US-12621280-B2 - Communication method and apparatus
Abstract
This application provides a communication method and apparatus. The method includes: A first network element receives a first request message from a second network element, where the first request message is used to request to perform a first operation on a first terminal device. The first network element determines, based on the first request message, whether the second network element is authorized to request to perform the first operation on the first terminal device. Whether a network element that sends a request message is authorized to request to perform a related operation is verified, to determine whether the network element is an attacker. This reduces impact on a system service resulting from requests of an attacker and improves system security.
Inventors
- He Li
- Ao LEI
- Rong Wu
Assignees
- HUAWEI TECHNOLOGIES CO., LTD.
Dates
- Publication Date
- 20260505
- Application Date
- 20230821
- Priority Date
- 20210221
Claims (20)
- 1. A communication method, comprising: receiving, by a first network element, a first request message from a second network element through a security link between the first network element and the second network element, wherein the first request message is used to request to perform a first operation on a first terminal device; and determining, by the first network element based on the first request message, whether the second network element is authorized to request to perform the first operation on the first terminal device, wherein the determining comprises: obtaining, by the first network element, a first identifier associated with the first terminal device from the first request message; and determining, by the first network element, whether a third identifier associated with the first identifier is the same as a fourth identifier that is associated with the second network element and the security link, wherein the fourth identifier is obtained during establishment of the security link or after establishment of the security link.
- 2. The method of claim 1, wherein the first operation comprises authentication and authorization revocation or pairing authentication and authorization revocation.
- 3. The method of claim 2, wherein before the receiving, by the first network element, the first request message from the second network element, the method further comprises: performing, by the first network element, a second operation on the first terminal device, wherein the second operation is authentication and authorization.
- 4. The method of claim 1, wherein the determining, by the first network element, whether the third identifier associated with the first identifier is the same as the fourth identifier comprises: determining, by the first network element, the third identifier based on the first identifier and a mapping between the third identifier and the first identifier.
- 5. The method of claim 4, wherein the third identifier is an identity identifier of a third network element, and the mapping indicates that the third network element is authorized to perform the first operation on the first terminal device.
- 6. The method of claim 5, further comprising: storing the mapping in or after an uncrewed aerial vehicle registration procedure or an uncrewed aerial vehicle authentication and authorization procedure.
- 7. The method of claim 1, wherein the fourth identifier comprises an identity identifier of the second network element; and the first identifier comprises an identity identifier of the first terminal device.
- 8. The method of claim 1, wherein the first network element is an uncrewed aerial vehicle network function, the second network element is an uncrewed aerial system traffic management network function or an unmanned aerial system service supplier, and the first terminal device is an uncrewed aerial vehicle.
- 9. The method of claim 1, further comprising: when the first network element determines that the third identifier is the same as the fourth identifier, performing, by the first network element, the first operation; or when the first network element determines that the third identifier is different from the fourth identifier, terminating, by the first network element, the first operation.
- 10. An apparatus, comprising: at least one processor; and at least one memory coupled to the at least one processor and storing programming instructions that, when executed by the at least one processor, cause the apparatus to perform operations comprising: receiving a first request message from a second network element through a security link between the first network element and the second network element, wherein the first request message is used to request to perform a first operation on a first terminal device; and determining, based on the first request message, whether the second network element is authorized to request to perform the first operation on the first terminal device, wherein the determining comprises: obtaining, by the first network element, a first identifier associated with the first terminal device from the first request message; and determining, by the first network element, whether a third identifier associated with the first identifier is the same as a fourth identifier that is associated with the second network element and the security link, wherein the fourth identifier is obtained during establishment of the security link or after establishment of the security link.
- 11. The apparatus of claim 10, wherein the first operation comprises authentication and authorization revocation or pairing authentication and authorization revocation.
- 12. The apparatus of claim 11, wherein the operations further comprise: before the receiving the first request message from the second network element, performing a second operation on the first terminal device, wherein the second operation is authentication and authorization.
- 13. The apparatus of claim 10, wherein determining whether the third identifier associated with the first identifier is the same as the fourth identifier comprises: determining the third identifier based on the first identifier and a mapping between the third identifier and the first identifier.
- 14. The apparatus of claim 10, wherein the fourth identifier comprises an identity identifier of the second network element; and the first identifier comprises an identity identifier of the first terminal device.
- 15. The apparatus of claim 10, wherein the first network element is an uncrewed aerial vehicle network function, the second network element is an uncrewed aerial system traffic management network function or an unmanned aerial system service supplier, and the first terminal device is an uncrewed aerial vehicle.
- 16. The apparatus of claim 10, wherein the apparatus is further caused to perform: determining the third identifier based on the first identifier and a mapping between the third identifier and the first identifier, wherein the third identifier is an identity identifier of a third network element, and the mapping indicates that the third network element is authorized to perform the first operation on the first terminal device.
- 17. The apparatus of claim 16, wherein the apparatus is further caused to perform: storing the mapping in or after an uncrewed aerial vehicle registration procedure or an uncrewed aerial vehicle authentication and authorization procedure.
- 18. The apparatus of claim 10, wherein the apparatus is further caused to perform: when the first network element determines that the third identifier is the same as the fourth identifier, performing, by the first network element, the first operation; or when the first network element determines that the third identifier is different from the fourth identifier, terminating, by the first network element, the first operation.
- 19. A non-transitory computer-readable storage medium storing instructions that, when executed, cause a processor to perform: receiving a first request message from a second network element through a security link between the first network element and the second network element, wherein the first request message is used to request to perform a first operation on a first terminal device; and determining, based on the first request message, whether the second network element is authorized to request to perform the first operation on the first terminal device, wherein the determining comprises: obtaining a first identifier associated with the first terminal device from the first request message; and determining whether a third identifier associated with the first identifier is the same as a fourth identifier that is associated with the second network element and the security link, wherein the fourth identifier is obtained during establishment of the security link or after establishment of the security link.
- 20. The non-transitory computer-readable storage medium of claim 19, wherein the fourth identifier comprises an identity identifier of the second network element; and the first identifier comprises an identity identifier of the first terminal device.
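The authorization check of claims 1, 4, 5, 7 and 9 (and the UAV scenario the summary below describes), modelled in Python as an added example; this is not code from the patent or from Huawei. The class and field names (UavNf, SecurityLink, RevocationRequest, the identifier strings) are assumptions chosen for illustration. The point the model makes concrete is that the "fourth identifier" comes from the security link itself, bound at link establishment, and is never read from the request body, so a sender field an attacker controls has no effect on the decision.

```python
"""Model of the per-terminal authorization check in claims 1, 4, 5, 7 and 9.

Added example; not code from the patent or from Huawei. All names below are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityLink:
    """A security link (for example a mutually authenticated TLS session) between
    the first network element and a peer. `peer_id` is the *fourth identifier*:
    the peer identity obtained when the link was established, not anything the
    peer later writes into a message."""
    link_id: str
    peer_id: str


@dataclass(frozen=True)
class RevocationRequest:
    """The *first request message*: asks the first network element to perform
    `operation` on the terminal identified by `terminal_id` (the *first
    identifier*). `claimed_sender` models an attacker-controlled field and is
    deliberately ignored by the authorization check."""
    terminal_id: str
    operation: str
    claimed_sender: Optional[str] = None


class UavNf:
    """Model of the first network element (a UAV-NF in the drone scenario)."""

    SUPPORTED_OPERATIONS = ("aa_revocation", "pairing_aa_revocation")  # claim 2

    def __init__(self) -> None:
        # Mapping first identifier -> third identifier (claims 4-6): which
        # network element authorized this terminal and may therefore revoke.
        self._authorized_revoker: Dict[str, str] = {}
        self.audit_log: List[str] = []

    def record_authorization(self, terminal_id: str, authorizing_nf_id: str) -> None:
        """Store the mapping when the terminal's authentication and authorization
        procedure completes (the second operation of claim 3, storage per claim 6)."""
        self._authorized_revoker[terminal_id] = authorizing_nf_id

    def is_authorized(self, link: SecurityLink, req: RevocationRequest) -> bool:
        """The determining step of claim 1: look up the third identifier from the
        first identifier (claim 4) and compare it with the link-bound fourth
        identifier (claim 7). The request's own sender field is never consulted."""
        third_id = self._authorized_revoker.get(req.terminal_id)
        if third_id is None:
            return False  # no mapping for this terminal: nothing to revoke
        return third_id == link.peer_id

    def handle_request(self, link: SecurityLink, req: RevocationRequest) -> str:
        """Claim 9: perform the first operation on a match, terminate it otherwise."""
        if req.operation not in self.SUPPORTED_OPERATIONS:
            return "rejected: unsupported operation"
        if not self.is_authorized(link, req):
            # A mismatch is the signal the patent uses to spot a masquerading
            # requester; log it for detection rather than silently dropping it.
            self.audit_log.append(
                f"terminated {req.operation} for {req.terminal_id}: link peer "
                f"{link.peer_id!r} on {link.link_id} is not the authorizing NF "
                f"(claimed sender {req.claimed_sender!r} ignored)"
            )
            return "terminated"
        # Assumption (not stated in the claims): once authorization is revoked,
        # the mapping is cleared, so a repeated or replayed request no longer
        # matches and is terminated as well.
        del self._authorized_revoker[req.terminal_id]
        self.audit_log.append(f"performed {req.operation} for {req.terminal_id} via {link.link_id}")
        return "performed"


def demo() -> List[str]:
    """Constructed scenario: one USS authorized the UAV; a different peer on its own
    security link claims to be that USS and asks for revocation."""
    nf = UavNf()
    nf.record_authorization("uav-001", "uss-a")          # constructed sample identifiers
    link_a = SecurityLink("link-1", peer_id="uss-a")     # fourth identifier bound at setup
    link_b = SecurityLink("link-2", peer_id="uss-b")
    forged = RevocationRequest("uav-001", "aa_revocation", claimed_sender="uss-a")
    genuine = RevocationRequest("uav-001", "aa_revocation")
    return [
        nf.handle_request(link_b, forged),    # terminated: uss-b is not the authorizing NF
        nf.handle_request(link_a, genuine),   # performed
        nf.handle_request(link_a, genuine),   # terminated: mapping cleared after revocation
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The decision depends on two inputs the requester cannot forge by editing a message: the mapping the first network element itself stored when it authorized the terminal, and the peer identity its own link layer attested at establishment. Anything the request carries about who sent it is treated as untrusted.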
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of International Application No. PCT/CN2022/076667, filed on Feb. 17, 2022, which claims priority to Chinese Patent Application No. 202110194700.9, filed on Feb. 21, 2021. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
TECHNICAL FIELD
This application relates to the communication field, and more specifically, to a communication method and apparatus.
BACKGROUND
In some scenarios, attackers may request to perform some operations on another communication apparatus by masquerading an identity. For example, after an authentication procedure between a terminal device and a network slice is completed, attackers may masquerade as an authentication, authorization, and accounting server (authentication, authorization, and accounting server, AAA-S) to request re-authentication or request authentication revocation from a network slice-authentication and authorization function (network slice-specific authentication and authorization function, NSSAAF). For another example, after an uncrewed aerial vehicle authentication and authorization procedure, attackers may masquerade as an uncrewed aerial system traffic management (uncrewed aerial system traffic management, UTM)/unmanned aerial system service supplier (unmanned aerial system service supplier, USS) to request to revoke authentication and authorization from a network element having an uncrewed aerial vehicle function (for example, an uncrewed aerial vehicle network function (uncrewed aerial vehicle network function, UAV-NF)). This severely affects communication security. Therefore, a technology is desired to improve communication security.
SUMMARY
A communication method and apparatus in embodiments of this application can improve communication security. According to a first aspect, a communication method is provided.
The method includes: A first network element receives a first request message from a second network element, where the first request message is used to request to perform a first operation on a first terminal device. The first network element determines, based on the first request message, whether the second network element is authorized to request to perform the first operation on the first terminal device. For example, the second network element requests the first network element to perform an operation on another communication device. For example, the second network element requests the first network element to perform the first operation on the first terminal device. In an example, in a network slice scenario, the second network element is, for example, an AAA-S; the first network element is, for example, an NSSAAF; the first terminal device is, for example, a user equipment UE; and the first operation is, for example, network slice-specific re-authentication. To be specific, the AAA-S sends the first request message to the NSSAAF, to request to perform network slice-specific re-authentication on the UE. The first operation includes the network slice-specific re-authentication or network slice-specific authentication revocation. In another example, in an uncrewed aerial vehicle scenario, the second network element is, for example, a UTM; the first network element is, for example, a UAV-NF; the first terminal device is, for example, a UAV; and the first operation is, for example, uncrewed aerial vehicle authentication and authorization revocation. To be specific, the UTM sends the first request message to the UAV-NF, to request to perform an operation of revoking uncrewed aerial vehicle authentication and authorization on the UAV. The first operation includes authentication and authorization revocation or pairing authentication and authorization revocation. 
Therefore, according to the communication method in this embodiment of this application, whether a network element that sends a request message is authorized to request to perform a related operation is verified, to determine whether the network element is a malicious attacker. This reduces impact on a system service resulting from requests of an attacker and improves system security. It should be understood that, that the second network element requests, via the first request message, the first network element to perform the first operation on the first terminal device may be understood as that the second network element requests, via the first request message, to perform the first operation on all parameters that are related to a first request and that are used by the first terminal device, or the second network element requests, via the first request message, to perform the first operation on a parameter that is related to a first request and that is used by the first terminal device. For example, in a network slice scenario, a first control device is, for example, an AAA-S; a first communication apparatus is, for example, an NSSAAF; the first terminal device i