US-12621657-B2 - Secure communication method and device

Abstract

A method includes: User equipment determines whether confidentiality protection is activated for communication data between the user equipment and an application function device. The user equipment sends a user plane message to the application function device. The user plane message includes an identifier of the user equipment, and the identifier is an encrypted identifier in a case in which the confidentiality protection is inactivated.

Inventors

  • He Li
  • Yizhuang Wu
  • Rong Wu

Assignees

  • HUAWEI TECHNOLOGIES CO., LTD.

Dates

Publication Date
2026-05-05
Application Date
2023-07-07

Claims (20)

  1. A secure communication method, comprising: determining, by a communication apparatus, to implement a procedure with privacy protection of interaction between user equipment and an application function device when the communication apparatus determines that a user plane message will carry a permanent identifier of the user equipment; determining, by the communication apparatus based on the procedure with privacy protection, a communication key for interaction with the application function device and a non-null encryption algorithm; and sending, by the communication apparatus, the user plane message to the application function device, wherein the user plane message comprises the permanent identifier of the user equipment, and wherein confidentiality protection is performed on the user plane message by using the communication key and the non-null encryption algorithm.
  2. The method according to claim 1, wherein the procedure with privacy protection comprises an authentication and key management for applications (AKMA) procedure.
  3. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when an application started by the communication apparatus indicates the communication apparatus to select the procedure with privacy protection, wherein a server of the application is comprised in the application function device.
  4. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when an application indicates that one of a plurality of interaction procedures can be selected, wherein the plurality of interaction procedures comprises the procedure with privacy protection, and a server of the application is comprised in the application function device.
  5. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when an application indicates that one of a plurality of interaction procedures can be selected, wherein the plurality of interaction procedures comprises the procedure with privacy protection, the procedure with privacy protection has a highest priority of the plurality of interaction procedures, and a server of the application is comprised in the application function device.
  6. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when the communication apparatus receives an indication of preferably selecting the procedure with privacy protection.
  7. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when the communication apparatus determines that the user equipment has a 5G universal subscriber identity module (SIM).
  8. The method according to claim 1, wherein determining, by the communication apparatus, to implement the procedure with privacy protection comprises: determining, by the communication apparatus, to implement the procedure with privacy protection when the communication apparatus determines that the user equipment has a valid public key and a valid private key.
  9. The method according to claim 1, wherein the communication apparatus is the user equipment or a chip in the user equipment.
  10. The method according to claim 1, wherein determining, by the communication apparatus based on the procedure with privacy protection, the communication key for interaction with the application function device and the non-null encryption algorithm comprises: generating, by the communication apparatus, the communication key based on an anchor key stored in the communication apparatus; sending, by the communication apparatus, a request message to the application function device, wherein the request message comprises a key identifier and information indicating to use the procedure with privacy protection, and the key identifier is used to assist the application function device in obtaining the communication key; and receiving, by the communication apparatus, a response message from the application function device, wherein the response message comprises information about the non-null encryption algorithm.
  11. The method according to claim 10, wherein the request message further comprises indication information for negotiating the non-null encryption algorithm.
  12. The method according to claim 10, wherein the request message further comprises information about an encryption algorithm supported by the communication apparatus, the information about the encryption algorithm supported by the communication apparatus indicates the application function device to select the non-null encryption algorithm, and the encryption algorithm supported by the communication apparatus is the non-null encryption algorithm.
  13. A communication apparatus, wherein the communication apparatus comprises at least one processor coupled to at least one memory storing instructions, and configured to execute the instructions to cause the communication apparatus to: determine to implement a procedure with privacy protection of interaction between user equipment and an application function device when the communication apparatus determines that a user plane message will carry a permanent identifier of the user equipment; determine, based on the procedure with privacy protection, a communication key for interaction with the application function device and a non-null encryption algorithm; and send the user plane message to the application function device, wherein the user plane message comprises the permanent identifier of the user equipment, and wherein confidentiality protection is performed on the user plane message by using the communication key and the non-null encryption algorithm.
  14. The communication apparatus according to claim 13, wherein the procedure with privacy protection comprises an authentication and key management for applications (AKMA) procedure.
  15. The communication apparatus according to claim 13, wherein the instructions to determine to implement the procedure with privacy protection comprise instructions to determine to implement the procedure with privacy protection when one or more of the following conditions are met: an application started by the communication apparatus indicates the communication apparatus to select the procedure with privacy protection, wherein a server of the application is comprised in the application function device; the application indicates that one of a plurality of interaction procedures can be selected, wherein the plurality of interaction procedures comprises the procedure with privacy protection; the communication apparatus receives an indication of selecting the procedure with privacy protection; the communication apparatus determines that the user equipment has a 5G universal subscriber identity module; the communication apparatus determines that the user equipment has a valid public key and a valid private key; or the communication apparatus determines that the user plane message carries the permanent identifier of the user equipment.
  16. The communication apparatus according to claim 15, wherein the instructions to determine to implement the procedure with privacy protection comprise instructions to determine to implement the procedure with privacy protection when the application indicates that one of the plurality of interaction procedures can be selected, and the procedure with privacy protection has a highest priority of the plurality of interaction procedures.
  17. The communication apparatus according to claim 13, wherein the communication apparatus is the user equipment or a chip in the user equipment.
  18. A non-transitory computer-readable storage medium, storing a computer program, wherein when the computer program is executed, a communication apparatus is enabled to perform a method of: determining to implement a procedure with privacy protection of interaction between user equipment and an application function device when determining that a user plane message will carry a permanent identifier of the user equipment; determining, based on the procedure with privacy protection, a communication key for interaction with the application function device and a non-null encryption algorithm; and sending the user plane message to the application function device, wherein the user plane message comprises the permanent identifier of the user equipment and wherein confidentiality protection is performed on the user plane message by using the communication key and the non-null encryption algorithm.
  19. The non-transitory computer-readable storage medium according to claim 18, wherein the procedure with privacy protection comprises an authentication and key management for applications (AKMA) procedure.
  20. The non-transitory computer-readable storage medium according to claim 18, wherein instructions for determining to use the procedure with privacy protection comprise instructions for determining to use the procedure with privacy protection when one or more of the following conditions are met: an application started by the communication apparatus indicates the communication apparatus to select the procedure with privacy protection, wherein a server of the application is comprised in the application function device; the application indicates that one of a plurality of interaction procedures can be selected, wherein the plurality of interaction procedures comprises the procedure with privacy protection; the communication apparatus receives an indication of preferably selecting the procedure with privacy protection; the communication apparatus determines that the user equipment has a 5G universal subscriber identity module (SIM); the communication apparatus determines that the user equipment has a valid public key and a valid private key; or the communication apparatus determines that the user plane message carries the permanent identifier of the user equipment.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2021/070979, filed on Jan. 8, 2021, the disclosure of which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

This application relates to the field of communication technologies, and in particular, to a secure communication method and a device.

BACKGROUND

With the rapid development of network technologies, network security has become an increasingly prominent issue. In an existing internet of things security framework, a secure tunnel may be established between user equipment (UE) and an application function (AF) server by using the generic bootstrapping architecture (GBA) technology. GBA includes GBA authentication and key agreement (AKA) authentication. In addition, with the development of 5th generation (5G) mobile communication, a secure tunnel may alternatively be established between UE and an AF by using a 5G network; that is, secure communication between the UE and a third-party application server is implemented by using the 5G network. For example, such secure communication technology includes the authentication and key management for applications (AKMA) technology in the 5G network.

Although the foregoing technologies protect the information exchanged between the user equipment and a core network device, in an existing communication scenario, for example a device-to-device (D2D) communication scenario, the permanent identifier of the user equipment is still leaked during interaction between the user equipment and another device, creating a risk of exposing user privacy.

In conclusion, how to reduce the risk of leaking the identifier of the user equipment during interaction between the user equipment and the other device, and thereby reduce the risk of exposing user privacy, is a technical problem that urgently needs to be resolved by a person skilled in the art.
SUMMARY

This application provides a secure communication method and a device, to reduce the risk of leaking a permanent identifier of user equipment during interaction between the user equipment and another device, and thereby reduce the risk of exposing user privacy.

According to a first aspect, this application provides a secure communication method. The method includes: user equipment determines whether confidentiality protection is activated for communication data between the user equipment and an application function device; and the user equipment sends a user plane message to the application function device, where the user plane message includes an identifier of the user equipment, and the identifier is an encrypted identifier in a case in which the confidentiality protection is inactivated.

In this application, when the confidentiality protection between the user equipment and the application function device is inactivated, the encrypted identifier is used as the identifier of the user equipment carried in the user plane message. The encrypted identifier is obtained by performing processing, for example encryption, on a permanent identifier of the user equipment, or there is an association mapping relationship between the encrypted identifier and the permanent identifier of the user equipment, or the like. In short, the user plane message sent by the user equipment to the application function device carries the encrypted identifier instead of the permanent identifier of the user equipment. This effectively reduces the risk of leaking the permanent identifier of the user equipment and so reduces the risk of exposing user privacy.

In a possible implementation, the encrypted identifier may be a subscription concealed identifier (SUCI), a generic public subscription identifier (GPSI), an AKMA key identifier (A-KID), or the like of the user equipment. The permanent identifier of the user equipment may be a subscription permanent identifier (SUPI).
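The rule above (SUPI only under active confidentiality protection, a concealed identifier otherwise) together with the claim 10 exchange (UE derives a communication key from its anchor key, sends the key identifier with a privacy-protection indication and its supported algorithms, the AF answers with a non-null algorithm) is modelled in the added Python example below; it is not code from the patent or from Huawei. Assumptions: HMAC-SHA256 stands in for the 3GPP key derivation, an HMAC keystream XOR stands in for a real 5G cipher, the 5G ciphering identifiers NEA0 (null) and NEA1-3 are used as the negotiated algorithm names, and all keys and identifiers are constructed.

```python
import hmac
import hashlib

NULL_ALG = "NEA0"                         # 5G null ciphering algorithm
NON_NULL_ALGS = ("NEA1", "NEA2", "NEA3")  # 5G non-null ciphering algorithms

def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    """Communication key from the anchor key. Assumption: HMAC-SHA256 stands
    in for the 3GPP KDF; the real AKMA derivation is not reproduced here."""
    return hmac.new(k_akma, b"K_AF|" + af_id, hashlib.sha256).digest()

def af_select_algorithm(ue_algs, af_algs):
    """AF side of claims 10-12: first mutually supported non-null algorithm."""
    for alg in ue_algs:
        if alg in af_algs and alg != NULL_ALG:
            return alg
    return None  # no non-null algorithm: protection cannot be activated

def protect(data: bytes, k_af: bytes, alg: str) -> bytes:
    """Confidentiality protection with the negotiated key and algorithm.
    Assumption: an HMAC-derived keystream XOR is a stand-in for NEA1-3, not a
    5G cipher. Applying it twice with the same inputs decrypts."""
    if alg not in NON_NULL_ALGS:
        raise ValueError("refusing to protect with a null algorithm")
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = alg.encode() + counter.to_bytes(4, "big")
        stream += hmac.new(k_af, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def ue_build_user_plane_message(supi, suci, k_af, alg):
    """UE rule: the permanent identifier (SUPI) is carried only when protection
    is active; otherwise the message carries the concealed identifier (SUCI)."""
    if alg in NON_NULL_ALGS:
        return {"protected": True, "alg": alg,
                "body": protect(supi.encode(), k_af, alg)}
    return {"protected": False, "alg": NULL_ALG, "body": suci.encode()}

def run_procedure(k_akma, a_kid, af_id, ue_algs, af_algs, supi, suci):
    """Claim 10 exchange. The AF's own K_AF lookup via the A-KID is outside
    this example; only the UE-side derivation is shown."""
    k_af_ue = derive_k_af(k_akma, af_id)
    request = {"a_kid": a_kid, "privacy_protection": True,
               "ue_algs": list(ue_algs)}
    response = {"alg": af_select_algorithm(request["ue_algs"], af_algs)}
    return ue_build_user_plane_message(supi, suci, k_af_ue, response["alg"])
```

The check a reviewer would look for is in `protect` and `ue_build_user_plane_message`: if the negotiation yields only the null algorithm, the SUPI never enters the message and the concealed identifier is sent instead.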
In a possible implementation, the user plane message is a discovery request in a proximity-based service (ProSe) procedure.

In a possible implementation, the method further includes: the user equipment determines to use a procedure with privacy protection, where the procedure with privacy protection is used for interaction between the user equipment and the application function device. In this application, the user equipment selects the procedure with privacy protection to further improve the security of information exchanged between the user equipment and the application function device.

In a possible implementation, the procedure with privacy protection includes an authentication and key management for applications (AKMA) procedure.

In a possible implementation, that the user equipment determines to use a procedure with privacy protection includes: the user equipment determines to use the procedure with privacy protection when one or more of the following conditions are met: an application started by the user equipment indicates the user equipment