
CN110536293B - Method, device and system for accessing closed access group - Google Patents


Info

Publication number: CN110536293B
Application number: CN201910754388.7A
Authority: CN (China)
Prior art keywords: terminal, cag, amf, access, list
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110536293A
Inventors: 彭锦, 游世林, 林兆骥, 余万涛
Original assignee: ZTE Corp
Current assignee: ZTE Corp (as listed by Google Patents; may be inaccurate)
Related application: PCT/CN2020/109116, published as WO2021027916A1

Classifications

    • H: Electricity › H04: Electric communication technique › H04W: Wireless communication networks
        • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
            • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
        • H04W 60/00 Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method, a device and a system for accessing a closed access group. The method comprises the following steps: encrypting the CAG ID for which access is requested to obtain an encrypted CAG ID; and sending a registration request message, wherein the registration request message comprises the encrypted CAG ID and the SUCI of the terminal.

Description

Method, device and system for accessing closed access group
Technical Field
The present application relates to wireless communication networks, for example, to a method, apparatus and system for accessing closed access groups.
Background
The 3rd Generation Partnership Project (3GPP) publishes specifications for mobile networks, and defines a Closed Access Group (CAG) mechanism for supporting private networks over public networks.
A closed access group is a group of users that can access one or more CAG cells, and is identified by a Closed Access Group Identity (CAG ID). The CAG mechanism can be used to control which terminals may access a private network.
In the current access-control scheme for private networks, the CAG IDs that a terminal is allowed to access are configured in the terminal, and the network carries the CAG ID list supported by a cell in its broadcast system message. After receiving the broadcast, the terminal selects a CAG ID present in both lists as the CAG ID for which access is requested, carries that CAG ID in the registration request message sent to the network, and completes the registration procedure.
However, the CAG ID in the registration request message is carried in plaintext and sent through an air interface, and is easily intercepted and leaked, so that the security of the private network may be affected.
Disclosure of Invention
The application provides a method, a device and a system for accessing a closed access group, which are used for improving the security of the closed access group.
The embodiment of the application provides a method for accessing a closed access group, which comprises the following steps:
Encrypting the CAG ID of the request access to obtain the encrypted CAG ID of the request access;
and sending a registration request message, wherein the registration request message comprises the encrypted CAG ID for requesting access and SUCI of the terminal.
The embodiment of the application provides a method for accessing a closed access group, which comprises the following steps:
receiving a registration request message sent by a terminal, wherein the registration request message comprises an encrypted CAG ID for which access is requested and SUCI of the terminal;
parsing SUCI of the terminal into SUPI of the terminal, and decrypting the encrypted CAG ID into the CAG ID for which access is requested;
acquiring a first CAG ID list from a home network of the terminal according to SUPI of the terminal;
judging whether the CAG ID requesting access is matched with the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
The embodiment of the application provides a method for accessing a closed access group, which comprises the following steps:
encrypting the CAG ID of the request access to obtain a first encrypted CAG ID of the request access;
And sending a registration request message, wherein the registration request message comprises the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
The embodiment of the application provides a method for accessing a closed access group, which comprises the following steps:
receiving a registration request message sent by a terminal, wherein the registration request message comprises a first encrypted CAG ID for which access is requested and the 5G-GUTI of the terminal;
judging whether the current AMF is a historical AMF which serves the terminal or not according to the 5G-GUTI of the terminal;
If the current AMF is a historical AMF which serves the terminal once and SUPI of the terminal is stored in the current AMF, acquiring a first CAG ID list from a home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted CAG ID which is requested to be accessed into a CAG ID which is requested to be accessed;
judging whether the CAG ID requesting access is matched with the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
The embodiment of the application provides a device for accessing a closed access group, which comprises:
The encryption module is used for encrypting the CAG ID of the request access to obtain the encrypted CAG ID of the request access;
the sending module is configured to send a registration request message, where the registration request message includes the encrypted CAG ID for requesting access and SUCI of the terminal.
The embodiment of the application provides a device for accessing a closed access group, which comprises:
the receiving module is configured to receive a registration request message sent by the terminal, wherein the registration request message comprises an encrypted CAG ID for which access is requested and SUCI of the terminal;
The decryption module is configured to parse SUCI of the terminal into SUPI of the terminal, and decrypt the encrypted CAG ID requesting access into the CAG ID requesting access;
The acquisition module is used for acquiring a first CAG ID list from a home network of the terminal according to SUPI of the terminal;
the judging module is configured to judge whether the CAG ID requesting access and the first CAG ID list are matched, and if so, the judging module sends a registration acceptance message to the terminal.
The embodiment of the application provides a device for accessing a closed access group, which comprises:
The encryption module is used for encrypting the CAG ID of the request access to obtain a first encrypted CAG ID of the request access;
The sending module is configured to send a registration request message, where the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
The embodiment of the application provides a device for accessing a closed access group, which comprises:
the receiving module is configured to receive a registration request message sent by the terminal, wherein the registration request message comprises a first encrypted CAG ID for which access is requested and the 5G-GUTI of the terminal;
The decryption module is used for judging whether the current AMF is a historical AMF which serves the terminal or not according to the 5G-GUTI of the terminal;
the acquisition module is configured to acquire a first CAG ID list from a home network of the terminal according to the SUPI of the terminal if the current AMF is a historical AMF which serves the terminal once and the SUPI of the terminal is stored in the current AMF, and decrypt the first encrypted CAG ID which is requested to be accessed into the CAG ID which is requested to be accessed;
the judging module is configured to judge whether the CAG ID requesting access and the first CAG ID list are matched, and if so, the judging module sends a registration acceptance message to the terminal.
The embodiment of the application provides a system for accessing a closed access group, which comprises a terminal and network equipment;
the terminal comprises means for accessing the closed access group as shown in the embodiment of fig. 11;
The network device comprises means for accessing the closed access group as shown in the embodiment of fig. 12.
The embodiment of the application provides a system for accessing a closed access group, which comprises a terminal and network equipment;
The terminal comprises means for accessing the closed access group as shown in the embodiment of fig. 13;
the network device comprises means for accessing the closed access group as shown in the embodiment of fig. 14.
Drawings
Fig. 1 is a schematic diagram of a private network access control flow provided in an embodiment of the present application;
Fig. 2 is a flow chart of a method of accessing a closed access group according to one embodiment;
Fig. 3 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 4 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 5 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 6 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 7 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 8 is a flow chart of another method of accessing a closed access group according to one embodiment;
Fig. 9 is an interaction flow diagram of a method of accessing a closed access group according to one embodiment;
Fig. 10 is an interaction flow diagram of another method of accessing a closed access group according to one embodiment;
Fig. 11 is a schematic structural diagram of an apparatus for accessing a closed access group according to one embodiment;
Fig. 12 is a schematic structural diagram of another apparatus for accessing a closed access group according to one embodiment;
Fig. 13 is a schematic structural diagram of another apparatus for accessing a closed access group according to one embodiment;
Fig. 14 is a schematic structural diagram of another apparatus for accessing a closed access group according to one embodiment;
Fig. 15 is a schematic structural diagram of a terminal according to one embodiment.
Detailed Description
Hereinafter, embodiments of the present application will be described in detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a private network access control flow provided in an embodiment of the present application. As shown in fig. 1, conventional private network access is mainly implemented by the Access and Mobility Management Function (AMF), the Unified Data Management (UDM) or Subscription Identifier De-concealing Function (SIDF), and the Authentication Server Function (AUSF) in the network, which perform authentication and security verification on a mobile terminal (a terminal for short). The AMF, UDM, SIDF and AUSF are the network elements that implement authentication and security verification in the network; each may be a physical device deployed in the network or a functional module deployed in one or more physical network elements.
In this case, as shown in fig. 1, first, in step S1010, a CAG ID list allowed to access is configured on the terminal, where the CAG ID list allowed to access indicates that the terminal can only access the private network corresponding to the CAG ID in the list, for example, the CAG ID list allowed to access is {2,3,4,5}.
Next, in step S1020, the base station in the network carries a CAG ID list supported by the cell in the broadcasted system message, the CAG ID list supported by the cell representing a private network that allows access by the terminal in the cell. The terminal accessing the network through the base station can receive the broadcasted system information, thereby obtaining the CAG ID list supported by the cell. The CAG ID list supported by the cell is, for example {1,2,3}.
In step S1030, when the terminal receives the broadcasted system message, the terminal compares the CAG ID list allowed to access configured by itself with the CAG ID list supported by the received cell, and selects one of the matched CAG IDs as the CAG ID requesting access. For example, after comparison here, the matching CAG ID is {2,3}, from which {2} is selected as the CAG ID for which access is requested.
In step S1040, after determining the CAG ID for which access is requested, the terminal may start the access procedure for the private network corresponding to that CAG ID. The terminal sends a registration request message to the network, which carries the CAG ID for which access is requested and the Subscription Concealed Identifier (SUCI) of the terminal. After receiving the registration request message from the terminal, the base station forwards it to the AMF so that the terminal can be authenticated and security-verified for access to the private network.
In step S1050, the authentication and security verification procedure is performed on the terminal by the network elements AMF, AUSF, UDM or SIDF. The UDM or SIDF parses the SUCI of the terminal into the Subscription Permanent Identifier (SUPI) of the terminal and returns the SUPI to the AMF.
In step S1060, the AMF sends a request message, containing the SUPI of the terminal, to the home network of the terminal to obtain the list of CAG IDs the terminal is permitted to access. The home network returns the list of permitted CAG IDs to the AMF, for example {2,3,4,5}.
In step S1070, the AMF determines whether the terminal is allowed to access the requested CAG, that is, whether the CAG ID carried in the registration request message is included in the CAG ID list acquired from the home network; if so, access is possible, and if not, access is not possible. Here the requested CAG ID {2} is included in the permitted list {2,3,4,5} acquired from the home network, so the terminal is allowed to access the private network.
In step S1080, the AMF returns a registration acceptance message to the terminal, i.e. allows the terminal to access the private network.
If the AMF determines in step S1070 that the terminal is not permitted to access the requested CAG, the AMF sends a registration rejection message to the terminal in step S1090.
As can be seen from the embodiment shown in fig. 1, when the terminal requests to access the private network, the CAG ID requesting to access is carried in the registration request message through plaintext, and the registration request message is sent through an air interface, so that the CAG ID may be revealed, and the security of the private network may be affected.
Fig. 2 is a flowchart of a method for accessing a closed access group according to an embodiment, and as shown in fig. 2, the method provided in this embodiment includes the following steps.
Step S2010, encrypting the CAG ID of the requested access to obtain the encrypted CAG ID of the requested access.
The method for accessing a closed access group provided by this embodiment is applied to a terminal device (a terminal for short) in a mobile communication system. When a terminal needs to access a private network, i.e. a closed access group, it must send the CAG ID for which access is requested to the network elements that perform authentication and security verification. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over an air interface, the CAG ID is easy to leak, which in turn affects the security of the closed access group.
In order to solve the above problem, in this embodiment, when the terminal needs to access the closed access group, after determining the CAG ID requesting access, the CAG ID requesting access is first encrypted to obtain the encrypted CAG ID requesting access. The encryption mode used for encrypting the CAG ID may be any existing encryption mode, and corresponds to a decryption mode in a network element for authenticating and security verifying the terminal. The key used to encrypt the CAG ID may also be one or more of the possible ways and corresponds to a key in the network element that authenticates and securely verifies the terminal.
In step S2020, a registration request message is sent, where the registration request message includes the encrypted CAG ID for requesting access and SUCI of the terminal.
After obtaining the encrypted CAG ID, the terminal may send a registration request message that includes the encrypted CAG ID for which access is requested and the SUCI of the terminal. The terminal sends the registration request message over the air interface, and it is received by the base station the terminal is attached to, i.e. the serving base station of the cell in which the terminal is located. That base station forwards the registration request message to the network elements that authenticate and security-verify the terminal, including the AMF, AUSF, UDM/SIDF, etc. These network elements can determine the home network of the terminal from the SUCI, decrypt the encrypted CAG ID to obtain the CAG ID for which access is requested, and then authenticate and security-verify the terminal according to steps S1050-S1090 of the embodiment shown in fig. 1, so as to determine whether the terminal may access the corresponding CAG. If the terminal is allowed to access the CAG corresponding to the requested CAG ID, it receives a registration acceptance message; otherwise it receives a registration rejection message.
According to the method for accessing the closed access group, after the CAG ID of the access request is encrypted to obtain the encrypted CAG ID of the access request, a registration request message is sent, wherein the registration request message comprises the encrypted CAG ID of the access request and SUCI of the terminal.
In an embodiment, the method for encrypting the CAG ID of the request access may be that the public key of the home network of the terminal is used to encrypt the CAG ID of the request access, so as to obtain the encrypted CAG ID of the request access. After the terminal sends the registration request message, the registration request message includes the encrypted CAG ID for requesting access and SUCI of the terminal, so that the network element for authenticating and securely verifying the terminal which receives the registration request message can acquire the home network of the terminal according to SUCI of the terminal, and the network element for authenticating and securely verifying the terminal can acquire the public key of the home network of the terminal, so that the acquired public key can be used for decrypting the encrypted CAG ID for requesting access to acquire the CAG ID for requesting access.
In an embodiment, the method for encrypting the CAG ID of the access request may be that the public key of the home network is used to encrypt the CAG ID of the access request and SUCI of the terminal together, so as to obtain the extended SUCI of the terminal. When the terminal sends the registration request message, the network element which receives the registration request message and authenticates and securely verifies the terminal can acquire the home network of the terminal according to the related information of the terminal, and the network element which authenticates and securely verifies the terminal can acquire the public key of the home network of the terminal, so that the acquired public key can be used for decrypting the extended SUCI to acquire the CAG ID which requests access and SUCI of the terminal.
Fig. 3 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 3, the method according to the embodiment includes the following steps.
Step S3010, a system broadcast message carrying the first CAG ID list is received.
When a terminal needs to access a CAG, it must first be established that the terminal is allowed to access that CAG. The base station broadcasts a system broadcast message carrying the first CAG ID list, which is received by terminals attached to the base station or located in its coverage area. The first CAG ID list includes the ID of at least one CAG that terminals in the cell are allowed to access.
Step S3020, matching the second CAG ID list and the first CAG ID list configured by the terminal, and determining the CAG ID that the terminal requests to access.
A CAG ID list, called a second CAG ID list, is also configured on the terminal, where the second CAG ID list includes the ID of at least one CAG that the terminal is allowed to access. The second CAG ID list is preset on the terminal, may be preconfigured in the terminal, or may be configured for the terminal by the network device when the terminal is registered in the network. And the terminal matches the first CAG ID list with the second CAG ID list, so as to determine the CAG ID which the terminal requests to access.
Matching the second CAG ID list configured on the terminal against the first CAG ID list may consist of determining the CAG IDs common to both lists and taking one of them as the CAG ID for which access is requested. The two lists may have one common CAG ID, several, or none. If the first and second CAG ID lists have no CAG ID in common, the terminal is not allowed to access any CAG in the cell, cannot determine a CAG ID for which to request access, and therefore does not perform the subsequent steps. If the two lists have exactly one CAG ID in common, that CAG ID is used as the CAG ID for which access is requested. If the two lists have two or more CAG IDs in common, any one of them may be selected, or one may be selected according to a preset rule.
In addition, before receiving the system broadcast message carrying the first CAG ID list, a second CAG ID list may be configured in the terminal, where the second CAG ID list includes at least one CAG ID that allows access.
Step S3030, the CAG ID for which access is requested is encrypted to obtain the encrypted CAG ID.
In step S3040, a registration request message is sent, where the registration request message includes the encrypted CAG ID for requesting access and SUCI of the terminal.
Step S3030 and step S3040 are similar to step S2010 and step S2020, and are not described here again.
Fig. 4 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 4, the method according to the embodiment includes the following steps.
Step S4010, a registration request message sent by the terminal is received, where the registration request message includes an encrypted CAG ID for requesting access and SUCI of the terminal.
The method for accessing a closed access group provided in this embodiment is applied to network devices in a mobile communication system, namely the network elements that authenticate and security-verify a terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When a terminal needs to access a private network, i.e. a closed access group, it must send the CAG ID for which access is requested to the network elements that perform authentication and security verification. Because the CAG ID is sent in plaintext and the registration request message carrying it is sent over an air interface, the CAG ID is easy to leak, which in turn affects the security of the closed access group.
In order to solve the above problem, in this embodiment the network element that performs authentication and security verification on the terminal receives a registration request message sent by the terminal, which includes an encrypted CAG ID for which access is requested and the SUCI of the terminal. The SUPI of the terminal is obtained by parsing its SUCI, from which the home network of the terminal can be determined, and the CAG ID for which access is requested is obtained by decrypting the encrypted CAG ID. The network element can then authenticate and security-verify the terminal using its SUPI and the requested CAG ID, and decide whether the terminal may access the corresponding CAG. The encryption mode the terminal uses for the CAG ID can be any existing encryption mode, and corresponds to the decryption mode in the network element that authenticates and security-verifies the terminal. The key the terminal uses to encrypt the CAG ID may likewise be any of several possible keys, and corresponds to a key held by that network element.
In step S4020, SUCI of the terminal is parsed into SUPI of the terminal, and the encrypted CAG ID for access request is decrypted into the CAG ID for access request.
After receiving the SUCI and the encrypted CAG ID of the terminal, the network element that authenticates and security-verifies the terminal can decrypt the encrypted CAG ID into the CAG ID for which access is requested and parse the SUCI of the terminal. For example, the UDM/SIDF parses the SUCI of the terminal into its SUPI, decrypts the encrypted CAG ID into the requested CAG ID, and then transmits the SUPI of the terminal and the requested CAG ID to the AMF.
In an embodiment, the terminal encrypts the CAG ID for which access is requested using the public key of its home network, so as to obtain the encrypted CAG ID. The UDM or SIDF that receives the registration request message then parses the SUCI of the terminal into its SUPI, determines the home network from the SUPI, and uses the public key of that home network to decrypt the encrypted CAG ID into the CAG ID for which access is requested.
Step S4030, the first CAG ID list is acquired from the home network of the terminal according to the SUPI of the terminal.
After obtaining the SUPI of the terminal, the network element that authenticates and security-verifies the terminal can determine the home network of the terminal from the SUPI and then acquire the first CAG ID list from that home network according to the SUPI. The first CAG ID list includes the ID of at least one CAG that the terminal is allowed to access. For example, the AMF that receives the SUPI of the terminal and the requested CAG ID from the UDM/SIDF obtains the first CAG ID list from the home network of the terminal according to the SUPI.
In an embodiment, acquiring a first CAG ID list from a home network of a terminal according to a SUPI of the terminal includes: a CAG ID list request message is sent to a home network of the terminal, wherein the CAG ID list request message comprises SUPI; and receiving a first CAG ID list sent by the home network of the terminal.
Step S4040, judging whether the CAG ID requesting access and the first CAG ID list are matched, and if so, sending a registration acceptance message to the terminal.
The network element that authenticates and security-verifies the terminal then judges whether the CAG ID for which access is requested matches the first CAG ID list; if so, the terminal is determined to be allowed to access the CAG corresponding to that CAG ID, and a registration acceptance message can be sent to the terminal. For example, the AMF determines whether the requested CAG ID matches the first CAG ID list and, if so, sends a registration acceptance message to the terminal.
In an embodiment, determining whether the CAG ID of the requested access and the first CAG ID list match may be determining whether the CAG ID of the requested access is the same as any CAG ID in the first CAG ID list, and if so, determining that the CAG ID of the requested access and the first CAG ID list match. If the CAG ID of the request access is different from any CAG ID in the first CAG ID list, determining that the CAG ID of the request access is not matched with the first CAG ID list.
In one embodiment, if it is determined that the CAG ID requested for access does not match the first CAG ID list, a registration reject message is sent to the terminal.
Fig. 5 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 5, the method according to the embodiment includes the following steps.
Step S5010, a registration request message sent by the terminal is received, where the registration request message includes an extended SUCI of the terminal, and the extended SUCI of the terminal is obtained by jointly encrypting the CAG ID requested to be accessed and the SUCI of the terminal using the public key of the home network of the terminal.
In the embodiment shown in fig. 4, the received registration request message sent by the terminal includes the encrypted CAG ID and the SUCI of the terminal; in this embodiment, the received registration request message sent by the terminal includes the extended SUCI of the terminal. The extended SUCI of the terminal is obtained by jointly encrypting the CAG ID of the requested access and the SUCI of the terminal using the public key of the home network of the terminal.
Step S5020, the UDM or the SIDF decrypts the extended SUCI of the terminal into the CAG ID requesting access and SUCI of the terminal using the public key of the home network of the terminal, and parses SUCI of the terminal into SUPI of the terminal.
After receiving the extended SUCI, the UDM or the SIDF can determine the home network of the terminal from the related information of the terminal, and can then acquire the public key of the home network of the terminal, so that the UDM or the SIDF can decrypt the extended SUCI using the acquired public key to obtain the CAG ID requesting access and the SUCI of the terminal. The UDM or SIDF may then also parse the SUCI of the terminal into the SUPI of the terminal.
In step S5030, the UDM or the SIDF transmits the SUPI of the terminal and the CAG ID requesting access to the AMF.
In step S5040, the AMF acquires the first CAG ID list from the home network of the terminal according to the SUPI of the terminal.
In step S5050, the AMF determines whether the CAG ID requested to be accessed and the first CAG ID list match, and if so, sends a registration acceptance message to the terminal.
Step S5030-step S5050 are similar to the authentication and security verification process in the embodiment shown in fig. 1, and will not be described here again.
Fig. 6 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 6, the method according to the embodiment includes the following steps.
Step S6010, encrypting the CAG ID of the requested access to obtain the first encrypted CAG ID of the requested access.
The method for accessing the closed access group provided by this embodiment is applied to terminal equipment, called a terminal for short, in a mobile communication system. When a terminal needs to access a private network, namely a closed access group, it needs to send the CAG ID requesting access to the authentication and security verification equipment in the network. Because the CAG ID is sent in plaintext and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which in turn affects the security of the closed access group.
In order to solve the above problem, in this embodiment, when the terminal needs to access the closed access group, after determining the CAG ID requesting access, the terminal first encrypts the CAG ID requesting access to obtain the first encrypted CAG ID requesting access. The encryption mode used to encrypt the CAG ID may be any existing encryption mode, and corresponds to a decryption mode in the network element that performs authentication and security verification of the terminal. The key used to encrypt the CAG ID may likewise be any of several possible keys, and corresponds to a key held by the network element that performs authentication and security verification of the terminal.
Step S6020, a registration request message is sent, wherein the registration request message comprises the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
After obtaining the first encrypted CAG ID for requesting access, the terminal may send a registration request message, where the registration request message includes the first encrypted CAG ID for requesting access and the 5G globally unique temporary user equipment identifier (5G Globally Unique Temporary UE Identity, 5G-GUTI) of the terminal. The terminal sends the registration request message over the air interface, and the base station to which the terminal is attached, or the serving base station of the cell in which the terminal is located, receives it. The base station that receives the registration request message forwards it to the network elements that perform authentication and security verification of the terminal, including the AMF, AUSF, UDM/SIDF, etc. Each of these network elements can determine from the 5G-GUTI of the terminal whether it is a network element that has served the terminal. If so, that network element holds various information related to the terminal, including the home network of the terminal and the key the terminal used to produce the first encrypted CAG ID requesting access, so it can directly decrypt the first encrypted CAG ID requesting access to obtain the CAG ID requesting access, and can obtain the first CAG ID list that the terminal is allowed to access. It then determines whether the terminal can access the CAG corresponding to the CAG ID requested for access. When the terminal is allowed to access that CAG, the terminal receives a registration acceptance message; when it is not allowed, the terminal receives a registration rejection message.
According to the method for accessing the closed access group, after the CAG ID of the access request is encrypted to obtain the first encrypted CAG ID of the access request, a registration request message is sent, wherein the registration request message comprises the first encrypted CAG ID of the access request and the 5G-GUTI of the terminal.
In an embodiment, encrypting the CAG ID of the requested access to obtain the first encrypted CAG ID of the requested access includes: encrypting the CAG ID of the requested access using an encryption key in the security context corresponding to the 5G-GUTI of the terminal to obtain the first encrypted CAG ID of the requested access. After the terminal sends the registration request message, because the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal, each network element that performs authentication and security verification of the terminal and receives the registration request message can learn from the 5G-GUTI whether it has previously served the terminal. If so, since the network element that previously served the terminal stores various information related to the terminal, including the encryption key in the security context corresponding to the 5G-GUTI of the terminal, that network element can directly use the encryption key in that security context to decrypt the first encrypted CAG ID for requesting access to obtain the CAG ID for requesting access.
Fig. 7 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 7, the method according to the embodiment includes the following steps.
Step S7010 encrypts the CAG ID of the request access to obtain a first encrypted CAG ID of the request access.
Step S7020, a registration request message is sent, where the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
Step S7010 and step S7020 are the same as step S6010 and step S6020, and are not described here.
Step S7030, an identification request message sent by the AMF is received.
After the terminal sends the registration request message, if the network element that receives it is a network element that has served the terminal, information related to the terminal may be stored there, so that the first encrypted CAG ID requesting access can be decrypted. If the network element that receives the registration request message has not served the terminal, or has served the terminal but no longer stores the information about the terminal, then the first encrypted CAG ID requesting access cannot be decrypted. In that case the terminal receives an identification request message sent by the AMF. That is, the identification request message is received when the first encrypted CAG ID requesting access cannot be decrypted on the basis of the terminal's 5G-GUTI.
Step S7040, the CAG ID of the requested access is encrypted using the public key of the home network, to obtain a second encrypted CAG ID of the requested access.
After receiving the identification request message, the terminal can encrypt the CAG ID of the request access by using the public key of the home network to obtain a second encrypted CAG ID of the request access.
Step S7050, an identification response message is sent to the AMF, where the identification response message includes the second encrypted CAG ID for requesting access and SUCI of the terminal.
Then the terminal sends an identification response message to the AMF, where the identification response message includes the second encrypted CAG ID for requesting access and the SUCI of the terminal. Because the identification response message includes the second encrypted CAG ID for requesting access and the SUCI of the terminal, the AMF that receives it can determine the home network of the terminal from the SUCI, and can then acquire the public key of the home network of the terminal, so that the acquired public key can be used to decrypt the second encrypted CAG ID for requesting access to obtain the CAG ID for requesting access. In addition, the AMF may obtain the first CAG ID list that the terminal is allowed to access according to the SUCI of the terminal. It then determines whether the terminal can access the CAG corresponding to the CAG ID requested for access. When the terminal is allowed to access that CAG, the terminal receives a registration acceptance message; when it is not allowed, the terminal receives a registration rejection message.
In an embodiment, after receiving the identification request message sent by the AMF, the terminal may instead encrypt the CAG ID requested to be accessed and the SUCI of the terminal together using the public key of the home network, to obtain an extended SUCI of the terminal; the terminal then sends an identification response message to the AMF, the identification response message including the extended SUCI of the terminal. After the terminal sends the identification response message, the AMF that receives it can determine the home network of the terminal from the related information of the terminal, and can acquire the public key of the home network of the terminal, so that the acquired public key can be used to decrypt the extended SUCI to obtain the CAG ID requesting access and the SUCI of the terminal. In addition, the AMF may obtain the first CAG ID list that the terminal is allowed to access according to the SUCI of the terminal. It then determines whether the terminal can access the CAG corresponding to the CAG ID requested for access. When the terminal is allowed to access that CAG, the terminal receives a registration acceptance message; when it is not allowed, the terminal receives a registration rejection message.
In an embodiment, before encrypting the CAG ID of the requested access to obtain the first encrypted CAG ID of the requested access, the method further includes: receiving a system broadcast message carrying a first CAG ID list; and matching the second CAG ID list configured in the terminal itself against the first CAG ID list to determine the CAG ID requesting access. The first CAG ID list includes at least one ID of a CAG that the terminal is allowed to access.
In an embodiment, matching the second CAG ID list configured in the terminal itself against the first CAG ID list to determine the CAG ID requesting access includes: matching the two lists and determining that a CAG ID present in both the second CAG ID list and the first CAG ID list is the CAG ID requesting access. The number of CAG IDs common to the first CAG ID list and the second CAG ID list may be one or more, or the two lists may have no CAG ID in common. If the first CAG ID list and the second CAG ID list have no CAG ID in common, the terminal is not allowed to access any CAG, so it cannot determine a CAG ID requesting access and does not carry out the subsequent procedure. If the two lists have exactly one CAG ID in common, that CAG ID may be used as the CAG ID requesting access. If the two lists have two or more CAG IDs in common, one of them may be selected as the CAG ID requesting access, either arbitrarily or according to a preset rule.
In addition, before receiving the system broadcast message carrying the first CAG ID list, a second CAG ID list may be configured in the terminal, where the second CAG ID list includes at least one CAG ID that allows access.
Fig. 8 is a flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 8, the method according to the embodiment includes the following steps.
Step S8010, a registration request message sent by the terminal is received, where the registration request message includes a first encrypted CAG ID for requesting access and a 5G-GUTI of the terminal.
The method for accessing the closed access group provided in this embodiment is applied to network devices in a mobile communication system, where the network devices are network elements that perform authentication and security verification of a terminal, including but not limited to one or more of the AMF, AUSF and UDM/SIDF. When a terminal needs to access a private network, namely a closed access group, it needs to send the CAG ID requesting access to the authentication and security verification equipment in the network. Because the CAG ID is sent in plaintext and the registration request message carrying the CAG ID is sent over the air interface, the CAG ID is easy to leak, which in turn affects the security of the closed access group.
In order to solve the above problem, in this embodiment, the network element that performs authentication and security verification of the terminal receives a registration request message sent by the terminal, where the registration request message includes the first encrypted CAG ID requesting access and the 5G-GUTI of the terminal. From the 5G-GUTI of the terminal, each such network element can determine whether it is a network element that has served the terminal. The encryption mode the terminal used to produce the first encrypted CAG ID requesting access can be any existing encryption mode, and corresponds to the decryption mode in the network element that performs authentication and security verification of the terminal. The key the terminal used to encrypt the CAG ID may likewise be any of several possible keys, and corresponds to a key held by that network element.
Step S8020, determining, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has served the terminal.
After receiving the 5G-GUTI of the terminal and the first encrypted CAG ID, the network element that performs authentication and security verification of the terminal first determines, according to the 5G-GUTI, whether the current AMF is a historical AMF that has served the terminal. Because a historical AMF that has served the terminal may store information related to the terminal, whether the current AMF is such a historical AMF can be determined from the 5G-GUTI of the terminal.
Step S8030, if the current AMF is a historical AMF that has served the terminal, and the SUPI of the terminal is stored in the current AMF, acquiring the first CAG ID list from the home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted CAG ID requesting access into the CAG ID requesting access.
If the current AMF is a historical AMF that has served the terminal, it may or may not still store the SUPI of the terminal. If it does store the SUPI of the terminal, the current AMF may acquire the first CAG ID list from the home network of the terminal according to the SUPI, and decrypt the first encrypted CAG ID requesting access into the CAG ID requesting access. The key and encryption mode the current AMF uses to decrypt the first encrypted CAG ID requesting access may be preset in the terminal and the AMF, or may have been stored when the current AMF served the terminal before. For example, if the security context of the terminal is stored in the current AMF and includes an encryption key, the terminal may encrypt the CAG ID requesting access using that encryption key to obtain the first encrypted CAG ID requesting access, and the current AMF may decrypt the first encrypted CAG ID requesting access using the encryption key in the stored security context of the terminal to obtain the CAG ID requesting access.
Step S8040, determining whether the CAG ID requesting access and the first CAG ID list match, and if so, sending a registration acceptance message to the terminal.
This step is the same as step S4040 and will not be described here again.
Step S8050, if the current AMF is a historical AMF that has served the terminal, and the SUPI of the terminal is not stored in the current AMF, the current AMF sends an identification request message to the terminal.
If the current AMF is a historical AMF that has served the terminal but does not store the SUPI of the terminal, the current AMF cannot decrypt the first encrypted CAG ID requesting access sent by the terminal. Therefore, the current AMF sends an identification request message to the terminal, requesting the terminal to send the CAG ID requesting access again.
Step S8060, receiving an identification response message sent by the terminal, where the identification response message includes the second encrypted CAG ID requesting access, encrypted using the public key of the home network, and the SUCI of the terminal.
After receiving the identification request message, the terminal may encrypt the CAG ID requested to be accessed using the public key of the home network to obtain the second encrypted CAG ID requesting access, in order to ensure the security of the CAG ID. The current AMF then receives an identification response message sent by the terminal, where the identification response message includes the second encrypted CAG ID requesting access, encrypted using the public key of the home network, and the SUCI of the terminal.
Step S8070, the UDM or the SIDF parses SUCI of the terminal into SUPI of the terminal, and decrypts the second encrypted CAG ID requesting access into a CAG ID requesting access using the public key of the home network of the terminal.
Step S8080, the first CAG ID list is acquired from the home network of the terminal according to the SUPI of the terminal.
Step S8090, judging whether the CAG ID requesting access and the first CAG ID list are matched, if so, sending a registration acceptance message to the terminal.
Step S8070 to step S8090 are similar to step S5020 to step S5050 in the embodiment shown in fig. 4, and are not described here.
In an embodiment, the identification response message includes an extended SUCI obtained by the terminal jointly encrypting the CAG ID it requests access to and its SUCI using the public key of the home network of the terminal. The UDM or SIDF decrypts the extended SUCI of the terminal into the CAG ID of the requested access and the SUCI of the terminal using the public key of the terminal's home network, parses the SUCI of the terminal into the SUPI of the terminal, and the first CAG ID list is obtained from the home network of the terminal according to the SUPI. It is then determined whether the CAG ID requesting access matches the first CAG ID list, and if so, a registration acceptance message is sent to the terminal.
In step S8100, if the current AMF has not served the terminal, the current AMF determines the historical AMF that served the terminal according to the 5G-GUTI of the terminal, and sends a context transfer request message for the terminal to the historical AMF, where the context transfer request message includes the 5G-GUTI of the terminal.
If the current AMF has not served the terminal, no information related to the terminal is stored in the current AMF. Since the current AMF has received the 5G-GUTI of the terminal, it can determine from the 5G-GUTI the historical AMF that served the terminal. The current AMF then sends a context transfer request message for the terminal to the historical AMF, where the context transfer request message includes the 5G-GUTI of the terminal.
In step S8110, the current AMF receives a context transfer response message sent by the history AMF, where the context transfer response message includes the security context of the terminal and the first CAG ID list.
After receiving the context transmission response message sent by the historical AMF, the current AMF can acquire the security context of the terminal, and can acquire the first CAG ID list.
In step S8120, the current AMF decrypts the first encrypted CAG ID requesting access into the CAG ID requesting access using a private key in the security context of the terminal.
Step S8130, judging whether the CAG ID requesting access and the first CAG ID list are matched, and if so, sending a registration acceptance message to the terminal.
If the security context corresponding to the terminal is stored in the historical AMF that served the terminal, the current AMF can receive the security context of the terminal sent by the historical AMF, and can then directly decrypt the first encrypted CAG ID requesting access using the key in the received security context. If the historical AMF that served the terminal does not store information about the terminal, the current AMF must proceed in another way.
In step S8140, if the current AMF does not receive the context transfer response message of the terminal sent by the history AMF, the current AMF sends an identification request message to the terminal.
If the current AMF does not receive the context transmission response message of the terminal sent by the historical AMF, the current AMF sends an identification request message to the terminal to request the terminal to resend the CAG ID which can be decrypted by the current AMF.
In step S8150, an identification response message sent by the terminal is received, where the identification response message includes the second encrypted CAG ID requesting access, encrypted by the terminal using the public key of the home network, and the SUCI of the terminal.
In step S8160, the UDM or the SIDF parses SUCI of the terminal into SUPI of the terminal, and decrypts the second encrypted CAG ID requesting access into a CAG ID requesting access using the public key of the home network of the terminal.
Step S8170, a first CAG ID list is acquired from the home network of the terminal according to the SUPI of the terminal.
Step S8180, judging whether the CAG ID requesting access and the first CAG ID list are matched, and if so, sending a registration acceptance message to the terminal.
Step S8150 to step S8180 are the same as step S8060 to step S8090, and are not described here.
In an embodiment, the identification response message includes an extended SUCI obtained by the terminal jointly encrypting the CAG ID it requests access to and its SUCI using the public key of the home network of the terminal. The UDM or SIDF decrypts the extended SUCI of the terminal into the CAG ID of the requested access and the SUCI of the terminal using the public key of the terminal's home network, parses the SUCI of the terminal into the SUPI of the terminal, and the first CAG ID list is obtained from the home network of the terminal according to the SUPI. It is then determined whether the CAG ID requesting access matches the first CAG ID list, and if so, a registration acceptance message is sent to the terminal.
In one embodiment, determining whether the CAG ID of the requested access and the first CAG ID list match comprises: determining whether the CAG ID of the requested access is the same as any CAG ID in the first CAG ID list, and if so, determining that the CAG ID of the requested access matches the first CAG ID list.
In an embodiment, after determining whether the CAG ID of the requested access and the first CAG ID list match, the method further includes: if they do not match, sending a registration rejection message to the terminal.
Fig. 9 is an interactive flowchart of a method for accessing a closed access group according to an embodiment, and as shown in fig. 9, the method according to the embodiment includes the following steps.
Step S9010: a list of CAG IDs allowed to be accessed, e.g., {2,3,4,5}, is configured on the mobile terminal.
Step S9020: the network carries the list of CAG IDs supported by the cell, e.g., {1,2,3}, in the broadcast system message.
Step S9030: after receiving the message, the terminal compares the two lists and selects one of the matching CAG IDs as the CAG ID requesting access, for example, selects 2 from {2,3}.
Step S9040: the terminal encrypts the CAG ID requesting access using the public key of the home network to obtain the encrypted CAG ID requesting access; alternatively, the terminal may encrypt the CAG ID requesting access and the SUPI together with the public key of the home network to obtain an extended SUCI. The terminal sends a registration request message to the network, where the registration request message carries the encrypted CAG ID requesting access and also carries the SUCI; in the case of joint encryption, the request message carries the extended SUCI (2).
Step S9050: the authentication and security procedure, in which the UDM/SIDF resolves the SUCI into the SUPI and also resolves the encrypted CAG ID requesting access into the CAG ID requesting access; the UDM/SIDF returns the SUPI and the CAG ID requesting access to the AMF.
Step S9060: the AMF obtains from the home network the list of CAG IDs allowed to be accessed, e.g., {2,3,4,5}; the request message carries the SUPI as a parameter.
Step S9070 (access control): the AMF determines whether the terminal is allowed to access the CAG. Specifically, the AMF determines whether the CAG ID received in the registration message is included in the list of CAG IDs allowed to be accessed that was acquired from the home network; if yes, access is possible, if no, access is not possible. For example, 2 is in {2,3,4,5}, so access is possible.
Step S9080: if access is possible, the AMF returns a registration accept message to the terminal.
Step S9090: if not, the AMF returns a registration rejection message to the terminal.
Fig. 10 is an interactive flowchart of another method for accessing a closed access group according to an embodiment, and as shown in fig. 10, the method according to the embodiment includes the following steps.
Step S10010: a list of CAG IDs allowed to be accessed, e.g., {2,3,4,5}, is configured on the mobile terminal.
Step S10020: the network carries the list of CAG IDs supported by the cell, e.g., {1,2,3}, in the broadcast system message.
Step S10030: after receiving the message, the terminal compares the two lists and selects one of the matching CAG IDs as the CAG ID requesting access, for example, 2 from {2,3}.
Step S10040: if the terminal holds a temporary user identifier 5G-GUTI issued by the visited network in which it requests registration, together with a security context, the terminal encrypts the CAG ID requesting access with the encryption key in the security context to obtain the encrypted CAG ID requesting access; the terminal then sends a registration request message to the network, which carries the encrypted CAG ID requesting access and the 5G-GUTI.
Step S10050: if the current AMF (new AMF) receiving the registration message is also the AMF that last served the terminal (old AMF) and still holds the SUPI and security context of the terminal, it decrypts the encrypted CAG ID requesting access with the encryption key in the security context to obtain the CAG ID requesting access; if the new AMF is not the old AMF that last served the terminal, the new AMF sends a terminal context transfer request message carrying the 5G-GUTI to the old AMF.
Step S10060: the old AMF returns the SUPI and security context of the terminal to the new AMF, and the new AMF decrypts the encrypted CAG ID requesting access with the encryption key in the security context to obtain the CAG ID requesting access; the returned message also carries the list of CAG IDs allowed to be accessed, e.g., {2,3,4,5}.
Step S10070: if the old AMF no longer stores the SUPI and context of the terminal, the new AMF sends an identification request message to the terminal.
Step S10080: the terminal encrypts the CAG ID requesting access with the public key of the home network to obtain the encrypted CAG ID requesting access; alternatively, the terminal may encrypt the CAG ID requesting access and the SUPI together with the public key of the home network to obtain an extended SUCI. The terminal returns an identification response message to the new AMF, which carries the encrypted CAG ID requesting access and the SUCI; in the joint-encryption case, the response message carries the extended SUCI instead (2).
Step S10090: authentication and security procedures, which need not include SUCI resolution or CAG ID resolution if step S10060 successfully returned the SUPI; if step S10060 was unsuccessful, the UDM/SIDF resolves the SUCI into the SUPI in this step and decrypts the encrypted CAG ID requesting access into the CAG ID requesting access, then returns the SUPI and the CAG ID requesting access to the AMF.
Step S10100: if step S10060 was unsuccessful, the AMF obtains the list of CAG IDs allowed to be accessed, e.g., {2,3,4,5}, from the home network, the request message carrying the SUPI as a parameter.
Step S10110 (access control): the AMF determines whether the terminal is allowed to access the CAG, specifically whether the CAG ID received in the registration message is included in the list of CAG IDs allowed to be accessed that was obtained from the home network; if so, access is allowed, otherwise it is not, for example, 2 is in {2,3,4,5} and access is allowed.
Step S10120: if accessible, the AMF returns a registration accept message to the terminal.
Step S10130: if not, the AMF returns a registration rejection message to the terminal.
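The Fig. 10 flow, with its three branches (the current AMF still holds the context, the context is transferred from the old AMF, or the context is lost and the UDM/SIDF resolves the identities), as an added Python simulation. This is example code written for this page, not ZTE's implementation and not 3GPP reference code: the symmetric cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) and the toy Diffie-Hellman hybrid scheme are constructed stand-ins for the NAS encryption algorithm and the ECIES-based SUCI protection; the SUPI, CAG lists and AMF names are constructed; and the old AMF is located from a name prefix of the 5G-GUTI as a simplification of the GUAMI the real identifier carries. The joint extended-SUCI variant of step S10080 is not modelled.

```python
"""Simulation of the Fig. 10 registration flow (added example, not ZTE's code).
Crypto here is a constructed stand-in, NOT the 3GPP NEA or ECIES profiles: an
HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag models the
security-context key; a toy Diffie-Hellman hybrid scheme models the home-network
public key used for SUCI. Only the message flow is the point."""
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def sym_encrypt(key, pt):
    """Stand-in for encryption under the security-context key: nonce || ct || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

P, G = 2**127 - 1, 3  # toy DH group (a Mersenne prime); far too small for real use

def hn_keygen():
    priv = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
    return priv, pow(G, priv, P)

def pk_encrypt(pub, pt):
    """Stand-in for SUCI-style protection with the home-network public key."""
    eph, eph_pub = hn_keygen()
    k = hashlib.sha256(pow(pub, eph, P).to_bytes(16, "big")).digest()
    return eph_pub.to_bytes(16, "big") + sym_encrypt(k, pt)

def pk_decrypt(priv, blob):
    shared = pow(int.from_bytes(blob[:16], "big"), priv, P)
    return sym_decrypt(hashlib.sha256(shared.to_bytes(16, "big")).digest(), blob[16:])

def select_cag_id(allowed, broadcast):
    """Step S10030: first CAG ID present in both lists, None when nothing matches."""
    return next((c for c in allowed if c in broadcast), None)

class HomeNetwork:  # UDM/SIDF role: private key plus per-subscriber allowed CAG lists
    def __init__(self, subscriptions):
        self.priv, self.pub = hn_keygen()
        self.subs = subscriptions  # SUPI -> CAG IDs allowed to be accessed
    def resolve(self, suci, enc_cag):  # Step S10090
        supi = pk_decrypt(self.priv, suci).decode()
        return supi, int.from_bytes(pk_decrypt(self.priv, enc_cag), "big")

class Terminal:
    def __init__(self, supi, allowed, hn_pub):
        self.supi, self.allowed, self.hn_pub = supi, allowed, hn_pub
        self.guti = self.key = self.cag = None  # GUTI and key come from a prior registration
    def registration_request(self, broadcast):  # Steps S10030-S10040
        self.cag = select_cag_id(self.allowed, broadcast)
        if self.cag is None:
            raise ValueError("no CAG ID in common with the cell")
        return {"guti": self.guti, "enc_cag": sym_encrypt(self.key, self.cag.to_bytes(4, "big"))}
    def identification_response(self):  # Step S10080, single-encryption variant
        return {"suci": pk_encrypt(self.hn_pub, self.supi.encode()),
                "enc_cag": pk_encrypt(self.hn_pub, self.cag.to_bytes(4, "big"))}

class AMF:
    def __init__(self, name, hn):
        self.name, self.hn, self.contexts = name, hn, {}  # 5G-GUTI -> (SUPI, key, allowed)
    def register(self, term, req, old_amfs):
        guti = req["guti"]
        ctx = self.contexts.get(guti)  # Step S10050: is the current AMF the old AMF?
        if ctx is None:  # the 5G-GUTI names its AMF (GUAMI), modelled here as a name prefix
            old = next((a for a in old_amfs if guti.startswith(a.name)), None)
            ctx = old.contexts.get(guti) if old else None  # Step S10060 context transfer
        if ctx is not None:
            supi, key, allowed = ctx
            cag = int.from_bytes(sym_decrypt(key, req["enc_cag"]), "big")
        else:  # Steps S10070-S10100: identification request, UDM/SIDF resolution
            supi, cag = self.hn.resolve(**term.identification_response())
            allowed = list(self.hn.subs[supi])
        # Step S10110: access control is a membership test against the home-network list
        return "REGISTRATION ACCEPT" if cag in allowed else "REGISTRATION REJECT"

def demo():
    """Run the four cases from the description and return the AMF verdict for each."""
    supi = "imsi-001010123456789"  # constructed sample SUPI
    hn = HomeNetwork({supi: [2, 3, 4, 5]})
    old_amf, new_amf, cell = AMF("amf1", hn), AMF("amf2", hn), [1, 2, 3]
    ue = Terminal(supi, [2, 3, 4, 5], hn.pub)
    ue.guti, ue.key = "amf1-guti-0001", os.urandom(16)  # left by an earlier registration on amf1
    old_amf.contexts[ue.guti] = (supi, ue.key, [2, 3, 4, 5])
    out = {"same_amf": old_amf.register(ue, ue.registration_request(cell), [])}
    out["context_transfer"] = new_amf.register(ue, ue.registration_request(cell), [old_amf])
    old_amf.contexts.clear()  # the old AMF has lost the SUPI and security context
    out["identification"] = new_amf.register(ue, ue.registration_request(cell), [old_amf])
    hn.subs[supi] = [9]  # subscription no longer allows CAG 2 -> reject
    out["not_allowed"] = new_amf.register(ue, ue.registration_request(cell), [old_amf])
    return out
```

`demo()` returns the verdict for each branch. Two properties of the flow are visible in the code: the CAG ID requesting access never leaves the terminal in clear text in any branch, and the list used for the access-control decision always comes from the home-network subscription (directly or via the old AMF's stored copy), never from the terminal's own configured list.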
Fig. 11 is a schematic structural diagram of an apparatus for accessing a closed access group according to an embodiment, and as shown in fig. 11, the apparatus for accessing a closed access group according to the embodiment includes: an encryption module 111 configured to encrypt the CAG ID of the request for access to obtain an encrypted CAG ID of the request for access; the sending module 112 is configured to send a registration request message, where the registration request message includes the encrypted CAG ID for requesting access and SUCI of the terminal.
The device for accessing the closed access group according to the embodiment is used for implementing the method for accessing the closed access group according to the embodiment shown in fig. 2, and the implementation principle and the technical effect of the device for accessing the closed access group according to the embodiment are similar, and are not repeated herein.
Fig. 12 is a schematic structural diagram of another apparatus for accessing a closed access group according to an embodiment, and as shown in fig. 12, the apparatus for accessing a closed access group according to the embodiment includes: a receiving module 121, configured to receive a registration request message sent by a terminal, where the registration request message includes an encrypted CAG ID that requests access and SUCI of the terminal; the decryption module 122 is configured to parse SUCI of the terminal into SUPI of the terminal, and decrypt the encrypted CAG ID requested to be accessed into the CAG ID requested to be accessed; an obtaining module 123 configured to obtain a first CAG ID list from a home network of the terminal according to the SUPI of the terminal; and a judging module 124, configured to judge whether the CAG ID requested to be accessed and the first CAG ID list match, and if so, send a registration acceptance message to the terminal.
The device for accessing the closed access group according to the embodiment is used for implementing the method for accessing the closed access group according to the embodiment shown in fig. 4, and the implementation principle and the technical effect of the device for accessing the closed access group according to the embodiment are similar, and are not repeated herein.
Fig. 13 is a schematic structural diagram of another apparatus for accessing a closed access group according to an embodiment, and as shown in fig. 13, the apparatus for accessing a closed access group according to the embodiment includes: an encryption module 131 configured to encrypt the CAG ID of the request for access to obtain a first encrypted CAG ID of the request for access; the sending module 132 is configured to send a registration request message, where the registration request message includes the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
The device for accessing the closed access group according to the embodiment is used for implementing the method for accessing the closed access group according to the embodiment shown in fig. 6, and the implementation principle and the technical effect of the device for accessing the closed access group according to the embodiment are similar, and are not repeated herein.
Fig. 14 is a schematic structural diagram of another apparatus for accessing a closed access group according to an embodiment, and as shown in fig. 14, the apparatus for accessing a closed access group according to the embodiment includes: a receiving module 141, configured to receive a registration request message sent by a terminal, where the registration request message includes a first encrypted CAG ID that requests access and a 5G-GUTI of the terminal; a decryption module 142 configured to determine whether the current AMF is a historical AMF that has served the terminal according to the 5G-GUTI of the terminal; the acquiring module 143 is configured to acquire a first CAG ID list from a home network of the terminal according to the SUPI of the terminal if the current AMF is a historical AMF that has served the terminal and the current AMF stores the SUPI of the terminal, and decrypt the first encrypted CAG ID that requests access into a CAG ID that requests access; the judging module 144 is configured to judge whether the CAG ID requested to be accessed and the first CAG ID list match, and if so, send a registration acceptance message to the terminal.
The device for accessing the closed access group according to the embodiment is used for implementing the method for accessing the closed access group according to the embodiment shown in fig. 8, and the implementation principle and the technical effect of the device for accessing the closed access group according to the embodiment are similar, and are not repeated here.
The embodiment of the application also provides a system for accessing the closed access group, which comprises a terminal and network equipment, wherein the terminal comprises the device for accessing the closed access group shown in the embodiment of fig. 11, and the network equipment comprises the device for accessing the closed access group shown in the embodiment of fig. 12.
The embodiment of the application also provides a system for accessing the closed access group, which comprises a terminal and network equipment, wherein the terminal comprises the device for accessing the closed access group shown in the embodiment of fig. 13, and the network equipment comprises the device for accessing the closed access group shown in the embodiment of fig. 14.
Fig. 15 is a schematic structural diagram of a terminal according to an embodiment, and as shown in fig. 15, the terminal includes a processor 151, a memory 152, a transmitter 153, and a receiver 154; the number of processors 151 in the terminal may be one or more, and one processor 151 is taken as an example in fig. 15; the processor 151, the memory 152, the transmitter 153 and the receiver 154 in the terminal may be connected by a bus or otherwise, and are illustrated in fig. 15 as being connected by a bus.
The memory 152, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method of accessing the closed access group in the embodiments of fig. 2-3 or fig. 6-7 of the present application (e.g., the encryption module 111 and the sending module 112, or the encryption module 131 and the sending module 132, of the apparatus for accessing the closed access group). The processor 151 executes the functional applications and data processing of the terminal, i.e., the method of accessing the closed access group of fig. 2 to 3 or fig. 6 to 7, by running the software programs, instructions and modules stored in the memory 152.
The memory 152 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 152 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The transmitter 153 is a module or combination of devices capable of transmitting radio frequency signals into space, including, for example, a combination of radio frequency transmitters, antennas, and other devices. The receiver 154 is a module or combination of devices capable of receiving a radio frequency signal from a space, including, for example, a combination of radio frequency receivers, antennas, and other devices.
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method of accessing a closed access group, the method comprising: encrypting the CAG ID of the request access to obtain the encrypted CAG ID of the request access; and sending a registration request message, wherein the registration request message comprises the encrypted CAG ID for requesting access and SUCI of the terminal.
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method of accessing a closed access group, the method comprising: receiving a registration request message sent by a terminal, wherein the registration request message comprises an encrypted CAG ID requesting access and the SUCI of the terminal; resolving the SUCI of the terminal into the SUPI of the terminal, and decrypting the encrypted CAG ID requesting access into the CAG ID requesting access; acquiring a first CAG ID list from a home network of the terminal according to the SUPI of the terminal; and determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method of accessing a closed access group, the method comprising: encrypting the CAG ID of the request access to obtain a first encrypted CAG ID of the request access; and sending a registration request message, wherein the registration request message comprises the first encrypted CAG ID for requesting access and the 5G-GUTI of the terminal.
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method of accessing a closed access group, the method comprising: receiving a registration request message sent by a terminal, wherein the registration request message comprises a first encrypted CAG ID requesting access and the 5G-GUTI of the terminal; determining, according to the 5G-GUTI of the terminal, whether the current AMF is a historical AMF that has served the terminal; if the current AMF is a historical AMF that has served the terminal and the current AMF stores the SUPI of the terminal, acquiring a first CAG ID list from a home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted CAG ID requesting access into a CAG ID requesting access; and determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
It will be appreciated by those skilled in the art that the term user terminal encompasses any suitable type of wireless user equipment, such as a mobile telephone, a portable data processing device, a portable web browser or a car mobile station.
In general, the various embodiments of the application may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the application is not limited thereto.
Embodiments of the application may be implemented by a data processor of a mobile device executing computer program instructions, e.g. in a processor entity, either in hardware, or in a combination of software and hardware. The computer program instructions may be assembly instructions, instruction set architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages.
The block diagrams of any of the logic flows in the figures of this application may represent program steps, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program steps and logic circuits, modules, and functions. The computer program may be stored on a memory. The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, read-only memory (ROM), random access memory (RAM), optical storage devices and systems (digital versatile disc (DVD) or compact disc (CD)), and the like. The computer readable medium may include a non-transitory storage medium. The data processor may be of any type suitable to the local technical environment, such as, but not limited to, general purpose computers, special purpose computers, microprocessors, digital signal processors (DSP), application specific integrated circuits (ASIC), programmable logic devices (field-programmable gate array, FPGA), and processors based on a multi-core processor architecture.

Claims (15)

1. A method of accessing a closed access group, comprising: encrypting the closed access group identification (CAG ID) of the request access to obtain a first encrypted CAG ID of the request access;
Sending a registration request message, wherein the registration request message comprises the first encrypted CAG ID for requesting access and a 5G global unique temporary user equipment identifier (5G-GUTI) of a terminal;
receiving an identification request message sent by a mobility management function (AMF), wherein the identification request message is sent either when the AMF has not served the terminal and does not receive a context transfer response message of the terminal from a historical AMF that has served the terminal, or when the AMF has served the terminal but does not store a user permanent identifier (SUPI) of the terminal;
Encrypting the CAG ID requested to be accessed by using a public key of the home network to obtain a second encrypted CAG ID requested to be accessed;
and sending an identification response message to the AMF, wherein the identification response message comprises the second encrypted CAG ID requesting access and a user concealed identifier (SUCI) of the terminal, so that a UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal.
2. The method of claim 1, wherein encrypting the CAG ID of the requested access to obtain a first encrypted CAG ID of the requested access comprises:
And encrypting the CAG ID of the request access by using an encryption key in a security context corresponding to the 5G-GUTI of the terminal to obtain a first encrypted CAG ID of the request access.
3. The method of claim 1, further comprising, after the sending the registration request message:
Receiving an identification request message sent by an AMF;
Jointly encrypting the CAG ID requested to be accessed and SUCI of the terminal by using a public key of a home network to obtain an extended SUCI of the terminal;
and sending an identification response message to the AMF, wherein the identification response message comprises the extended SUCI of the terminal.
4. The method according to any one of claims 1 to 3, further comprising, before encrypting the CAG ID requesting access to obtain the first encrypted CAG ID requesting access:
receiving a system broadcast message carrying a first CAG ID list;
and matching a second CAG ID list configured on the terminal itself with the first CAG ID list to determine the CAG ID requesting access.
5. The method of claim 4, wherein the matching the second CAG ID list configured on the terminal itself with the first CAG ID list to determine the CAG ID requesting access comprises:
matching the second CAG ID list configured on the terminal itself with the first CAG ID list, and determining a CAG ID that appears in both the second CAG ID list and the first CAG ID list as the CAG ID requesting access.
6. The method of claim 4, wherein prior to receiving the system broadcast message carrying the first CAG ID list, further comprising:
and configuring the second CAG ID list, wherein the second CAG ID list comprises at least one CAG ID which is allowed to be accessed.
7. A method of accessing a closed access group, comprising:
Receiving a registration request message sent by a terminal, wherein the registration request message comprises a first encrypted closed access group identifier (CAG ID) for requesting access and a 5G global unique temporary user equipment identifier (5G-GUTI) of the terminal;
determining, according to the 5G-GUTI of the terminal, whether the current mobility management function (AMF) is a historical AMF that has served the terminal;
if the current AMF is a historical AMF that has served the terminal and the current AMF stores a user permanent identifier (SUPI) of the terminal, acquiring a first CAG ID list from a home network of the terminal according to the SUPI of the terminal, and decrypting the first encrypted CAG ID requesting access into a CAG ID requesting access;
if the current AMF is a historical AMF that has served the terminal and the current AMF does not store the SUPI of the terminal, sending, by the current AMF, an identification request message to the terminal;
receiving an identification response message sent by the terminal, wherein the identification response message comprises a second encrypted CAG ID requesting access, encrypted by the terminal using a public key of the home network, and a user concealed identifier (SUCI) of the terminal;
resolving, by a UDM or SIDF, the SUCI of the terminal into the SUPI of the terminal, and decrypting the second encrypted CAG ID requesting access into the CAG ID requesting access using the public key of the home network of the terminal;
acquiring the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal;
if the current AMF has not served the terminal, determining, by the current AMF, a historical AMF that has served the terminal according to the 5G-GUTI of the terminal, and sending a context transfer request message of the terminal to the historical AMF, wherein the context transfer request message of the terminal comprises the 5G-GUTI of the terminal;
if the current AMF does not receive a context transfer response message of the terminal from the historical AMF, sending, by the current AMF, an identification request message to the terminal;
receiving an identification response message sent by the terminal, wherein the identification response message comprises a second encrypted CAG ID requesting access, encrypted by the terminal using the public key of the home network, and the SUCI of the terminal;
resolving, by the UDM or SIDF, the SUCI of the terminal into the SUPI of the terminal, and decrypting the second encrypted CAG ID requesting access into the CAG ID requesting access using the public key of the home network of the terminal;
acquiring the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
8. The method of claim 7, further comprising, after determining according to the 5G-GUTI of the terminal whether the current AMF is a historical AMF that has served the terminal:
if the current AMF is a historical AMF that has served the terminal and the current AMF does not store the SUPI of the terminal, sending, by the current AMF, an identification request message to the terminal;
receiving an identification response message sent by the terminal, wherein the identification response message comprises an extended SUCI obtained by the terminal by jointly encrypting the CAG ID requesting access and the SUCI of the terminal using the public key of the home network;
decrypting, by the UDM or SIDF, the extended SUCI of the terminal into the CAG ID requesting access and the SUCI of the terminal using the public key of the home network of the terminal, and resolving the SUCI of the terminal into the SUPI of the terminal;
acquiring, once the UDM or SIDF has resolved the SUCI of the terminal into the SUPI of the terminal, the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
9. The method according to claim 7, wherein, if the current AMF has not served the terminal, after the current AMF determines a historical AMF that has served the terminal according to the 5G-GUTI of the terminal and sends the context transfer request message of the terminal, comprising the 5G-GUTI of the terminal, to the historical AMF, the method further comprises:
receiving, by the current AMF, a context transfer response message sent by the historical AMF, wherein the context transfer response message comprises the security context of the terminal and the first CAG ID list;
decrypting, by the current AMF, the first encrypted CAG ID requesting access into the CAG ID requesting access using a private key in the security context of the terminal;
determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
10. The method of claim 7, wherein, if the current AMF does not receive the context transfer response message of the terminal from the historical AMF, after the current AMF sends an identification request message to the terminal, the method further comprises:
receiving an identification response message sent by the terminal, wherein the identification response message comprises an extended SUCI obtained by the terminal by jointly encrypting the CAG ID requesting access and the SUCI of the terminal using the public key of the home network;
decrypting, by the UDM or SIDF, the extended SUCI of the terminal into the CAG ID requesting access and the SUCI of the terminal using the public key of the home network of the terminal, and resolving the SUCI of the terminal into the SUPI of the terminal;
acquiring the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
determining whether the CAG ID requesting access matches the first CAG ID list, and if so, sending a registration acceptance message to the terminal.
11. The method according to any one of claims 7 to 10, wherein said determining whether the CAG ID of the requested access and the first CAG ID list match comprises:
And judging whether the CAG ID of the request access is the same as any CAG ID in the first CAG ID list, and if so, determining that the CAG ID of the request access is matched with the first CAG ID list.
12. The method according to any one of claims 7 to 10, wherein after said determining whether the CAG ID of the requested access and the first CAG ID list match, further comprising:
and if not, sending a registration rejection message to the terminal.
13. An apparatus for accessing a closed access group, comprising:
the encryption module is used for encrypting the closed access group identifier (CAG ID) of the request access to obtain a first encrypted CAG ID of the request access;
the sending module is configured to send a registration request message, where the registration request message includes the first encrypted CAG ID for requesting access and a 5G global unique temporary user equipment identifier 5G-GUTI of the terminal;
a receiving module, configured to receive an identification request message sent by a mobility management function (AMF), wherein the identification request message is sent either when the AMF has not served the terminal and does not receive a context transfer response message of the terminal from a historical AMF that has served the terminal, or when the AMF has served the terminal but does not store a user permanent identifier (SUPI) of the terminal;
the encryption module is further configured to encrypt the CAG ID requesting access using a public key of the home network to obtain a second encrypted CAG ID requesting access;
the sending module is further configured to send an identification response message to the AMF, wherein the identification response message comprises the second encrypted CAG ID requesting access and a user concealed identifier (SUCI) of the terminal, so that a UDM or SIDF resolves the SUCI of the terminal into the SUPI of the terminal.
14. An apparatus for accessing a closed access group, comprising:
The receiving module is configured to receive a registration request message sent by a terminal, wherein the registration request message comprises a first encrypted closed access group identifier (CAG ID) for requesting access and a 5G global unique temporary user equipment identifier (5G-GUTI) of the terminal;
a decryption module, configured to determine, according to the 5G-GUTI of the terminal, whether the current mobility management function (AMF) is a historical AMF that has served the terminal;
an acquisition module, configured to acquire a first CAG ID list from a home network of the terminal according to a user permanent identifier (SUPI) of the terminal if the current AMF is a historical AMF that has served the terminal and the current AMF stores the SUPI of the terminal, and to decrypt the first encrypted CAG ID requesting access into a CAG ID requesting access;
a sending module, configured to send an identification request message to the terminal if the current AMF is a historical AMF that has served the terminal and the current AMF does not store the SUPI of the terminal;
the receiving module is further configured to receive an identification response message sent by the terminal, wherein the identification response message comprises a second encrypted CAG ID requesting access, encrypted by the terminal using a public key of the home network, and a user concealed identifier (SUCI) of the terminal;
an analysis module, configured to resolve, through a UDM or SIDF, the SUCI of the terminal into the SUPI of the terminal, to decrypt the second encrypted CAG ID requesting access into the CAG ID requesting access using the public key of the home network of the terminal, and to acquire the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
a judging module, configured to determine whether the CAG ID requesting access matches the first CAG ID list, and if so, to send a registration acceptance message to the terminal;
the sending module is further configured, if the current AMF has not served the terminal, to determine a historical AMF that has served the terminal according to the 5G-GUTI of the terminal and to send a context transfer request message of the terminal, comprising the 5G-GUTI of the terminal, to the historical AMF; and, if the current AMF does not receive a context transfer response message of the terminal from the historical AMF, to send an identification request message to the terminal;
the receiving module is further configured to receive an identification response message sent by the terminal, wherein the identification response message comprises a second encrypted CAG ID requesting access, encrypted by the terminal using the public key of the home network, and the SUCI of the terminal;
the analysis module is further configured to resolve, through the UDM or SIDF, the SUCI of the terminal into the SUPI of the terminal, to decrypt the second encrypted CAG ID requesting access into the CAG ID requesting access using the public key of the home network of the terminal, and to acquire the first CAG ID list from the home network of the terminal according to the SUPI of the terminal;
the judging module is further configured to determine whether the CAG ID requesting access matches the first CAG ID list, and if so, to send a registration acceptance message to the terminal.
15. A system for accessing a closed access group, comprising a terminal and a network device;
The terminal comprising the apparatus for accessing a closed access group as claimed in claim 13;
The network device comprising the apparatus for accessing a closed access group of claim 14.
CN201910754388.7A 2019-08-15 2019-08-15 Method, device and system for accessing closed access group Active CN110536293B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910754388.7A CN110536293B (en) 2019-08-15 2019-08-15 Method, device and system for accessing closed access group
PCT/CN2020/109116 WO2021027916A1 (en) 2019-08-15 2020-08-14 Method, device and system for accessing closed access group

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910754388.7A CN110536293B (en) 2019-08-15 2019-08-15 Method, device and system for accessing closed access group

Publications (2)

Publication Number Publication Date
CN110536293A CN110536293A (en) 2019-12-03
CN110536293B true CN110536293B (en) 2024-10-18

Family

ID=68663523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910754388.7A Active CN110536293B (en) 2019-08-15 2019-08-15 Method, device and system for accessing closed access group

Country Status (2)

Country Link
CN (1) CN110536293B (en)
WO (1) WO2021027916A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7428723B2 (en) 2019-03-29 2024-02-06 インターデイジタル パテント ホールディングス インコーポレイテッド Method and apparatus for secure access control in wireless communications
CN112087724A (en) * 2019-06-13 2020-12-15 华为技术有限公司 A communication method, network equipment, user equipment and access network equipment
CN110536293B (en) * 2019-08-15 2024-10-18 中兴通讯股份有限公司 Method, device and system for accessing closed access group
CN112822757B (en) * 2019-10-30 2022-09-06 中国电信股份有限公司 Communication method, system, base station and terminal
KR102752412B1 (en) * 2020-01-23 2025-01-10 삼성전자주식회사 Apparatus and method for providing security in wireless communication system
EP3866552B1 (en) * 2020-02-17 2022-09-28 NTT DoCoMo, Inc. Communication terminal, method for configuring a communication terminal, access management component and method for access management of a non-public network
CN111405557B (en) * 2020-03-19 2022-03-15 中国电子科技集团公司第三十研究所 A method and system for enabling 5G network to flexibly support multiple primary authentication and authentication algorithms
CN113453311B (en) * 2020-03-27 2022-12-13 华为技术有限公司 Method and device for processing information of closed access group
CN113543127B (en) * 2020-03-31 2023-02-17 大唐移动通信设备有限公司 Key generation method, device, equipment and computer readable storage medium
CN113498028B (en) * 2020-04-08 2022-11-08 维沃移动通信有限公司 CAG processing method and related equipment
CN113518316B (en) * 2020-04-09 2023-04-07 维沃移动通信有限公司 CAG information processing method and device and communication equipment
CN113543162B (en) * 2020-04-15 2023-07-14 华为技术有限公司 Communication method and device
CN113573370B (en) * 2020-04-29 2022-09-13 中国移动通信有限公司研究院 Information processing method, network equipment, terminal and storage medium
WO2021235875A1 (en) * 2020-05-21 2021-11-25 Samsung Electronics Co., Ltd. Method and system for handling ue with cag subscription in wireless network
CN113973344B (en) * 2020-07-22 2024-10-11 中国电信股份有限公司 Non-public network access control method, base station and communication system
CN114071648B (en) * 2020-08-04 2023-04-07 中移(成都)信息通信科技有限公司 Information configuration method, device, equipment and medium
CN115589589A (en) * 2022-09-20 2023-01-10 梁健堂 5G private network construction method and device based on PNI-NPN

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2489391A (en) * 2011-01-21 2012-10-03 Ubiquisys Ltd A femtocell base station identifies other base stations that a user device is authorised to access
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
WO2018085784A1 (en) * 2016-11-07 2018-05-11 Intel IP Corporation Systems, methods, and devices for handling stickiness of ue-specific ran-cn association
WO2019088599A1 (en) * 2017-10-31 2019-05-09 엘지전자 주식회사 Method for protecting data encrypted by home network key in wireless communication system and device therefor
CN110035433B (en) * 2018-01-11 2024-03-19 华为技术有限公司 Verification method and device adopting shared secret key, public key and private key
CN109842880B (en) * 2018-08-23 2020-04-03 华为技术有限公司 Routing method, device and system
CN110536293B (en) * 2019-08-15 2024-10-18 中兴通讯股份有限公司 Method, device and system for accessing closed access group

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security for 5GS enhanced support of Vertical and LAN Services (Release 16)". 3GPP TR 33.819 V1.1.0. 2019, sections 5.3.2, 5.6.2 and 6.3.2. *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on enhancement of 5G System (5GS) for vertical and Local Area Network (LAN) services (Release 16)". 3GPP TR 23.734 V16.2.0. 2019, section 6.4.2. *

Also Published As

Publication number Publication date
WO2021027916A1 (en) 2021-02-18
CN110536293A (en) 2019-12-03

Similar Documents

Publication Publication Date Title
CN110536293B (en) Method, device and system for accessing closed access group
US11496883B2 (en) Apparatus and method for access control on eSIM
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
US10887300B2 (en) Operation related to user equipment using secret identifier
US20190289463A1 (en) Method and system for dual-network authentication of a communication device communicating with a server
CN106332085B (en) Configuration method of WIFI network of Internet of things, Internet of things terminal and routing terminal
CN108012267A (en) A kind of method for network authorization, relevant device and system
US20110271330A1 (en) Solutions for identifying legal user equipments in a communication network
CN114268943A (en) Authorization method and device
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN103001940A (en) Techniques for setting up secure local password by means of WTRU (Wireless Transmit Receive Unit)
CN106102062B (en) Public wireless network access method and device
CN113920615A (en) Method for connecting bluetooth key to vehicle, vehicle bluetooth system, bluetooth key
CN110073681B (en) Method, apparatus and computer readable medium for internet of things device
CN108964886B (en) Communication method comprising encryption algorithm, communication method comprising decryption algorithm and equipment
CN109890029B (en) Automatic network distribution method of intelligent wireless equipment
CN105792194A (en) Authentication method, authentication device, network equipment, and authentication system for base station legitimacy
EP4061037B1 (en) Privacy information transmission methods, computer device and computer-readable medium
US20130288641A1 (en) Wireless communication system providing the verification of the network identify
EP2060050A2 (en) Systems and methods for acquiring network credentials
KR101807523B1 (en) Apparatus and method for identifying wireless network provider in wireless communication system
CN104796891A (en) Security certification system by means of service provider's network and corresponding method
CN113302895B (en) Method and apparatus for authenticating a group of wireless communication devices
CN108616861B (en) Over-the-air card writing method and device
CN106878989B (en) Access control method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant