP access.
In an alternative embodiment, when determining whether the UE is in a roaming state from the home network identifier and the identifier of the PLMN used by the UE to establish the connection with the AF, a first Mobile Country Code (MCC) and a first Mobile Network Code (MNC) are extracted from the home network identifier, and a second MCC and a second MNC are extracted from the identifier of the PLMN used by the UE to establish the connection with the AF; if the first MCC differs from the second MCC and/or the first MNC differs from the second MNC, the UE is determined to be in a roaming state. In such implementations, the determination that the UE is in a roaming state covers three cases: (1) the first MCC differs from the second MCC and the first MNC equals the second MNC; (2) the first MCC equals the second MCC and the first MNC differs from the second MNC; (3) the first MCC differs from the second MCC and the first MNC differs from the second MNC.
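The roaming determination of step 201 together with the routing decision of step 101 (AAnF in the home network when the AF sits there, AAnFProxy in the serving network otherwise), as an added worked example that is not part of the patent. It assumes the A-KID is an NAI whose realm carries the home network identifier as `5G.akma.mnc<MNC>.mcc<MCC>.3gppnetwork.org`, that the PLMN identifier from the PCF is a 5- or 6-digit MCC+MNC string, and that the AF knows from its own configuration which PLMN it is attached to; all three are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Assumed realm layout of the A-KID (NAI "<RID||A-TID>@<realm>"); the realm carries the
# home network identifier. Two-digit MNCs appear zero-padded (mnc0xx), as in other
# 3gppnetwork.org domain names.
_AKID_REALM = re.compile(
    r"^5G\.akma\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$", re.IGNORECASE
)


@dataclass(frozen=True)
class Plmn:
    mcc: str  # 3 digits
    mnc: str  # normalised to 3 digits


def plmn_from_akid(a_kid: str) -> Plmn:
    """Home network identifier of the UE, taken from the realm part of the A-KID."""
    if "@" not in a_kid:
        raise ValueError("A-KID is not in NAI form")
    realm = a_kid.rsplit("@", 1)[1]
    match = _AKID_REALM.match(realm)
    if match is None:
        raise ValueError("A-KID realm does not carry a home network identifier")
    return Plmn(match["mcc"], match["mnc"])


def plmn_from_id(plmn_id: str) -> Plmn:
    """PLMN ID as reported by the PCF: 3-digit MCC followed by a 2- or 3-digit MNC."""
    if not plmn_id.isdigit() or len(plmn_id) not in (5, 6):
        raise ValueError("PLMN ID must be 5 or 6 digits")
    return Plmn(plmn_id[:3], plmn_id[3:].zfill(3))


def is_roaming(home: Plmn, serving: Plmn) -> bool:
    """Roaming if the MCC differs and/or the MNC differs: the three cases in the text."""
    return home.mcc != serving.mcc or home.mnc != serving.mnc


def select_key_request_target(a_kid: str, ue_serving_plmn_id: str, af_plmn_id: str):
    """Decide where the AF sends the AKMA application key request.

    Returns ("AAnF", home PLMN) when the UE is not roaming or the AF sits in the UE's
    home network (step 202), and ("AAnFProxy", serving PLMN) when the AF sits in the
    roaming UE's serving network (step 302). af_plmn_id is the PLMN the AF is attached
    to, assumed to be known from the AF's own configuration.
    """
    home = plmn_from_akid(a_kid)
    serving = plmn_from_id(ue_serving_plmn_id)
    af_network = plmn_from_id(af_plmn_id)
    if not is_roaming(home, serving):
        return ("AAnF", home)
    if af_network == home:
        return ("AAnF", home)
    if af_network == serving:
        return ("AAnFProxy", serving)
    # Added check: the text only distinguishes "home" from "not home"; refusing an AF
    # attached to a third PLMN avoids sending the request to a proxy that cannot relay it.
    raise ValueError("AF is attached to neither the UE's home nor its serving PLMN")


if __name__ == "__main__":
    # Constructed sample: home PLMN 262/01, UE served by 208/10.
    akid = "0123abcd@5G.akma.mnc001.mcc262.3gppnetwork.org"
    print(select_key_request_target(akid, "20810", "26201"))  # AF in home network
    print(select_key_request_target(akid, "20810", "20810"))  # AF in serving network
```

The MNC normalisation matters: a home realm `mnc001` and a PCF-reported PLMN ID `26201` describe the same network, and comparing the raw strings would wrongly flag roaming.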
Step 202, in response to the UE being in a roaming state and the AF being connected to the home network corresponding to the UE, sending an AKMA application key request to a first network element in the home network corresponding to the UE.
In an embodiment of the present disclosure, in response to the UE being in a roaming state and the current AF being determined to be connected to the home network corresponding to the UE (that is, the network to which the AF is connected is not the serving network of the UE in the roaming state), as a first optional embodiment, in response to the current AF not having an AKMA application key associated with the AKMA key identifier, a first AKMA application key request carrying at least the UE information and the AKMA key identifier may be sent to the first network element in the home network corresponding to the UE. After sending the first AKMA application key request, the AF receives from the first network element either a first AKMA application key response or an error response indicating AKMA key request failure. The first AKMA application key response includes at least a Subscription Permanent Identifier (SUPI), a Generic Public Subscription Identifier (GPSI), the AKMA application key, and the expiration time of the AKMA application key.
It should be noted that, in the embodiment of the present disclosure, before sending the first AKMA application key request carrying at least the UE information and the AKMA key identifier to the first network element in the home network corresponding to the UE, it is further necessary to determine in advance whether the current AF is located in the 3GPP operator domain; if the current AF is determined to be located in the 3GPP operator domain, the first AKMA application key request carrying at least the UE information and the AKMA key identifier may be sent to the first network element in the home network corresponding to the UE, and the above optional embodiment may be executed.
As a second alternative embodiment, if the current AF is determined not to be located in the 3GPP operator domain, a first AKMA application key request carrying at least the UE information, the AKMA key identifier and an AKMA application identifier (Application Function identifier, AF_ID) may be sent to the first network element in the home network corresponding to the UE through the Network Exposure Function (NEF). The AKMA application identifier may consist of the Fully Qualified Domain Name (FQDN) of the AF and a Ua* (UA) identifier that identifies the security protocol the AF will use with the UE.
In the second optional embodiment of the present disclosure, after receiving the first AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier, the first network element in the home network corresponding to the UE determines, according to a first preset configuration policy and the AKMA application identifier, whether the current first network element may provide service to the AF; if so, the AF receives a first AKMA application key response sent by the first network element, and if not, the AF receives an error response indicating AKMA key request failure sent by the first network element. The first preset configuration policy is the service authority of the first network element configured by the operator and may be stored in the local storage space of the first network element. In some possible embodiments, each first network element may be configured with a list of AFs it can serve, where the list contains the AKMA application identifiers of the AFs that can be served.
For the embodiment of the present disclosure, the first network element determines whether the AKMA application identifier in the first AKMA application key request is in the AF list of the current first network element. If it is, the current first network element can provide service to the AF corresponding to the AKMA application identifier and sends a first AKMA application key response to the AF; if it is not, the current first network element cannot provide service to the AF corresponding to the AKMA application identifier and sends an error response indicating AKMA key request failure to the AF.
Step 203, an application session establishment response is sent to the UE according to the first AKMA application key response, or an error response of an application session establishment failure is sent to the UE according to the error response of the AKMA key request failure.
In an embodiment of the present disclosure, if a first AKMA application key response sent by the first network element is received in embodiment step 202, an application session establishment response may be sent to the UE according to at least the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key included in the first AKMA application key response, that is, an application session is successfully established with the UE. If an error response indicating AKMA key request failure sent by the first network element is received in embodiment step 202, an error response indicating application session establishment failure may be sent to the UE, thereby rejecting the application session establishment. The UE may then trigger a new application session establishment request towards the AF with the latest AKMA key identifier. It can be understood that the error response indicating application session establishment failure may further include a failure reason (such as AKMA key request failure) and corresponding prompt information (such as text, audio, video or vibration prompt information), which is not specifically limited.
In summary, according to the method for requesting an application authentication and key management AKMA application key under a roaming condition of a UE according to the embodiments of the present disclosure, whether the UE is in a roaming state is first determined, and if the UE is determined to be in the roaming state and the current AF is determined to be connected to the home network corresponding to the UE, an AKMA application key request is sent to the first network element in the home network corresponding to the UE. The roaming-state determination is thereby incorporated into the AKMA-based secure communication management between the user equipment and the application function. Further, when the UE is in a roaming state and the current AF is connected to the home network corresponding to the UE, AKMA is enabled to support application session establishment in the roaming scenario, meeting the potential use case requirements of AKMA.
Fig. 3 is a flowchart illustrating an application authentication and key management AKMA application key request method under roaming conditions of a user equipment UE according to an embodiment of the present disclosure. The method is applied to the application function AF, based on the embodiment shown in fig. 1, as shown in fig. 3, and may include the following steps.
Step 301, judging whether the UE is in a roaming state.
In the embodiment of the present disclosure, the implementation process is the same as that of embodiment step 201, and will not be described herein.
Step 302, in response to the UE being in a roaming state and the AF being connected to the service network corresponding to the UE, sending an AKMA application key request to a second network element in the service network corresponding to the UE.
In an embodiment of the present disclosure, if the UE is determined to be in a roaming state and the current AF is determined to be connected to the serving network corresponding to the UE (that is, the network to which the AF is connected is the serving network of the UE in the roaming state), as a first optional embodiment, in response to the current AF not having an AKMA application key associated with the AKMA key identifier, a second AKMA application key request carrying at least the UE information and the AKMA key identifier may be sent to the second network element in the serving network corresponding to the UE. After sending the second AKMA application key request, the AF receives from the second network element either a second AKMA application key response or an error response indicating AKMA key request failure. The second AKMA application key response includes at least a SUPI, a GPSI, the AKMA application key, and the expiration time of the AKMA application key.
It should be noted that, in the embodiment of the present disclosure, before sending the second AKMA application key request carrying at least the UE information and the AKMA key identifier to the second network element in the serving network corresponding to the UE, it is further necessary to determine in advance whether the current AF is located in the 3GPP operator domain; if the current AF is determined to be located in the 3GPP operator domain, the second AKMA application key request carrying at least the UE information and the AKMA key identifier may be sent to the second network element in the serving network corresponding to the UE, and the above optional embodiment may be executed.
As a second alternative embodiment, if the current AF is determined not to be located in the 3GPP operator domain, a second AKMA application key request carrying at least the UE information, the AKMA key identifier and an AKMA application identifier may be sent to the second network element in the serving network corresponding to the UE through the Network Exposure Function (NEF). The AKMA application identifier may consist of the Fully Qualified Domain Name (FQDN) of the AF and a Ua* (UA) identifier that identifies the security protocol the AF will use with the UE.
In the second optional embodiment of the present disclosure, after receiving the second AKMA application key request carrying at least the UE information, the AKMA key identifier and the AKMA application identifier, the second network element in the serving network corresponding to the UE determines, according to a second preset configuration policy and the AKMA application identifier, whether the first network element relayed by the current second network element may provide service to the AF; if so, the AF receives a second AKMA application key response sent by the second network element, and if not, the AF receives an error response indicating AKMA key request failure sent by the second network element. The second preset configuration policy is the service authority of the first network element configured by the operator and may be stored in the local storage space of the second network element. In some possible embodiments, each first network element may be configured with a list of AFs it can serve, where the list contains the AKMA application identifiers of the AFs that can be served.
For the embodiment of the present disclosure, the second network element determines whether the AKMA application identifier in the second AKMA application key request is in the AF list of the relayed first network element. If it is, the relayed first network element can provide service to the AF corresponding to the AKMA application identifier and a second AKMA application key response is sent to the AF; if it is not, the relayed first network element cannot provide service to the AF corresponding to the AKMA application identifier and an error response indicating AKMA key request failure is sent to the AF.
Step 303, an application session establishment response is sent to the UE according to the second AKMA application key response, or an error response of an application session establishment failure is sent to the UE according to an error response of the AKMA key request failure.
In an embodiment of the present disclosure, if a second AKMA application key response sent by the second network element is received in embodiment step 302, an application session establishment response may be sent to the UE according to at least the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key included in the second AKMA application key response, that is, an application session is successfully established with the UE. If an error response indicating AKMA key request failure sent by the second network element is received in embodiment step 302, an error response indicating application session establishment failure may be sent to the UE, thereby rejecting the application session establishment. The UE may then trigger a new application session establishment request towards the AF with the latest AKMA key identifier. It can be understood that the error response indicating application session establishment failure may further include a failure reason (such as AKMA key request failure) and corresponding prompt information (such as text, audio, video or vibration prompt information), which is not specifically limited.
In summary, according to the method for requesting an application authentication and key management AKMA application key under a roaming condition of a UE according to the embodiments of the present disclosure, whether the UE is in a roaming state is first determined, and if the UE is determined to be in a roaming state and the current AF is determined to be connected to the serving network corresponding to the UE, an AKMA application key request is sent to the second network element in the serving network corresponding to the UE. The roaming-state determination is thereby incorporated into the AKMA-based secure communication management between the user equipment and the application function. Further, when the UE is in a roaming state and the current AF is connected to the serving network corresponding to the UE, AKMA is enabled to support application session establishment in the roaming scenario, meeting the potential use case requirements of AKMA.
Fig. 4 is a flowchart of an application authentication and key management AKMA application key request method under roaming condition of a user equipment UE according to an embodiment of the present disclosure. The method is applied to a first network element in a corresponding home network of the UE, and may comprise the following steps.
Step 401, acquiring a home network identifier of the UE according to the AKMA key identifier, acquiring an identifier of a public land mobile network used by the UE to establish connection with the AF according to the UE information, and judging whether the UE is in a roaming state according to the home network identifier and the identifier of the public land mobile network used by the UE to establish connection with the AF.
In the embodiment of the disclosure, after receiving a first AKMA application key request sent by the AF, the first network element in the home network corresponding to the UE may extract the home network identifier of the UE from the AKMA key identifier carried in the first AKMA application key request, obtain the identifier of the PLMN used by the UE to establish the connection with the AF from the UE information carried in the first AKMA application key request, and determine whether the UE is in a roaming state from the home network identifier and the identifier of the PLMN used by the UE to establish the connection with the AF.
In some optional embodiments of the disclosure, when determining whether the UE is in a roaming state from the home network identifier and the identifier of the PLMN used by the UE to establish the connection with the AF, a first Mobile Country Code (MCC) and a first Mobile Network Code (MNC) are extracted from the home network identifier, and a second MCC and a second MNC are extracted from the identifier of the PLMN used by the UE to establish the connection with the AF; if the first MCC differs from the second MCC and/or the first MNC differs from the second MNC, the UE is determined to be in a roaming state. In such implementations, the determination that the UE is in a roaming state covers three cases: (1) the first MCC differs from the second MCC and the first MNC equals the second MNC; (2) the first MCC equals the second MCC and the first MNC differs from the second MNC; (3) the first MCC differs from the second MCC and the first MNC differs from the second MNC.
In some optional embodiments of the present disclosure, the determination result of whether the UE is in the roaming state may also be received directly from the AF; the specific determination process is described in embodiment step 201 and is not repeated here. In this case, embodiment step 401 may be skipped and embodiment step 402 performed directly.
Step 402, in response to the UE being in a roaming state, and the AKMA application key request is initiated by an application function AF of the UE corresponding to the home network, sending a first AKMA application key response related to the AKMA application key to the AF, and simultaneously sending an AKMA application key confirmation request message to a second network element in the UE corresponding to the serving network.
In the embodiment of the disclosure, if the UE is in the roaming state and the AKMA application key request is initiated by the AF of the home network corresponding to the UE, that is, the UE is in the roaming state and the AF is connected to the home network corresponding to the UE, the first AKMA application key request sent by that AF is received. The first AKMA application key request carries at least the UE information of the UE and the AKMA key identifier, and is sent by the AF when the AF is connected to the home network corresponding to the UE and has no AKMA application key associated with the AKMA key identifier. Further, it may be determined whether an AKMA anchor key (K_AKMA) exists for the AKMA key identifier carried in the first AKMA application key request. If an AKMA anchor key exists for that AKMA key identifier, the AKMA application key is derived from the AKMA anchor key and, the AF being connected to the home network corresponding to the UE, a first AKMA application key response related to the AKMA application key is sent to the AF; the first AKMA application key response includes at least the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key. If no AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request, an error response indicating AKMA key request failure is sent to the AF.
It should be noted that, in an embodiment of the present disclosure, the received first AKMA application key request may further carry an AKMA application identifier sent by the AF, where the AKMA application identifier is sent by the AF when it determines that the current AF is not located in the 3GPP operator domain, and the AKMA application identifier may consist of the Fully Qualified Domain Name (FQDN) of the AF and a Ua* (UA) identifier that identifies the security protocol the AF will use with the UE. When the received first AKMA application key request also carries an AKMA application identifier, before determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request, it is determined according to the first preset configuration policy and the AKMA application identifier whether the current first network element can provide service to the AF; if so, whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request is determined, and if not, the first AKMA application key request is rejected. The first preset configuration policy is the service authority of the first network element configured by the operator and may be stored in the local storage space of the first network element. In some possible embodiments, each first network element may be configured with a list of AFs it can serve, where the list contains the AKMA application identifiers of the AFs that can be served.
For the embodiment of the present disclosure, the first network element determines whether the AKMA application identifier in the first AKMA application key request is in the AF list of the current first network element. If it is, the current first network element can provide service to the AF corresponding to the AKMA application identifier, and the above determination of whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request is then performed; if it is not, the current first network element cannot provide service to the AF corresponding to the AKMA application identifier, and the first AKMA application key request sent by the AF is rejected.
In the embodiment of the disclosure, if the UE is determined to be in a roaming state and the AKMA application key request is initiated by the AF of the home network corresponding to the UE, that is, the UE is in the roaming state and the AF is connected to the home network corresponding to the UE, an AKMA application key confirmation request message may at the same time be sent to the second network element in the serving network corresponding to the UE, where the AKMA application key confirmation request message includes at least the AKMA application identifier, the SUPI, the GPSI, the AKMA application key and the expiration time of the AKMA application key; an AKMA application key confirmation response sent by the second network element in the serving network corresponding to the UE is then received.
It should be noted that, in the embodiment of the present disclosure, before sending the AKMA application key confirmation request message to the second network element in the service network corresponding to the UE, it is further required to determine whether the current first network element can provide the service to the second network element according to the first preset configuration policy. In some possible embodiments, it may be determined whether the second network element is located in the service network of the UE, and if it is determined that the second network element is located in the service network of the UE, the first network element in the home network of the UE may provide services for the second network element, then the above operation of sending the AKMA application key confirmation request message to the second network element in the service network corresponding to the UE may be further performed; if the second network element is not located in the service network of the UE, it is indicated that the current first network element cannot provide service for the second network element, so that the above operation of sending the AKMA application key confirmation request message to the second network element in the service network corresponding to the UE may not be performed.
Step 403, in response to the UE being in the roaming state, and the AKMA application key request being initiated by a second network element of the UE corresponding service network, sending a second AKMA application key response regarding the AKMA application key to the second network element in the UE corresponding service network.
In the embodiment of the present disclosure, if it is determined that the UE is in a roaming state and the AKMA application key request is initiated by a second network element of the service network corresponding to the UE, that is, the UE is in the roaming state and the AF is connected to the service network corresponding to the UE, the second AKMA application key request relayed by the second network element in the service network corresponding to the UE may be received, where the second AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and the second AKMA application key request is sent by the AF when the AF is connected to the service network corresponding to the UE and there is no AKMA application key associated with the AKMA key identifier; further, whether an AKMA anchor key exists in an AKMA key identifier carried in the second AKMA application program key request can be judged; if the AKMA key identification carried in the second AKMA application key request is judged to have the AKMA anchor key, the AKMA application key is derived from the AKMA anchor key and is sent to a second network element in the service network corresponding to the UE, so that the second network element in the service network corresponding to the UE sends a second AKMA application key response related to the AKMA application key to the AF when the AF is connected to the service network corresponding to the UE, and the second AKMA application key response at least comprises a subscription permanent identifier, a general public user identifier, the AKMA application key and the expiration time of the AKMA application key; if the AKMA key identification carried in the second AKMA application program key request is judged to not have the AKMA anchor key, an error response of failure of the AKMA key request is sent to a second network element in the corresponding service network of the UE.
It should be noted that, in the embodiment of the present disclosure, before determining whether the AKMA key identifier carried in the second AKMA application key request has the AKMA anchor key, it is further required to determine, according to the first preset configuration policy, whether the current first network element may provide a service to the second network element of the relayed second AKMA application key request. In some possible embodiments, it may be determined whether the second network element is located in the service network of the UE, if it is determined that the second network element is located in the service network of the UE, which indicates that the current first network element may provide services for the second network element, then the determining operation of whether the AKMA anchor key exists in the AKMA key identifier carried in the second AKMA application key request may be further performed; if the second network element is not located in the service network of the UE, it is indicated that the current first network element may not provide services for the second network element, and then the subsequent operations in the embodiments of the present disclosure may not be performed.
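The first-network-element decision logic described above (first preset configuration policy, anchor-key lookup, first and second AKMA application key requests, and the confirmation push to the serving network), as an added Python model that is not code from the patent or from any 3GPP implementation. The policy is modelled as a locally configured set of AF_IDs plus a set of visited PLMNs whose AAnFProxy this AAnF may serve, the K_AKMA store is a dictionary keyed by A-KID, and the K_AF derivation is a stand-in HMAC rather than the Annex A.4 KDF. All identifiers (PLMN codes, SUPI, GPSI, AF_ID, A-KID) are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# All identifiers in this example are constructed sample values.


@dataclass
class UEInfo:
    """UE information as the AF obtains it from the PCF (step 2 of the flow)."""
    supi: str
    gpsi: str
    visited_plmn: str   # PLMN identifier (MCC+MNC) the UE is currently attached to


@dataclass
class AAnF:
    """Home-network AAnF (the 'first network element') decision logic."""
    home_plmn: str
    allowed_af_ids: Set[str]          # first preset configuration policy: AF_IDs this AAnF may serve
    served_visited_plmns: Set[str]    # visited PLMNs whose AAnFProxy this AAnF may serve
    anchor_keys: Dict[str, bytes]     # A-KID -> K_AKMA, populated after primary authentication
    kaf_lifetime_s: int = 3600
    confirmations_sent: List[dict] = field(default_factory=list)

    def _derive_kaf(self, k_akma: bytes, af_id: str) -> bytes:
        # Stand-in for the K_AF derivation of 3GPP TS 33.535 Annex A.4 (assumed shape only).
        return hmac.new(k_akma, af_id.encode(), hashlib.sha256).digest()

    def _key_response(self, a_kid: str, ue: UEInfo, af_id: str) -> dict:
        k_akma = self.anchor_keys.get(a_kid)
        if k_akma is None:
            # no anchor key for this A-KID: error response of AKMA key request failure
            return {"status": "error", "reason": "no K_AKMA for A-KID"}
        return {
            "status": "ok",
            "supi": ue.supi,
            "gpsi": ue.gpsi,
            "k_af": self._derive_kaf(k_akma, af_id),
            "k_af_expiry_s": self.kaf_lifetime_s,
        }

    def handle_first_request(self, a_kid: str, ue: UEInfo, af_id: str, via_nef: bool) -> dict:
        """First AKMA application key request: the AF is connected to the UE's home network."""
        if via_nef and af_id not in self.allowed_af_ids:
            # AF outside the operator domain: its AF_ID must be on the configured AF list
            return {"status": "rejected", "reason": "AF_ID not permitted by first preset policy"}
        resp = self._key_response(a_kid, ue, af_id)
        roaming = ue.visited_plmn != self.home_plmn
        if resp["status"] == "ok" and roaming and ue.visited_plmn in self.served_visited_plmns:
            # UE roaming and AF at home: push the K_AF record to the serving-network AAnFProxy
            self.confirmations_sent.append({
                "to_plmn": ue.visited_plmn, "af_id": af_id, "supi": ue.supi, "gpsi": ue.gpsi,
                "k_af": resp["k_af"], "k_af_expiry_s": resp["k_af_expiry_s"],
            })
        return resp

    def handle_second_request(self, proxy_plmn: str, a_kid: str, ue: UEInfo, af_id: str) -> dict:
        """Second AKMA application key request relayed by the serving network's AAnFProxy."""
        if proxy_plmn != ue.visited_plmn or proxy_plmn not in self.served_visited_plmns:
            # the relaying element must be in the UE's serving network and one this AAnF may serve
            return {"status": "rejected", "reason": "relaying network element not authorised"}
        return self._key_response(a_kid, ue, af_id)


def demo_aanf() -> AAnF:
    """Constructed home-network AAnF with one provisioned anchor key."""
    return AAnF(
        home_plmn="46000",
        allowed_af_ids={"app.example.com/ua-tls"},
        served_visited_plmns={"26201"},
        anchor_keys={"a-kid-0001": b"\x11" * 32},
    )
```

The two authorisation checks are deliberately separate: the AF_ID check only applies to requests that arrived through the NEF, while the relaying-element check applies to every second request regardless of where the AF sits.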
In summary, according to the application authentication and key management AKMA application key request method under the roaming condition of the UE provided by the embodiments of the present disclosure, the first network element may first determine whether the UE is in a roaming state, and if it is determined that the UE is in a roaming state and the AKMA application key request is initiated by the AF of the UE corresponding to the home network, send a first AKMA application key response related to the AKMA application key to the AF, and send an AKMA application key confirmation request message to the second network element in the UE corresponding to the serving network; if the UE is in the roaming state and the AKMA application key request is initiated by a second network element of the service network corresponding to the UE, a second AKMA application key response about the AKMA application key is sent to the second network element in the service network corresponding to the UE. The method can integrate the judgment of the roaming state when the secure communication management between the user equipment and the application function is carried out based on the AKMA characteristic, so that the AKMA can support the roaming scene to meet the potential use case requirement of the AKMA.
Fig. 5 is a flowchart of an application authentication and key management AKMA application key request method under roaming condition of a user equipment UE according to an embodiment of the present disclosure. The method is applied to a second network element in the UE corresponding visited network, and may comprise the following steps.
Step 501, a second AKMA application key request sent by the application function AF is received.
The second AKMA application key request at least carries UE information and an AKMA key identifier of the UE, where the second AKMA application key request is sent when the AF is connected to a service network corresponding to the UE and there is no AKMA application key associated with the AKMA key identifier when the UE is in a roaming state.
Step 502, relay the second AKMA application key request to the first network element in the UE's corresponding home network.
In the embodiment of the present disclosure, after receiving a second AKMA application key request sent by an AF, the second network element in the visited network corresponding to the UE may relay the second AKMA application key request to the first network element in the home network corresponding to the UE, so that the first network element determines whether an AKMA anchor key exists for the AKMA key identifier carried in the second AKMA application key request. If the first network element determines that the AKMA anchor key exists for that AKMA key identifier, the AKMA application key is derived from the AKMA anchor key and sent to the current second network element; if the first network element determines that no AKMA anchor key exists for that AKMA key identifier, an error response indicating failure of the AKMA key request is sent to the current second network element.
It should be noted that, in an embodiment of the present disclosure, the received second AKMA application key request may further carry an AKMA application identifier sent by the AF. The AKMA application identifier is sent by the AF when it determines that the AF does not exist in the third generation partnership project operator domain, and may be composed of the fully qualified domain name (Fully Qualified Domain Name, FQDN) of the AF and a User Agent (UA) identifier, where the UA identifier identifies the security protocol that the AF will use with the UE. When the received second AKMA application key request also carries an AKMA application identifier, then before relaying the request to the first network element in the home network corresponding to the UE, the second network element determines, according to a second preset configuration policy and the AKMA application identifier, whether the first network element in the home network corresponding to the UE can provide service for the AF: if so, it relays the second AKMA application key request to the first network element in the home network corresponding to the UE; if not, it rejects the second AKMA application key request. The second preset configuration policy is the service authority of the first network element as configured by the operator and may be stored in a local storage space of the second network element. In some possible embodiments, each first network element may be configured with a list of AFs it can serve, and that AF list may contain the AKMA application identifiers that can be served.
For the embodiment of the present disclosure, the second network element may determine whether the AKMA application identifier in the second AKMA application key request is in the AF list that the relayed first network element may provide services, if the AKMA application identifier in the second AKMA application key request is in the AF list of the relayed first network element, which indicates that the relayed first network element may provide services for the AF corresponding to the AKMA application identifier, then the second AKMA application key request may be further relayed to the first network element in the UE corresponding home network, and the following steps 503 and 504 of the disclosed embodiments are continuously performed; if the AKMA application identifier in the second AKMA application key request is not in the AF list of the relayed first network element, it is indicated that the relayed first network element may not provide services for the AF corresponding to the AKMA application identifier, and then the subsequent operations in the embodiments of the present disclosure may not be performed, and the steps 503 and 504 of the embodiments of the disclosure described below may not be performed.
Step 503, receiving a second AKMA application key response or an error response of failure of the AKMA key request sent by the UE corresponding to the first network element in the home network, where the second AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, an AKMA application key, and an expiration time of the AKMA application key.
Step 504, when the AF is connected to the service network corresponding to the UE, relay the second AKMA application key response or the error response of the AKMA key request failure to the AF.
In summary, according to the method for requesting an application authentication and key management AKMA application key under the roaming condition of the UE provided by the embodiments of the present disclosure, after receiving the second AKMA application key request sent by the AF, the second network element may relay the second AKMA application key request to the first network element in the UE corresponding home network, so as to receive the second AKMA application key response or the error response of the AKMA key request failure sent by the first network element in the UE corresponding home network, and relay the second AKMA application key response or the error response of the AKMA key request failure to the AF when the AF is connected to the service network corresponding to the UE. The determination of the roaming state can be incorporated when secure communication management between the user equipment and the application function is performed based on the AKMA characteristics. Further, under the conditions that the UE is in a roaming state and the current AF is judged to be connected to a service network corresponding to the UE, the AKMA is enabled to support application session establishment in a roaming scene so as to meet the potential use case requirement of the AKMA.
Fig. 6 is a flowchart of an application authentication and key management AKMA application key request method under roaming condition of a user equipment UE according to an embodiment of the present disclosure. The method is applied to a second network element in a corresponding visited network of a UE, and based on the embodiment shown in fig. 5, as shown in fig. 6, the method may include the following steps.
Step 601, receiving an AKMA application key confirmation request message sent by a first network element in a home network corresponding to the UE.
The AKMA application key confirmation request is sent when the first network element in the home network corresponding to the UE confirms, from the UE information, that the UE is in the serving network and that the UE has established a connection with an AF connected to the home network corresponding to the UE.
In the embodiment of the disclosure, when the UE is in a roaming state and the AKMA application key request is initiated by the AF of the home network corresponding to the UE, that is, the UE is in the roaming state and the AF is connected to the home network corresponding to the UE, the first network element in the home network corresponding to the UE derives the AKMA application key from the AKMA anchor key, and the AKMA application key confirmation request message sent by the first network element to the current second network element may then be received.
Step 602, an AKMA application key confirmation request message is stored, and an AKMA application key confirmation response is sent to a first network element in the home network corresponding to the UE.
In summary, according to the method for requesting an application authentication and key management AKMA application key under the roaming condition of the UE provided by the embodiments of the present disclosure, the second network element may receive an AKMA application key confirmation request message sent by the UE corresponding to the first network element in the home network, store the AKMA application key confirmation request message, and send an AKMA application key confirmation response to the UE corresponding to the first network element in the home network. The synchronization of the AKMA application key confirmation request message from the first network element to the second network element can be supported when the secure communication management between the user equipment and the application function is performed based on the AKMA characteristics, so as to update the AKMA application program key stored in the second network element.
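The second-network-element side of Fig. 5 and Fig. 6 (authorisation against the second preset configuration policy, relay of the second request and of the response, and storage and acknowledgement of the confirmation message), as an added example that is not the patent's or any vendor's code. The policy is modelled as a map from home PLMN to the AF_IDs its first network element may serve; the relay to the home network element is an injected callable so the example runs offline, and fake_home_aanf is a constructed stand-in rather than real AAnF logic. All identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Constructed sample identifiers; nothing here is taken from a real network or from the patent.


@dataclass
class AAnFProxy:
    """Serving-network AAnFProxy (the 'second network element') of Fig. 5 and Fig. 6."""
    plmn: str
    # second preset configuration policy: home PLMN -> AF_IDs that its AAnF is allowed to serve
    home_af_lists: Dict[str, Set[str]]
    # transport to the home AAnF: (home_plmn, request) -> response, injected to run offline
    send_to_home_aanf: Callable[[str, dict], dict]
    stored_keys: Dict[Tuple[str, str], dict] = field(default_factory=dict)

    def handle_second_request(self, home_plmn: str, request: dict) -> dict:
        """Steps 502 to 504: authorise (if AF_ID present), relay to the home AAnF, relay the answer."""
        af_id = request.get("af_id")
        if af_id is not None and af_id not in self.home_af_lists.get(home_plmn, set()):
            # AF outside the operator domain whose AF_ID the home AAnF may not serve: reject locally
            return {"status": "rejected", "reason": "home AAnF cannot serve AF_ID"}
        relayed = dict(request, relayed_by_plmn=self.plmn)
        # the home AAnF's answer, key response or error response, is relayed to the AF unchanged
        return self.send_to_home_aanf(home_plmn, relayed)

    def handle_confirmation(self, confirmation: dict) -> dict:
        """Steps 601 and 602: store the pushed K_AF record and acknowledge it."""
        required = ("af_id", "supi", "gpsi", "k_af", "k_af_expiry_s")
        missing = [f for f in required if f not in confirmation]
        if missing:
            return {"status": "error", "missing": missing}
        self.stored_keys[(confirmation["supi"], confirmation["af_id"])] = dict(confirmation)
        return {"status": "confirmed"}


def fake_home_aanf(home_plmn: str, request: dict) -> dict:
    """Constructed stand-in for the home AAnF (not the real AAnF logic): it only checks that the
    relaying proxy is in the UE's serving network and looks up a pre-derived K_AF by A-KID."""
    known = {"46000": {"a-kid-0001": b"\x22" * 32}}
    if request.get("relayed_by_plmn") != request["ue_visited_plmn"]:
        return {"status": "rejected", "reason": "relaying proxy not in UE serving network"}
    k_af = known.get(home_plmn, {}).get(request["a_kid"])
    if k_af is None:
        return {"status": "error", "reason": "AKMA key request failed"}
    return {"status": "ok", "supi": request["supi"], "gpsi": request["gpsi"],
            "k_af": k_af, "k_af_expiry_s": 3600}


def demo_proxy() -> AAnFProxy:
    """Constructed serving-network proxy that may relay to one home PLMN for one AF."""
    return AAnFProxy(
        plmn="26201",
        home_af_lists={"46000": {"app.example.com/ua-tls"}},
        send_to_home_aanf=fake_home_aanf,
    )
```

The proxy never derives or inspects key material itself; it only gates on the AF_ID list it holds for the home network and stores what the home AAnF pushes to it, which is what keeps the anchor key confined to the home network.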
Fig. 7 is a flowchart of an application authentication and key management AKMA application key request method under roaming condition of a user equipment UE according to an embodiment of the present disclosure. The method is applied to a network opening function, NEF, and may include the following steps.
In step 701, in response to the application function AF not existing in the third generation partnership project operator domain, a first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier is sent to a first network element in a corresponding home network of the user equipment UE.
In an embodiment of the present disclosure, if the AF determines that the AF does not exist in the third generation partnership project operator domain before sending a first AKMA application key request carrying at least UE information and an AKMA key identifier to the first network element in the home network corresponding to the UE, the AF may send the first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier (Application function identity, AF_ID) to the first network element in the home network corresponding to the UE through the network opening function NEF. The AKMA application identity may consist of the fully qualified domain name (Fully Qualified Domain Name, FQDN) of the AF and a User Agent (UA) identifier that identifies the security protocol the AF will use with the UE.
Step 702, in response to the application function AF not existing in the third generation partnership project operator domain, sending a second AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a second network element in the service network corresponding to the UE.
In the embodiment of the present disclosure, if the AF determines that the current AF does not exist in the third generation partnership project operator domain before sending a second AKMA application key request that at least carries UE information and an AKMA key identifier to a second network element in the UE-corresponding service network, the AF may send the second AKMA application key request that at least carries UE information, an AKMA key identifier and an AKMA application identifier to the second network element in the UE-corresponding service network through the network opening function NEF. The AKMA application identity may consist of a fully qualified domain name (Fully Qualified Domain Name, FQDN) of the AF and a User Agent (UA) identifier for identifying the security protocol that the AF will use with the UE.
In summary, according to the method for requesting an application authentication and key management AKMA application key under a roaming condition of a UE of a user equipment provided by the embodiments of the present disclosure, when it is determined that AF does not exist in a third generation partnership project operator domain, a first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier is sent to a first network element in a corresponding home network of the UE; or when the AF is judged not to exist in the third generation partnership project operator domain, a second AKMA application program key request carrying at least UE information, AKMA key identification and AKMA application identification is sent to a second network element in the corresponding service network of the UE. In another way, authorization information verification of the AF can be implemented in the case that the AF does not exist in the third generation partnership project operator domain, and it is further determined whether the first network element can provide service for the AF, so that pushing and response execution of an AKMA application key request in a roaming scenario are facilitated.
Fig. 8 is a timing diagram of an application authentication and key management AKMA application key request method under roaming conditions of a user equipment UE according to an embodiment of the present disclosure. In order to fully explain the technical solutions in the present disclosure, the technical solutions of the present disclosure are described in detail herein with reference to fig. 8:
1. The user equipment UE sends an application session establishment request including an A-KID to the application function AF.
The UE should generate an AKMA anchor key and an A-KID before initiating communication with the AF. When the UE initiates communication with the AF (that is, the UE sends an application session establishment request to the AF), the application session establishment request contains the A-KID (see 3GPP TS 33.535, clause 6.1).
2. The AF requests UE information of the UE from the PCF.
After receiving the application session establishment request, the AF shall acquire UE information including the current PLMN identifier of the UE, the access type used by the UE and the RAT type used by the UE. According to clause 6.1.3.18 of 3GPP TS 23.503 [2], the AF may use an event reporting procedure to obtain the UE information from the PCF. The AF may obtain the home network identifier from the A-KID sent by the UE and may verify whether the UE is roaming by comparing the home network identifier with the PLMN identifier reported by the PCF: if the mobile country code and mobile network code in the home network identifier differ from those in the PLMN identifier sent by the PCF, the UE is determined to be roaming. In the UE roaming scenario, the AF requests the AKMA application key from different network elements depending on whether the AF is in the serving network of the UE.
3a. The AF sends a first AKMA application key request with the A-KID, UE information and AF_ID (whether AF_ID is present depends on whether the AF is in the 3GPP operator domain) to the AAnF connected to the home network of the UE.
If the AF is connected to the UE's home network and does not have an AKMA application key associated with the A-KID, the AF selects an AAnF as defined in 3GPP TS 33.535 and sends a first AKMA application key request with the A-KID and UE information to the AAnF, thereby requesting an AKMA application key for the UE. According to 3GPP TS 33.535, if the AF is not in the 3GPP operator domain, the AF needs to send the first AKMA application key request via the NEF and also includes its identity (AF_ID) in the request.
The AAnF checks, using the AF_ID, whether it can provide service to the AF according to a first preset configuration policy in its local configuration or according to authorization information provided by the NRF. If the check succeeds, the following procedure is performed; otherwise the AAnF rejects the first AKMA application key request.
The AAnF identifies the UE-specific AKMA anchor key (K_AKMA) to verify whether the user is authorized to use AKMA.
If K_AKMA is present in the AAnF, the AAnF in the UE home network continues to step 4.
If K_AKMA is not present in the AAnF, the AAnF in the UE home network continues to step 5a and returns an error response; steps 5b to 5c may be skipped.
3b. The AF sends a second AKMA application key request with the A-KID, UE information and AF_ID (whether AF_ID is present depends on whether the AF is in the 3GPP operator domain) to the AAnFProxy connected to the serving network of the UE.
If the AF is connected to the serving network of the UE and does not have an AKMA application key associated with the A-KID, the AF sends a second AKMA application key request with the A-KID and UE information to the AAnFProxy in the serving network of the UE, requesting the AKMA application key for the UE, and the AAnFProxy relays the second AKMA application key request to the AAnF in the home network of the UE. According to 3GPP TS 33.535, if the AF is not in the 3GPP operator domain, the AF needs to send the second AKMA application key request via the NEF and also includes its identity (AF_ID) in the request. The AAnFProxy checks, using the AF_ID, whether the AAnF can provide service to the AF according to the configured local policy or authorization information provided by the NRF. If the check succeeds, step 3c is performed; otherwise the AAnFProxy rejects the second AKMA application key request.
3c. The AAnFProxy relays the second AKMA application key request to the AAnF in the UE home network.
The AAnF in the UE home network verifies that the AAnFProxy is authorized to use AKMA. In particular, if the AAnFProxy is located in the serving network of the UE, the AAnF in the UE home network may provide service to the AAnFProxy, and the AAnF in the UE home network identifies the UE-specific AKMA anchor key (K_AKMA) to verify whether the user is authorized to use AKMA.
If K_AKMA is present in the AAnF, the AAnF in the UE home network continues to step 4.
If K_AKMA is not present in the AAnF, the AAnF in the UE home network continues to step 5d and returns an error response.
4. The AAnF derives an AKMA application key from K_AKMA.
If the AAnF does not yet have an AKMA application key (K_AF), the AAnF derives K_AF from K_AKMA.
The derivation of K_AF should be performed as specified in Annex A.4 of 3GPP TS 33.535.
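An added example of the derivation referenced in step 4, not taken from the patent: the generic key derivation function of 3GPP TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0) applied with AF_ID as the single input parameter, where AF_ID = FQDN of the AF || Ua* security protocol identifier as the page describes. The FC value 0x82 and the 5-octet length of the Ua* identifier are stated from memory of TS 33.535 Annex A.4 and are assumptions to confirm against the specification edition in use; the key bytes and FQDN used are constructed.

```python
import hashlib
import hmac

# FC value for K_AF derivation: 0x82 is recalled from 3GPP TS 33.535 Annex A.4. Treat it as an
# assumption and confirm it against the current version of the specification before relying on it.
FC_KAF = 0x82


def build_af_id(fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN of the AF || Ua* security protocol identifier.

    The 5-octet length of the Ua* identifier is assumed here by analogy with the Ua security
    protocol identifier format of TS 33.220.
    """
    if len(ua_star_protocol_id) != 5:
        raise ValueError("Ua* security protocol identifier is expected to be 5 octets")
    return fqdn.encode("ascii") + ua_star_protocol_id


def kdf_ts33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of 3GPP TS 33.220 Annex B: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    where each Li is the 2-octet big-endian length of Pi."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC is a single octet")
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kaf(k_akma: bytes, af_id: bytes) -> bytes:
    """K_AF = KDF(K_AKMA, FC_KAF, AF_ID); the full 256-bit output is used as K_AF."""
    if len(k_akma) != 32:
        raise ValueError("K_AKMA is a 256-bit key")
    return kdf_ts33220(k_akma, FC_KAF, af_id)


def demo_kaf() -> bytes:
    """Constructed inputs: a fixed 32-byte K_AKMA, a sample FQDN and a sample Ua* identifier."""
    k_akma = bytes(range(32))
    af_id = build_af_id("app.example.com", b"\x01\x00\x00\x00\x00")
    return derive_kaf(k_akma, af_id)
```

Binding AF_ID into the derivation is what makes K_AF specific to one AF and one Ua* protocol: the same K_AKMA yields unrelated keys for a different FQDN or protocol identifier, so a key handed to one AF cannot be reused towards another.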
5a. The AAnF sends a first AKMA application key response to the AF.
If the AF is connected to the UE's home network, the AAnF in the UE's home network should send a first AKMA application key response to the AF. The first AKMA application key response may include SUPI, GPSI, K_AF and the K_AF expiration time. The procedure then proceeds to step 5b. If the AF is connected to the serving network of the UE, the procedure proceeds to step 5d.
5b. The AAnF sends an AKMA application key confirmation request message to the AAnFProxy.
If the AAnF confirms from the UE information that the UE is in the serving network and that the UE has established a connection with the AF connected to the UE home network, the AAnF in the UE home network should send an AKMA application key confirmation request message to the AAnFProxy. The AKMA application key confirmation request message may include AF_ID, SUPI, GPSI, K_AF and the K_AF expiration time. The procedure then proceeds to step 5c.
5c. The AAnFProxy sends an AKMA application key confirmation response to the AAnF.
If the AAnF confirms from the UE information that the UE is in the serving network and that the UE has established a connection with the AF connected to the UE home network, then on receiving the AKMA application key confirmation request message the AAnFProxy shall store AF_ID, SUPI, GPSI, K_AF and the K_AF expiration time. The AAnFProxy should then send an AKMA application key confirmation response to the AAnF in the UE home network. The procedure then proceeds to step 6.
5d. The AAnF sends a second AKMA application key response to the AAnFProxy.
If the AF is connected to the serving network of the UE, the AAnF in the UE home network sends a second AKMA application key response to the AAnFProxy in the UE serving network. The second AKMA application key response may include SUPI, GPSI, K_AF and the K_AF expiration time. The procedure then proceeds to step 5e.
5e. The AAnFProxy relays the second AKMA application key response to the AF.
If the AF is connected to the serving network of the UE, the AAnFProxy in the serving network should relay the second AKMA application key response to the AF after receiving it from the AAnF in the home network of the UE. The procedure then proceeds to step 6.
6. The AF sends an application session establishment response to the UE.
If the information received in step 5 indicates that the AKMA application key request failed, the AF shall reject the application session establishment and include the reason for the failure. The UE may then trigger a new application session establishment request with the latest A-KID towards the AF.
In the embodiments provided in the present application, the method provided in the embodiments of the present application is described from the perspectives of the application function AF, the first network element in the home network corresponding to the UE, the second network element in the visited network corresponding to the UE, and the network opening function NEF, respectively. In order to implement the functions in the method provided in the embodiment of the present application, the application function AF, the first network element in the home network corresponding to the UE, the second network element in the visited network corresponding to the UE, and the network opening function NEF may include a hardware structure, a software module, or both, and implement the functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Some of the functions described above may be implemented in a hardware structure, a software module, or a combination of the two.
The application authentication and key management AKMA application key requesting device under the roaming condition of the UE provided by the embodiments of the present disclosure corresponds to the application authentication and key management AKMA application key requesting method under the roaming condition of the UE provided by the embodiments of the present disclosure. Because the device and the method correspond, the implementation of the method is also applicable to the device and is not described again in detail in this embodiment.
Fig. 9 is a schematic structural diagram of an application authentication and key management AKMA application key request device 800 under roaming condition of a UE according to an embodiment of the present disclosure, where the application authentication and key management AKMA application key request device 800 under roaming condition of the UE may be used for an application function AF.
As shown in fig. 9, the apparatus 800 may include:
a sending module 810, configured to send an AKMA application key request to a first network element in a home network corresponding to the UE or to a second network element in a serving network corresponding to the UE, according to whether the network to which the AF is connected is the home network of the UE in a roaming state. Here, the serving network may be the serving network used by the roaming UE to establish a connection with the AF.
In some embodiments of the present disclosure, as shown in fig. 9, the apparatus further comprises: a judgment module 820;
a judging module 820, configured to receive an application session establishment request sent by the UE, where the application session establishment request includes an AKMA key identifier; acquire UE information of the UE from a policy control function, where the UE information at least includes an identifier of the public land mobile network used by the UE to establish a connection with the AF, the access type used by the UE and the radio access technology type used by the UE; and acquire the home network identifier from the AKMA key identifier, and judge whether the UE is in a roaming state according to the home network identifier and the identifier of the public land mobile network used by the UE to establish the connection with the AF.
In some embodiments of the present disclosure, the judging module 820 may be configured to extract a first mobile country code and a first mobile network code from the home network identifier; extract a second mobile country code and a second mobile network code from the identifier of the public land mobile network used by the UE to establish the connection with the AF; and, if the first mobile country code is different from the second mobile country code and/or the first mobile network code is different from the second mobile network code, determine that the UE is in a roaming state.
In some embodiments of the present disclosure, in response to the UE being in a roaming state and the AF being connected to the home network corresponding to the UE, the sending module 810 may be configured to send, to the first network element in the home network corresponding to the UE, a first AKMA application key request that carries at least the UE information and the AKMA key identifier, in response to the AF not having the AKMA application key associated with the AKMA key identifier;
as shown in fig. 9, the apparatus 800 may further include: a receiving module 830;
a receiving module 830, configured to receive a first AKMA application key response or an error response indicating that the AKMA key request failed, where the first AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, an AKMA application key, and an expiration time of the AKMA application key.
In some embodiments of the present disclosure, a determination module 820 may be used to determine whether the current AF is present in the third generation partnership project operator domain; the sending module 810 may be configured to send, when the current AF does not exist in the third generation partnership project operator domain, a first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a first network element in a home network corresponding to the UE through a network opening function NEF.
In some embodiments of the present disclosure, in response to the UE being in a roaming state and the AF being connected to the serving network corresponding to the UE, the sending module 810 may be configured to send, to the second network element in the serving network corresponding to the UE, a second AKMA application key request that carries at least the UE information and the AKMA key identifier, in response to the AF not having the AKMA application key associated with the AKMA key identifier; the receiving module 830 may be configured to receive a second AKMA application key response or an error response indicating that the AKMA key request failed, sent by the second network element, where the second AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, an AKMA application key, and an expiration time of the AKMA application key.
In some embodiments of the present disclosure, the sending module 810 may be configured to send an application session establishment response to the UE according to one of the first AKMA application key response and the second AKMA application key response; or to send an error response indicating application session establishment failure to the UE according to the error response indicating that the AKMA key request failed.
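The roaming check (judging module 820) and the routing decision of the sending module 810 above, as an added illustration that is not code from the patent. It assumes the A-KID is an NAI (username@realm) whose realm carries the home network identifier in the form 5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, that PLMN identifiers are 5- or 6-digit MCC+MNC strings, and that the AF identifier passed for the NEF case is a hypothetical `af_a_id` string; the non-roaming branch is an assumption that the AF then contacts the home AAnF as in non-roaming AKMA.

```python
import re
from dataclasses import dataclass

# Realm of an A-KID carrying the home network identifier (assumed format, see lead-in).
# The MNC inside the realm is always three digits: a 2-digit MNC is zero-padded.
REALM_RE = re.compile(r"^5gc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")


@dataclass(frozen=True)
class PlmnId:
    mcc: str
    mnc: str  # normalised to three digits so realm and PLMN ID forms compare equal


def parse_plmn_id(plmn: str) -> PlmnId:
    """Split a 5- or 6-digit PLMN ID (MCC followed by MNC) into its components."""
    if not plmn.isdigit() or len(plmn) not in (5, 6):
        raise ValueError(f"PLMN ID must be 5 or 6 digits: {plmn!r}")
    # Caveat: padding "01" to "001" matches the realm convention; it does not distinguish
    # a genuine 3-digit MNC "001" from a 2-digit MNC "01" in the same MCC.
    return PlmnId(mcc=plmn[:3], mnc=plmn[3:].zfill(3))


def home_network_id_from_akid(a_kid: str) -> PlmnId:
    """Extract the home network identifier (first MCC, first MNC) from the A-KID realm."""
    if a_kid.count("@") != 1:
        raise ValueError("A-KID must be in username@realm form")
    m = REALM_RE.match(a_kid.split("@", 1)[1].lower())
    if not m:
        raise ValueError("A-KID realm does not carry a home network identifier")
    return PlmnId(mcc=m["mcc"], mnc=m["mnc"])


def is_roaming(home: PlmnId, serving: PlmnId) -> bool:
    """Roaming if the MCC differs and/or the MNC differs (the rule stated for module 820)."""
    return home.mcc != serving.mcc or home.mnc != serving.mnc


@dataclass(frozen=True)
class UeInfo:
    """UE information obtained from the policy control function."""
    serving_plmn_id: str  # PLMN the UE used to reach the AF
    access_type: str
    rat_type: str


def route_key_request(a_kid: str, ue_info: UeInfo, af_plmn_id: str,
                      af_in_operator_domain: bool, af_a_id: str, kaf_cache: dict) -> dict:
    """Decide where the AF sends its AKMA application key request, and with what."""
    home = home_network_id_from_akid(a_kid)
    serving = parse_plmn_id(ue_info.serving_plmn_id)
    af_net = parse_plmn_id(af_plmn_id)
    roaming = is_roaming(home, serving)
    if a_kid in kaf_cache:  # AF already holds K_AF for this A-KID: no request needed
        return {"action": "use_cached_kaf", "roaming": roaming}
    payload = {"a_kid": a_kid, "ue_info": ue_info}
    via_nef = not af_in_operator_domain
    if via_nef:  # an AF outside the operator domain goes through NEF and adds its A-ID
        payload["a_id"] = af_a_id
    if not roaming:  # assumption: ordinary (non-roaming) AKMA towards the home AAnF
        return {"action": "send", "roaming": False, "request": "non-roaming",
                "target": "home AAnF", "via_nef": via_nef, "payload": payload}
    if af_net == home:
        return {"action": "send", "roaming": True, "request": "first",
                "target": "first network element (home AAnF)", "via_nef": via_nef,
                "payload": payload}
    if af_net == serving:
        return {"action": "send", "roaming": True, "request": "second",
                "target": "second network element (serving AAnFproxy)", "via_nef": via_nef,
                "payload": payload}
    return {"action": "reject", "roaming": True,
            "reason": "AF is connected to neither the home nor the serving network"}
```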
Fig. 10 is a schematic structural diagram of an application authentication and key management AKMA application key request apparatus 900 under roaming condition of a user equipment UE according to an embodiment of the present disclosure. The apparatus 900 may be used for the first network element in the home network corresponding to the UE.
As shown in fig. 10, the apparatus 900 may include:
a sending module 910, configured to send, in response to the UE being in a roaming state and the AKMA application key request being initiated by an application function AF of the home network corresponding to the UE, a first AKMA application key response related to the AKMA application key to the AF, and at the same time send an AKMA application key confirmation request message to the second network element in the serving network corresponding to the UE; or
the sending module 910, configured to send, to the second network element in the serving network corresponding to the UE, a second AKMA application key response related to the AKMA application key, in response to the UE being in a roaming state and the AKMA application key request being initiated by the second network element of the serving network corresponding to the UE.
In some embodiments of the present disclosure, the first network element is the AKMA anchor function AAnF in the home network corresponding to the UE.
In some embodiments of the present disclosure, as shown in fig. 10, the apparatus 900 may further include: a receiving module 920 and a judging module 930;
When the UE is in a roaming state and the AKMA application key request is initiated by an AF of the home network corresponding to the UE, the receiving module 920 may be configured to receive a first AKMA application key request sent by the AF of the home network corresponding to the UE, where the first AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and is sent when the AF is connected to the home network corresponding to the UE and has no AKMA application key associated with the AKMA key identifier; the judging module 930 is configured to judge whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request; if an AKMA anchor key exists for that AKMA key identifier, the sending module 910 may be configured to derive an AKMA application key from the AKMA anchor key and send a first AKMA application key response related to the AKMA application key to the AF connected to the home network corresponding to the UE, where the first AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, the AKMA application key, and an expiration time of the AKMA application key; if no AKMA anchor key exists for that AKMA key identifier, the sending module 910 may be configured to send an error response indicating that the AKMA key request failed to the AF connected to the home network corresponding to the UE.
In some embodiments of the present disclosure, the receiving module 920 may be configured to receive an AKMA application identifier sent by the AF, where the AKMA application identifier is sent by the AF when it is determined that the current AF does not exist in the third generation partnership project operator domain; the judging module 930 is configured to judge whether the current first network element can provide service to the AF according to a first preset configuration policy and the AKMA application identifier; if the current first network element can provide service to the AF, the judging module 930 may be configured to judge whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request; if the current first network element cannot provide service to the AF, the judging module 930 may be configured to reject the first AKMA application key request.
In some embodiments of the present disclosure, in response to the UE being in a roaming state and the AKMA application key request being initiated by the AF of the home network corresponding to the UE, the sending module 910 may be configured to send an AKMA application key confirmation request message to the second network element in the serving network corresponding to the UE, where the AKMA application key confirmation request message includes at least an AKMA application identifier, a subscription permanent identifier, a common public user identifier, the AKMA application key, and an expiration time of the AKMA application key; the receiving module 920 may be configured to receive an AKMA application key confirmation response sent by the second network element in the serving network corresponding to the UE.
In some embodiments of the present disclosure, in response to the UE being in a roaming state and the AKMA application key request being initiated by the second network element of the serving network corresponding to the UE, the receiving module 920 may be configured to receive a second AKMA application key request relayed by the second network element in the serving network corresponding to the UE, where the second AKMA application key request carries at least UE information of the UE and an AKMA key identifier, and is sent by the AF when the AF is connected to the serving network corresponding to the UE and has no AKMA application key associated with the AKMA key identifier; the judging module 930 is configured to judge whether an AKMA anchor key exists for the AKMA key identifier carried in the second AKMA application key request; if an AKMA anchor key exists for that AKMA key identifier, the sending module 910 may be configured to derive the AKMA application key from the AKMA anchor key and send it to the second network element in the serving network corresponding to the UE, so that the second network element sends a second AKMA application key response related to the AKMA application key to the AF connected to the serving network corresponding to the UE, where the second AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, the AKMA application key, and an expiration time of the AKMA application key; if no AKMA anchor key exists for that AKMA key identifier, the sending module 910 may be configured to send an error response indicating that the AKMA key request failed to the second network element in the serving network corresponding to the UE.
In some embodiments of the present disclosure, the judging module 930 may be configured to judge, according to the first preset configuration policy, whether the current first network element can provide service to the second network element.
In some embodiments of the present disclosure, the determining module 930 may be configured to obtain, according to the AKMA key identifier, a home network identifier of the UE, obtain, according to UE information, an identifier of a public land mobile network used by the UE to establish a connection with the AF, and determine, according to the home network identifier and the identifier of the public land mobile network used by the UE to establish the connection with the AF, whether the UE is in a roaming state.
Fig. 11 is a schematic structural diagram of an application authentication and key management AKMA application key request apparatus 1000 under roaming condition of a UE according to an embodiment of the present disclosure. The apparatus 1000 may be used for the second network element in the serving network corresponding to the UE.
As shown in fig. 11, the apparatus 1000 may include:
a receiving module 1010, configured to receive a second AKMA application key request sent by the application function AF, where the second AKMA application key request at least carries UE information of the UE and an AKMA key identifier, where the second AKMA application key request is sent when the AF is connected to a service network corresponding to the UE and there is no AKMA application key associated with the AKMA key identifier when the UE is in a roaming state;
a relay module 1020, configured to relay the second AKMA application key request to the first network element in the home network corresponding to the UE;
the receiving module 1010, further configured to receive a second AKMA application key response or an error response indicating that the AKMA key request failed, sent by the first network element in the home network corresponding to the UE, where the second AKMA application key response includes at least a subscription permanent identifier, a common public user identifier, an AKMA application key, and an expiration time of the AKMA application key;
the relay module 1020, further configured to relay the second AKMA application key response or the error response indicating that the AKMA key request failed to the AF connected to the serving network corresponding to the UE.
In some embodiments of the present disclosure, the second network element is an AKMA anchor function proxy AAnFproxy in the UE-corresponding serving network.
In some embodiments of the present disclosure, as shown in fig. 11, the apparatus 1000 may further include: a judgment module 1030;
the receiving module 1010, configured to receive an AKMA application identifier sent by the AF, where the AKMA application identifier is sent by the AF when it is determined that the current AF does not exist in the third generation partnership project operator domain; the judging module 1030, configured to judge whether the first network element in the home network corresponding to the UE can provide service to the AF according to a second preset local configuration policy and the AKMA application identifier; if the first network element can provide service to the AF, the relay module 1020 is configured to relay the second AKMA application key request to the first network element in the home network corresponding to the UE; if the first network element cannot provide service to the AF, the relay module 1020 may be configured to reject the second AKMA application key request.
In some embodiments of the present disclosure, as shown in fig. 11, the apparatus 1000 may further include: a storage module 1040;
a receiving module 1010, configured to receive an AKMA application key confirmation request message sent by a first network element in a home network corresponding to a UE, where the AKMA application key confirmation request at least includes an AKMA application identifier, a subscription permanent identifier, a common public user identifier, an AKMA application key, and an expiration time of the AKMA application key, where the AKMA application key confirmation request is sent when the first network element in the home network corresponding to the UE confirms that the UE is in a serving network according to UE information of the UE, and the UE establishes a connection with an AF connected to the home network corresponding to the UE; the storage module 1040 is configured to store the AKMA application key confirmation request message, and send an AKMA application key confirmation response to the first network element in the UE corresponding home network.
In some embodiments of the present disclosure, the determining module 1030 may be configured to determine whether the current second network element can provide the service to the AF according to a second preset configuration policy.
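The home-network element (apparatus 900, AAnF) and the serving-network element (apparatus 1000, AAnFproxy) behaviour described above, covering both the direct first request with its confirmation push and the relayed second request, as an added illustration that is not the patent's code. It assumes K_AF is derived with the 3GPP generic KDF (HMAC-SHA-256 over FC || P0 || L0) with an FC value of 0x82 and P0 = AF_ID, which is my recollection of TS 33.535 Annex A.4 and should be verified against the specification; the SUPI, GPSI, K_AKMA, A-KID and lifetime values are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

FC_KAF = 0x82          # assumed FC for the K_AF derivation (verify against TS 33.535)
KAF_LIFETIME_S = 3600  # constructed sample lifetime for the expiration time


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), L as 2 octets."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kaf(k_akma: bytes, af_id: bytes) -> bytes:
    """K_AF from the anchor key K_AKMA and the AF identifier (FQDN plus Ua* protocol id)."""
    return kdf_3gpp(k_akma, FC_KAF, af_id)


@dataclass
class AnchorContext:
    """What the home AAnF holds per A-KID after primary authentication (constructed)."""
    supi: str
    gpsi: str
    k_akma: bytes


@dataclass
class AAnFProxy:
    """Second network element (AAnFproxy) in the serving network."""
    home: "AAnF"
    allowed_a_ids: set                               # second preset local configuration policy
    confirmed: dict = field(default_factory=dict)    # storage module: A-KID -> confirmation

    def handle_second_request(self, req: dict) -> dict:
        # An AF outside the operator domain arrives via NEF with an A-ID; check local policy
        # before relaying, otherwise reject the second request.
        if req.get("via_nef") and req.get("a_id") not in self.allowed_a_ids:
            return {"error": "second AKMA application key request rejected by local policy"}
        # Relay to the home network; the response or error is relayed back to the AF as-is.
        return self.home.handle_relayed_request(req)

    def handle_confirmation(self, msg: dict) -> dict:
        self.confirmed[msg["a_kid"]] = msg           # store, then acknowledge
        return {"ack": True, "a_kid": msg["a_kid"]}


@dataclass
class AAnF:
    """First network element (AAnF) in the home network."""
    anchors: dict                                    # A-KID -> AnchorContext
    allowed_a_ids: set                               # first preset configuration policy
    proxies: dict = field(default_factory=dict)      # serving PLMN ID -> AAnFProxy
    now: int = 1_700_000_000                         # constructed clock value

    def _derive_response(self, req: dict) -> dict:
        ctx = self.anchors.get(req["a_kid"])
        if ctx is None:  # no anchor key for this A-KID: error response to the requester
            return {"error": "AKMA key request failed: no anchor key for A-KID"}
        return {"supi": ctx.supi, "gpsi": ctx.gpsi,
                "k_af": derive_kaf(ctx.k_akma, req["af_id"]),
                "expiry": self.now + KAF_LIFETIME_S}

    def handle_first_request(self, req: dict) -> dict:
        """AF connected to the home network asks directly (first request)."""
        if req.get("via_nef") and req.get("a_id") not in self.allowed_a_ids:
            return {"error": "first AKMA application key request rejected by policy"}
        resp = self._derive_response(req)
        if "error" not in resp:
            # The UE is roaming: push the confirmation to the proxy of its serving network.
            proxy = self.proxies[req["ue_info"]["serving_plmn_id"]]
            proxy.handle_confirmation({"a_kid": req["a_kid"], "a_id": req.get("a_id"), **resp})
        return resp

    def handle_relayed_request(self, req: dict) -> dict:
        """Second request relayed by the serving-network proxy."""
        if req.get("via_nef") and req.get("a_id") not in self.allowed_a_ids:
            return {"error": "AF not served by this AAnF under the first preset policy"}
        return self._derive_response(req)


def build_sample_network():
    """Constructed home AAnF, one serving proxy and one anchored UE (sample values)."""
    a_kid = "0.9f3c2a1b@5gc.mnc001.mcc460.3gppnetwork.org"
    aanf = AAnF(anchors={a_kid: AnchorContext("imsi-460010000000001",
                                               "msisdn-8613800000001", bytes(range(32)))},
                allowed_a_ids={"af.example.invalid"})
    proxy = AAnFProxy(home=aanf, allowed_a_ids={"af.example.invalid"})
    aanf.proxies["26201"] = proxy
    return aanf, proxy, a_kid, b"af.example.invalid" + b"\x01"  # AF_ID: FQDN || Ua* id
```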
Fig. 12 is a schematic structural diagram of an application authentication and key management AKMA application key request apparatus 1100 under roaming condition of a UE according to an embodiment of the present disclosure. The apparatus 1100 may be used for the network opening function NEF.
As shown in fig. 12, the apparatus 1100 may include:
a sending module 1110, configured to send, to a first network element in a home network corresponding to a user equipment UE, a first AKMA application key request that carries at least UE information, an AKMA key identifier and an AKMA application identifier, in response to an application function AF not existing in the third generation partnership project operator domain; or,
the sending module 1110, configured to send, to a second network element in a serving network corresponding to the UE, a second AKMA application key request that carries at least UE information, an AKMA key identifier and an AKMA application identifier, in response to the application function AF not existing in the third generation partnership project operator domain.
Referring to fig. 13, fig. 13 is a schematic structural diagram of a communication device 1200 according to an embodiment of the present application. The communication apparatus 1200 may be a network device, a user device, or a chip, chip system, processor, or the like that supports the network device or the user device in implementing the above method. The device can be used to implement the method described in the method embodiments; for details, refer to the description in the method embodiments.
The communications apparatus 1200 can include one or more processors 1201. The processor 1201 may be a general purpose processor, a special purpose processor, or the like, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processor may be used to control communication devices (e.g., base stations, baseband chips, terminal equipment chips, DUs or CUs, etc.), execute computer programs, and process data of the computer programs.
Optionally, the communication device 1200 may further include one or more memories 1202, on which a computer program 1204 may be stored, and the processor 1201 executes the computer program 1204, so that the communication device 1200 performs the method described in the above method embodiments. Optionally, the memory 1202 may also have data stored therein. The communication device 1200 and the memory 1202 may be provided separately or may be integrated.
Optionally, the communication device 1200 may further include a transceiver 1205 and an antenna 1206. The transceiver 1205 may be referred to as a transceiver unit, transceiver circuitry, or the like, and implements a transceiving function. The transceiver 1205 may include a receiver, which may also be referred to as a receiving circuit and implements the receiving function, and a transmitter, which may also be referred to as a transmitting circuit and implements the transmitting function.
Optionally, one or more interface circuits 1207 may also be included in the communications device 1200. The interface circuit 1207 is configured to receive code instructions and transmit the code instructions to the processor 1201. The processor 1201 executes code instructions to cause the communication apparatus 1200 to perform the method described in the method embodiments described above.
In one implementation, a transceiver for implementing the receive and transmit functions may be included in the processor 1201. For example, the transceiver may be a transceiver circuit, or an interface circuit. The transceiver circuitry, interface or interface circuitry for implementing the receive and transmit functions may be separate or may be integrated. The transceiver circuit, interface or interface circuit may be used for reading and writing codes/data, or the transceiver circuit, interface or interface circuit may be used for transmitting or transferring signals.
In one implementation, the processor 1201 may store a computer program 1203, where the computer program 1203 runs on the processor 1201 and may cause the communication apparatus 1200 to perform the method described in the above method embodiments. The computer program 1203 may be fixed in the processor 1201, in which case the processor 1201 may be implemented in hardware.
In one implementation, the communications apparatus 1200 can include circuitry that can implement the functions of transmitting or receiving or communicating in the foregoing method embodiments. The processors and transceivers described herein may be implemented on integrated circuits (integrated circuit, ICs), analog ICs, radio frequency integrated circuits RFICs, mixed signal ICs, application specific integrated circuits (application specific integrated circuit, ASIC), printed circuit boards (printed circuit board, PCB), electronic devices, and the like. The processor and transceiver may also be fabricated using a variety of IC process technologies such as complementary metal oxide semiconductor (complementary metal oxide semiconductor, CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
The communication apparatus described in the above embodiment may be a network device or a user device, but the scope of the communication apparatus described in the present application is not limited thereto, and the structure of the communication apparatus may not be limited by fig. 12. The communication means may be a stand-alone device or may be part of a larger device. For example, the communication device may be:
(1) A stand-alone integrated circuit IC, or chip, or a system-on-a-chip or subsystem;
(2) A set of one or more ICs, optionally including storage means for storing data, a computer program;
(3) An ASIC, such as a Modem (Modem);
(4) Modules that may be embedded within other devices;
(5) A receiver, a terminal device, an intelligent terminal device, a cellular phone, a wireless device, a handset, a mobile unit, a vehicle-mounted device, a network device, a cloud device, an artificial intelligent device, and the like;
(6) Others, and so on.
For the case where the communication device may be a chip or a chip system, reference may be made to the schematic structural diagram of the chip shown in fig. 13. The chip shown in fig. 13 includes a processor 1301 and an interface 1302. Wherein the number of processors 1301 may be one or more, and the number of interfaces 1302 may be a plurality.
Optionally, the chip further comprises a memory 1303, the memory 1303 being configured to store necessary computer programs and data.
Those of skill would further appreciate that the various illustrative logical blocks (illustrative logical block) and steps (steps) described in connection with the embodiments herein may be implemented as electronic hardware, computer software, or combinations of both. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Those skilled in the art may implement the functionality in a variety of ways for each particular application, but such implementation should not be understood to be beyond the scope of the embodiments of the present application.
The present application also provides a readable storage medium having instructions stored thereon which, when executed by a computer, perform the functions of any of the method embodiments described above.
The present application also provides a computer program product which, when executed by a computer, implements the functions of any of the method embodiments described above.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer programs. When the computer program is loaded and executed on a computer, the flows or functions according to the embodiments of the present application are fully or partially produced. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer program may be stored in or transmitted from one computer readable storage medium to another, for example from a website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) connection. Computer readable storage media can be any available media that can be accessed by a computer, or data storage devices such as servers or data centers that contain an integration of one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
Those of ordinary skill in the art will appreciate that the numbers "first", "second", etc. referred to in this application are merely for convenience of description and are not intended to limit the scope of the embodiments of the present application, nor to indicate a sequence.
In the present application, "at least one" may also be described as "one or more", and "a plurality" may be two, three, four or more, which is not limited in the present application. In the embodiments of the present application, for a technical feature, instances of that technical feature are distinguished by "first", "second", "third", "A", "B", "C", and "D", and the technical features described by "first", "second", "third", "A", "B", "C", and "D" have no order of sequence or magnitude.
As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
Furthermore, it is to be understood that the various embodiments of the application may be practiced alone or in combination with other embodiments where the schemes allow.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (29)
1. An application authentication and key management (AKMA) application key request method under a roaming condition of a user equipment (UE), wherein the method is applied to an application function (AF) and comprises:
   - sending an AKMA application key request to a first network element in the home network corresponding to the UE, or to a second network element in the serving network corresponding to the UE, according to whether the network to which the AF is connected is the home network of the UE in a roaming state.
2. The method according to claim 1, wherein the serving network is the serving network used by the UE in a roaming state to establish a connection with the AF.
3. The method according to claim 1, wherein, before sending the AKMA application key request to the first network element in the home network corresponding to the UE or to the second network element in the serving network corresponding to the UE according to whether the network to which the AF is connected is the home network of the UE in a roaming state, the method further comprises determining whether the UE is in a roaming state, the determining comprising:
   - receiving an application session establishment request sent by the UE, wherein the application session establishment request comprises an AKMA key identifier;
   - acquiring UE information of the UE from a policy control function, wherein the UE information at least comprises an identifier of the public land mobile network used by the UE to establish the connection with the AF, the access type used by the UE and the radio access technology type used by the UE; and
   - acquiring a home network identifier from the AKMA key identifier, and determining whether the UE is in a roaming state according to the home network identifier and the identifier of the public land mobile network used by the UE to establish the connection with the AF.
4. The method according to claim 3, wherein determining whether the UE is in a roaming state according to the home network identifier and the identifier of the public land mobile network used by the UE to establish the connection with the AF comprises:
   - extracting a first mobile country code and a first mobile network code from the home network identifier;
   - extracting a second mobile country code and a second mobile network code from the identifier of the public land mobile network used by the UE to establish the connection with the AF; and
   - determining that the UE is in a roaming state if the first mobile country code differs from the second mobile country code and/or the first mobile network code differs from the second mobile network code.
5. The method according to claim 2, wherein, in response to the UE being in a roaming state and the AF being connected to the home network corresponding to the UE, sending the AKMA application key request to the first network element in the home network corresponding to the UE specifically comprises:
   - in response to the AF not having an AKMA application key associated with the AKMA key identifier, sending a first AKMA application key request carrying at least the UE information and the AKMA key identifier to the first network element in the home network corresponding to the UE; and
   - receiving a first AKMA application key response, or an error response indicating failure of the AKMA key request, sent by the first network element in response, wherein the first AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key.
6. The method according to claim 5, further comprising, before sending the first AKMA application key request carrying at least the UE information and the AKMA key identifier to the first network element in the home network corresponding to the UE:
   - determining whether the current AF is in a third generation partnership project (3GPP) operator domain; and
   - if not, sending the first AKMA application key request carrying at least the UE information and the AKMA key identifier to the first network element in the home network corresponding to the UE comprises sending a first AKMA application key request carrying at least the UE information, the AKMA key identifier and an AKMA application identifier to the first network element in the home network corresponding to the UE through a network exposure function (NEF).
7. The method according to claim 2, wherein, in response to the UE being in a roaming state and the AF being connected to the serving network corresponding to the UE, sending the AKMA application key request to the second network element in the serving network corresponding to the UE specifically comprises:
   - in response to the AF not having an AKMA application key associated with the AKMA key identifier, sending a second AKMA application key request carrying at least the UE information and the AKMA key identifier to the second network element in the serving network corresponding to the UE; and
   - receiving a second AKMA application key response, or an error response indicating failure of the AKMA key request, sent by the second network element in response, wherein the second AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key.
8. The method according to claim 7, further comprising, before sending the second AKMA application key request carrying at least the UE information and the AKMA key identifier to the second network element in the serving network corresponding to the UE:
   - determining whether the current AF is in a 3GPP operator domain; and
   - if not, sending the second AKMA application key request carrying at least the UE information and the AKMA key identifier to the second network element in the serving network corresponding to the UE comprises sending a second AKMA application key request carrying at least the UE information, the AKMA key identifier and an AKMA application identifier to the second network element in the serving network corresponding to the UE through a network exposure function (NEF).
9. The method according to any one of claims 5 to 8, further comprising:
   - sending an application session establishment response to the UE according to one of the first AKMA application key response and the second AKMA application key response; or
   - sending an error response indicating failure of application session establishment to the UE according to the error response indicating failure of the AKMA key request.
10. An AKMA application key request method under a roaming condition of a UE, wherein the method is applied to a first network element in the home network corresponding to the UE and comprises:
   - in response to the UE being in a roaming state and an AKMA application key request being initiated by an AF of the home network corresponding to the UE, sending a first AKMA application key response relating to the AKMA application key to the AF, and simultaneously sending an AKMA application key confirmation request message to a second network element in the serving network corresponding to the UE; and
   - in response to the UE being in a roaming state and the AKMA application key request being initiated by a second network element of the serving network corresponding to the UE, sending a second AKMA application key response relating to the AKMA application key to the second network element in the serving network corresponding to the UE.
11. The method according to claim 10, wherein the first network element is an AKMA anchor function (AAnF) in the serving network corresponding to the UE.
12. The method according to claim 10, wherein, in response to the UE being in a roaming state and the AKMA application key request being initiated by the AF of the home network corresponding to the UE, sending the first AKMA application key response relating to the AKMA application key to the AF comprises:
   - receiving a first AKMA application key request sent by the AF of the home network corresponding to the UE, wherein the first AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and is sent by the AF when the AF is connected to the home network corresponding to the UE and does not have an AKMA application key associated with the AKMA key identifier;
   - determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request;
   - if yes, deriving an AKMA application key from the AKMA anchor key and, when the AF is connected to the home network corresponding to the UE, sending the first AKMA application key response relating to the AKMA application key to the AF, wherein the first AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key; and
   - if not, sending, when the AF is connected to the home network corresponding to the UE, an error response indicating failure of the AKMA key request to the AF.
13. The method according to claim 12, wherein, before determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request, the method further comprises:
   - receiving an AKMA application identifier sent by the AF, wherein the AKMA application identifier is sent by the AF when it determines that the current AF is not in a 3GPP operator domain;
   - determining, according to a first preset configuration policy and the AKMA application identifier, whether the current first network element can provide service to the AF;
   - if yes, determining whether an AKMA anchor key exists for the AKMA key identifier carried in the first AKMA application key request; and
   - if not, rejecting the first AKMA application key request.
14. The method according to claim 10, wherein, in response to the UE being in a roaming state and the AKMA application key request being initiated by the AF of the home network corresponding to the UE, sending the AKMA application key confirmation request message to the second network element in the serving network corresponding to the UE comprises:
   - sending an AKMA application key confirmation request message to the second network element in the serving network corresponding to the UE, wherein the AKMA application key confirmation request message at least comprises an AKMA application identifier, a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key; and
   - receiving an AKMA application key confirmation response sent by the second network element in the serving network corresponding to the UE.
15. The method according to claim 10, wherein, in response to the UE being in a roaming state and the AKMA application key request being initiated by the second network element of the serving network corresponding to the UE, sending the second AKMA application key response relating to the AKMA application key to the second network element of the serving network corresponding to the UE comprises:
   - receiving a second AKMA application key request relayed by the second network element in the serving network corresponding to the UE, wherein the second AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and is sent by the AF when the AF is connected to the serving network corresponding to the UE and does not have an AKMA application key associated with the AKMA key identifier;
   - determining whether an AKMA anchor key exists for the AKMA key identifier carried in the second AKMA application key request;
   - if yes, deriving an AKMA application key from the AKMA anchor key and sending the AKMA application key to the second network element in the serving network corresponding to the UE, so that the second network element, when the AF is connected to the serving network corresponding to the UE, sends a second AKMA application key response relating to the AKMA application key to the AF, wherein the second AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key; and
   - if not, sending an error response indicating failure of the AKMA key request to the second network element in the serving network corresponding to the UE.
16. The method according to any one of claims 14 to 15, further comprising determining, according to a first preset configuration policy, whether the current first network element has the function of providing service to the second network element.
17. The method according to any one of claims 10 to 15, further comprising acquiring a home network identifier of the UE according to the AKMA key identifier, acquiring the identifier of the public land mobile network used by the UE to establish the connection with the AF according to the UE information, and determining whether the UE is in a roaming state according to the home network identifier and the identifier of the public land mobile network used by the UE to establish the connection with the AF.
18. An AKMA application key request method under a roaming condition of a UE, wherein the method is applied to a second network element in the serving network corresponding to the UE and comprises:
   - receiving a second AKMA application key request sent by an AF, wherein the second AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and is sent when the UE is in a roaming state, the AF is connected to the serving network corresponding to the UE and the AF does not have an AKMA application key associated with the AKMA key identifier;
   - relaying the second AKMA application key request to a first network element in the home network corresponding to the UE;
   - receiving a second AKMA application key response, or an error response indicating failure of the AKMA key request, sent by the first network element in the home network corresponding to the UE, wherein the second AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key; and
   - relaying, when the AF is connected to the serving network corresponding to the UE, the second AKMA application key response or the error response indicating failure of the AKMA key request to the AF.
19. The method according to claim 18, wherein the second network element is an AKMA anchor function proxy (AAnFproxy) in the serving network corresponding to the UE.
20. The method according to claim 18, wherein, before relaying the second AKMA application key request to the first network element in the home network corresponding to the UE, the method further comprises:
   - receiving an AKMA application identifier sent by the AF, wherein the AKMA application identifier is sent by the AF when it determines that the current AF is not in a 3GPP operator domain;
   - determining, according to a second preset local configuration policy and the AKMA application identifier, whether the first network element in the home network corresponding to the UE can provide service to the AF;
   - if yes, relaying the second AKMA application key request to the first network element in the home network corresponding to the UE; and
   - if not, rejecting the second AKMA application key request.
21. The method according to claim 18, further comprising:
   - receiving an AKMA application key confirmation request message sent by the first network element in the home network corresponding to the UE, wherein the AKMA application key confirmation request message at least comprises an AKMA application identifier, a subscription permanent identifier, a generic public subscription identifier, an AKMA application key and the expiration time of the AKMA application key, and is sent when the first network element in the home network corresponding to the UE confirms, according to the UE information of the UE, that the UE is in the serving network and has established a connection with an AF connected to the home network corresponding to the UE; and
   - storing the AKMA application key confirmation request message, and sending an AKMA application key confirmation response to the first network element in the home network corresponding to the UE.
22. The method according to any one of claims 18 to 20, further comprising determining, according to a second preset configuration policy, whether the current second network element can provide service to the AF.
23. An AKMA application key request method under a roaming condition of a UE, wherein the method is applied to a network exposure function (NEF) and comprises:
   - in response to an application function (AF) not being in the 3GPP operator domain, sending a first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a first network element in the home network corresponding to the UE; or alternatively,
   - in response to the AF not being in the 3GPP operator domain, sending a second AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a second network element in the serving network corresponding to the UE.
24. An AKMA application key requesting device under a roaming condition of a UE, characterized in that the device is applied to an application function (AF) and comprises:
   - a sending module, configured to send an AKMA application key request to a first network element in the home network corresponding to the UE, or to a second network element in the serving network corresponding to the UE, according to whether the network to which the AF is connected is the home network of the UE in a roaming state.
25. An AKMA application key requesting device under a roaming condition of a UE, wherein the device is applied to a first network element in the home network corresponding to the UE and comprises:
   - a sending module, configured to, in response to the UE being in a roaming state and an AKMA application key request being initiated by an application function (AF) of the home network corresponding to the UE, send a first AKMA application key response relating to the AKMA application key to the AF, and send an AKMA application key confirmation request message to a second network element in the serving network corresponding to the UE;
   - the sending module being further configured to, in response to the UE being in a roaming state and the AKMA application key request being initiated by the second network element of the serving network corresponding to the UE, send a second AKMA application key response relating to the AKMA application key to the second network element in the serving network corresponding to the UE.
26. An AKMA application key requesting device under a roaming condition of a UE, wherein the device is applied to a second network element in the serving network corresponding to the UE and comprises:
   - a receiving module, configured to receive a second AKMA application key request sent by an application function (AF), wherein the second AKMA application key request at least carries UE information of the UE and an AKMA key identifier, and is sent when the UE is in a roaming state, the AF is connected to the serving network corresponding to the UE and the AF does not have an AKMA application key associated with the AKMA key identifier;
   - a relay module, configured to relay the second AKMA application key request to a first network element in the home network corresponding to the UE;
   - the receiving module being further configured to receive a second AKMA application key response, or an error response indicating failure of the AKMA key request, sent by the first network element in the home network corresponding to the UE, wherein the second AKMA application key response at least comprises a subscription permanent identifier, a generic public subscription identifier, the AKMA application key and the expiration time of the AKMA application key;
   - the relay module being further configured to relay, when the AF is connected to the serving network corresponding to the UE, the second AKMA application key response or the error response indicating failure of the AKMA key request to the AF.
27. An AKMA application key requesting device under a roaming condition of a UE, characterized in that the device is applied to a network exposure function (NEF) and comprises:
   - a sending module, configured to, in response to an application function (AF) not being in the 3GPP operator domain, send a first AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a first network element in the home network corresponding to the UE; or alternatively,
   - the sending module being configured to, in response to the AF not being in the 3GPP operator domain, send a second AKMA application key request carrying at least UE information, an AKMA key identifier and an AKMA application identifier to a second network element in the serving network corresponding to the UE.
28. A communication device, comprising: a transceiver; a memory; and a processor coupled to the transceiver and to the memory, configured to control wireless signal transceiving of the transceiver and to implement the method of any one of claims 1 to 23 by executing computer-executable instructions stored in the memory.
29. A computer storage medium storing computer-executable instructions which, when executed by a processor, are capable of implementing the method of any one of claims 1 to 23.
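Claims 1 and 3 to 8 describe, from the AF side, how roaming is detected from the AKMA key identifier and the serving PLMN, and where the key request then goes. The following is an added example, not code from the patent or from any 3GPP implementation: it assumes the A-KID realm format of 3GPP TS 33.535 (`5g-akma.mnc<MNC>.mcc<MCC>.3gppnetwork.org`), passes the serving PLMN, the AF's PLMN and the operator-domain flag in directly instead of fetching UE information from the PCF, and uses constructed A-KID and PLMN values throughout.

```python
"""Added example (not the patent's own code): the roaming check and the
AKMA application key request routing of claims 1 and 3-8, seen from the AF.

Assumptions, labelled here and in the comments:
- The AKMA key identifier (A-KID) is in NAI form username@realm with realm
  5g-akma.mnc<MNC>.mcc<MCC>.3gppnetwork.org (3GPP TS 33.535), which is how
  the home network identifier is acquired from the A-KID (claim 3). Every
  A-KID and PLMN value used with this code is constructed.
- The serving PLMN identifier, the AF's own PLMN and the operator-domain
  flag are passed in directly; the PCF lookup of claim 3 is not modelled.
"""
from dataclasses import dataclass
import re

# Realm of an AKMA A-KID (assumed NAI format); the MNC has 2 or 3 digits.
_AKMA_REALM = re.compile(
    r"^5g-akma\.mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PlmnId:
    """Public land mobile network identifier: MCC and MNC (claim 4)."""
    mcc: str
    mnc: str

    def normalized(self) -> "PlmnId":
        # Assumption: a 2-digit MNC is zero-padded to 3 digits, as it is in
        # the 3gppnetwork.org realm, so "01" and "001" denote the same PLMN.
        return PlmnId(self.mcc, self.mnc.zfill(3))


def home_plmn_from_akid(a_kid: str) -> PlmnId:
    """Claim 3: acquire the home network identifier from the A-KID realm."""
    if "@" not in a_kid:
        raise ValueError("A-KID is not in username@realm form")
    match = _AKMA_REALM.match(a_kid.rsplit("@", 1)[1])
    if match is None:
        raise ValueError("A-KID realm is not an AKMA realm")
    return PlmnId(mcc=match["mcc"], mnc=match["mnc"])


def same_plmn(a: PlmnId, b: PlmnId) -> bool:
    a, b = a.normalized(), b.normalized()
    return a.mcc == b.mcc and a.mnc == b.mnc


def is_roaming(home: PlmnId, serving: PlmnId) -> bool:
    """Claim 4: roaming if the MCCs differ and/or the MNCs differ."""
    return not same_plmn(home, serving)


@dataclass(frozen=True)
class RequestTarget:
    roaming: bool
    target: str          # "home_aanf" (first element), "serving_aanf_proxy" (second) or "cached"
    via_nef: bool        # claims 6 and 8: an AF outside the 3GPP operator domain goes via the NEF
    needs_request: bool  # False when the AF already holds a valid key for this A-KID (claims 5, 7)


def select_request_target(a_kid: str, serving_plmn: PlmnId, af_plmn: PlmnId,
                          af_in_operator_domain: bool, key_cache: dict,
                          now: int) -> RequestTarget:
    """Claim 1: choose where the AF sends its AKMA application key request.

    key_cache maps an A-KID to the expiration time (epoch seconds) of the
    AKMA application key the AF received earlier (claims 5 and 7).
    """
    home = home_plmn_from_akid(a_kid)
    roaming = is_roaming(home, serving_plmn)
    expiry = key_cache.get(a_kid)
    if expiry is not None and expiry > now:
        # Claims 5 and 7 send a request only when no associated key is held.
        return RequestTarget(roaming, "cached", False, False)
    via_nef = not af_in_operator_domain
    if not roaming or same_plmn(af_plmn, home):
        # Non-roaming UE, or a roaming UE whose AF is connected to its home
        # network (claim 5): the first network element, the home AAnF.
        return RequestTarget(roaming, "home_aanf", via_nef, True)
    if same_plmn(af_plmn, serving_plmn):
        # Roaming UE whose AF is connected to the serving network (claim 7):
        # the second network element, the AAnF proxy of the serving network.
        return RequestTarget(roaming, "serving_aanf_proxy", via_nef, True)
    raise ValueError("AF is connected to neither the home nor the serving network")
```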
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2022/099963 WO2023245387A1 (en) | 2022-06-20 | 2022-06-20 | Authentication and key management for applications (akma) application key request method and apparatus under user equipment (ue) roaming condition |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117616789A true CN117616789A (en) | 2024-02-27 |
Family
ID=89378986
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202280002210.7A Pending CN117616789A (en) | 2022-06-20 | 2022-06-20 | Application authentication and key management AKMA application program key request method and device under User Equipment (UE) roaming condition |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117616789A (en) |
WO (1) | WO2023245387A1 (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020145064A1 (en) * | 2019-01-11 | 2020-07-16 | Nec Corporation | A method and a device for enabling key re-usage in a communication network |
US12075244B2 (en) * | 2019-03-01 | 2024-08-27 | Nec Corporation | Method for synchronization of home network key |
WO2020249861A1 (en) * | 2019-06-08 | 2020-12-17 | Nokia Technologies Oy | Communication security between user equipment and third-party application using communication network-based key |
KR20220114638A (en) * | 2020-01-16 | 2022-08-17 | 지티이 코포레이션 | Method, device, and system for updating an anchor key in a communication network for encrypted communication with a service application |
CN113543126B (en) * | 2020-03-31 | 2023-02-28 | 华为技术有限公司 | Key obtaining method and device |
2022
- 2022-06-20 WO PCT/CN2022/099963 patent/WO2023245387A1/en active Application Filing
- 2022-06-20 CN CN202280002210.7A patent/CN117616789A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
WO2023245387A1 (en) | 2023-12-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11071043B2 (en) | Enhanced handling on forbidden PLMN list | |
CN114788316A (en) | Network control method for sending UE strategy | |
CN112566050A (en) | Cellular service account transfer for an accessory wireless device | |
CN114557031B (en) | Method for moving PDU session on non-3 GPP to 3GPP access | |
US20230047849A1 (en) | Address obtaining method and apparatus | |
JP2019525549A (en) | Method for remote provisioning of user equipment in a cellular network | |
CN113498060A (en) | Method, device, equipment and storage medium for controlling network slice authentication | |
CN105722072A (en) | Business authorization method, device, system and router | |
US9467856B2 (en) | Secure mechanism for obtaining authorization for a discovered location server | |
CN117616789A (en) | Application authentication and key management AKMA application program key request method and device under User Equipment (UE) roaming condition | |
WO2011079386A1 (en) | Method for unlocking a secure device | |
CN117616792A (en) | Secure communication method and device | |
CN114946231A (en) | Techniques to manage access and mobility management function (AMF) relocation | |
EP4049471A1 (en) | Chip, device and method for maintaining a connection to at least one network | |
WO2024138389A1 (en) | Relay communication processing method, and apparatus | |
CN114128329A (en) | Method and apparatus for utilizing the open functionality of a wireless communication network | |
CN113904781A (en) | Slice authentication method and system | |
EP4543065A1 (en) | Method and apparatus for authentication of user equipment in wireless communication system | |
CN118120201A (en) | Access authentication method and device for private internet of things (PINE) | |
EP4525497A1 (en) | Key management method and apparatus, device, and storage medium | |
CN118575521A (en) | Authorization method, device, equipment and storage medium for network slice | |
CN118525560A (en) | User position information credibility determining method and device | |
WO2018120150A1 (en) | Method and apparatus for connection between network entities | |
WO2024065706A1 (en) | Connection construction method and apparatus | |
WO2024164277A1 (en) | Security processing method and device for relay communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||