US-12627639-B2 - Communication protection method and apparatus
Abstract
Embodiments of this disclosure provide a communication protection method that includes: a terminal device sends an application session establishment request message to a first application function network element (AF), where the application session establishment request message includes an authentication and key management for application (AKMA) key identifier; and the terminal device receives an application session establishment response message from the first AF, where the application session establishment response message includes a security activation indication. The security activation indication indicates whether to activate security protection on communication between the terminal device and a second AF. The security protection includes confidentiality protection and/or integrity protection performed based on a security key, and the security key is generated based on an AKMA key corresponding to the AKMA key identifier.
Inventors
- Longhua GUO
- He Li
- Rong Wu
Assignees
- HUAWEI TECHNOLOGIES CO., LTD.
Dates
- Publication Date
- 20260512
- Application Date
- 20221121
- Priority Date
- 20200522
Claims (20)
- 1 . A communication protection method performed by a terminal device or a chip in the terminal device, comprising: sending an application session establishment request message to a first application function network element, wherein the application session establishment request message comprises an authentication and key management for application (AKMA) key identifier; and receiving an application session establishment response message from the first application function network element, wherein the application session establishment response message comprises a security activation indication, wherein the security activation indication indicates whether to activate security protection on communication between the terminal device and a second application function network element, the security protection comprises at least one of confidentiality protection or integrity protection performed based on a security key, and wherein the first application function network element and the second application function network element are different application function network elements and the method further comprises: generating a first application function network element key based on an AKMA key corresponding to the AKMA key identifier; generating a second application function network element key based on the first application function network element key and a key generation parameter that is shared by the terminal device and the first application function network element; and generating the security key based on the second application function network element key, wherein the security key comprises at least one of a confidentiality protection key for the confidentiality protection or an integrity protection key for the integrity protection.
- 2 . The method according to claim 1 , wherein the application session establishment request message further comprises information about a security algorithm supported by the terminal device, wherein the security algorithm supported by the terminal device comprises at least one of a confidentiality protection algorithm supported by the terminal device or an integrity protection algorithm supported by the terminal device; and the application session establishment response message further comprises information about a security algorithm selected based on the security algorithm supported by the terminal device, wherein the selected security algorithm comprises at least one of a selected confidentiality protection algorithm or a selected integrity protection algorithm.
- 3 . The method according to claim 2 , wherein the method further comprises: when the security activation indication indicates to activate the security protection, activating, based on the selected security algorithm and the security key, the security protection on the communication between the terminal and the second application function network element.
- 4 . The method according to claim 2 , wherein the generating the security key based on the second application function network element key comprises: generating the security key based on the second application function network element key and the selected security algorithm.
- 5 . The method according to claim 1 , wherein the application session establishment request message comprises the key generation parameter; and the key generation parameter comprises at least one selected from the following: identity information used by the terminal device in the first application function network element or the second application function network element; a service type requested by the terminal device from the first application function network element or the second application function network element; identification information of the second application function network element; or a key freshness parameter.
- 6 . The method according to claim 1 , wherein the application session establishment response message comprises the key generation parameter, and the key generation parameter comprises a key freshness parameter.
- 7 . The method according to claim 1 , wherein the application session establishment response message further comprises a key identifier, the key identifier is for identifying a security context between the terminal device and the second application function network element, and the security context comprises the security key.
- 8 . The method according to claim 1 , wherein the application session establishment response message comprises a first integrity verification parameter, and the method further comprises: determining, based on the security key and the first integrity verification parameter, whether the application session establishment response message is tampered with.
- 9 . The method according to claim 8 , wherein the method further comprises: sending an application session establishment complete message to the second application function network element when the application session establishment response message is not tampered with, wherein the application session establishment complete message comprises a second integrity verification parameter calculated based on the security key.
- 10 . The method according to claim 1 , wherein the first application function network element and the second application function network element have a same application function network element identifier.
- 11 . A communication protection method, comprising: receiving, by a first application function network element, an application session establishment request message from a terminal device, wherein the application session establishment request message comprises an authentication and key management for application (AKMA) key identifier; and sending, by the first application function network element, an application session establishment response message to the terminal device, wherein the application session establishment response message comprises a security activation indication, wherein the security activation indication indicates whether to activate security protection on communication between the terminal device and a second application function network element, the security protection comprises at least one of confidentiality protection or integrity protection performed based on a security key; wherein the first application function network element and the second application function network element are different application function network elements and the method further comprises: generating, by the first application function network element, a first application function network element key based on an AKMA key corresponding to the AKMA key identifier; generating, by the first application function network element, a second application function network element key based on the first application function network element key and a key generation parameter that is shared by the terminal device and the first application function network element; generating, by the first application function network element, the security key based on the second application function network element key, wherein the security key comprises at least one of a confidentiality protection key for the confidentiality protection or an integrity protection key for the integrity protection; and sending, by the first application function network element, a key notification message to the second application function network element, wherein the key notification message comprises the security key.
- 12 . The method according to claim 11 , wherein the application session establishment request message further comprises information about a security algorithm supported by the terminal device, wherein the security algorithm supported by the terminal device comprises at least one of a confidentiality protection algorithm supported by the terminal device or an integrity protection algorithm supported by the terminal device; and the application session establishment response message further comprises information about a security algorithm selected based on the security algorithm supported by the terminal device, wherein the selected security algorithm comprises at least one of a selected confidentiality protection algorithm or a selected integrity protection algorithm.
- 13 . The method according to claim 12 , wherein the method further comprises: when the security activation indication indicates to activate the security protection, triggering, by the first application function network element, the second application function network element to activate, based on the selected security algorithm and the security key, the security protection on the communication between the second application function network element and the terminal device.
- 14 . The method according to claim 11 , wherein the generating, by the first application function network element, the security key based on the second application function network element key, comprises: generating, by the first application function network element, the security key and a key identifier based on the second application function network element key and the selected security algorithm, wherein the key identifier is for identifying a security context between the terminal device and the second application function network element, the security context comprises the security key, and the application session establishment response message further comprises the key identifier.
- 15 . The method according to claim 12 , wherein the security activation indication is indicated by the selected security algorithm, wherein when the selected confidentiality protection algorithm is null, it indicates that the confidentiality protection on the communication between the terminal device and the second application function network element is not activated; when the selected confidentiality protection algorithm is non-null, it indicates that the confidentiality protection on the communication between the terminal device and the second application function network element is activated; when the selected integrity protection algorithm is null, it indicates that the integrity protection on the communication between the terminal device and the second application function network element is not activated; and when the selected integrity protection algorithm is non-null, it indicates that the integrity protection on the communication between the terminal device and the second application function network element is activated.
- 16 . The method according to claim 12 , wherein the method further comprises: determining, by the first application function network element, whether to activate the security protection on the communication between the terminal device and the second application function network element; and generating, by the first application function network element, the security activation indication based on a determining result.
- 17 . The method according to claim 16 , wherein the determining whether to activate the security protection on the communication between the terminal device and the second application function network element comprises at least one of: determining, depending on whether the confidentiality protection algorithm supported by the terminal device comprises a confidentiality protection algorithm supported by the second application function network element, whether to activate the confidentiality protection on the communication between the terminal device and the second application function network element; or determining, depending on whether the integrity protection algorithm supported by the terminal device comprises an integrity protection algorithm supported by the second application function network element, whether to activate the integrity protection on the communication between the terminal device and the second application function network element.
- 18 . The method according to claim 11 , wherein the method further comprises: receiving, by the first application function network element, an application session establishment complete message from the terminal device, wherein the application session establishment complete message comprises a second integrity verification parameter; and determining, by the first application function network element based on the security key and the second integrity verification parameter, whether the application session establishment complete message is tampered with.
- 19 . An apparatus comprising a processor configured to execute instructions stored in a memory to cause the apparatus to: send an application session establishment request message to a first application function network element, wherein the application session establishment request message comprises an authentication and key management for application (AKMA) key identifier; and receive an application session establishment response message from the first application function network element, wherein the application session establishment response message comprises a security activation indication, wherein the security activation indication indicates whether to activate security protection on communication between the apparatus and a second application function network element, the security protection comprises at least one of confidentiality protection or integrity protection performed based on a security key, and wherein the first application function network element and the second application function network element are different application function network elements and the apparatus is further caused to: generate a first application function network element key based on an AKMA key corresponding to the AKMA key identifier; generate a second application function network element key based on the first application function network element key and a key generation parameter that is shared by the apparatus and the first application function network element; and generate the security key based on the second application function network element key, wherein the security key comprises at least one of a confidentiality protection key for the confidentiality protection or an integrity protection key for the integrity protection.
- 20 . An apparatus comprising a processor configured to execute instructions stored in a memory to cause the apparatus to: receive an application session establishment request message from a terminal device, wherein the application session establishment request message comprises an authentication and key management for application (AKMA) key identifier; and send an application session establishment response message to the terminal device, wherein the application session establishment response message comprises a security activation indication, the security activation indication indicates whether to activate security protection on communication between the terminal device and a second application function network element, the security protection comprises at least one of confidentiality protection or integrity protection performed based on a security key; wherein the apparatus and the second application function network element are different and the apparatus is further caused to: generate a first application function network element key based on an AKMA key corresponding to the AKMA key identifier; generate a second application function network element key based on the first application function network element key and a key generation parameter that is shared by the terminal device and the apparatus; generate the security key based on the second application function network element key, wherein the security key comprises at least one of a confidentiality protection key for the confidentiality protection or an integrity protection key for the integrity protection; and send a key notification message to the second application function network element, wherein the key notification message comprises the security key.
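The two-level key hierarchy of claims 1 and 11, the algorithm negotiation and null-algorithm activation indication of claims 15 and 17, and the integrity verification parameter of claims 8, 9 and 18, modelled end to end as an added Python example. This is not code from the patent or from Huawei: the KDF (HMAC-SHA256 over length-prefixed inputs), the derivation labels, the 16-byte key length, the truncated-HMAC tag, the 5G algorithm names used as labels, and the constructed K_AKMA and key generation parameter are all assumptions, and both sides are handed the same K_AKMA directly rather than the first AF obtaining it from the AAnF as in the real AKMA flow.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_LEN = 16  # assumed key length in bytes; the patent does not fix one


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed inputs (the patent leaves the KDF unspecified)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class SelectedAlgorithms:
    confidentiality: Optional[str]  # None models the "null" algorithm of claim 15
    integrity: Optional[str]


def select_algorithm(ue_supported: List[str], af_supported: List[str]) -> Optional[str]:
    """Claim 17: a protection is activated only when the UE's list contains an algorithm the
    second AF supports. First match in UE preference order wins; None means null (not activated)."""
    for alg in ue_supported:
        if alg in af_supported:
            return alg
    return None


def activation_indication(selected: SelectedAlgorithms) -> Dict[str, bool]:
    """Claim 15: a null selected algorithm indicates that protection is not activated."""
    return {
        "confidentiality": selected.confidentiality is not None,
        "integrity": selected.integrity is not None,
    }


def derive_af2_key(k_akma: bytes, af_id: bytes, key_gen_param: bytes) -> bytes:
    """Claims 1/11: K_AKMA -> first AF key (AF-ID granularity) -> second AF key (finer granularity)."""
    k_af1 = kdf(k_akma, b"AF1", af_id)        # bound to the AF identifier only, as in existing AKMA
    return kdf(k_af1, b"AF2", key_gen_param)  # additionally bound to the shared key generation parameter


def derive_security_keys(k_af2: bytes, selected: SelectedAlgorithms) -> Dict[str, bytes]:
    """Claims 4/14: each security key is bound to the second AF key and the selected algorithm."""
    keys: Dict[str, bytes] = {}
    if selected.confidentiality is not None:
        keys["confidentiality"] = kdf(k_af2, b"CONF", selected.confidentiality.encode())[:KEY_LEN]
    if selected.integrity is not None:
        keys["integrity"] = kdf(k_af2, b"INT", selected.integrity.encode())[:KEY_LEN]
    return keys


def integrity_parameter(k_int: bytes, message: bytes) -> bytes:
    """Claims 8/9/18: the integrity verification parameter carried in a message (assumed: truncated HMAC)."""
    return hmac.new(k_int, message, hashlib.sha256).digest()[:8]


def is_untampered(k_int: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of the integrity verification parameter."""
    return hmac.compare_digest(integrity_parameter(k_int, message), tag)


def run_session(ue_conf: List[str], ue_int: List[str], af2_conf: List[str], af2_int: List[str],
                tamper: bool = False) -> dict:
    """Model one application session establishment between UE, first AF and second AF.
    Returns what each side derived and the result of the UE's integrity check on the response."""
    # Constructed inputs; in the patent's flow the first AF would fetch K_AF from the AAnF.
    k_akma = hashlib.sha256(b"constructed K_AKMA").digest()
    af_id = b"af.example.net"
    key_gen_param = b"service=video;af2=edge-node-7;fresh=0001"  # claim 5 style fields, constructed

    selected = SelectedAlgorithms(select_algorithm(ue_conf, af2_conf), select_algorithm(ue_int, af2_int))
    indication = activation_indication(selected)

    # First AF derives the security key and forwards it to the second AF (claim 11 key notification).
    af_keys = derive_security_keys(derive_af2_key(k_akma, af_id, key_gen_param), selected)
    # UE derives the same keys independently from its own K_AKMA (claim 1).
    ue_keys = derive_security_keys(derive_af2_key(k_akma, af_id, key_gen_param), selected)

    response = f"resp:conf={selected.confidentiality};int={selected.integrity}".encode()
    verified = None  # no integrity key negotiated -> no parameter to check (claim 15 null case)
    if "integrity" in af_keys:
        tag = integrity_parameter(af_keys["integrity"], response)
        if tamper:
            response = response.replace(b"resp", b"RESP")  # modified in transit
        verified = is_untampered(ue_keys["integrity"], response, tag)
    return {"selected": selected, "indication": indication, "ue_keys": ue_keys,
            "af_keys": af_keys, "response_verified": verified}
```

The second derivation step is the point of the claims: two sessions with the same AF identifier but different key generation parameters (service type, second AF identity, freshness value) end up with different second AF keys, which is the finer-than-AF-ID granularity the background section says existing AKMA lacks. Note also what the null case implies for a verifier: when no integrity algorithm is selected the response carries no integrity verification parameter at all, so a receiver must treat `response_verified is None` as "unprotected", not as "verified".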
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of International Application No. PCT/CN2021/093704, filed on May 13, 2021, which claims priority to Chinese Patent Application No. 202010441150.1, filed on May 22, 2020. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
TECHNICAL FIELD
Embodiments of this disclosure relate generally to the communication field, and more specifically, to a communication protection method and apparatus.
BACKGROUND
The fifth generation (5G) communication system defines an authentication and key management for application (AKMA) architecture. A terminal device (for example, user equipment (UE)) and an application function network element (AF) may perform key negotiation based on an AKMA architecture, to separately generate a key for protecting communication between the terminal device and the AF. In an existing AKMA architecture, a key at a granularity of an AF identifier (ID) is negotiated between UE and an AF. Consequently, a key at a finer granularity than the AF identifier cannot be negotiated. As a result, end-to-end security protection between the UE and the AF cannot be implemented for different service requirements.
SUMMARY
In general, embodiments of this disclosure provide a communication protection method and apparatus, a device, and a computer-readable medium, so that end-to-end security protection between a terminal device and an AF can be implemented for different service requirements.
According to a first aspect, a communication protection method is provided, and includes: sending, by a terminal device, an application session establishment request message to a first AF, where the application session establishment request message includes an AKMA key identifier; and receiving, by the terminal device, an application session establishment response message from the first AF, where the application session establishment response message includes a security activation indication, the security activation indication indicates whether to activate security protection on communication between the terminal device and a second AF, and the security protection includes confidentiality protection and/or integrity protection; and when the security activation indication indicates to activate the security protection, activating, by the terminal device based on a security key corresponding to the second AF, the security protection on the communication with the second AF, where the security key is generated based on an AKMA key corresponding to the AKMA key identifier. In this way, embodiments of this disclosure can implement end-to-end security protection between the terminal device and an AF for different service requirements. In some embodiments, the application session establishment request message further includes information about a security algorithm and/or a security policy that are/is supported by the terminal device, where the security algorithm supported by the terminal device includes a confidentiality protection algorithm and/or an integrity protection algorithm that are/is supported by the terminal device, and the security policy supported by the terminal device indicates whether the terminal device supports activation of the security protection on the communication with the second AF. In this way, embodiments of this disclosure can implement security capability negotiation between the terminal device and an AF. 
The security capability negotiation includes that the terminal device and the AF negotiate whether to activate confidentiality protection and/or integrity protection on communication between the terminal device and the AF, the terminal device and the AF negotiate a confidentiality protection algorithm, an integrity protection algorithm, and/or the like to be jointly used by the terminal device and the AF. In some embodiments, the application session establishment response message further includes information about a selected security algorithm, where the selected security algorithm includes a confidentiality protection algorithm and/or an integrity protection algorithm supported by both the terminal device and the second AF. The activating, by the terminal device based on a security key corresponding to the second AF, the security protection on the communication with the second AF includes: activating, by the terminal device based on the selected security algorithm and the security key, the security protection on the communication with the second AF. In this way, the terminal device and an AF can negotiate a confidentiality protection algorithm and/or an integrity protection algorithm to be jointly used by the terminal device and the AF. In some embodiments, the application session establishment response message further includes a key identifier, the key identifier is for identifying a security context between the terminal device and the second AF, and the security context includes t