EP-4120619-B1 - COMMUNICATION SYSTEM, METHOD AND APPARATUS
Inventors
- LI, HE
- WU, RONG
- WU, Yizhuang
Dates
- Publication Date
- 20260506
- Application Date
- 20210330
Claims (15)
- A communication system, wherein the system is configured to implement authentication and key management for applications, AKMA, service-based data transmission between a terminal device (101) and an application function network element (106), and the system comprises an AKMA anchor function network element (104) and a network exposure function network element (105), wherein the network exposure function network element (105) is configured to: receive (602, 802) second identification information from the application function network element (106); send (604, 804) a first request message to a unified data management network element (103) when determining that the application function network element (106) authorizes the network exposure function network element (105) to request a key, wherein the first request message, comprising the second identification information, requests the unified data management network element (103) to determine first identification information based on the second identification information; and receive (605, 805) a first response message from the unified data management network element (103), wherein the first response message comprises the first identification information; wherein the first identification information is used to determine an authentication server function network element (102) corresponding to the terminal device (101), and send (606, 806) the first identification information to the AKMA anchor function network element (104); and the AKMA anchor function network element (104) is configured to obtain (608), from the unified data management network element (103) based on the first identification information, identification information of the authentication server function network element (102) corresponding to the terminal device (101).
- The system according to claim 1, wherein the second identification information comprises identification information of a key of the AKMA service, and the first identification information comprises a subscriber permanent identifier, SUPI, of the terminal device (101).
- The system according to claim 1, wherein the second identification information comprises identification information of a key of the AKMA service and temporary identity information of the terminal device (101), and the first identification information comprises an SUPI of the terminal device (101).
- The system according to claim 2 or 3, wherein when being configured to obtain, from the unified data management network element (103) based on the first identification information, the identification information of the authentication server function network element (102) corresponding to the terminal device (101), the AKMA anchor function network element (104) is specifically configured to: send a second request message to the unified data management network element (103), wherein the second request message comprises the SUPI of the terminal device (101), and the second request message requests the unified data management network element (103) to determine, based on the SUPI of the terminal device (101), the identification information of the authentication server function network element (102) corresponding to the terminal device (101); and receive a second response message from the unified data management network element (103), wherein the second response message comprises the identification information of the authentication server function network element (102) corresponding to the terminal device (101).
- The system according to any one of claims 1 to 3, wherein the authentication server function network element (102) corresponding to the terminal device (101) is an authentication server function network element (102) corresponding to an intermediate key of the terminal device (101), and stores the intermediate key generated by the authentication server function network element (102) in a primary authentication process.
- A communication method, wherein the method is used to implement AKMA service-based data transmission between a terminal device (101) and an application function network element (106), and the method comprises: receiving (606, 806), by an AKMA anchor function network element (104), first identification information from a network exposure function network element (105); wherein the first identification information comprises an SUPI of the terminal device (101); and sending (607, 807), by the AKMA anchor function network element (104), a second request message to a unified data management network element (103), wherein the second request message comprises the SUPI of the terminal device (101); and receiving (608, 808), by the AKMA anchor function network element (104), a second response message from the unified data management network element (103), wherein the second response message comprises identification information of an authentication server function network element (102) corresponding to the terminal device (101).
- The method according to claim 6, wherein the second response message further comprises subscription data of an AKMA service of the terminal device (101).
- The method according to claim 6 or 7, wherein the method further comprises: receiving (808), by the AKMA anchor function network element (104), an identifier of the application function network element (106) from the network exposure function network element (105); obtaining (611, 811), by the AKMA anchor function network element (104) from the authentication server function network element (102) corresponding to the terminal device (101), a key that is of the AKMA service and that is identified by identification information of the key of the AKMA service; generating (612, 812), by the AKMA anchor function network element (104), a communication key between the application function network element (106) and the terminal device (101) based on the identifier of the application function network element (106) and the key of the AKMA service; and sending (613, 614), by the AKMA anchor function network element (104), the communication key to the application function network element (106) by using the network exposure function network element (105).
- The method according to claim 8, wherein the method further comprises: performing, by the AKMA anchor function network element (104), authorization detection on the terminal device (101) or the application function network element (106), and when completing the authorization detection, determining (609, 809) the authentication server function network element (102) identified by the identification information of the authentication server function network element (102) corresponding to the terminal device (101).
- The method according to claim 6 or 7, wherein the authentication server function network element (102) corresponding to the terminal device (101) is an authentication server function network element (102) corresponding to an intermediate key of the terminal device (101), and stores the intermediate key generated by the authentication server function network element (102) in a primary authentication process.
- A communication method, wherein the method is used to implement AKMA service-based data transmission between a terminal device (101) and an application function network element (106), and the method comprises: receiving (602, 802), by a network exposure function network element (105), second identification information from the application function network element (106); sending (604, 804), by the network exposure function network element (105), a first request message to a unified data management network element (103) when determining that the application function network element (106) authorizes the network exposure function network element (105) to request a key, wherein the first request message, comprising the second identification information, requests the unified data management network element (103) to determine first identification information based on the second identification information; receiving (605, 805), by the network exposure function network element (105), a first response message from the unified data management network element (103), wherein the first response message comprises the first identification information; wherein the first identification information is used to determine an authentication server function network element (102) corresponding to the terminal device (101); and sending (606, 806), by the network exposure function network element (105), the first identification information to an AKMA anchor function network element (104).
- The method according to claim 11, wherein the second identification information comprises identification information of a key of the AKMA service, and the first identification information comprises an SUPI of the terminal device (101).
- The method according to claim 11, wherein the second identification information comprises identification information of a key of the AKMA service and temporary identity information of the terminal device (101), and the first identification information comprises an SUPI of the terminal device (101).
- The method according to any one of claims 11 to 13, wherein the authentication server function network element (102) corresponding to the terminal device (101) is an authentication server function network element corresponding to an intermediate key of the terminal device (101), and stores the intermediate key generated by the authentication server function network element (102) in a primary authentication process.
- A communication apparatus, comprising means for performing the method of any one of claims 6 to 10, or 11 to 14.
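The key-request flow that claims 1, 6, 8 and 11 describe (AF to NEF, NEF to UDM for the SUPI, NEF to AAnF, AAnF to UDM for the AUSF identity and subscription data, AAnF to AUSF for the AKMA key, K_AF derivation), as an added Python simulation that is not part of the patent or of any 3GPP implementation. The UDM, AUSF and NEF state is constructed sample data, and HMAC-SHA256 stands in for the 3GPP key derivation function; both are assumptions.

```python
import hmac, hashlib

# Constructed sample core-network state (not 3GPP data, not the patent's own code).
UDM_AKID_TO_SUPI = {"akid-0001@example.net": "imsi-001010000000001",   # A-KID -> SUPI
                    "akid-0002@example.net": "imsi-001010000000002"}
UDM_SUPI_TO_AUSF = {"imsi-001010000000001": ("ausf-instance-7", {"akma": True}),
                    "imsi-001010000000002": ("ausf-instance-7", {"akma": False})}
AUSF_KEYS = {("ausf-instance-7", "akid-0001@example.net"): b"\x11" * 32}  # K_AKMA at the AUSF
NEF_AUTHORIZED_AFS = {"af.example.net"}   # AFs that authorize the NEF to request keys

def udm_resolve_supi(a_kid):      # UDM answers the NEF's first request (claim 1 / 11)
    return UDM_AKID_TO_SUPI.get(a_kid)

def udm_resolve_ausf(supi):       # UDM answers the AAnF's second request (claims 4, 6, 7)
    return UDM_SUPI_TO_AUSF.get(supi)   # (AUSF id, AKMA subscription data) or None

def ausf_get_kakma(ausf_id, a_kid):   # the AUSF that ran primary authentication holds K_AKMA
    return AUSF_KEYS.get((ausf_id, a_kid))

def derive_kaf(k_akma, af_id):
    # Assumed stand-in for the KDF: communication key from K_AKMA and the AF identifier (claim 8).
    return hmac.new(k_akma, af_id.encode(), hashlib.sha256).digest()

def aanf_handle(supi, af_id, a_kid):
    """AAnF: SUPI -> AUSF lookup, authorization detection, K_AKMA fetch, K_AF derivation."""
    entry = udm_resolve_ausf(supi)
    if entry is None:
        return None, "no AUSF known for SUPI"
    ausf_id, subscription = entry
    if not subscription.get("akma"):   # authorization detection on the terminal device (claim 9)
        return None, "UE not subscribed to AKMA"
    k_akma = ausf_get_kakma(ausf_id, a_kid)
    if k_akma is None:
        return None, "AUSF holds no K_AKMA for A-KID"
    return derive_kaf(k_akma, af_id), "ok"

def nef_handle_af_key_request(af_id, a_kid):
    """NEF: receives the AF's second identification information (A-KID) and drives the flow."""
    if af_id not in NEF_AUTHORIZED_AFS:   # only proceed if the AF authorized the NEF (claim 1)
        return None, "AF not authorized"
    supi = udm_resolve_supi(a_kid)        # first request/response with the UDM
    if supi is None:
        return None, "UDM cannot map A-KID to SUPI"
    return aanf_handle(supi, af_id, a_kid)   # first identification information (SUPI) to the AAnF
```

Each rejection path returns a reason string, so a practitioner can see which network element stops the flow when the AF, the subscription or the key identifier is not in order.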
Description
TECHNICAL FIELD
This application relates to the field of communication technologies, and in particular, to a communication system, method and apparatus.
BACKGROUND
In a process in which a terminal device registers with a core network, when receiving a registration request from the terminal device, an access network device selects a mobility management network element and forwards the registration request to the mobility management network element, where the registration request may carry identity information of the terminal device. When receiving the registration request from the access network device, the mobility management network element may select an authentication server function network element based on the identity information of the terminal device that is carried in the registration request. The authentication server function network element may determine, based on the identity information of the terminal device, a unified data management network element serving the terminal device.
Currently, the terminal device may support an authentication and key management for applications (AKMA) service. In the AKMA service, the terminal device may perform data transmission with an application function network element without going through the mobility management network element. In this way, the application function network element needs to learn of a communication key between the application function network element and the terminal device. The application function network element obtains the communication key between the application function network element and the terminal device from an AKMA anchor function network element, and the AKMA anchor function network element generates the communication key between the application function network element and the terminal device based on a key of the AKMA service of the terminal device and an identifier of the application function network element.
The AKMA anchor function network element obtains the key of the AKMA service of the terminal device from the authentication server function network element corresponding to the terminal device, and the authentication server function network element corresponding to the terminal device stores an intermediate key generated in a primary authentication process. The authentication server function network element corresponding to the terminal device generates the key of the AKMA service of the terminal device based on the intermediate key. There are a plurality of authentication server function network elements in a network. How the AKMA anchor function network element determines the authentication server function network element corresponding to the terminal device is an urgent technical problem to be resolved.
ERICSSON: "pCR to TS 33.535: Update of the AKMA procedures", 3GPP DRAFT; S3-200296, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE; 650, ROUTE DES LUCIOLES; F-06921 SOPHIA-ANTIPOLIS CEDEX; FRANCE, vol. SA WG3, no. e-meeting; 20200302 - 20200306, 21 February 2020 (2020-02-21), discloses an update of authentication server function, AUSF, selection for the AKMA key derivation procedure. In addition, the AKMA clause for the application function key derivation is updated to propose a more detailed procedure for the generation of the application function key, putting the AUSF selection into context. Finally, the different procedures are updated so that there is an option whether the user equipment, UE, and AUSF pre-generate the AKMA key, Kakma, and the Kakma key identifier, or generate these on demand.
SAMSUNG: "AKMA and Application Key Derivation", 3GPP DRAFT; S3-200171, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE; 650, ROUTE DES LUCIOLES; F-06921 SOPHIA-ANTIPOLIS CEDEX; FRANCE, vol. SA WG3, no. e-meeting; 20200302 - 20200306, 21 February 2020 (2020-02-21), discloses a method to derive a key Kakma at the UE and the AUSF. The AUSF sends Kakma to the anchor function. Both the AKMA anchor function, AAnF, and the UE shall use the Kakma to derive the application-specific keys needed for AKMA Application Functions (AFs).
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Authentication and key management for applications; based on 3GPP credential in 5G", 3GPP DRAFT; S3-200438, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE; 650, ROUTE DES LUCIOLES; F-06921 SOPHIA-ANTIPOLIS CEDEX; FRANCE, 9 March 2020 (2020-03-09), specifies the security features and mechanisms to support authentication and key management aspects for applications based on subscription credential(s) in the 5G system as defined in 33.501 [2].
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication and key management for applications: based on 3GPP credential in 5G (Release 16)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.835, 3RD GENERATION PART