CN112087724A - A communication method, network equipment, user equipment and access network equipment - Google Patents
- Publication number: CN112087724A
- Application number: CN201910511766.9A
- Authority: CN (China)
- Prior art keywords: group list, group, access, network device, list
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04W12/00 — Security arrangements; Authentication; Protecting privacy or anonymity (H—Electricity; H04—Electric communication technique; H04W—Wireless communication networks)
- H04W12/02 — Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/08 — Access security
- H04W4/08 — User group management (under H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor; H04W4/06—Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services)
- H04W48/08 — Access restriction or access information delivery, e.g. discovery data delivery (under H04W48/00—Access restriction; Network selection; Access point selection)
- H04W76/11 — Allocation or use of connection identifiers (under H04W76/00—Connection management; H04W76/10—Connection setup)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Multimedia (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
This application provides a communication method, including: a first network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain a first closed-access service identifier group; the first network device determines the subscription group list stored in the unified data management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device. Because the first network device receives the list of groups the UE requests to access in encrypted form and decrypts it, data leakage is avoided and the privacy of the UE is protected.
Description
Technical field
This application relates to the field of communications, and in particular to a communication method, user equipment, access network equipment and network equipment.
Background
A group allows a set of subscribed users of one or more specific cells to access it. Group access requires support from the user equipment (UE), the access network equipment and the core network. When the UE accesses a group, the core network exchanges information with the UE to complete verification. During this information transfer, the signalling that carries the data exchange between the core network device and the UE must be reliable and effective, no data leakage may occur, and the privacy of the UE must be protected.
Summary of the invention
This application provides a communication method, network device, user equipment and access network device that can avoid data leakage and protect the privacy of the UE.
In a first aspect, a communication method is provided, including: a first network device receives an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the first network device decrypts the encrypted first group list to obtain a first closed-access service identifier group; the first network device determines the subscription group list stored in the unified data management (UDM); the first network device determines a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device.
Because the first network device receives the requested-access group list that the UE sends in encrypted form and decrypts it, data leakage is avoided and the privacy of the UE is protected. The first network device sends the identifiers of the groups the UE is allowed to access to the access network device, so the access network device can prepare for data transmission once the UE has accessed a group.
With reference to the first aspect, in some possible implementations, the first network device receiving the encrypted first group list sent by the UE includes: the first network device receives the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message; or the first network device receives the encrypted first group list sent by the UE in an uplink NAS message protected by the NAS security context.
By carrying the encrypted first group list in the NAS SM complete message or in an uplink NAS message protected by the NAS security context, the first group list is transmitted encrypted without adding any extra procedure. Receiving the encrypted first group list in the NAS SM complete message reduces the signalling exchanged between the UE and the first network device and thus the impact on the system.
With reference to the first aspect, in some possible implementations, the method further includes: when the second group list does not exist, the first network device computes a message authentication code from the shared key between the UE and the first network device; the first network device sends a registration reject message to the access network device, and the message authentication code is used by the UE to verify the registration reject message.
With the message authentication code sent by the first network device, the UE can verify the registration reject message, which prevents a forged or modified registration reject message from denying the UE access to the group.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device; and the first network device determining the second group list according to the first group list and the subscription group list includes: the first network device determines the second group list according to the first group list, the third group list and the subscription group list.
By having the first network device check the list of groups supported by the access network device, the list of groups the UE requests to access and the subscription group list against one another, the groups the UE is allowed to access are determined accurately.
With reference to the first aspect, in some possible implementations, the method includes: the first network device receives access group request information sent by the access network device, the access group request information indicating that the UE requests to access a group.
In a second aspect, a communication method is provided, including: a user equipment (UE) encrypts a first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; and the UE sends the encrypted first group list.
Because the UE sends the list of groups it requests to access in encrypted form, data leakage is avoided and the privacy of the UE is protected.
With reference to the second aspect, in some possible implementations, the UE sending the encrypted first group list includes: the UE sends the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the UE sends the encrypted first group list in an uplink NAS message protected by the NAS security context.
The UE sends the encrypted first group list in the NAS SM complete message or in an uplink NAS message protected by the NAS security context, so the first group list is transmitted encrypted without adding any extra procedure. Sending the encrypted first group list in the NAS SM complete message reduces the signalling exchanged between the UE and the first network device and thus the impact on the system.
With reference to the second aspect, in some possible implementations, the method further includes: the UE receives a registration reject message sent by the first network device, the registration reject message including a message authentication code, and the UE verifies the registration reject message using the message authentication code.
By verifying the registration reject message with the message authentication code, the UE avoids being denied access to the group by a forged or modified registration reject message.
With reference to the second aspect, in some possible implementations, the method includes: the UE sends access group request information to the access network device, the access group request information indicating that the UE requests to access a group.
In a third aspect, a communication method is provided, including: an access network device receives an encrypted first group list sent by a user equipment (UE), the first closed-access service identifier group including the identifiers of one or more groups that the UE requests to access; the access network device sends the encrypted first group list; the access network device receives a second group list sent by a first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the access network device sends the quality of service (QoS) of the one or more groups to the UE.
With reference to the third aspect, in some possible implementations, the method includes: the access network device receives access group request information sent by the UE, the access group request information indicating that the UE requests to access a group.
While the UE is accessing a group, the access network device receives from the network device the identifiers of the groups the UE is allowed to access and prepares for the UE's subsequent group access, which reduces system latency.
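The exchange described in the first, second and third aspects, as an added example that is not code from the patent or from any 3GPP implementation: the UE ciphers its requested group list, the first network device decrypts it and keeps only the groups that are also in the UDM subscription list and in the access network device's supported list, and when nothing remains it sends a registration reject carrying a message authentication code that the UE checks before acting on the reject. The keystream (HMAC-SHA256 in counter mode) and the MAC construction are stand-ins for the real NAS ciphering and integrity algorithms, and the keys, COUNT values and `cag-*` identifiers are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional, Set, Tuple

# Constructed demo keys; stand-ins for the NAS ciphering key and the UE/network shared key.
NAS_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SHARED_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)


def _keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode PRF keystream (HMAC-SHA256), a stand-in for a NAS ciphering algorithm."""
    out = b""
    block = 0
    while len(out) < length:
        nonce = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return out[:length]


def nas_cipher(key: bytes, count: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, count, len(data))))


def ue_encrypt_group_list(requested: Set[str], count: int) -> bytes:
    """Second aspect: the UE ciphers its first group list under the NAS security context."""
    return nas_cipher(NAS_KEY, count, json.dumps(sorted(requested)).encode())


def amf_determine_second_group_list(encrypted_first: bytes, count: int,
                                    subscribed: Set[str],
                                    ran_supported: Optional[Set[str]] = None) -> Set[str]:
    """First aspect: decrypt the first group list, then keep only groups that the UDM
    subscription allows and, if the RAN sent a third group list, that the RAN supports."""
    first = set(json.loads(nas_cipher(NAS_KEY, count, encrypted_first).decode()))
    second = first & subscribed
    if ran_supported is not None:
        second &= ran_supported
    return second


def amf_build_registration_reject(count: int) -> Tuple[bytes, bytes]:
    """Reject path: message plus a MAC computed from the shared key (truncated to 128 bits)."""
    msg = b"REGISTRATION REJECT cause=no-allowed-group count=" + count.to_bytes(4, "big")
    mac = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:16]
    return msg, mac


def ue_verify_registration_reject(msg: bytes, mac: bytes) -> bool:
    """UE side: recompute the MAC and compare in constant time; a forged or altered reject fails."""
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, mac)


def run_group_access(requested: Set[str], subscribed: Set[str],
                     ran_supported: Set[str], count: int = 1):
    """Drive the exchange end to end: ('allowed', second_list) or ('rejected', mac_verified)."""
    encrypted = ue_encrypt_group_list(requested, count)
    second = amf_determine_second_group_list(encrypted, count, subscribed, ran_supported)
    if second:
        return "allowed", second
    msg, mac = amf_build_registration_reject(count)
    return "rejected", ue_verify_registration_reject(msg, mac)


if __name__ == "__main__":
    print(run_group_access({"cag-1", "cag-2", "cag-3"}, {"cag-2", "cag-3", "cag-9"}, {"cag-3", "cag-9"}))
    print(run_group_access({"cag-1"}, {"cag-2"}, {"cag-1", "cag-2"}))
```

Two failure modes worth noting: if the UE and the network disagree on the NAS COUNT used for ciphering, the decrypted bytes are not valid JSON and `json.loads` raises, which is the correct outcome (the list must not be guessed); and a reject message whose MAC does not verify returns `False`, so a UE following the second aspect would not treat it as a genuine rejection.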
In a fourth aspect, a network device is provided, including a transceiver module, a decryption module and a determination module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the decryption module is configured to decrypt the encrypted first group list to obtain a first closed-access service identifier group; the determination module is configured to determine the subscription group list stored by the unified data management (UDM) network element; the determination module is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and the transceiver module is further configured to send the second group list to the access network device when the second group list exists.
With reference to the fourth aspect, in some possible implementations, the transceiver module is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
With reference to the fourth aspect, in some possible implementations, the network device further includes a computing module configured to compute a message authentication code from the shared key between the UE and the first network device when the second group list does not exist; and the transceiver module is further configured to send a registration reject message to the access network device, the message authentication code being used by the UE to verify the registration reject message.
With reference to the fourth aspect, in some possible implementations, the transceiver module is further configured to receive a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device, and the determination module is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In a fifth aspect, a user equipment is provided, including an encryption module and a transceiver module. The encryption module is configured to encrypt a first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; and the transceiver module is configured to send the encrypted first group list.
With reference to the fifth aspect, in some possible implementations, the transceiver module is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the transceiver module is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the fifth aspect, in some possible implementations, the transceiver module is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message authentication code; and the user equipment further includes a verification module configured to verify the registration reject message using the message authentication code.
In a sixth aspect, an access network device is provided, including a transceiver module and a generation module. The transceiver module is configured to receive an encrypted first group list sent by a user equipment (UE), the first closed-access service identifier group including the identifiers of one or more groups that the UE requests to access; the transceiver module is further configured to send the encrypted first group list; the transceiver module is further configured to receive a second group list sent by a first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; the generation module is configured to generate quality of service (QoS) information for the one or more groups according to their identifiers; and the transceiver module is further configured to send the QoS information to the UE.
In a seventh aspect, a network device is provided, including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first group list including the identifiers of one or more groups that the UE requests to access; the processor is configured to decrypt the encrypted first group list to obtain a first closed-access service identifier group; the processor is further configured to determine the subscription group list stored by the unified data management (UDM) network element; the processor is further configured to determine a second group list according to the first group list and the subscription group list, the second group list including the identifiers of the groups that the UE is allowed to access; and when the second group list exists, the first network device sends the second group list to the access network device.
With reference to the seventh aspect, in some possible implementations, the communication interface is configured to receive the encrypted first group list sent by the UE in a non-access stratum (NAS) security mode (SM) complete message.
With reference to the seventh aspect, in some possible implementations, when the second group list does not exist, the processor is further configured to compute a message authentication code from the shared key between the UE and the first network device; and the communication interface is further configured to send a registration reject message to the access network device, the message authentication code being used by the UE to verify the registration reject message.
With reference to the seventh aspect, in some possible implementations, the communication interface is further configured to receive a third group list sent by the access network device, the third group list including the identifiers of the groups supported by the access network device, and the processor is configured to determine the second group list according to the first group list, the third group list and the subscription group list.
In an eighth aspect, a user equipment is provided, including a processor and a communication interface. The processor is configured to encrypt a first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, the first group list including the identifiers of one or more groups that the UE requests to access; and the communication interface is configured to send the encrypted first group list.
With reference to the eighth aspect, in some possible implementations, the communication interface is configured to send the encrypted first group list to the first network device in a NAS security mode (SM) complete message; or the communication interface is configured to send the encrypted first group list in an uplink NAS message protected by the NAS security context.
With reference to the eighth aspect, in some possible implementations, the communication interface is further configured to receive a registration reject message sent by the first network device, the registration reject message including a message authentication code that the UE uses to verify the registration reject message.
In a ninth aspect, an access network device is provided, including a processor and a communication interface. The communication interface is configured to receive an encrypted first group list sent by a user equipment (UE), the first closed-access service identifier group including the identifiers of one or more groups that the UE requests to access; the communication interface is further configured to send the encrypted first group list; the communication interface is further configured to receive a second group list sent by a first network device, the second group list including the identifiers of one or more groups that the UE is allowed to access; and the communication interface is further configured to send the quality of service (QoS) of the one or more groups to the UE.
In a tenth aspect, a communication system is provided, including the access network device, the network device and the user equipment described above.
In an eleventh aspect, a computer program storage medium is provided, the storage medium holding program instructions that, when executed, cause the method described above to be performed.
In a twelfth aspect, a chip is provided, the chip including at least one processor; when program instructions are executed by the at least one processor, the method described above is performed.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network architecture to which the method provided by the embodiments of this application applies.
FIG. 2 is a schematic flowchart of a method by which a terminal device accesses a group.
FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of this application.
FIG. 4 is a schematic flowchart of access stratum security mode establishment.
FIG. 5 is a schematic flowchart of non-access stratum security mode establishment.
FIG. 6 is a schematic flowchart of authentication.
FIG. 7 is a schematic flowchart of a communication method provided by another embodiment of this application.
FIG. 8 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 9 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 10 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 11 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 12 is a schematic flowchart of a communication method provided by yet another embodiment of this application.
FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of this application.
FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of this application.
FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of this application.
FIG. 16 is a schematic structural diagram of a user equipment provided by another embodiment of this application.
FIG. 17 is a schematic structural diagram of a network device provided by another embodiment of this application.
FIG. 18 is a schematic structural diagram of an access network device provided by another embodiment of this application.
具体实施方式Detailed ways
下面将结合附图,对本申请中的技术方案进行描述。The technical solutions in the present application will be described below with reference to the accompanying drawings.
本申请实施例的技术方案可以应用于各种通信系统,例如:全球移动通信(globalsystem for mobile communications,GSM)系统、码分多址(code division multipleaccess,CDMA)系统、宽带码分多址(wideband code division multiple access,WCDMA)系统、通用分组无线业务(general packet radio service,GPRS)、长期演进(long termevolution,LTE)系统、LTE频分双工(frequency division duplex,FDD)系统、LTE时分双工(time division duplex,TDD)、通用移动通信系统(universal mobiletelecommunication system,UMTS)、全球互联微波接入(worldwide interoperabilityfor microwave access,WiMAX)通信系统、未来的第五代(5th generation,5G)系统或新无线(new radio,NR)等。The technical solutions of the embodiments of the present application can be applied to various communication systems, for example, a global system for mobile communications (GSM) system, a code division multiple access (CDMA) system, a wideband code division multiple access (wideband) system code division multiple access (WCDMA) system, general packet radio service (GPRS), long term evolution (long termevolution, LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (time division duplex, TDD), universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, future fifth generation (5th generation, 5G) system or new Wireless (new radio, NR) and so on.
应理解,本申请实施例并未对本申请实施例提供的方法的执行主体的具体结构特别限定,只要能够通过运行记录有本申请实施例的提供的方法的代码的程序,以根据本申请实施例提供的方法进行通信即可,例如,本申请实施例提供的方法的执行主体可以是终端或网络设备,或者,是UE或网络设备中能够调用程序并执行程序的功能模块。It should be understood that the embodiments of the present application do not specifically limit the specific structure of the execution body of the methods provided by the embodiments of the present application, as long as the program in which the codes of the methods provided by the embodiments of the present application are recorded can be executed according to the embodiments of the present application. The provided method only needs to perform communication. For example, the execution subject of the method provided by the embodiment of the present application may be a terminal or a network device, or a functional module in a UE or a network device that can call a program and execute the program.
为便于理解本申请实施例,首先结合图1详细说明本申请实施例的一个应用场景。To facilitate understanding of the embodiments of the present application, an application scenario of the embodiments of the present application is first described in detail with reference to FIG. 1 .
图1是适用于本申请实施例提供的方法的网络架构的示意图。图1所示的网络架构具体可以包括下列网元:FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. The network architecture shown in Figure 1 may specifically include the following network elements:
1、用户设备(user equipment,UE):可以称终端设备、终端、接入终端、用户单元、用户站、移动站、移动台、远方站、远程终端、移动设备、用户终端、无线通信设备、用户代理或用户装置。UE还可以是蜂窝电话、无绳电话、会话启动协议(session initiationprotocol,SIP)电话、无线本地环路(wireless local loop,WLL)站、个人数字助理(personal digital assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备,未来5G网络中的终端设备或者未来演进的公用陆地移动通信网络(public land mobile network,PLMN)中的终端设备等,还可以是端设备,逻辑实体,智能设备,如手机,智能终端等终端设备,或者服务器,网关,基站,控制器等通信设备,或者物联网设备,如传感器,电表,水表等物联网(Internet ofthings,IoT)设备。UE还可以是有线设备,如计算机、笔记本电脑等。本申请实施例对此并不限定。1. User equipment (UE): can be called terminal equipment, terminal, access terminal, subscriber unit, subscriber station, mobile station, mobile station, remote station, remote terminal, mobile equipment, user terminal, wireless communication equipment, User Agent or User Device. The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a wireless communication capable Handheld devices, computing devices or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, end devices in future 5G networks or end devices in future evolved public land mobile networks (PLMN) It can also be terminal devices, logical entities, smart devices, such as terminal devices such as mobile phones and smart terminals, or communication devices such as servers, gateways, base stations, controllers, or IoT devices, such as sensors, electricity meters, water meters, etc. (Internet of things, IoT) devices. The UE may also be a wired device, such as a computer, a laptop, and the like. This embodiment of the present application does not limit this.
2. Access network (AN): provides network access for authorized users in a specific area and can use transmission tunnels of different quality according to the user's level, service requirements, etc. The access network may use different access technologies. There are currently two types of radio access technology: 3rd Generation Partnership Project (3GPP) access technologies (for example, the radio access technologies used in 3G, 4G or 5G systems) and non-3GPP access technologies. 3GPP access technology refers to access technology that conforms to 3GPP standard specifications; an access network using 3GPP access technology is called a radio access network (RAN), and the access network device in a 5G system is called a next generation Node B (gNB). Non-3GPP access technology refers to access technology that does not conform to 3GPP standard specifications, for example the air interface technology represented by a Wi-Fi access point (AP).
An access network that implements the access network function based on wired communication technology may be called a wired access network.
An access network that implements the access network function based on wireless communication technology may be called a radio access network (RAN). The radio access network manages radio resources, provides access services for terminals, and thereby forwards control signalling and user data between the terminal and the core network.
The radio access network may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a Wi-Fi system; it may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network or in a future evolved PLMN, etc. The embodiments of this application do not limit the specific technology or the specific device form used by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management, etc.; it can be used to implement the functions of the mobility management entity (MME) other than session management, such as lawful interception and access authorization (or authentication). In the embodiments of this application, it may be used to implement the functions of the access and mobility management network element.
4. Session management function (SMF) entity: mainly used for session management, allocation and management of the UE's Internet protocol (IP) address, selection of a manageable user plane function, policy control, the termination point of the charging function interface, downlink data notification, etc. In the embodiments of this application, it may be used to implement the functions of the session management network element.
5. User plane function (UPF) entity: that is, the data plane gateway. It may be used for packet routing and forwarding, quality of service (QoS) handling of user plane data, etc. User data reaches a data network (DN) through this network element. In the embodiments of this application, it may be used to implement the functions of the user plane gateway.
6. Data network (DN): a network for transmitting data, for example an operator's service network, the Internet, or a third-party service network.
7. Authentication server function (AUSF) entity: mainly used for user authentication and the like.
8. Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions to external parties.
9. Network function (NF) repository function (NRF) entity: used to store descriptions of network function entities and the services they provide, and to support service discovery, network element entity discovery, etc.
10. Policy control function (PCF) entity: a unified policy framework for guiding network behaviour; it provides policy rule information to control plane function network elements (for example AMF and SMF network elements).
11. Unified data management (UDM) entity: used for handling user identification, access authentication, registration, mobility management, etc.
12. Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, or interacting with the policy framework for policy control, etc.
In this network architecture, the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and the AMF entity and is used, for example, for sending non-access stratum (NAS) messages; the N3 interface is the reference point between the (R)AN and the UPF entity and is used for transmitting user plane data; the N4 interface is the reference point between the SMF entity and the UPF entity and is used for transmitting information such as the tunnel identification of the N3 connection, data buffering indications, and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the DN and is used for transmitting user plane data.
The interface names between the network elements in FIG. 1 are only an example; in a specific implementation the interfaces may have other names, which this application does not specifically limit. In addition, the names of the messages (or signalling) transmitted between the above network elements are only an example and do not limit the function of the messages themselves.
It should be understood that the network architecture described above is only an example described from the perspective of a traditional point-to-point architecture and a service-based architecture; the network architecture applicable to the embodiments of this application is not limited thereto, and any network architecture that can implement the functions of the above network elements is applicable to the embodiments of this application.
It should also be understood that the AMF, SMF, UPF, NSSF, NEF, AUSF, NRF, PCF and UDM network elements shown in FIG. 1 can all be understood as core network elements that implement different functions; for example, they may be combined into network slices as required. These core network elements may be separate devices, or may be integrated into the same device to implement different functions; this application does not limit this. A device that performs the functions of a core network element may also be called a core network device or a network device.
The above names are only used to distinguish different functions and do not mean that these network elements are separate physical devices. This application does not limit the specific form of the above network elements; for example, they may be integrated into the same physical device or may be different physical devices. In addition, the above names are only for ease of distinguishing different functions and should not constitute any limitation on this application; this application does not exclude the possibility of using other names in 5G networks and other future networks. For example, in a 6G network, some or all of the above network elements may keep the 5G terminology or may adopt other names. This is explained here once and is not repeated below.
For ease of understanding, before the embodiments of this application are described, several terms involved in this application are briefly introduced.
1. Authentication and key agreement (AKA): when the user powers on and initiates registration, the UE can carry out the AKA procedure with the network. The AKA procedure achieves mutual authentication between the terminal and the network and brings the terminal and network keys into agreement, which is what makes secure communication between the two possible.
2. Key KSEAF: the key sent by the AUSF to the SEAF during UE registration; the SEAF derives KAMF from it and then sends KAMF to the AMF. The SEAF and the AMF may be deployed separately or combined.
3. Key KAMF: the key obtained by the UE and the AMF respectively during UE registration. KAMF is determined from KSEAF. KAMF is associated with a key set identifier in 5G (ngKSI). For example, the UE and the AMF may each store in advance a one-to-one correspondence between at least one KAMF and at least one ngKSI, so that each ngKSI uniquely indicates one KAMF. KAMF can subsequently be used to generate the key KgNB.
4. Key KgNB: a key derived from KAMF, that is, a key that can be determined from KAMF. For example, KgNB may be generated from KAMF using an algorithm such as a key derivation function (KDF).
It should also be understood that the names of the intermediate keys and root keys listed above are chosen only for ease of distinction and should not constitute any limitation on this application; this application does not exclude the possibility of using other names in place of the above intermediate keys or root keys to achieve the same or similar functions.
5. Encryption key: the parameter that the sender inputs when encrypting plaintext with the encryption algorithm to produce ciphertext. With symmetric encryption, the encryption key and the decryption key are the same, and the receiver decrypts the ciphertext with the same encryption algorithm and encryption key. In other words, the sender and the receiver encrypt and decrypt with the same key.
6. Integrity protection key: the parameter that the sender inputs when integrity-protecting plaintext or ciphertext with the integrity protection algorithm. The receiver verifies the integrity of the integrity-protected data with the same integrity protection algorithm and integrity protection key.
7. Security capability: includes but is not limited to security algorithms, security parameters, keys, etc. In the embodiments of this application, security capabilities may include, for example, the security capability of the UE and the security capability of the user plane gateway.
8. Security algorithm: an algorithm used when protecting data, for example encryption/decryption algorithms and integrity protection algorithms.
9. Security context: information that can be used to implement data encryption/decryption and/or integrity protection. A security context may include, for example, encryption/decryption keys, integrity protection keys, freshness parameters (such as the NAS COUNT), the ngKSI, and security algorithms.
An ordinary cell allows all of the operator's legitimate subscribers (and roaming users) to access it. A group, by contrast, allows access only to a group of subscribers of one or more specific cells; that is, the users who may access a group are restricted and conditional. The same user may belong to several groups, that is, may access several groups. Each group corresponds to a group identifier. Group access requires support from the UE, the access network device and the core network.
The embodiments of this application apply to scenarios in which a UE needs to access a group; the group may be, for example, a closed access group (CAG) or a closed subscriber group (CSG). The following description takes CAG as an example.
FIG. 2 is a schematic flowchart of a method by which a UE accesses a group.
The subscription identifier de-concealing function (SIDF) network element may be configured within the unified data management (UDM) network element or deployed independently. In other words, the UDM network element can provide the subscription identifier de-concealing function either through its own SIDF or by invoking an SIDF.
The UE is configured with list 1, which may be called the allowed CAG identification (ID) list. List 1 contains the identifiers of the CAGs that the UE may access.
In step 101, the access network device sends list 2 to the UE. List 2 is the list of CAG IDs supported by the cell; it contains the IDs of the CAGs the cell supports.
The access network device sends list 2 by broadcast. The broadcast content may not be encrypted, that is, every device within the coverage of the access network device can obtain the information it broadcasts. Therefore, every device within the coverage of the access network device can obtain list 2.
The access network device may also send list 2 by unicast. The unicast content may likewise not be encrypted, that is, every device within the coverage of the access network device can obtain the unicast information. Therefore, every device within the coverage of the access network device can obtain list 2.
In step 102, the UE matches list 1 against list 2 and obtains the CAG IDs contained in both, that is, the matching CAG IDs (selected matching CAG IDs). The UE thereby obtains a first matching group, which contains one or more matching CAG IDs. Both list 1 and list 2 contain the CAG IDs of the first matching group; in other words, both list 1 and list 2 include the first matching group.
In step 103, the UE sends registration request (RR) information and the first matching group to the access network device.
The RR information includes a Subscriber Concealed Identifier (SUCI). The SUCI is obtained by encrypting the subscription permanent identifier (SUPI) with the public key corresponding to a home network public key identifier. The home network public key identifier indicates the public and/or private key used for SUPI encryption and SUCI decryption. In other words, the UE uses a protection scheme with the original public key (i.e. the home network public key) to generate the SUCI.
The UDM holds the private key corresponding to the home network public key identifier. The algorithms used for subscriber privacy should be executed in the secure environment of the UDM.
The SIDF de-conceals the SUCI to obtain the SUPI. When the home network public key is used to encrypt the SUPI, the SIDF uses the home network private key, which is securely stored in the home operator's network, to decrypt the SUCI. Decryption should take place in the UDM. Access rights to the SIDF should be defined so that only network elements of the home network are allowed to request the SIDF.
The first matching group is sent through the radio resource control (RRC) layer.
In step 104, the access network device sends the RR information and a second matching group to the access and mobility management function (AMF) network element.
The second matching group may be the same as the first matching group.
Optionally, before step 104, the access network device may match the first matching group against list 2 to obtain the second matching group. The second matching group contains one or more CAG IDs, and both the first matching group and list 2 include the second matching group. This matching by the access network device reduces the probability of CAG registration errors when the UE accesses a CAG.
The RR information and the second matching group are sent over the N2 interface between the access network device and the AMF network element.
Before step 105, the AMF sends an authentication request message carrying the SUCI to the authentication server function (AUSF), and the AUSF in turn sends a request carrying the SUCI to the unified data management (UDM)/subscription identifier de-concealing function (SIDF) network element.
The UDM/SIDF network element determines the UE's SUPI from the SUCI.
In step 105, the authentication and security procedures are carried out.
For the authentication procedure and the security procedure, refer to 3rd Generation Partnership Project (3GPP) technical specification (TS) 33.501 V15.4.0 (2019-03). During authentication, the UDM/SIDF network element generates an authentication vector and sends it to the AUSF network element.
In the authentication procedure, after the authentication exchange among the AUSF network element, the SEAF network element and the UE, the AUSF network element sends the key KSEAF to the SEAF network element. The SEAF network element derives the key KAMF from KSEAF and sends KAMF to the AMF network element. The SEAF network element may also be deployed in the same device as the AMF network element. The SEAF network element sends a key set identifier (KSI) to the UE; the KSI may be the key set identifier in 5G (ngKSI). From this KSI the UE can determine the key KAMF. In this way the UE and the AMF network element come to share the key KAMF. The above is one way of implementing authentication; further evolution of the authentication method and other mutual authentication mechanisms are not excluded, and this patent does not elaborate on them.
After the authentication procedure, the non-access stratum (NAS) security mode command (SMC) and the access stratum (AS) security mode command (SMC) may be carried out.
Before step 106, the UDM/SIDF network element determines the UE's subscription data from the SUPI. Subscription data may also be called subscription information. The UE's subscription data includes list 3, which contains the CAG IDs that the network side allows the UE to access. List 3 contains one or more CAG IDs.
In step 106, the AMF network element receives list 3 sent by the UDM/SIDF network element.
In step 107, the AMF network element matches the second matching group against list 3. The AMF checks whether the second matching group and list 3 contain at least one identical CAG ID; any such identical CAG ID is taken as a target CAG ID.
If a target CAG ID exists, step 108a is performed.
In step 108a, the AMF sends registration accept information to the UE.
If no target CAG ID exists, step 108b is performed.
In step 108b, the AMF sends registration reject information to the UE.
After step 108b, the UE deletes the CAG IDs of the first matching group from list 1.
In the above manner, the UE can be enabled to carry out the corresponding CAG service.
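As an added worked example, not code from the patent, the following Python simulates the matching steps of FIG. 2: list 1 on the UE, list 2 announced by the cell, the first and second matching groups, the AMF check against list 3 from the UDM, and the list 1 clean-up after a reject. The CAG IDs, the SUCI-to-SUPI mapping and the message shapes are constructed values; the RRC, N2 and authentication exchanges are only recorded in a trace, not modelled.

```python
"""Simulation of the CAG access procedure of FIG. 2 (steps 101-108b).

Added example, not part of the patent text. All identifiers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class UE:
    allowed_cag_ids: set   # list 1: allowed CAG ID list configured on the UE
    suci: str              # carried in the registration request (RR)


@dataclass
class Cell:
    supported_cag_ids: set   # list 2, sent by broadcast or unicast (unprotected)
    ran_rematch: bool = True  # optional matching by the access network device


@dataclass
class CoreNetwork:
    subscriptions: dict   # SUPI -> list 3 (subscribed CAG IDs) held by the UDM
    suci_to_supi: dict    # stand-in for SIDF de-concealment of the SUCI


@dataclass
class Outcome:
    first_matching_group: set
    second_matching_group: set
    target_cag_ids: set
    accepted: bool
    trace: list = field(default_factory=list)


def step_102_ue_match(list1: set, list2: set) -> set:
    # first matching group: CAG IDs present in both list 1 and list 2
    return list1 & list2


def step_104_ran_match(first_group: set, list2: set) -> set:
    # second matching group: drops any ID the cell does not actually support
    return first_group & list2


def step_107_amf_match(second_group: set, list3: set) -> set:
    # target CAG IDs: IDs present in both the second matching group and list 3
    return second_group & list3


def run_cag_access(ue: UE, cell: Cell, core: CoreNetwork) -> Outcome:
    trace = []
    list2 = set(cell.supported_cag_ids)
    trace.append(("101", "RAN->UE list 2", sorted(list2)))
    first = step_102_ue_match(ue.allowed_cag_ids, list2)
    trace.append(("102", "UE first matching group", sorted(first)))
    # step 103: RR (with SUCI) and the first matching group go over RRC, unencrypted
    trace.append(("103", "UE->RAN RR + first matching group (RRC)", sorted(first)))
    second = step_104_ran_match(first, list2) if cell.ran_rematch else set(first)
    trace.append(("104", "RAN->AMF RR + second matching group (N2)", sorted(second)))
    # before step 105: the UDM/SIDF resolves the SUCI to a SUPI; step 105 itself
    # (authentication and security procedures) is not modelled here
    supi = core.suci_to_supi.get(ue.suci)
    if supi is None:
        trace.append(("105", "authentication failed: unknown SUCI", None))
        return Outcome(first, second, set(), False, trace)
    list3 = set(core.subscriptions.get(supi, set()))
    trace.append(("106", "UDM->AMF list 3", sorted(list3)))
    target = step_107_amf_match(second, list3)
    trace.append(("107", "AMF target CAG IDs", sorted(target)))
    if target:
        trace.append(("108a", "AMF->UE registration accept", sorted(target)))
        return Outcome(first, second, target, True, trace)
    trace.append(("108b", "AMF->UE registration reject", None))
    # after step 108b: the UE removes the first matching group from list 1
    ue.allowed_cag_ids -= first
    return Outcome(first, second, target, False, trace)


def demo():
    # constructed sample data: one subscriber, one cell
    core = CoreNetwork(
        subscriptions={"supi-1": {"cag-enterprise", "cag-campus"}},
        suci_to_supi={"suci-1": "supi-1"},
    )
    cell = Cell(supported_cag_ids={"cag-enterprise", "cag-factory", "cag-guest"})
    ue = UE(allowed_cag_ids={"cag-enterprise", "cag-factory", "cag-home"}, suci="suci-1")
    return run_cag_access(ue, cell, core), ue


if __name__ == "__main__":
    outcome, _ = demo()
    for step, what, ids in outcome.trace:
        print(step, what, ids)
```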
The CAG service a UE wishes to use is related to the type of the UE, and each CAG service can be accessed and used only by specific UEs. The CAG service a UE wishes to use therefore involves privacy. When the UE sends the first matching group to the access network device, an attacker can obtain the CAG IDs the UE requests to access by eavesdropping on the air interface, which leaks private information.
To solve the above problem, the embodiments of this application provide a communication method in which the CAG IDs the UE requests to access are sent in encrypted form. This reduces the possibility of privacy leakage.
FIG. 3 is a schematic flowchart of a communication method provided by an embodiment of this application.
In step 201, the UE generates an encrypted first group list.
A group list may also be called a set of group identifiers. The first group list contains the identifiers of one or more groups the UE requests to access. A group may be, for example, a CAG or a CSG.
The identifiers of the one or more groups the UE requests to access may be all or part of the identifiers in a second group list configured on the UE.
In step 202, the UE sends the encrypted first group list.
The UE may send the encrypted first group list to the AMF network element.
In some embodiments, the UE may establish a NAS security context with the AMF network element, that is, enter NAS security mode. The establishment of the NAS security context is shown in FIG. 4.
The UE may send the first group list to the AMF network element in the NAS SM complete message during NAS security context establishment. The UE may also send the encrypted first group list to the AMF network element after the NAS security context has been established, that is, in a NAS message protected by the NAS security context.
The UE may authenticate with the AMF network element to obtain a shared key; UE authentication is shown in FIG. 6. From this shared key the UE can establish a NAS security context with the AMF network element, as shown in FIG. 4.
The AMF may decrypt the encrypted first group list sent by the UE, using the confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list with an AMF public key and send the encrypted first group list to the AMF network element. The AMF public key may be sent by the AMF to the UE or may be pre-configured on the UE.
The AMF network element is configured with the AMF private key corresponding to the AMF public key, and can decrypt the encrypted first group list with the AMF private key.
The UE may send the encrypted first group list to the UDM network element.
The UE may encrypt the first group list with the home network key to obtain the encrypted first group list.
The UE may send the encrypted first group list together with the home network public key identifier to the UDM network element. The home network public key identifier indicates the home network key.
The UDM network element receives the encrypted first group list and the home network public key identifier, determines the home network private key from the home network public key identifier, and decrypts the encrypted first group list with the home network private key.
The UE may send the encrypted first group list to the access network device.
In some embodiments, the UE may establish an AS security context with the access network device, that is, enter AS security mode. The establishment of the AS security context is shown in FIG. 5.
The UE may send the first group list to the access network device in the AS SM complete message during AS security context establishment. The UE may also send the encrypted first group list to the access network device after the AS security context has been established, that is, in an AS message protected by the AS security context.
The AMF distributes KgNB to the access network device, and the UE generates KgNB from KAMF. The UE and the access network device can then establish the access stratum (AS) security mode (SM).
The access network device may decrypt the encrypted first group list sent by the UE, using the confidentiality algorithm.
In other embodiments, the UE may encrypt the first group list with an access network device public key and send the encrypted first group list to the access network device. The access network device public key may be sent by the access network device to the UE or may be pre-configured on the UE. The access network device is configured with the access network device private key corresponding to the access network device public key, and can decrypt the encrypted first group list with that private key.
可选地,UE可以接收AMF网元发送的注册拒绝消息。注册拒绝消息包括消息验证码,所述消息验证码用于所述UE验证所述注册拒绝消息。注册拒绝消息还可以包括拒绝码。拒绝码可以用于指示拒绝UE注册,或者拒绝码可以用于指示拒绝UE注册的原因。拒绝UE注册的原因可以是AMF网元校验失败,或者,UE认证失败等。AMF网元校验失败是指AMF网元确定不存在第二群组列表。第二群组列表包括UDM保存的签约群组列表与第一群组列表中相同的群组的标识。Optionally, the UE may receive a registration rejection message sent by the AMF network element. The registration rejection message includes a message verification code for the UE to verify the registration rejection message. The registration rejection message may also include a rejection code. The rejection code may be used to indicate the rejection of the UE registration, or the rejection code may be used to indicate the reason for the rejection of the UE registration. The reason for rejecting the registration of the UE may be that the verification of the AMF network element fails, or the authentication of the UE fails. The AMF network element verification failure means that the AMF network element determines that the second group list does not exist. The second group list includes the identifiers of the same groups in the subscription group list saved by the UDM and the first group list.
可选地,UE可以向接入网设备发送接入群组请求信息,所述接入群组请求信息用于指示所述UE请求接入群组。Optionally, the UE may send access group request information to the access network device, where the access group request information is used to instruct the UE to request to access the group.
通过步骤201-步骤202,UE通过加密的方式发送第一群组列表,可以避免泄密。Through steps 201 to 202, the UE sends the first group list in an encrypted manner, which can avoid leakage.
FIG. 4 is a schematic flowchart of establishing a NAS security context.
In step 301a, the AMF network element starts integrity protection.
In step 301b, the AMF network element sends a NAS SM command message to the UE. The NAS SM command message includes the integrity algorithm, the encryption algorithm, a NAS message authentication code (MAC), the UE security capabilities, the KSI and so on. The NAS MAC may be used to verify the integrity of the NAS SM command message.
In step 301c, the AMF network element starts uplink decryption.
In step 302a, the UE verifies the integrity of the NAS SM complete message. If verification succeeds, the UE starts uplink encryption, downlink decryption and integrity protection.
In step 302b, the UE sends a NAS security mode complete message to the AMF network element. The NAS security mode complete message includes a NAS MAC, which may be used to verify the integrity of the NAS SM complete message.
In step 301d, the AMF network element starts downlink encryption.
The AMF network element triggers the NAS SMC procedure and sends a NAS security mode command to the UE; the UE sends a NAS security mode complete message. In step 301b, the NAS SM command message sent by the AMF network element to the UE has only integrity protection. In step 302b, the NAS security mode complete message sent by the UE to the AMF network element has both confidentiality and integrity protection. After this, the UE and the AMF share the NAS security context. The UE and the AMF network element can protect the messages they send with the NAS security context, and a NAS message protected by the NAS security context has integrity and confidentiality protection. Through steps 301a to 302d, the NAS security context is established.
It should be noted that, for ease of understanding, FIG. 4 only outlines the NAS SMC procedure; in a specific application, other processing steps and/or parameters may be added, or some of the above steps and/or parameters may be omitted.
FIG. 5 is a schematic flowchart of establishing an AS security context.
Before step 401a, the RAN receives the key KgNB. The key KgNB is derived by the AMF network element from the key KAMF. The AMF generates the key KgNB and sends it to the RAN.
In step 401a, the RAN starts RRC integrity protection.
In step 401b, the RAN sends an AS SM command message to the UE. The AS SM command message includes the integrity algorithm, the encryption algorithm and a MAC-I, where the MAC-I is computed from the key KgNB.
In step 401c, the RAN starts RRC downlink ciphering.
In step 402a, the UE verifies the integrity of the AS SM command message using the MAC-I. If verification succeeds, the UE starts RRC integrity protection and RRC downlink deciphering. The UE deciphers the RRC downlink with the encryption algorithm indicated in the AS SMC message.
In step 402b, the UE sends an AS SM complete message to the RAN. The AS SM complete message includes a MAC-I computed from the key KgNB. Using the MAC-I, the RAN can decrypt the AS SM complete message and verify its integrity.
In step 402c, the UE starts RRC uplink ciphering.
In step 401d, the RAN starts RRC uplink deciphering.
The RAN triggers the AS SMC procedure and sends an AS security mode command message to the UE. The UE sends an AS security mode complete message to the RAN. The message in step 401b is only integrity protected, whereas the message in step 402b is both confidentiality and integrity protected. With the key KgNB, the messages transmitted between the UE and the RAN in AS security mode can be integrity and confidentiality protected. After this, the UE and the access network device share the AS security context; the UE and the access network device can send AS messages protected by the AS security context, and an AS message so protected has integrity and confidentiality protection. Through steps 401a to 402d, the AS security context is established.
It should be noted that, for ease of understanding, FIG. 5 only outlines the procedure for establishing the AS security context; in a specific application, other processing steps and/or parameters may be added, or some of the above steps and/or parameters may be omitted.
FIG. 6 is a schematic flowchart of an authentication method. Authentication may also be called identity authentication.
In a communication network, when a UE requests access to a service provided by a service provider, whether the UE has access rights is checked. The authentication procedure can be seen in
In step 501, the UDM/ARPF network element generates an authentication vector.
In step 502, the UDM/ARPF network element sends a first authentication response message to the AUSF network element; the first authentication response message may be a Nudm_UEAuthentication_Get Response message. The first authentication response message includes the authentication vector.
In step 503, the UE and the AUSF network element perform mutual authentication.
In step 504, the AUSF generates the key KSEAF and sends it to the SEAF network element.
In step 505, the SEAF network element derives the key KAMF from the key KSEAF and sends a KSI to the UE; the KSI indicates the key KAMF.
The SEAF network element may be co-located with the AMF network element or deployed separately. The SEAF network element may send KAMF to the AMF network element.
FIG. 6 shows only one authentication method; other authentication methods are also covered, for example 5G authentication and key agreement, and authentication may also include both authentication between the UE and the AMF and authentication between the UE and the AUSF, which is not limited in the embodiments of this application.
FIG. 7 is a schematic flowchart of a communication method provided by an embodiment of this application.
The first network device includes an AMF network element. The first network device may also include network function (NF) network elements such as an SMF network element, an AUSF network element, a SEAF network element and a UDM network element, which is not limited in the embodiments of this application.
In step 1101, the UE encrypts the first group list using the NAS security context to obtain an encrypted first group list. The first group list includes the identifiers of one or more groups that the UE requests to access.
The first group list may include all or some of the identifiers in the UE group list configured for the UE.
The UE may use the UE group list as the first group list.
Before step 1101, the UE receives an access network group list sent by the access network device; the access network group list includes the identifiers of the groups supported by the access network device. The UE may determine the first group list from the access network group list and the UE group list, the first group list including the identifiers of the groups that appear in both the access network group list and the UE group list.
In step 1102, the UE sends the encrypted first group list.
Before step 1102, the UE may establish a NAS security context with the AMF. The UE may send the encrypted first group list in a NAS message protected by the NAS security context.
Alternatively, during establishment of the NAS security context between the UE and the AMF, once the UE has established the NAS security context, the UE sends the encrypted first group list to the first network device in the NAS SM complete message.
The first network device receives the encrypted first group list and decrypts it.
In step 1103, the first network device performs a check. The AMF determines the second group list from the first group list and the subscription group list. The second group list includes the identifiers of the groups that appear in both the first group list and the subscription group list. The second group list includes the identifiers of the groups that the UE is allowed to access; that is, the identifiers common to both lists are taken as the identifiers of the groups the UE is allowed to access.
Before step 1103, the first network device determines the subscription group list stored by the UDM network element. That is, if the first network device does not include the UDM network element, the first network device may receive the subscription group list sent by the UDM network element; if the first network device includes the UDM network element, the first network device may obtain the subscription group list stored by the UDM network element.
If the second group list exists, step 1104 is performed.
In step 1104, the first network device sends the second group list to the access network device. The access network device receives the second group list and obtains the identifiers of the groups the UE is allowed to access.
Optionally, step 1105 may be performed after step 1104.
In step 1105, the access network device sends the UE the radio resource allocation information and/or quality of service (QoS) information of the group corresponding to each identifier in the second group list.
If the second group list does not exist, step 1106 is performed.
In step 1106, the first network device sends a registration reject message to the UE. To prevent an attacker from modifying or forging the registration reject message, the AMF may send it in the following ways.
The first network device may send the registration reject message to the UE in a NAS message. Whether the AMF and the UE have established a NAS security context before step 1106 is not limited in the embodiments of this application. If a NAS security context has been established, the first network device may send the registration reject message to the UE under the protection of the NAS security context; that is, the registration reject message may be a NAS message protected by the NAS security context.
Referring to FIG. 11, the first network device may compute a message authentication code from the key shared between the UE and the AMF. The first network device may send the UE a registration reject message that includes the message authentication code, which the UE uses to verify the registration reject message.
Referring to FIG. 12, the first network device may instead compute a digital signature with the AMF private key. The first network device may send the UE a registration reject message that includes the digital signature. The UE uses the AMF public key to decrypt, that is, verify, the digital signature.
Optionally, the UE may send access group request information to the access network device, indicating that the UE requests access to a group.
Through steps 1101 to 1106, the UE sends the identifiers of the groups it requests to access in encrypted form, which prevents leakage of the UE's privacy.
A group may be, for example, a CAG or a CSG. The following description takes a UE requesting access to a CAG as an example.
FIG. 8 is a schematic flowchart of a communication method provided by an embodiment of this application.
The UE may send the first matching group to the AMF network element in an encrypted NAS message.
The UE stores list 1, which may be called the allowed CAG ID list. List 1 includes the identifiers of the CAGs configured for the UE; that is, list 1 indicates the CAGs the UE is able to access. How the UE obtains list 1 is not limited. For example, list 1 may include CAG IDs the UE obtains from the operator, CAG IDs configured by network management, CAG IDs configured when the UE leaves the factory, and so on.
In step 601, the access network device broadcasts system information that includes list 2, the list of CAG IDs supported by the cell, where the cell is the one among the cells covered by the access network device in which the UE is located. The broadcast content may not be protected by encryption, so any device within the coverage of the access network device can obtain the broadcast information.
Optionally, in step 601 the access network device sends the system information by unicast; the system information includes list 2, which includes the CAG IDs supported by the cell. The unicast content may not be protected by encryption, so any device within the coverage of the access network device can obtain the unicast information.
In step 602, the UE matches list 1 against list 2; that is, the UE checks whether a first matching group exists. The first matching group includes at least one CAG ID, and each CAG ID in the first matching group belongs to both list 1 and list 2. The CAG IDs in the first matching group may be called selected matching CAG IDs.
In step 603, the UE sends a registration request (RR) message to the access network device; the registration request message includes the SUCI. The registration request message may be a control plane message.
Before step 603, the UE computes the SUCI, which is an encapsulation of the permanent identity SUPI so that an attacker cannot obtain the SUPI by eavesdropping on the air interface. The SUPI is the UE's permanent identity; that is, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of the SUPI type, a routing indicator, a protection scheme identifier, a home network public key identifier and other information. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used for the SUCI, that is, the scheme used to encrypt the SUPI. The routing indicator may indicate the UDM network element able to serve the UE.
Optionally, the UE sends first indication information to the access network device. The first indication information indicates that the UE requests access to a CAG.
The first indication information that the UE may send to the access network device indicates that the UE requests access to a CAG. Because the registration-related information in the RR message is sent by the UE to the AMF network element, the access network device merely forwards this information and cannot interpret it. Therefore, by sending the first indication information to the access network device, the UE can instruct the access network device to carry out the procedure corresponding to a UE requesting access to a CAG.
Optionally, the first indication information is carried in the registration request message or in another message. For example, the first indication information may be sent in a radio resource control (RRC) message. The first indication information may take various forms; for example, it may include the list 2 received by the UE, or it may occupy a field of the registration request message.
In step 604, the access network device forwards the registration request message, which includes the SUCI, to the AMF network element. The forwarded registration request message may be sent over the N2 interface between the access network device and the AMF network element; that is, it may be an N2 message.
Optionally, the access network device may send second indication information to the AMF network element. For example, if the access network device receives the first indication information, it sends the second indication information to the AMF network element. The second indication information indicates that the UE requests access to the CAG service.
The second indication information sent by the access network device may instruct the AMF to carry out the procedure corresponding to a UE requesting access to a CAG.
The second indication information may be carried in the forwarded registration request message, or in another message.
Optionally, the access network device may send list 2 to the AMF network element. The second indication information may include list 2. For example, if the access network device receives the first indication information, it sends list 2 to the AMF network element.
In step 605, the AMF network element sends the SUCI to the AUSF. The SUCI may be carried in a first authentication request message, which may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or list 2.
In step 606, the AUSF network element sends the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second authentication request message, which may be a Nudm_UEAuthentication_Get Request message.
In step 607, the UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected authentication algorithm.
Step 608 is the authentication procedure, used for identity authentication of the UE.
Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector may be carried in an authentication response message, which may be a Nudm_UEAuthentication_Get Response message.
The UE and the AUSF network element perform mutual authentication. The AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from the key KSEAF. The SEAF sends a KSI to the UE; the KSI indicates the key KAMF, and the UE can determine the key KAMF from the KSI. The SEAF sends KAMF to the AMF. Here the SEAF may be co-located with the AMF or deployed separately. The embodiments of this application do not limit the specific details and flow of the above steps for authentication between the UE and the AUSF network element.
Through the above steps, the AMF network element and the UE share the key KAMF.
In steps 609 to 610, the AMF network element and the UE perform the non-access stratum security mode command (NAS SMC) procedure.
From the key KAMF, the UE and the AMF network element can derive the integrity key and the confidentiality key used between them, and thereby integrity-protect and confidentiality-protect the messages exchanged between the UE and the AMF network element. Confidentiality protection means that the sender encrypts the information and the receiver decrypts it.
In step 609, the AMF network element sends a NAS security mode command message to the UE. The NAS security mode command message is integrity protected. Integrity protection is existing technology and is not described further here.
In step 610, the UE sends a NAS security mode complete message to the AMF network element.
Optionally, the NAS security mode complete message may include the first matching group. The NAS security mode complete message is confidentiality and integrity protected, so the first matching group is sent to the AMF network element in encrypted form. In this case, step 611 need not be performed.
During the UE's access to the CAG, a NAS security context is established. Sending the first matching group in the NAS SMC complete message, or in a NAS message protected by the NAS security context, encrypts the first matching group without adding any extra processing.
Through steps 609 to 610, the UE and the AMF network element establish a security context via the NAS SMC procedure, and messages between the AMF network element and the UE can be transmitted encrypted. In NAS security mode, messages between the AMF network element and the UE can have both integrity protection and confidentiality protection.
If the NAS security mode complete message does not include the first matching group, step 611 may be performed. Step 611 is performed after the UE and the AMF network element have established the security context via the NAS SMC procedure.
In step 611, the UE sends the first matching group to the AMF in an uplink (UL) NAS message; that is, the first matching group is sent under NAS security protection.
In step 612, the AMF network element receives list 3 sent by the UDM network element. List 3 includes the CAG IDs that the network side allows the UE to access. The AMF network element may receive subscription data sent by the UDM network element, and the subscription data includes list 3.
Before step 612, the AMF network element may send a request message to the UDM network element to obtain the subscription data corresponding to the SUPI from the UDM. Optionally, the request message includes the SUPI. The subscription data includes list 3, which includes the CAG IDs the network side allows the UE to access.
In step 613, the AMF matches list 3 against the first matching group to determine whether a second matching group exists. Every CAG ID in the second matching group is in list 3 and also in the first matching group; that is, the AMF takes the CAG IDs common to list 3 and the first matching group as the CAG IDs of the second matching group.
Optionally, the AMF matches list 2, list 3 and the first matching group to determine whether a second matching group exists. Every CAG ID in the second matching group is in list 2, in list 3 and in the first matching group; that is, the AMF takes the CAG IDs common to list 2, list 3 and the first matching group as the CAG IDs of the second matching group.
When the AMF matches list 2, list 3 and the first matching group, steps 601 to 602 need not be performed, and the UE may use list 1 as the first matching group.
Because the first matching group is sent to the AMF network element in a NAS message, the access network device cannot inspect or verify the first matching group sent by the UE, and so cannot ensure that the UE's matching result, that is, the CAG IDs in the first matching group, are all CAG IDs in list 2. Therefore, the AMF network element can generate the second matching group using list 2.
Optionally, the AMF network element is preconfigured with the CAG IDs supported by the access network device, that is, the AMF is preconfigured with list 2. In that case, in step 604 the access network device need not send list 2 to the AMF network element. Alternatively, list 2 serves as the second indication information, indicating that the UE requests access to the CAG service.
Because the first matching group was already obtained by matching at the UE, the AMF may skip matching against list 2 in order to reduce computation; that is, the AMF may match only the first matching group against list 3. In that case, the list 2 sent by the access network device to the AMF network element may serve as the second indication information, which indicates that the UE requests access to the CAG service.
If a second matching group exists, the UE is allowed to access the CAG services corresponding to the CAG IDs in the second matching group.
In step 614, if the UE is allowed access, the AMF may send the second matching group to the access network device. The second matching group may be sent in an N2 message and includes the identifiers of the CAGs the UE is allowed to access. The access network device receives the second matching group to obtain the CAG IDs the UE is allowed to access. Optionally, after receiving the second matching group, the access network device performs operations such as radio resource management for the CAG IDs in the second matching group, for example sending the UE the resource configuration information of the CAG corresponding to each CAG ID in the second matching group. Optionally, the access network device sends the UE policy information corresponding to the CAG IDs in the second matching group, for example the QoS information of each CAG. The policy information indicates the parameters for data transmission after the UE accesses the CAG. The specific operations of the access network device on the CAG IDs in the second matching group are not limited in the embodiments of this application.
In step 615, the AMF network element sends a registration response message to the UE. The registration response message may be a registration accept message or a registration reject message.
If the UE is allowed access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the UE the second matching group, that is, the CAG IDs the UE is allowed to access.
若不允许UE接入,则AMF网元向UE发送注册拒绝消息。可选的,所述注册拒绝消息包括校验失败指示信息。校验失败指示信息可以用于指示注册拒绝的原因,例如CAG ID校验不通过或或UE身份认证失败等。If the UE is not allowed to access, the AMF network element sends a registration rejection message to the UE. Optionally, the registration rejection message includes verification failure indication information. The verification failure indication information may be used to indicate the reason for the registration rejection, for example, the CAG ID verification fails or the UE identity authentication fails.
可选的,AMF通过其他下行NAS消息向UE发送是否允许UE接入CAG的信息。。Optionally, the AMF sends to the UE information on whether to allow the UE to access the CAG through other downlink NAS messages. .
可选地,在步骤610之前,进一步地,在步骤603之前,UE可以接收保护指示信息,保护指示信息用于指示UE发送加密的第一匹配组。也就是说,保护指示信息用于指示UE对第一匹配组进行加密,并通过加密的方式发送第一匹配组。例如,在步骤603之前,UE进行了一次注册的流程。该次注册接入过程中,注册接收消息包括保护指示信息。在后续UE接入CAG的过程中,采用上述方式对注册拒绝消息进行保护。Optionally, before step 610, further, before step 603, the UE may receive protection indication information, where the protection indication information is used to instruct the UE to send the encrypted first matching group. That is, the protection indication information is used to instruct the UE to encrypt the first matching group, and send the first matching group in an encrypted manner. For example, before step 603, the UE performs a registration process. In this registration access process, the registration reception message includes protection indication information. In the subsequent process of the UE accessing the CAG, the above-mentioned method is used to protect the registration rejection message.
通过步骤601-615,UE通过加密的方式发送第一匹配组,可以避免信息的泄露。Through steps 601-615, the UE sends the first matching group in an encrypted manner, which can avoid information leakage.
在一些实施例中,UE可以通过除RR消息之外的NAS消息向AMF网元发送第一指示信息。AMF通过第一指示信息确定UE请求接入CAG的流程。In some embodiments, the UE may send the first indication information to the AMF network element through a NAS message other than the RR message. The AMF determines the process of the UE requesting to access the CAG through the first indication information.
在一些实施例中,也可能基站不广播列表2,或者UE不进行基站广播列表2与列表1的匹配;UE通过NAS消息发送加密的列表1至AMF。后续的操作与后面流程相同,不同点在于第一匹配组,此时为列表1。In some embodiments, it is also possible that the base station does not broadcast list 2, or the UE does not perform matching between the base station broadcast list 2 and the list 1; the UE sends the encrypted list 1 to the AMF through a NAS message. Subsequent operations are the same as the following procedures, except that the first matching group is List 1 in this case.
在一些实施例中,还可能UE基于AMF的公钥加密第一匹配组,得到第一匹配组的密文。并通过将第一匹配组的密文通过NAS消息发送给AMF,例如通过RR消息与SUCI一起发送给AMF;或者通过其他NAS消息发送给AMF。AMF通过AMF的私钥解密第一匹配组的密文得到第一匹配组。后面判定的流程与上述实施例相同。这里UE获得AMF的公钥的过程,可以为预置,或者在之前注册流程中有AMF分发给UE的;不做限制。In some embodiments, it is also possible that the UE encrypts the first matching group based on the public key of the AMF to obtain the ciphertext of the first matching group. And the ciphertext of the first matching group is sent to the AMF through a NAS message, for example, sent to the AMF through an RR message together with SUCI; or sent to the AMF through other NAS messages. The AMF decrypts the ciphertext of the first matching group through the private key of the AMF to obtain the first matching group. The flow of the subsequent determination is the same as that of the above-mentioned embodiment. Here, the process for the UE to obtain the public key of the AMF may be preset, or it may be distributed to the UE by the AMF in the previous registration process; there is no limitation.
FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of the present application.
The UE may encrypt the first matching group with the home network key and send the encrypted first matching group to the UDM network element; the UDM network element decrypts it and sends the decrypted first matching group to the AMF.
The UE stores list 1, which may be called the allowed CAG ID list. List 1 includes the identifiers of the CAGs configured for the UE, i.e. it indicates the CAGs the UE supports accessing. How the UE obtains list 1 is not limited; for example, list 1 may include CAG IDs obtained from the operator, CAG IDs configured by network management, or CAG IDs configured at the factory.
In step 601, the access network device broadcasts system information that includes list 2, the list of CAG IDs supported by the cell covered by the access network device. The broadcast content is not protected by encryption, and any device within the coverage of the access network device can obtain the information it broadcasts.
Optionally, in step 601, the access network device sends the system information by unicast, the system information including list 2, the list of CAG IDs supported by the cell. The unicast content may not be protected by encryption, and any device within the coverage of the access network device can obtain the unicast information.
In step 602, the UE matches list 1 against list 2, that is, the UE checks whether a first matching group exists; the first matching group includes at least one CAG ID. The CAG IDs in the first matching group belong to both list 1 and list 2. They may be called the selected matching CAG IDs.
In step 703, the UE sends a registration request message to the access network device; the registration request message includes the SUCI. The registration request message may be a control plane message.
The registration request message further includes the encrypted first matching group.
Before step 703, the UE computes the SUCI. The SUCI is an encapsulation of the permanent identity SUPI, so that an attacker cannot obtain the SUPI by eavesdropping on the air interface. The SUPI is the permanent identity of the UE; that is, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of the SUPI type, a routing indicator, a protection scheme identifier and a home network public key identifier, among other information. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used for the SUCI, i.e. the scheme used to encrypt the SUPI. The routing indicator may identify the UDM network element able to serve the UE.
Before step 703, the UE encrypts the first matching group with the home network public key to obtain the encrypted first matching group. Encrypting the first matching group with the home network public key may also be described as the UE encapsulating the first matching group.
The UE may encrypt the first matching group using the same encryption method as for the SUCI. The UE may encrypt the SUPI and the first matching group together and encapsulate them in one piece of information; that is, the SUCI and the encrypted first matching group may be carried in the same message. Alternatively, the UE may encrypt the SUPI and the first matching group separately. Optionally, the encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier and a home network public key identifier, among other information. The SUCI and the encrypted first matching group may be carried in the same message or in different messages.
The UE may also encrypt the first matching group using an encryption method different from that of the SUCI. For example, the SUCI and the encrypted first matching group may correspond to different home network keys, i.e. to different home network public key identifiers. The encrypted first matching group includes one or more of a routing indicator, a protection scheme identifier and a home network public key identifier, among other information. The SUCI and the encrypted first matching group may be carried in the same message or in different messages. The home network key comprises the home network public key and the home network private key. The UE and the UDM network element hold the correspondence between the home network public key identifier and the home network public key and private key.
Optionally, the UE sends first indication information to the access network device. The first indication information indicates that the UE requests access to a CAG service.
Optionally, the first indication information is carried in the registration request message or in another message; for example, it may be sent in a radio resource control (RRC) message. The first indication information may take various forms: it may include the list 2 received by the UE, or it may occupy a field of the registration request message.
In step 704, the access network device sends the registration request message to the AMF network element. The registration request message includes the SUCI and the encrypted first matching group. It may be sent over the N2 interface between the access network device and the AMF network element, that is, it may be an N2 message.
Optionally, the access network device may send second indication information to the AMF network element. For example, if the access network device receives the first indication information, it sends the second indication information to the AMF network element. The second indication information indicates that the UE requests access to a CAG service.
The second indication information may be carried in the registration request message or in another message.
Optionally, the access network device may send list 2 to the AMF network element. The second indication information may include list 2.
In step 705, the AMF network element sends the encrypted first matching group and the SUCI to the AUSF. The SUCI may be carried in a first identity authentication request message; the encrypted first matching group may be carried in the first identity authentication request message or in another message. The first identity authentication request message may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or list 2.
In step 706, the AUSF network element sends the encrypted first matching group and the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second authentication request message; the encrypted first matching group may be carried in the second authentication request message or in another message. The second authentication request message may be a Nudm_UEAuthentication_Get Request message.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group with the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected algorithm. The UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
Alternatively, the UDM/SIDF network element decrypts a single piece of information corresponding to both the SUPI and the first matching group, obtaining the SUPI and the first matching group.
The UDM/SIDF network element determines the UE's subscription data from the SUPI. The subscription data includes list 3, which contains the CAG IDs the network side allows the UE to access.
The UDM/SIDF network element matches the first matching group against list 3 to obtain a third matching group. The third matching group includes the CAG IDs common to the first matching group and list 3.
If the UDM/SIDF network element determines that no third matching group exists, the UE authentication procedure and step 614 are not performed. When no third matching group exists and the check fails, the subsequent UE authentication procedure is unnecessary, which saves signalling overhead in the system.
The UDM/SIDF network element may reject the UE's registration. The UDM may send rejection indication information to the AMF network element, either via the AUSF network element or directly.
Before step 615, the UDM network element may send first rejection indication information to the AMF network element, via the AUSF network element or directly. The first rejection indication information may include the reason for rejecting the registration; that is, it may indicate that no third matching group exists, i.e. that the check failed and there is no CAG the UE is allowed to access.
The AMF network element receives the rejection indication information sent by the UDM network element and determines that no second matching group exists, i.e. that there is no CAG the UE is allowed to access.
In step 615, the AMF network element sends a registration reject message to the UE.
If the UDM/SIDF network element determines that a third matching group exists, steps 709-710 are performed. Steps 709-710 belong to the authentication procedure, which is used for identity authentication of the UE.
Specifically, in step 709, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector may be carried in a first authentication reply message, which may be a Nudm_UEAuthentication_Get Response message.
In step 710, the AUSF network element sends the authentication vector to the AMF network element. The authentication vector may be carried in a second authentication reply message, which may be a Nudm_UEAuthentication_Get Response message.
The UDM/SIDF network element may send the third matching group to the AMF network element.
The UDM/SIDF network element may send the third matching group to the AUSF network element, and the AUSF network element sends it to the AMF network element; that is, the third matching group may be forwarded by the AUSF network element to the AMF network element. The third matching group may be carried in the first authentication reply message or in another message, or in the second authentication reply message or in another message.
The UDM/SIDF may also send the third matching group to the AMF network element in another message, without forwarding by any other network element.
The UE and the AUSF network element perform mutual authentication. After successful authentication, the AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from KSEAF and sends a KSI to the UE, the KSI indicating the key KAMF; the UE can determine KAMF from the KSI. The SEAF sends KAMF to the AMF. The SEAF may be deployed independently of the AMF or as a separate element. The embodiments of the present application do not limit the specific details and procedure of the authentication steps between the UE and the AUSF network element.
Through the above steps, the AMF network element and the UE share the key KAMF.
After the authentication procedure, the UE and the AMF can establish a NAS security context from the key KAMF, and the UE and the access network device can establish an AS security context.
Before step 614, the AMF network element receives the third matching group sent by the UDM network element and determines the second matching group from it.
The AMF network element may use the third matching group as the second matching group.
The AMF network element may match the third matching group against list 2 to determine the second matching group. The second matching group includes the CAG IDs common to the third matching group and list 2.
Because the first matching group is sent to the UDM network element in encrypted form, the access network device cannot inspect or verify the first matching group sent by the UE, so there is no assurance that the UE's matching result, i.e. the CAG IDs in the first matching group, are all CAG IDs in list 2. The AMF network element may therefore generate the second matching group on the basis of list 2.
Optionally, the AMF network element is preconfigured with the CAG IDs supported by the access network device, that is, the AMF is preconfigured with list 2. In that case the access network device need not send list 2 to the AMF network element in step 704. Alternatively, the list 2 sent by the access network device to the AMF network element may serve as the second indication information, indicating that the UE requests access to a CAG service.
Because the first matching group is the result of matching the UE has already performed, the AMF may also skip matching against list 2 to reduce computation; that is, the AMF may match only the first matching group against list 3. In that case, the list 2 sent by the access network device to the AMF network element may serve as the second indication information, which indicates that the UE requests access to a CAG service.
If a second matching group exists, step 614 is performed.
In step 614, the AMF network element may send the second matching group to the access network device. The second matching group may be sent in an N2 message and includes the identifiers of the CAGs the UE is allowed to access. The access network device obtains the CAG IDs the UE is allowed to access. Optionally, after receiving the second matching group, the access network device performs operations such as radio resource management for the CAG IDs in the second matching group. The embodiments of the present application do not limit the specific operations of the access network device.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
If the AMF network element determines that a second matching group exists and allows the UE access, it sends a registration accept message to the UE. Optionally, the AMF network element sends the UE the second matching group, that is, the CAG IDs the UE is allowed to access.
If the UE is not allowed access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes second rejection indication information indicating the reason for the registration failure, for example that the CAG ID check failed or that authentication failed.
Optionally, the registration reply message may be a downlink NAS message.
Through the above steps, the UE sends the first matching group in encrypted form, which prevents leakage of the information.
Before the UE authentication procedure, the UDM/SIDF network element checks whether the UE may access the CAG, that is, it matches the first matching group against list 3.
In some embodiments, the AMF may instead perform the check by matching the first matching group against list 3.
In step 707, the UDM/SIDF network element may decrypt the SUCI and the encrypted first matching group with the home network private key corresponding to the home network public key identifier.
The UDM/SIDF network element decrypts the SUCI to obtain the SUPI, performs authentication algorithm selection, and generates an authentication vector according to the selected algorithm. The UDM/SIDF network element decrypts the encrypted first matching group to obtain the first matching group.
Alternatively, the UDM/SIDF network element decrypts a single piece of information corresponding to both the SUPI and the first matching group, obtaining the SUPI and the first matching group.
The UDM/SIDF network element determines the UE's subscription data from the SUPI. The subscription data includes list 3, which contains the CAG IDs the network side allows the UE to access.
After step 707, the authentication procedure is performed for identity authentication of the UE.
The UDM/SIDF network element sends the first matching group and list 3 to the AMF network element.
The UDM/SIDF network element may send the first matching group and list 3 to the AMF network element. The first matching group and/or list 3 may be carried in the first identity authentication reply message or in another message.
The UDM/SIDF network element may send the first matching group and list 3 to the AUSF network element, and the AUSF network element sends them to the AMF network element; that is, the first matching group and list 3 may be forwarded by the AUSF network element to the AMF network element. The first matching group and/or list 3 may be carried in the second authentication reply message or in another message.
Before step 614, the AMF network element matches the first matching group against list 3 to determine the second matching group. The second matching group includes the CAG IDs common to the first matching group and list 3.
The AMF may take the CAG IDs common to list 3 and the first matching group as the CAG IDs of the second matching group, or it may take the CAG IDs common to list 2, list 3 and the first matching group as the CAG IDs of the second matching group.
In step 614, if the UE is allowed access, the AMF may send the second matching group to the access network device.
In step 615, the AMF network element sends a registration reply message to the UE. The registration reply message may be a registration accept message or a registration reject message.
In some embodiments, the UE may not match list 2 against list 1, and the base station may not broadcast list 2. The UE sends the encrypted list 1 to the AMF network element in a NAS message, and subsequent operations are the same as in the procedure above; the difference is that the first matching group is then list 1. That is, where the AMF matches the third matching group against list 2, steps 601-602 may be omitted, and the UE may use list 1 as the first matching group.
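The network-side decisions described above, in both the earlier flow (the AMF intersecting list 2, list 3 and the first matching group, and skipping list 2 when it is not available) and the FIG. 9 flow (the UDM/SIDF decrypting the first matching group and checking it against list 3 before any authentication vector is generated, then the AMF re-checking the third matching group against list 2 because the access network device could not inspect the encrypted group), can be modelled end to end. The Python below is an added example, not code from the patent or from any network element implementation. The three CAG ID lists, the home network key identifier 7, the routing indicator and the XOR-keystream protection scheme are constructed stand-ins; in particular the symmetric stand-in key replaces the home network public/private key pair that a real UE and UDM/SIDF would use.

```python
"""Model of the CAG ID matching decisions in the registration flows above.

Added example. Sample lists and the toy protection scheme are constructed;
the stand-in symmetric key replaces the SUCI-style home network public/private
key pair and is for illustration only, not a vetted cipher.
"""
from dataclasses import dataclass
import hashlib
import os

# Constructed sample data (not from the patent).
LIST1_UE_ALLOWED = {"CAG-A", "CAG-B", "CAG-C"}      # list 1: allowed CAG ID list on the UE
LIST2_CELL_SUPPORTED = {"CAG-B", "CAG-C", "CAG-D"}  # list 2: CAG IDs the cell broadcasts
LIST3_SUBSCRIBED = {"CAG-C", "CAG-D", "CAG-E"}      # list 3: CAG IDs in the UE's subscription

# Stand-in for the home network key selected by a home network public key identifier.
# Assumption: one symmetric key shared by UE and UDM/SIDF instead of a public/private pair.
HN_KEYRING = {7: hashlib.sha256(b"constructed home network key 7").digest()}


@dataclass
class ProtectedGroup:
    """Encrypted first matching group carried beside the SUCI in the registration request."""
    routing_indicator: str      # selects the serving UDM; sent in the clear
    protection_scheme_id: int   # which protection scheme produced the ciphertext; in the clear
    hn_public_key_id: int       # which home network key to use; in the clear
    nonce: bytes
    ciphertext: bytes


def first_matching_group(list1, list2=None):
    """Step 602 on the UE: intersect list 1 with the broadcast list 2.
    If list 2 was not broadcast, or the UE skips matching, list 1 itself is sent."""
    if list2 is None:
        return set(list1)
    return set(list1) & set(list2)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect_group(group, hn_public_key_id, routing_indicator="0"):
    """UE side (before step 703): encrypt the first matching group under the home network key."""
    plaintext = ",".join(sorted(group)).encode()
    nonce = os.urandom(16)
    ks = _keystream(HN_KEYRING[hn_public_key_id], nonce, len(plaintext))
    return ProtectedGroup(routing_indicator, 1, hn_public_key_id, nonce,
                          bytes(a ^ b for a, b in zip(plaintext, ks)))


def unprotect_group(protected):
    """UDM/SIDF side (step 707): decrypt with the key named by hn_public_key_id."""
    key = HN_KEYRING[protected.hn_public_key_id]
    ks = _keystream(key, protected.nonce, len(protected.ciphertext))
    text = bytes(a ^ b for a, b in zip(protected.ciphertext, ks)).decode()
    return set(text.split(",")) if text else set()


def udm_check(protected, list3):
    """Step 707: decrypt, then intersect with subscription list 3 BEFORE authentication.
    Returns (third_matching_group, proceed_to_authentication)."""
    third = unprotect_group(protected) & set(list3)
    return third, bool(third)


def amf_second_matching_group(third, list2=None):
    """Before step 614: the AMF adopts the third matching group as is (list2=None, i.e. it
    skips list 2), or re-checks it against list 2 because the access network device could
    not inspect the encrypted first matching group."""
    if list2 is None:
        return set(third)
    return set(third) & set(list2)


def register(list1, broadcast_list2, list3, amf_list2, hn_public_key_id=7):
    """Whole flow. Returns (outcome, detail, authentication_ran)."""
    first = first_matching_group(list1, broadcast_list2)
    protected = protect_group(first, hn_public_key_id)
    third, proceed = udm_check(protected, list3)
    if not proceed:
        # UDM sends the first rejection indication; no authentication vector is generated.
        return "REJECT", "CAG ID check failed", False
    second = amf_second_matching_group(third, amf_list2)
    if not second:
        return "REJECT", "CAG ID check failed", True
    return "ACCEPT", second, True


if __name__ == "__main__":
    print(register(LIST1_UE_ALLOWED, LIST2_CELL_SUPPORTED, LIST3_SUBSCRIBED, LIST2_CELL_SUPPORTED))
    print(register({"CAG-A", "CAG-E"}, None, LIST3_SUBSCRIBED, LIST2_CELL_SUPPORTED))
    print(register({"CAG-A"}, LIST2_CELL_SUPPORTED, LIST3_SUBSCRIBED, LIST2_CELL_SUPPORTED))
```

The second `register` call shows why the AMF re-check matters: when list 2 was not broadcast, the UE sends list 1 unfiltered, the UDM finds CAG-E in the subscription, and only the AMF's intersection with the cell's list 2 removes a CAG the cell does not serve. The third call shows the signalling saving the text describes: with no third matching group, the rejection is decided in the UDM and the authentication procedure never runs.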
图10是本申请实施例提供的一种通信方法的示意性流程图。FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
UE可以通过加密的AS消息,向接入网设备网元发送第一匹配组。The UE may send the first matching group to the access network device network element through the encrypted AS message.
UE配置有列表1。列表1包括UE支持接入的CAG ID。The UE is configured with List 1. List 1 includes the CAG IDs for which the UE supports access.
在步骤601,接入网设备向UE发送列表2。列表2包括接入网设备覆盖的小区支持的CAG ID。该小区是接入网设备覆盖的一个或多个小区中该UE所在的小区。广播的内容可能没有加密保护,接入网设备覆盖范围内的设备都可以获取接入网设备广播的信息。In step 601, the access network device sends List 2 to the UE. List 2 includes the CAG IDs supported by the cells covered by the access network equipment. The cell is a cell where the UE is located in one or more cells covered by the access network device. The broadcast content may not be encrypted and protected, and devices within the coverage of the access network device can obtain the information broadcast by the access network device.
可选的,在步骤601,接入网设备单播发送系统信息,系统信息包括列表2,列表2包括小区支持的CAG ID。单播的内容可能没有加密保护,接入网设备覆盖范围内的设备都可以获取接入网设备单播的信息。Optionally, in step 601, the access network device unicast sends system information, the system information includes list 2, and list 2 includes CAG IDs supported by the cell. The unicast content may not be protected by encryption, and devices within the coverage of the access network device can obtain the unicast information of the access network device.
在步骤602,UE对列表1和列表2进行匹配,以获得第一匹配组。第一匹配组包括列表1和列表2中相同的CAG ID。UE对列表1和列表2进行匹配,即UE确定第一匹配组,第一匹配组包括至少一个CAG ID。第一匹配组中的CAG ID即属于列表1,又同时属于列表2。可以将第一匹配组中的CAG ID称为匹配的CAG ID(selected matching CAG ID)。In step 602, the UE matches List 1 and List 2 to obtain a first matching group. The first matching group includes the same CAG IDs in List 1 and List 2. The UE matches List 1 and List 2, that is, the UE determines a first matching group, and the first matching group includes at least one CAG ID. The CAG IDs in the first matching group belong to both list 1 and list 2 at the same time. The CAG IDs in the first matching group may be referred to as matched CAG IDs (selected matching CAG IDs).
In step 603, the UE sends a registration request message to the access network device. The registration request message includes a SUCI.
Before step 603, the UE computes the SUCI, an encapsulation of the permanent identity SUPI, so that an attacker eavesdropping on the air interface cannot obtain the SUPI. The SUPI is the permanent identity of the UE; that is, the UE encrypts the SUPI to obtain the SUCI.
The SUCI may include one or more of a SUPI type, a routing indicator, a protection scheme identifier, a home network public key identifier, and other information. The routing indicator and the home network public key identifier are not encrypted. The protection scheme identifier indicates the protection scheme used to generate the SUCI, that is, the scheme used to encrypt the SUPI. The routing indicator can be used to identify the UDM network element that can serve the UE.
Optionally, the UE sends first indication information to the access network device. The first indication information indicates that the UE requests access to a CAG.
The first indication information that the UE may send to the access network device indicates that the UE requests access to a CAG. Because the registration-related information in the registration request (RR) message is sent by the UE to the AMF network element, the access network device only forwards that information and cannot interpret it. By sending the first indication information to the access network device, the UE can therefore instruct the access network device to carry out the procedure corresponding to a UE requesting access to a CAG.
Optionally, the first indication information is carried in the registration request message or in another message. For example, the first indication information may be sent in a radio resource control (RRC) message. The first indication information may take various forms: for example, it may include the List 2 received by the UE, or it may occupy a particular field of the registration request message.
In step 604, the access network device sends the registration request message, which includes the SUCI, to the AMF network element. The registration request message may be sent over the N2 interface between the access network device and the AMF network element, that is, it may be an N2 message.
Optionally, the access network device may send second indication information to the AMF network element. For example, if the access network device receives the first indication information, it sends the second indication information to the AMF network element. The second indication information indicates that the UE requests access to the CAG service.
The second indication information may be carried in the registration request message or in another message.
Optionally, the access network device may send List 2 to the AMF network element; the second indication information may include List 2.
In step 605, the AMF network element sends the SUCI to the AUSF. The SUCI may be carried in a first identity authentication request message, which may be a Nausf_UEAuthentication_Authenticate Request message.
Optionally, the AMF may receive the second indication information and/or List 2.
In step 606, the AUSF network element sends the SUCI to the UDM/SIDF network element. The SUCI may be carried in a second identity authentication request message, which may be a Nudm_UEAuthentication_Get Request message.
In step 607, the UDM/SIDF network element decrypts the SUCI to obtain the SUPI, selects an authentication algorithm, and generates an authentication vector according to the selected algorithm.
Step 608 is the authentication procedure, used to authenticate the identity of the UE.
Specifically, the UDM/SIDF network element sends the authentication vector to the AUSF network element. The authentication vector may be carried in an identity authentication response message, which may be a Nudm_UEAuthentication_Get Response message.
The UE and the AUSF network element perform mutual authentication. The AUSF generates the key KSEAF and sends it to the SEAF network element. The SEAF network element derives the key KAMF from KSEAF and sends a KSI to the UE, where the KSI identifies the key KAMF, so the UE can determine KAMF from the KSI. The SEAF sends KAMF to the AMF. The SEAF may be deployed together with the AMF or separately from it. The embodiments of the present application do not limit the specific details and flow of the above authentication steps between the UE and the AUSF network element.
Through the above steps, the AMF network element and the UE share the key KAMF.
In steps 809-810a, the access network device and the UE establish access stratum security mode (AS SM).
Before step 809, the AMF computes the key KgNB and sends it to the access network device. KgNB is derived from KAMF. From KgNB, the UE and the access network device can derive the integrity key and the confidentiality key used between them, and so apply integrity protection and confidentiality protection to the messages exchanged between the UE and the access network device. Confidentiality protection means that the sender encrypts the information and the receiver decrypts it.
In step 809, the access network device sends an AS security mode command message to the UE. The AS security mode command message is integrity protected.
In step 810a, the UE sends an AS security mode complete message to the access network device. The AS security mode complete message is confidentiality and integrity protected.
Optionally, the AS security mode complete message may include the first matching group, so that the first matching group reaches the access network device in encrypted form. In that case step 611 need not be performed.
Through steps 809-810a, the UE and the access network device establish a security context by way of the AS SMC procedure, and messages between the access network device and the UE can be transmitted encrypted. Under AS security mode, messages between the access network device and the UE can have both integrity protection and confidentiality protection.
It is also possible that the AS security mode complete message does not include the first matching group, in which case the first matching group is sent in step 810b. Step 810b is performed after the UE and the access network device have established the AS security context through the AS SMC procedure.
In step 810b, the UE sends the first matching group to the access network device in an uplink (UL) AS message. That is, the first matching group is sent under the protection of the AS security context.
Before step 814, the access network device decrypts the first matching group received in the AS security mode complete message or in the uplink AS message protected by the AS security context. The access network device decrypts it using the AS security context to obtain the decrypted first matching group.
In some embodiments, before step 814, the access network device may check the first matching group.
Optionally, the access network device may match the first matching group against List 2 and remove from the first matching group any CAG ID that is not in List 2, obtaining a new first matching group.
Optionally, the access network device receives the first matching group sent by the UE and determines whether the CAG IDs in the first matching group are in List 2, the list of CAG IDs supported by the access network device. If the first matching group belongs to List 2, that is, its CAG IDs are all in List 2, the access network device sends the first matching group to the AMF network element. Otherwise, the access network device does not send the first matching group; optionally, it rejects the access of the UE.
In other embodiments, the AMF network element may match the first matching group against List 2.
The AMF network element may be preconfigured with List 2, or it may receive List 2 from the access network device, for example in step 604. The AMF network element may then match List 2, List 3 and the first matching group, that is, determine a second matching group consisting of the CAG IDs common to List 2, List 3 and the first matching group.
Alternatively, neither the access network device nor the AMF matches the first matching group against List 2.
In step 814, the access network device sends the decrypted first matching group to the AMF network element. The decrypted first matching group may be the checked first matching group. The first matching group may be sent in an N2 message. The second matching group includes the identifiers of the CAGs that the UE is allowed to access.
In step 612, the AMF network element receives List 3 from the UDM network element. List 3 includes the CAG IDs that the network side allows the UE to access. The AMF network element may receive subscription data from the UDM network element, and the subscription data includes List 3.
The embodiments of the present application do not limit the order of step 814 and step 612.
Optionally, before step 612, the AMF network element may send a subscription data request to the UDM network element and obtain the subscription data corresponding to the UE from it. The subscription data includes List 3, which includes the CAG IDs that the network side allows the UE to access.
In step 613, the AMF matches List 3 against the first matching group to determine whether a second matching group exists. List 3 includes the CAG IDs of the second matching group, and so does the first matching group; that is, the AMF takes the CAG IDs common to List 3 and the first matching group as the CAG IDs of the second matching group.
If a second matching group exists, the UE is allowed to access the CAG service corresponding to the CAG IDs in the second matching group.
In step 615, the AMF network element sends a registration response message to the UE. The registration response message may be a registration accept message or a registration reject message.
If the UE is allowed access, the AMF network element sends a registration accept message to the UE. Optionally, the AMF network element sends the second matching group, that is, the CAG IDs the UE is allowed to access, to the UE.
If the UE is not allowed access, the AMF network element sends a registration reject message to the UE. Optionally, the registration reject message includes verification failure indication information, which indicates that the CAG ID verification failed. The verification failure indication information may thus indicate the reason for the registration rejection, namely that the CAG ID verification did not pass.
Optionally, the registration response message may be a downlink NAS message sent by the AMF to the UE.
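The three list operations in the flow above (step 602 at the UE, the optional check at the access network device before step 814, and step 613 at the AMF) are set intersections and a subset test. The Go program below, added here as an illustration and not code from the patent or from any network function implementation, carries one registration through all three. The CAG ID strings, the three lists and the reject cause text are constructed sample data; the page does not fix the CAG ID format.

```go
package main

import (
	"fmt"
	"sort"
)

// intersect returns the CAG IDs found in both a and b, de-duplicated and sorted
// so that the result does not depend on the order either side listed them in.
func intersect(a, b []string) []string {
	inB := make(map[string]bool, len(b))
	for _, id := range b {
		inB[id] = true
	}
	seen := make(map[string]bool)
	out := []string{}
	for _, id := range a {
		if inB[id] && !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// subsetOf reports whether every CAG ID in sub also appears in super.
func subsetOf(sub, super []string) bool {
	inSuper := make(map[string]bool, len(super))
	for _, id := range super {
		inSuper[id] = true
	}
	for _, id := range sub {
		if !inSuper[id] {
			return false
		}
	}
	return true
}

// ueFirstMatchingGroup is step 602: List 1 (configured in the UE) against
// List 2 (broadcast by the cell).
func ueFirstMatchingGroup(list1, list2 []string) []string {
	return intersect(list1, list2)
}

// ranCheck is the optional check at the access network device before step 814.
// It returns the pruned group (the variant that drops IDs outside List 2) and
// whether the strict variant (forward only if every ID is in List 2) accepts.
func ranCheck(first, list2 []string) (pruned []string, accept bool) {
	pruned = intersect(first, list2)
	accept = len(first) > 0 && subsetOf(first, list2)
	return pruned, accept
}

// Decision is what the AMF answers with in step 615.
type Decision struct {
	Accept  bool
	Allowed []string // second matching group, carried in the registration accept
	Cause   string   // verification failure indication, carried in the reject
}

// amfDecide is step 613: List 3 (subscription data from the UDM) against the
// first matching group. An empty second matching group means the CAG ID
// verification failed and the registration is rejected.
func amfDecide(first, list3 []string) Decision {
	second := intersect(first, list3)
	if len(second) == 0 {
		return Decision{Cause: "CAG ID verification failed"}
	}
	return Decision{Accept: true, Allowed: second}
}

func main() {
	// Constructed sample lists, not values taken from the page.
	list1 := []string{"cag-a", "cag-b", "cag-c"} // configured in the UE
	list2 := []string{"cag-b", "cag-c", "cag-d"} // broadcast by the cell
	list3 := []string{"cag-c", "cag-e"}          // allowed by the subscription

	first := ueFirstMatchingGroup(list1, list2)
	pruned, ok := ranCheck(first, list2)
	fmt.Println("first matching group:", first, "RAN accepts:", ok)
	fmt.Printf("AMF decision: %+v\n", amfDecide(pruned, list3))

	// A UE that claims a CAG ID its cell never advertised is caught at the
	// access network device, before the AMF and UDM are involved at all.
	_, ok = ranCheck([]string{"cag-a"}, list2)
	fmt.Println("RAN accepts a claim outside List 2:", ok)
}
```

The strict RAN variant rejects an empty first matching group as well as one containing foreign IDs, since a UE with nothing in common with the cell has no CAG to register for; the pruning variant instead lets the AMF make that call on whatever survives.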
In other embodiments, the first matching group may instead be encrypted with another public key of the access network device. The UE may be preconfigured with the public key of the access network device, or may receive it from the access network device; for example, the access network device may broadcast its public key.
Optionally, before step 810a, the UE may receive protection indication information, which instructs the UE to send the first matching group in encrypted form.
Sending the encrypted first matching group under AS SM, or in the AS SMC complete message, prevents information leakage while having little impact on the procedure by which the UE accesses the CAG.
FIG. 11 is a schematic flowchart of a communication method provided by an embodiment of the present application.
During access of the UE to a CAG, after the UE receives a registration reject message it deletes the CAG IDs of the first matching group from List 1. If an attacker can forge registration reject messages, the attacker may, by forging several reject messages, cause the UE to empty List 1. Once List 1 is empty, the UE cannot use the CAG service.
If the check at the AMF network element or at the UDM network element fails, that is, there is no CAG ID the UE is allowed to access, the AMF needs to send a registration reject message to the UE.
If the AMF network element determines that there is no CAG ID the UE is allowed to access, the AMF network element sends a registration reject message to the UE.
If the UDM network element determines that there is no CAG ID the UE is allowed to access, the UDM network element sends verification failure information to the AMF network element, and the AMF network element sends a registration reject message to the UE according to that information.
After the UE identity authentication is complete, the UE and the AMF network element share the key KAMF.
If NAS SM establishment has completed, a security context between the UE and the AMF network element, the NAS security context, exists. The AMF network element may then send the registration reject message to the UE in a NAS message protected by the NAS security context. Messages protected by the NAS security context are confidentiality and integrity protected, which prevents the attacker from forging them. Alternatively, the AMF network element may send the registration reject message to the UE through steps 901-902.
In addition, regardless of whether the NAS security context has been established, the AMF network element may send the registration reject message to the UE through steps 901-902.
Before step 901, UE identity authentication has been performed, and the UE and the AMF network element share the key KAMF.
In step 901, the AMF network element determines that the verification failed and computes a MAC.
Before step 901, the AMF network element may receive a verification failure message from the UDM and determine from it that the verification failed. Alternatively, the AMF network element may perform the verification itself and determine that it failed; for verification by the AMF, see FIG. 2, FIG. 7 and FIG. 9.
The AMF network element first computes the MAC based on the key KAMF.
A MAC, also called a message authentication code, is a short piece of information produced by a specific algorithm and used to check the integrity of a message. The MAC can be used for authentication: it detects whether the content was altered in transit and, at the same time, authenticates the source of the message.
The AMF network element computes the MAC with a message authentication code function.
The input parameters of the message authentication code function include the key KAMF and may further include at least one of: reject indication information, ngKSI, the NAS uplink counter, the NAS downlink counter, the first matching group, an anti-bidding down between architectures (ABBA) parameter, the AMF ID, the AMF set ID, the SUCI, the SUPI, a fresh parameter chosen at random by the AMF, the serving network identifier, and so on. The fresh parameter chosen at random by the AMF may be, for example, a number used once (nonce) or another random number. The serving network identifier identifies the serving network in which the AMF is located. The first matching group includes the CAG IDs the UE requested access to. The reject indication information indicates the reason for the registration rejection, for example that the verification of the identifiers of the CAGs the UE requested access to failed, or simply that the registration request of the UE is rejected. Other reasons for registration rejection include other verification failures, authentication failures, and the like.
In step 902, the AMF network element sends a registration reject message to the UE.
The registration reject message includes the MAC.
The registration reject message may further include the reject indication information.
The registration reject message may further include the ngKSI, which indicates KAMF.
The registration reject message may further include at least one of the input parameters of the message authentication code function other than KAMF. For example, it may include at least one of: the NAS uplink counter, the NAS downlink counter, the first matching group, the ABBA parameter, the AMF ID, the AMF set ID, the SUCI, the SUPI, the fresh parameter chosen at random by the AMF, the serving network identifier, and so on. The first matching group is determined by the UE from the CAG ID List 1 configured in the UE and the CAG ID List 2 supported by the access network device, and includes the CAG IDs present in both List 1 and List 2.
The AMF network element may also send input parameters of the message authentication code function to the UE in other messages; for example, during identity authentication the AMF network element sends the ngKSI to the UE.
The UE may also hold input parameters of the message authentication code function itself. After determining the first matching group, the UE stores it; the UE may also store the SUCI, the SUPI, and so on. The AMF may send to the UE those input parameters of the message authentication code function that the UE does not already hold.
After step 902, the UE verifies the MAC: it computes the MAC using the message authentication code function and its input parameters.
The UE determines whether the verification passes by comparing the computed MAC with the MAC in the registration reject message.
If the computed MAC is the same as the MAC in the registration reject message, the verification passes, and the UE may delete the first matching group from the CAG ID List 1 configured in the UE.
If the computed MAC differs from the MAC in the registration reject message, the verification fails, and the UE determines that the registration reject message is forged.
Through steps 901-902, the AMF network element sends a MAC, and the UE can use it to determine whether the registration reject message is genuine, which prevents an attacker from modifying or forging registration reject messages.
FIG. 12 is a schematic flowchart of a communication method provided by an embodiment of the present application.
During access of the UE to a CAG, after the UE receives a registration reject message it deletes the CAG IDs of the first matching group from List 1. If an attacker can forge registration reject messages, the attacker may, by forging several reject messages, cause the UE to empty List 1. Once List 1 is empty, the UE cannot use the CAG service.
If the AMF/UDM network element determines that the verification failed, steps 1001-1003 are performed.
In step 1001, the AMF/UDM network element computes a digital signature.
In step 1002, the AMF/UDM network element sends the digital signature to the UE.
In the case where the UDM performs the verification (see FIG. 9) and the verification fails, the UDM may compute a digital signature based on the private key of the home network and the reject indication information.
Optionally, the UDM computes the digital signature with a digital signature function whose input parameters include the home network private key and may further include at least one of: the first matching group, the SUCI, the SUPI, a fresh parameter chosen at random by the UDM (a nonce, a random number, or the like), the serving network identifier (the serving network in which the AMF is located), the home network identifier, and the reject indication information. The first matching group includes the CAG IDs the UE requested access to. The reject indication information indicates the reason for the registration rejection, for example that the verification of the identifiers of the CAGs the UE requested access to failed, or that authentication failed.
The UDM network element sends the digital signature to the UE. The digital signature may be forwarded by the AMF network element and/or the AUSF network element.
Optionally, the UDM network element may send reject indication information to the AMF network element to indicate that the verification failed. The AMF then sends a registration reject message to the UE carrying the digital signature it received from the UDM.
The UE receives the registration reject message. The UE may verify the digital signature, that is, check its correctness, using the reject indication information corresponding to each possible rejection reason; alternatively, the UE may verify the digital signature using the reject indication information it received.
Optionally, the UDM network element may also send the identifier of the key used for signing to the UE through the AMF and/or the AUSF. Optionally, the UDM network element may also send a public key identifier, so that the UE can determine from it the public key to use when checking the digital signature.
Optionally, the UDM network element may also send an algorithm indication, from which the UE can determine the algorithm used to compute the digital signature.
Optionally, the parameters sent by the UDM network element may further include at least one of: the SUCI, the SUPI, the fresh parameter chosen at random by the UDM (a nonce, a random number, or the like), the serving network identifier (the serving network in which the AMF is located), the home network identifier, the reject indication information, and so on. The UDM and/or AMF network element may also send other parameters that the UE does not hold, so that the UE can verify the digital signature correctly.
对于AMF网元进行校验的情况,AMF网元校验不通过,可以基于AMF的私钥,对拒绝指示信息计算数字签名。In the case of verification of the AMF network element, if the verification of the AMF network element fails, a digital signature can be calculated for the rejection indication information based on the private key of the AMF.
AMF网元进行校验,参见图2、图8、图10。AMF校验不通过,AMF可以基于AMF的私钥和拒绝指示信息计算数字签名。The AMF network element performs verification, see Figure 2, Figure 8, and Figure 10. If the AMF verification fails, the AMF can calculate the digital signature based on the AMF's private key and rejection indication information.
Optionally, the AMF computes the digital signature with a digital signature function. The input parameters of the digital signature function include the private key held by the AMF. The input parameters may further include at least one of the following: the first matching group, the SUCI, the SUPI, a fresh parameter randomly selected by the AMF (a nonce, a random number, etc.), the serving network identifier (the serving network in which the AMF is located), the AMF public key identifier, and the rejection indication information.
In step 1002, the AMF network element sends a registration reject message to the UE.
The registration reject message includes the digital signature.
The registration reject message may further include the rejection indication information.
The registration reject message may further include the identifier of the key used to compute the digital signature; from the key identifier the UE can determine the corresponding AMF public key and thereby verify the digital signature.
The registration reject message may further include at least one of the input parameters of the digital signature function other than the AMF public key. For example, the registration reject message may include at least one of the following: the first matching group, the SUCI, the SUPI, a fresh parameter randomly selected by the UDM (a nonce, a random number, etc.), a fresh parameter randomly selected by the AMF (a nonce, a random number, etc.), the serving network identifier (the serving network in which the AMF is located), the AMF public key identifier, and the rejection indication information.
In step 1003, the UE verifies the correctness of the digital signature.
The UE receives the digital signature and verifies it. If the verification passes, the UE determines that it is not allowed to access the CAGs corresponding to the CAG IDs in the first matching group.
The UE holds the public key of the home network. The specific way in which the home network public key is obtained is not limited.
If the verification passes, the UE may delete the first matching group from CAG ID list 1 configured for the UE.
If the verification fails, the UE determines that the registration reject message is a forged message.
Through steps 1001 to 1003, the AMF/UDM network element sends a digital signature, and the UE uses it to determine whether the registration reject message is genuine. This prevents an attacker from modifying or forging the registration reject message and thus protects the rejection indication information.
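The signed registration reject of steps 1001 to 1003, as an added Go example that is not part of the patent: the AMF side serialises the listed parameters (first matching group, SUCI, AMF nonce, serving network identifier, key identifier, rejection indication) and signs them with its private key; the UE side looks up the public key by key identifier, verifies the signature, and only then removes the first matching group from its CAG ID list, treating a failed verification as a forged message. Ed25519, the field encoding, the struct and function names, and the sample values are this example's assumptions; the patent names the parameters but fixes neither a signature algorithm nor an encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RejectMessage carries the parameters the text lists as signature inputs.
// The field set, encoding and Ed25519 are assumptions of this example; the
// patent names the parameters but fixes neither an encoding nor an algorithm.
type RejectMessage struct {
	MatchingGroup   []uint32 // CAG IDs of the first matching group
	SUCI            string
	Nonce           [16]byte // fresh parameter chosen by the AMF
	ServingNetwork  string   // serving network identifier
	KeyID           uint8    // tells the UE which AMF public key to use
	RejectIndicator uint8    // rejection indication information
	Signature       []byte
}

// signingInput serialises every field except the signature with explicit
// length prefixes, so two different messages never share one byte string.
func signingInput(m *RejectMessage) []byte {
	var b bytes.Buffer
	writeStr := func(s string) {
		binary.Write(&b, binary.BigEndian, uint16(len(s)))
		b.WriteString(s)
	}
	binary.Write(&b, binary.BigEndian, uint16(len(m.MatchingGroup)))
	binary.Write(&b, binary.BigEndian, m.MatchingGroup)
	writeStr(m.SUCI)
	b.Write(m.Nonce[:])
	writeStr(m.ServingNetwork)
	b.WriteByte(m.KeyID)
	b.WriteByte(m.RejectIndicator)
	return b.Bytes()
}

// AMF side (steps 1001 and 1002): sign the reject with the AMF private key.
func SignReject(priv ed25519.PrivateKey, m *RejectMessage) {
	m.Signature = ed25519.Sign(priv, signingInput(m))
}

// UE side (step 1003). trusted maps key identifiers to the public keys the UE
// already holds. On success the first matching group is removed from cagList
// and the pruned list is returned; on any failure the message is treated as
// forged and cagList is returned unchanged.
func VerifyReject(trusted map[uint8]ed25519.PublicKey, m *RejectMessage, cagList []uint32) ([]uint32, error) {
	pub, ok := trusted[m.KeyID]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return cagList, errors.New("unknown key identifier")
	}
	if !ed25519.Verify(pub, signingInput(m), m.Signature) {
		return cagList, errors.New("bad signature: registration reject treated as forged")
	}
	denied := make(map[uint32]bool, len(m.MatchingGroup))
	for _, id := range m.MatchingGroup {
		denied[id] = true
	}
	kept := make([]uint32, 0, len(cagList))
	for _, id := range cagList {
		if !denied[id] {
			kept = append(kept, id)
		}
	}
	return kept, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample values; the SUCI and serving network id are placeholders.
	msg := &RejectMessage{MatchingGroup: []uint32{1001, 1002}, SUCI: "suci-placeholder",
		ServingNetwork: "serving-network-placeholder", KeyID: 7, RejectIndicator: 1}
	rand.Read(msg.Nonce[:])
	SignReject(priv, msg)
	trusted := map[uint8]ed25519.PublicKey{7: pub}
	ueList := []uint32{1001, 1002, 1003}
	fmt.Println(VerifyReject(trusted, msg, ueList)) // [1003] <nil>
	msg.RejectIndicator = 2 // any change after signing invalidates the signature
	fmt.Println(VerifyReject(trusted, msg, ueList)) // list unchanged, error returned
}
```

The key identifier lookup is what makes the scheme usable across AMF key rollover: the UE keeps the keys it already trusts and never accepts a key carried in the reject itself, so a forged message cannot supply its own verification key.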
The method embodiments of the present application have been described above with reference to FIGS. 1 to 12; the apparatus embodiments are described below with reference to FIGS. 13 to 18. It should be understood that the descriptions of the method embodiments and of the apparatus embodiments correspond to each other, so for parts not described in detail, reference may be made to the foregoing method embodiments.
FIG. 13 is a schematic structural diagram of a user equipment provided by an embodiment of the present application. The user equipment 1300 includes an encryption module 1310 and a transceiver module 1320.
The encryption module 1310 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes identifiers of one or more groups that the UE requests to access.
The transceiver module 1320 is configured to send the encrypted first group list.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message.
Optionally, the transceiver module 1320 is configured to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
Optionally, the transceiver module 1320 is further configured to receive a registration reject message sent by the first network device, where the registration reject message includes a message authentication code.
The user equipment 1300 further includes a verification module configured to verify the registration reject message according to the message authentication code.
FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of the present application. The network device 1400 includes a transceiver module 1410, a decryption module 1420 and a determining module 1430.
The transceiver module 1410 is configured to receive the encrypted first group list sent by the user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access.
The decryption module 1420 is configured to decrypt the encrypted first group list to obtain the first closed access service identifier group.
The determining module 1430 is configured to determine the subscribed group list stored by the UDM network element.
The determining module 1430 is further configured to determine a second group list according to the first group list and the subscribed group list, where the second group list includes identifiers of the groups that the UE is allowed to access.
The transceiver module 1410 is further configured to send the second group list to the access network device when the second group list exists.
Optionally, the transceiver module 1410 is configured to receive the encrypted first group list that the UE sends through a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the network device 1400 further includes a computing module configured to compute a message authentication code from the shared key between the UE and the first network device when no second group list exists.
The transceiver module 1410 is further configured to send a registration reject message to the access network device, where the message authentication code is used by the UE to verify the registration reject message.
Optionally, the transceiver module 1410 is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device.
The determining module 1430 is configured to determine the second group list according to the first group list, the third group list and the subscribed group list.
FIG. 15 is a schematic structural diagram of an access network device provided by an embodiment of the present application. The access network device 1500 includes a transceiver module 1510 and a generating module 1520.
The transceiver module 1510 is configured to receive the encrypted first group list sent by the user equipment (UE), where the first closed access service identifier group includes identifiers of one or more groups that the UE requests to access.
The transceiver module 1510 is further configured to send the encrypted first group list.
The transceiver module 1510 is further configured to receive the second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.
The generating module 1520 is configured to generate quality of service (QoS) information of the one or more groups according to the identifiers of the one or more groups.
The transceiver module 1510 is further configured to send the QoS information to the UE.
FIG. 16 is a schematic structural diagram of a network device provided by an embodiment of the present application. The network device 1600 includes a processor 1610 and a communication interface 1620.
The communication interface 1620 is configured to receive the encrypted first group list sent by the user equipment (UE), where the first group list includes identifiers of one or more groups that the UE requests to access.
The processor 1610 is configured to decrypt the encrypted first group list to obtain the first closed access service identifier group.
The processor 1610 is further configured to determine the subscribed group list stored by the UDM network element.
The processor 1610 is further configured to determine a second group list according to the first group list and the subscribed group list, where the second group list includes identifiers of the groups that the UE is allowed to access.
The communication interface 1620 is configured to send the second group list to the access network device when the second group list exists.
Optionally, the communication interface 1620 is configured to receive the encrypted first group list that the UE sends through a non-access stratum (NAS) security mode (SM) complete message.
Optionally, the processor 1610 is further configured to compute a message authentication code from the shared key between the UE and the first network device when no second group list exists.
The communication interface 1620 is further configured to send a registration reject message to the access network device, where the message authentication code is used by the UE to verify the registration reject message.
Optionally, the communication interface 1620 is further configured to receive a third group list sent by the access network device, where the third group list includes identifiers of the groups supported by the access network device.
The processor 1610 is configured to determine the second group list according to the first group list, the third group list and the subscribed group list.
FIG. 17 is a schematic structural diagram of a user equipment provided by an embodiment of the present application. The user equipment 1700 includes a processor 1710 and a communication interface 1720.
The processor 1710 is configured to encrypt the first group list using the non-access stratum (NAS) security context to obtain an encrypted first group list, where the first group list includes identifiers of one or more groups that the UE requests to access.
The communication interface 1720 is configured to send the encrypted first group list.
Optionally, the communication interface 1720 is configured to send the encrypted first group list to the first network device through a NAS security mode (SM) complete message.
Optionally, the communication interface 1720 is configured to send the encrypted first group list through an uplink NAS message protected by the NAS security context.
Optionally, the communication interface 1720 is further configured to receive a registration reject message sent by the first network device, where the registration reject message includes a message authentication code.
The processor 1710 is further configured to verify the registration reject message according to the message authentication code.
FIG. 18 is a schematic structural diagram of an access network device provided by an embodiment of the present application. The access network device 1800 includes a communication interface 1810.
The communication interface 1810 is configured to receive the encrypted first group list sent by the user equipment (UE), where the first closed access service identifier group includes identifiers of one or more groups that the UE requests to access.
The communication interface 1810 is further configured to send the encrypted first group list.
The communication interface 1810 is further configured to receive the second group list sent by the first network device, where the second group list includes identifiers of one or more groups that the UE is allowed to access.
The communication interface 1810 is further configured to send quality of service (QoS) information of the one or more groups to the UE.
Optionally, the access network device 1800 includes a processor configured to generate the QoS information of the one or more groups according to the second group list.
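The apparatus behaviour described for FIGS. 13 to 18 above, as an added Go example that is not the patent's own code: the UE encrypts the first group list under the NAS security context, the first network device decrypts it and intersects it with the subscribed group list and the access network's third group list to form the second group list, and when no second list exists it computes a message authentication code over the registration reject that the UE then verifies. AES-GCM standing in for NAS ciphering, HMAC-SHA256 for the message authentication code, the list encoding, and all names and sample values are assumptions of this example; the patent specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// NASContext stands in for the NAS security context shared by the UE and the
// first network device (assumed algorithms: AES-128-GCM and HMAC-SHA256).
type NASContext struct {
	CipherKey    []byte // 16 bytes
	IntegrityKey []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// UE side: encrypt the first group list (identifiers encoded as 4-byte
// big-endian values, an assumed encoding). Output is nonce || ciphertext || tag.
func EncryptGroupList(ctx NASContext, requested []uint32) ([]byte, error) {
	aead, err := newAEAD(ctx.CipherKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var plain bytes.Buffer
	binary.Write(&plain, binary.BigEndian, requested)
	return aead.Seal(nonce, nonce, plain.Bytes(), nil), nil
}

// First network device side: decrypt the first group list and keep the requested
// identifiers present in both the subscribed group list (UDM) and the third group
// list (access network). Request order is kept; empty means no second group list.
func DetermineSecondList(ctx NASContext, encrypted []byte, subscribed, supported []uint32) ([]uint32, error) {
	aead, err := newAEAD(ctx.CipherKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(encrypted) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	plain, err := aead.Open(nil, encrypted[:n], encrypted[n:], nil)
	if err != nil {
		return nil, err // wrong key, or the list was modified in transit
	}
	if len(plain)%4 != 0 {
		return nil, fmt.Errorf("malformed group list")
	}
	requested := make([]uint32, len(plain)/4)
	binary.Read(bytes.NewReader(plain), binary.BigEndian, requested)
	membership := map[uint32]int{} // bit 1: subscribed, bit 2: supported
	for _, id := range subscribed {
		membership[id] |= 1
	}
	for _, id := range supported {
		membership[id] |= 2
	}
	second := []uint32{}
	for _, id := range requested {
		if membership[id] == 3 {
			second = append(second, id)
		}
	}
	return second, nil
}

// No second group list: the network authenticates the registration reject with
// the shared integrity key; the UE recomputes the MAC and compares in constant time.
func RejectMAC(ctx NASContext, rejectBody []byte) []byte {
	mac := hmac.New(sha256.New, ctx.IntegrityKey)
	mac.Write(rejectBody)
	return mac.Sum(nil)
}

func VerifyRejectMAC(ctx NASContext, rejectBody, tag []byte) bool {
	return hmac.Equal(RejectMAC(ctx, rejectBody), tag)
}

func main() {
	ctx := NASContext{CipherKey: []byte("0123456789abcdef"), IntegrityKey: []byte("example-integrity-key")} // constructed demo keys
	enc, _ := EncryptGroupList(ctx, []uint32{10, 20, 30})
	fmt.Println(DetermineSecondList(ctx, enc, []uint32{10, 30, 40}, []uint32{30, 40})) // [30] <nil>
}
```

Because the list is carried as an AEAD ciphertext, the access network that forwards it learns nothing about which groups the UE asked for, and any bit flipped in transit makes the decryption fail rather than yield a different list; the MAC on the reject gives the UE the same tamper evidence in the direction where the network has no second list to send.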
An embodiment of the present application provides a computer program storage medium that holds program instructions; when the program instructions are executed, the functions of any one of the first network device, the access network device and the user equipment in the methods above are implemented.
An embodiment of the present application provides a chip including at least one processor; when program instructions are executed by the at least one processor, the functions of any one of the first network device, the access network device and the user equipment in the methods above are implemented.
An embodiment of the present application provides a communication system including the foregoing first network device, user equipment and access network device.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. A skilled person may implement the described functionality in different ways for each particular application, and such implementations should not be considered to go beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are only specific embodiments of the present application, and the protection scope of the present application is not limited to them. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (20)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910511766.9A CN112087724A (en) | 2019-06-13 | 2019-06-13 | A communication method, network equipment, user equipment and access network equipment |
| PCT/CN2020/076975 WO2020248624A1 (en) | 2019-06-13 | 2020-02-27 | Communication method, network device, user equipment and access network device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910511766.9A CN112087724A (en) | 2019-06-13 | 2019-06-13 | A communication method, network equipment, user equipment and access network equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112087724A true CN112087724A (en) | 2020-12-15 |
Family
ID=73733715
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910511766.9A Pending CN112087724A (en) | 2019-06-13 | 2019-06-13 | A communication method, network equipment, user equipment and access network equipment |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112087724A (en) |
| WO (1) | WO2020248624A1 (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101945390A (en) * | 2009-07-08 | 2011-01-12 | 华为技术有限公司 | Admission control method and device |
| CN102045648A (en) * | 2009-10-15 | 2011-05-04 | 中兴通讯股份有限公司 | Closed subscriber group white list transmitting method, device and system |
| CN102056109A (en) * | 2010-12-28 | 2011-05-11 | 北京握奇数据系统有限公司 | Methods for group sending and returning short message services (SMSs) and telecom smart card |
| US8072953B2 (en) * | 2007-04-24 | 2011-12-06 | Interdigital Technology Corporation | Wireless communication method and apparatus for performing home Node-B identification and access restriction |
| US8082000B2 (en) * | 2009-05-12 | 2011-12-20 | Motorola Mobility, Inc. | Method of selecting a private cell for providing communication to a communication device and a communication device |
| US9986420B2 (en) * | 2014-07-08 | 2018-05-29 | Alcatel-Lucent Usa Inc. | Validating cell access mode |
| CN109716809A (en) * | 2016-09-23 | 2019-05-03 | 高通股份有限公司 | Access stratum safety for efficient packet transaction |
| CN109788474A (en) * | 2017-11-14 | 2019-05-21 | 华为技术有限公司 | A kind of method and device of message protection |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008152611A1 (en) * | 2007-06-15 | 2008-12-18 | Nokia Corporation | Apparatus, method and computer program product providing transparent container |
| CN104469977B (en) * | 2014-09-10 | 2019-01-25 | 北京佰才邦技术有限公司 | Mobile communication method, device and system |
| CN110536293B (en) * | 2019-08-15 | 2024-10-18 | 中兴通讯股份有限公司 | Method, device and system for accessing closed access group |
- 2019-06-13 CN CN201910511766.9A patent/CN112087724A/en active Pending
- 2020-02-27 WO PCT/CN2020/076975 patent/WO2020248624A1/en not_active Ceased
Non-Patent Citations (2)
| Title |
|---|
| 3GPP: "3rd Generation Partnership Project;Technical Specification Group Services and System Aspects;Study on security for 5GS enhanced support of Vertical and LAN Services(Release 16)", 《3GPP TR 33.819 V1.0.0》 * |
| VODAFONE GROUP PLC: "Comments on S3-160007 CR to 33.401 to add NB-IoT keys and processes", 《3GPP TSG-SA3 MEETING #82,S3-160223》 * |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022147803A1 (en) * | 2021-01-08 | 2022-07-14 | 华为技术有限公司 | Secure communication method and device |
| WO2022174729A1 (en) * | 2021-02-20 | 2022-08-25 | 华为技术有限公司 | Method for protecting identity identification privacy, and communication apparatus |
| WO2022193220A1 (en) * | 2021-03-18 | 2022-09-22 | Zte Corporation | Method, device, and system for core network device re-allocation in wireless network |
| CN115314841A (en) * | 2021-05-06 | 2022-11-08 | 华为技术有限公司 | Communication method and communication device |
| WO2023040728A1 (en) * | 2021-09-14 | 2023-03-23 | 华为技术有限公司 | Network element selection method, communication apparatus, and communication system |
| CN114785544A (en) * | 2022-03-12 | 2022-07-22 | 海南电网有限责任公司 | Method for improving management plane system safety access service plane system in network system |
| CN114785544B (en) * | 2022-03-12 | 2024-07-02 | 海南电网有限责任公司 | Method for improving safety access service surface system of management surface system in network system |
| WO2023216961A1 (en) * | 2022-05-07 | 2023-11-16 | 维沃移动通信有限公司 | Privacy protection information processing method and apparatus, and communication device |
| CN115589589A (en) * | 2022-09-20 | 2023-01-10 | 梁健堂 | 5G private network construction method and device based on PNI-NPN |
| CN117295138A (en) * | 2023-10-17 | 2023-12-26 | 泸州卓远液压有限公司 | Control method and device for hydraulic equipment cluster |
| CN117221884A (en) * | 2023-11-08 | 2023-12-12 | 深圳简谱技术有限公司 | Base station system information management method and system |
| CN117221884B (en) * | 2023-11-08 | 2024-02-23 | 深圳简谱技术有限公司 | Base station system information management method and system |
| WO2025162178A1 (en) * | 2024-01-29 | 2025-08-07 | 中兴通讯股份有限公司 | Information transmission method, handover method, management network element, service node, system, and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2020248624A1 (en) | 2020-12-17 |
Similar Documents
| Publication | Title |
|---|---|
| US11856402B2 (en) | Identity-based message integrity protection and verification for wireless communication |
| US12166897B2 (en) | Authentication mechanism for 5G technologies |
| US11122428B2 (en) | Transmission data protection system, method, and apparatus |
| CN112087724A (en) | A communication method, network equipment, user equipment and access network equipment |
| US10694376B2 (en) | Network authentication method, network device, terminal device, and storage medium |
| KR101554396B1 (en) | Method and apparatus for binding subscriber authentication and device authentication in communication systems |
| CN108012264B (en) | Encrypted IMSI-based scheme for 802.1x bearer hotspot and Wi-Fi call authentication |
| JP2023539174A (en) | Privacy of relay selection in sliced cellular networks |
| US10027636B2 (en) | Data transmission method, apparatus, and system |
| US11082843B2 (en) | Communication method and communications apparatus |
| WO2013165695A1 (en) | Secure communications for computing devices utilizing proximity services |
| JP2011524669A (en) | Control signal encryption method |
| US20250056219A1 (en) | Negotiation of security mechanisms that implement combined integrity and encryption algorithms |
| WO2022134089A1 (en) | Method and apparatus for generating security context, and computer-readable storage medium |
| CN114245372B (en) | Authentication method, device and system |
| US20260032443A1 (en) | Communication method and communication apparatus |
| WO2025139994A1 (en) | Communication method and apparatus |
| US20250055678A1 (en) | Key generation for combined integrity and encryption algorithms |
| GB2637518A (en) | Partial user plane protection in mobile networks |
| WO2025026232A1 (en) | Session establishment method and related apparatus |
| WO2025031156A1 (en) | Communication method and communication apparatus |
| Rani et al. | Study on threats and improvements in LTE Authentication and Key Agreement Protocol |
| CN116918300A (en) | Methods for operating cellular networks |
| HK1179799A (en) | Method and apparatus for binding subscriber authentication and device authentication in communication systems |
| HK1179799B (en) | Method and apparatus for binding subscriber authentication and device authentication in communication systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20201215 |