
WO2020052613A1 - Switching method and terminal device - Google Patents

Switching method and terminal device

Info

Publication number
WO2020052613A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
terminal device
mobility management
security context
security
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2019/105508
Other languages
French (fr)
Chinese (zh)
Inventor
潘凯
李�赫
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of WO2020052613A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
          • H04W 36/00 Hand-off or reselection arrangements
            • H04W 36/0005 Control or signalling for completing the hand-off
              • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
                • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
              • H04W 36/0055 Transmission or use of information for re-establishing the radio link
                • H04W 36/0066 Transmission or use of information for re-establishing the radio link of control information between different types of networks in order to establish a new radio link in the target network
                • H04W 36/0069 Transmission or use of information for re-establishing the radio link in case of dual connectivity, e.g. decoupled uplink/downlink
                  • H04W 36/00695 Transmission or use of information for re-establishing the radio link in case of dual connectivity, e.g. decoupled uplink/downlink using split of the control plane or user plane
            • H04W 36/14 Reselecting a network or an air interface
              • H04W 36/144 Reselecting a network or an air interface over a different radio air interface technology
                • H04W 36/1443 Reselecting a network or an air interface over a different radio air interface technology between licensed networks

Definitions

  • The present application relates to the field of communications, and in particular to a handover method and a terminal device.
  • VoNR: voice over New Radio, i.e. voice carried over the 5G air interface.
  • 5G: fifth generation.
  • VoNR coverage faces the same problem as long-term evolution bearer voice (VoLTE): if a user on a VoNR call moves into a circuit-switched (CS) coverage area, the call must still not be interrupted.
  • CS: circuit-switched.
  • 5G single radio voice call continuity (SRVCC) is defined in the standard to handle the handover between the 5G network and the third-generation (3G) network, so that the call is not interrupted.
  • Because the 3G network cannot provide the high-speed data transmission of the 5G network, the user experience is greatly affected if the user remains on the 3G network after the 3G voice service ends. If the user is within fourth-generation (4G) or 5G coverage at that point, the user should therefore be returned to the 4G or 5G network.
  • When the user is instructed to return to the 4G network, the 4G security context is derived from the 3G security context. Since the security of the 3G network is weaker than that of 4G, the derived 4G security context is at risk of leakage: for example, if the 3G security context becomes known to an attacker, the 4G security context derived from it can be obtained as well. If the user then returns to the 5G network, the 5G security context is in turn derived from that 4G security context, so the weakness of the 3G network propagates to the 5G network and seriously affects the security of network communication.
  • The present application provides a handover method and terminal device that avoid leakage of the 4G security context, and with it damage to the security of the 5G network, thereby improving the security of network communication.
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network.
  • The method includes: the terminal device receives first information that includes indication information instructing the terminal device to switch from the first network to the second network; when the terminal device holds a native security context of the third network, the terminal device sets the security context of the third network as the currently used security context; the terminal device sends, to a mobility management entity in the second network, a tracking area update (TAU) request message protected with the security context of the third network.
  • In this way, when the terminal device switches from the first network (such as a 2G/3G network) to the second network (such as a 4G network), it can derive the security key of the second network from the security context of the third network (such as a 5G network).
  • The security contexts on the terminal device can be divided by state into at least the currently used security context and the non-currently used security contexts.
  • Before the switch, the security context of the first network is the currently used security context.
  • After the terminal device receives the instruction to switch to the second network, if the security context of the second network were derived from the security context of the first network, it could leak because of the poor security of the first network. The present application therefore proposes changing the currently used security context: the security context of the third network is set as the currently used security context, and the security key of the second network is derived from the security context of the third network, which improves security and user experience.
  • The terminal device uses the currently used security context (that of the third network) to protect the TAU request message subsequently sent to the mobility management entity, instead of protecting it with a mapped 4G security context derived from the 3G security context. This prevents Kasme from leaking, preserves the security of the 5G network and improves the security of network communication.
  • The method further includes: the terminal device deletes the security context of the first network.
  • The terminal device first deletes the security context of the first network (such as the 2G/3G network) and then sets the security context of the third network (such as the 5G network) as the currently used security context. This further ensures that the security context of the second network (such as a 4G network) is derived from the security context of the third network, and thereby ensures the security of the security context of the second network.
  • The tracking area update request message includes a 4G globally unique temporary identifier mapped from the 5G globally unique temporary identifier, and a key set identifier.
  • The first information is radio resource control (RRC) release information.
  • The method further includes: when the terminal device does not hold a native security context of the third network, the terminal device deletes the security context of the first network and sends a tracking area update request message without integrity protection to the mobility management entity, so that the mobility management entity performs a re-authentication procedure.
  • Without a native security context of the third network, the terminal device sends the tracking area update request without integrity protection so that the mobility management entity performs a re-authentication procedure to establish a 4G security context.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
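The terminal-side decision described in the aspect above, as an added example that is not part of the patent text and not Huawei's implementation. It models the terminal's stored security contexts: the 5G-to-3G handover derives a mapped 4G root key from the 5G root key and the 3G key from that, while the native 5G context remains stored; on the instruction to return to 4G, the terminal deletes the 3G context and either makes the native 5G context current and integrity-protects the TAU request with a 4G key derived from it, or, when no native 5G context exists, sends the TAU request unprotected so that the mobility management entity re-authenticates. For contrast, `mapped_4g_key_from_3g` computes the derivation the application argues against, which anyone holding the 3G key can reproduce. The HMAC-SHA-256 `kdf`, its labels, the nonce, the GUTI string and the 4-byte MAC are all constructed for this example and are not the 3GPP derivation functions or parameters.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Constructed stand-in for the 3GPP key derivation function: HMAC-SHA-256
    over a label and length-prefixed parameters (not the real 3GPP KDF)."""
    msg = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class SecurityContext:
    network: str      # "5G", "4G" or "3G"
    root_key: bytes
    native: bool      # True: established by authentication in that network;
                      # False: mapped (derived) from another network's context


@dataclass
class Terminal:
    contexts: Dict[str, SecurityContext]   # all stored contexts, keyed by network
    current: Optional[str] = None          # key of the currently used context


def terminal_with_native_5g(k_amf: bytes) -> Terminal:
    """A terminal that authenticated in 5G; k_amf is a constructed 5G root key."""
    return Terminal({"5G": SecurityContext("5G", k_amf, native=True)}, current="5G")


def srvcc_5g_to_3g(ue: Terminal, nonce: bytes) -> bytes:
    """5G -> 3G handover as the page describes it: the 4G root key is derived from
    the 5G root key and the 3G key from the 4G root key.  The native 5G context
    stays stored as a non-currently-used context.  Returns the 3G key."""
    k_amf = ue.contexts["5G"].root_key
    k_asme_mapped = kdf(k_amf, "5G->4G mapped root key", nonce)
    ck_ik = kdf(k_asme_mapped, "4G->3G CK/IK")
    ue.contexts["4G"] = SecurityContext("4G", k_asme_mapped, native=False)
    ue.contexts["3G"] = SecurityContext("3G", ck_ik, native=False)
    ue.current = "3G"
    return ck_ik


def mapped_4g_key_from_3g(ck_ik: bytes) -> bytes:
    """The derivation the page argues against: a 4G root key mapped from the 3G
    context.  Anyone who holds the 3G key can recompute it."""
    return kdf(ck_ik, "3G->4G mapped root key")


def return_to_4g(ue: Terminal, mapped_4g_guti: str, ksi: int) -> dict:
    """Terminal behaviour on receiving the first information (RRC release) that
    instructs it to switch from the first network (3G) to the second network (4G)."""
    ue.contexts.pop("3G", None)   # delete the first-network context in both branches
    native_5g = ue.contexts.get("5G")
    tau = {"mapped_4g_guti": mapped_4g_guti, "ksi": ksi}   # constructed TAU request fields
    if native_5g is None or not native_5g.native:
        # No native 5G context: send the TAU request unprotected so the MME re-authenticates.
        ue.current = None
        return {"tau": tau, "integrity_protected": False, "k_asme": None, "mac": None}
    # Native 5G context present: make it current and derive the 4G key from it,
    # never from the 3G context that was just deleted.
    ue.current = "5G"
    k_asme = kdf(native_5g.root_key, "5G->4G root key on return")
    mac = kdf(k_asme, "TAU MAC-I", repr(sorted(tau.items())).encode())[:4]   # simplified MAC-I
    return {"tau": tau, "integrity_protected": True, "k_asme": k_asme, "mac": mac.hex()}


if __name__ == "__main__":
    ue = terminal_with_native_5g(b"\x11" * 32)          # constructed 5G root key
    ck_ik = srvcc_5g_to_3g(ue, b"constructed nonce")
    result = return_to_4g(ue, "mapped-guti-example", 3)
    print("protected:", result["integrity_protected"], "current context:", ue.current)
    print("4G key equals the 3G-mapped one:", result["k_asme"] == mapped_4g_key_from_3g(ck_ik))
```

The check worth keeping from this model is the last comparison: the 4G key used on return shares no ancestor with the 3G key, so knowledge of the 3G context alone does not yield it, whereas the mapped key does.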
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from the third network to the first network and then returns to the second network.
  • The method includes: during the process in which the terminal device switches from the third network to the first network, the mobility management entity acquires and saves the security context of the second network; when the terminal device switches from the first network to the second network, the mobility management entity protects communication with the terminal device according to the security context of the second network.
  • In this way, when the terminal device switches from the first network (such as a 2G/3G network) to the second network (such as a 4G network), full use is made of the security context of the second network obtained during the switch from the third network (such as a 5G network) to the first network, which avoids the re-authentication procedure when the terminal device switches back from the first network to the second network.
  • Before the terminal device switches from the first network to the second network, it has switched from the third network to the first network. During that process, the security context of the second network is derived from the security context of the third network, and the security context of the first network is then derived from the security context of the second network, so that the terminal device can switch from the third network to the first network.
  • The present application makes full use of the security context of the second network obtained by the terminal device during the switch from the third network to the first network: the mobility management entity uses that security context to protect communication with the terminal device, avoiding the delay of a re-authentication procedure when the terminal device switches from the first network to the second network, and improving the user experience.
  • The security context of the second network includes a root key of the second network and a security algorithm of the second network.
  • Acquiring and saving the security context of the second network during the switch of the terminal device from the third network to the first network includes: during that switch, the mobility management entity receives first request information from the access and mobility management network element, the first request information including single radio voice call continuity (SRVCC) handover indication information and the root key of the second network; the mobility management entity selects a security algorithm of the second network for the terminal device according to a preset policy; and the mobility management entity determines, according to the SRVCC handover indication information, to save the root key of the second network and the security algorithm of the second network.
  • Before the terminal device switches from the first network (such as a 2G/3G network) to the second network (such as a 4G network), it switches from the third network (such as a 5G network) to the first network. During that switch, the root key of the second network is derived from the root key of the third network, and the security key of the first network is derived from the root key of the second network, so that the terminal device can switch from the third network to the first network.
  • After deriving the security key of the first network, the mobility management entity does not otherwise save the root key of the second network, nor does it select and save the security algorithm of the second network.
  • In the present application, the mobility management entity, according to the received SRVCC handover indication, saves the root key of the second network obtained during the terminal device's switch from the third network to the first network, and also selects and saves the security algorithm of the second network. This avoids the delay of a re-authentication procedure when the terminal device switches from the first network to the second network and improves the user experience.
  • The method further includes: during the handover of the terminal device from the third network to the first network, the mobility management entity sends the security algorithm of the second network to the terminal device.
  • When the terminal device switches from the first network to the second network, the mobility management entity sends the saved security algorithm of the second network to the terminal device, so that the terminal device can derive, from the root key of the second network, the security key it uses in the second network. That security key protects communication between the mobility management entity and the terminal device.
  • The method further includes: the mobility management entity sends the security algorithm of the second network to a mobile switching center in the first network, so that the terminal device can obtain the security algorithm of the second network when it switches from the first network to the second network.
  • Before the terminal device switches from the first network (such as a 2G/3G network) to the second network (such as a 4G network), it switches from the third network (such as a 5G network) to the first network. During that switch the mobility management entity selects and saves the security algorithm of the second network based on the SRVCC handover indication information from the access and mobility management network element, and sends the selected algorithm to the mobile switching center. When the terminal device later needs to switch from the first network to the second network, it can obtain the security algorithm of the second network from the mobile switching center, which avoids a re-authentication procedure and improves the user experience.
  • The preset policy includes at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirements of the service, and a priority list of security capabilities.
  • The preset policy may include the security capability of the terminal device, i.e. the mobility management entity selects the security algorithm of the second network based on the security capability of the terminal device (such as the security algorithms supported by the terminal device).
  • The preset policy may also include the security capability of the mobility management entity itself, i.e. the mobility management entity selects the security algorithm of the second network based on its own security capability (such as the security algorithms it supports).
  • The preset policy may also include a priority list of security capabilities. For example, the mobility management entity determines the security algorithms supported by both the terminal device and itself, and then selects the one with the highest security strength or the highest priority as the security algorithm of the second network.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
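The mobility-management-entity side of the aspect above, as an added example that is not from the patent or from Huawei: on the first request information of the 5G-to-3G handover the entity selects the second-network algorithm by a preset policy (the highest-priority algorithm supported by both the terminal and itself), derives the first-network key from the received root key, and, when the SRVCC handover indication is present, keeps the root key and algorithm so that the later return to the second network can be protected without re-authentication. The priority list, the identifiers `ue-1`/`ue-2`/`ue-3`, the HMAC-based `derive_first_network_key` and the root-key bytes are constructed for the example; `EEA1`, `EEA2` and `EEA3` are the standard EPS encryption algorithm names, but the ordering is an example policy, not one the page prescribes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed preset policy: EPS algorithms in order of preference, highest first.
PRIORITY_LIST = ["EEA2", "EEA3", "EEA1"]


def select_second_network_algorithm(ue_capabilities: List[str],
                                    mme_capabilities: List[str],
                                    priority: List[str] = PRIORITY_LIST) -> Optional[str]:
    """Highest-priority algorithm supported by both the terminal and the entity."""
    for alg in priority:
        if alg in ue_capabilities and alg in mme_capabilities:
            return alg
    return None   # no common algorithm


def derive_first_network_key(root_key: bytes) -> bytes:
    """Constructed stand-in for deriving the first-network (3G) key from the
    second-network root key; not the 3GPP derivation."""
    return hmac.new(root_key, b"4G->3G CK/IK", hashlib.sha256).digest()


@dataclass
class SavedSecondNetworkContext:
    root_key: bytes      # root key received from the access and mobility management network element
    algorithm: str       # selected second-network security algorithm


@dataclass
class MobilityManagementEntity:
    capabilities: List[str]
    saved: Dict[str, SavedSecondNetworkContext] = field(default_factory=dict)

    def on_first_request(self, ue_id: str, srvcc_indication: bool,
                         root_key: bytes, ue_capabilities: List[str]) -> Optional[dict]:
        """Handle the first request information received during the 5G -> 3G handover.
        Returns what is forwarded towards the first network, or None if no
        algorithm could be selected."""
        alg = select_second_network_algorithm(ue_capabilities, self.capabilities)
        if alg is None:
            return None
        ck_ik = derive_first_network_key(root_key)
        if srvcc_indication:
            # The point of the application: keep the second-network context
            # instead of discarding it after the first-network key is derived.
            self.saved[ue_id] = SavedSecondNetworkContext(root_key, alg)
        return {"algorithm": alg, "first_network_key": ck_ik}

    def on_return_to_second_network(self, ue_id: str) -> dict:
        """On the terminal's return, protect with the saved context or fall back to re-authentication."""
        ctx = self.saved.get(ue_id)
        if ctx is None:
            return {"action": "re-authenticate"}
        return {"action": "protect", "algorithm": ctx.algorithm, "root_key": ctx.root_key}


if __name__ == "__main__":
    mme = MobilityManagementEntity(capabilities=["EEA2", "EEA1"])
    mme.on_first_request("ue-1", True, b"\x33" * 32, ["EEA3", "EEA2", "EEA1"])
    print(mme.on_return_to_second_network("ue-1")["action"])   # protect
    mme.on_first_request("ue-2", False, b"\x44" * 32, ["EEA2"])
    print(mme.on_return_to_second_network("ue-2")["action"])   # re-authenticate
```

The `srvcc_indication` flag is what distinguishes the two outcomes: without it the entity behaves as before and the return costs a full re-authentication; with it the saved root key and algorithm are available immediately.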
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network.
  • The method includes: the terminal device receives first information that includes indication information instructing the terminal device to switch from the first network to the second network; the terminal device derives, according to a root key of the second network and a security algorithm of the second network, the security key it uses in the second network, where the root key of the second network was stored when the terminal device switched from the third network to the first network, or is derived from the root key of the third network.
  • In this way, when the terminal device switches from the first network (such as a 2G/3G network) to the second network (such as a 4G network), it can make full use of the root key of the second network stored during the switch from the third network (such as a 5G network) to the first network, or derive that root key from the root key of the third network.
  • The terminal device derives the security key of the second network from that root key and the security algorithm of the second network, avoiding the delay of a re-authentication procedure when switching from the first network to the second network and improving the user experience.
  • The security algorithm of the second network is selected by the mobility management entity during the process in which the terminal device switches from the third network to the first network; before the terminal device receives the first information, the method includes: the terminal device receives and saves the security algorithm of the second network from the mobility management entity.
  • The terminal device acquires and saves the security algorithm of the second network (such as the 4G network) from the mobility management entity during the switch from the third network (such as the 5G network) to the first network (such as the 2G/3G network), so that during the switch from the first network to the second network it can directly use the saved security algorithm of the second network, which further reduces latency and improves the user experience.
  • The first information includes the security algorithm of the second network.
  • Sending the security algorithm of the second network to the terminal device in the first information allows the terminal device to derive the security key of the second network from the root key of the second network and the security algorithm of the second network.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network.
  • The method includes: a mobility management entity receives first information and a root key of the second network from an access and mobility management network element, where the root key of the second network is used to derive the security key used by the terminal device in the first network and the first information instructs the terminal device to switch from the third network to the first network; the mobility management entity selects and saves a security algorithm of the second network; and the mobility management entity sends the security algorithm of the second network to the terminal device.
  • The mobility management entity may select and save the security algorithm of the second network (such as a 4G network) based on a preset policy and send it to the terminal device, so that the security algorithm of the second network can be used directly, reducing the delay caused by the handover and improving the user experience.
  • The first information includes single radio voice call continuity (SRVCC) handover indication information, and the mobility management entity determines, according to the SRVCC handover indication information, to save the root key of the second network.
  • When the terminal device needs to switch from the first network to the second network, the root key of the second network can then be used directly, which further reduces the delay.
  • The preset policy includes at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirements of the service, and a priority list of security capabilities.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from the third network to the first network and then returns to the second network.
  • The method includes: during the switch of the terminal device from the third network to the first network, the terminal device receives and saves a security algorithm of the second network from a mobility management entity; the terminal device receives first information that includes indication information instructing the terminal device to switch from the first network to the second network and further includes a network identifier of the second network; and the terminal device derives, according to the security algorithm of the second network and a root key of the second network, the security key it uses in the second network.
  • The mobility management entity may select and save the security algorithm of the second network (such as a 4G network) and send it to the terminal device, so that the security algorithm of the second network can be used directly, reducing the delay caused by the handover and improving the user experience.
  • The root key of the second network is stored during the process in which the terminal device switches from the third network to the first network, so that when the terminal device needs to switch from the first network to the second network it can use the root key of the second network directly, which further reduces the delay.
  • Before the terminal device derives the security key it uses in the second network according to the security algorithm and root key of the second network, the terminal device derives the root key of the second network according to the root key of the third network.
  • When the terminal device needs to switch from the first network to the second network, it can use the saved root key of the third network to derive the root key of the second network, and then derive the security key of the second network from that root key and the security algorithm of the second network, thereby avoiding re-authentication and improving the user experience.
  • The first network is a third-generation (3G) or second-generation (2G) network, and the second network is a fourth-generation (4G) network.
  • A handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network.
  • The method includes: the terminal device receives first information that includes indication information instructing the terminal device to switch from the first network to the second network and further includes a network identifier of the second network and a security algorithm of the second network; the terminal device derives, according to the security algorithm of the second network and a root key of the second network, the security key it uses in the second network.
  • When the terminal device needs to switch from the first network (such as a 2G/3G network) to the second network (such as a 4G network), the wireless network subsystem sends the first information (such as radio resource control (RRC) release information) to the terminal device to instruct the switch from the first network to the second network.
  • The first information also carries the security algorithm of the second network, so the terminal device can use that algorithm directly to derive the security key of the second network, reducing the handover delay and improving the user experience.
  • The root key of the second network is stored during the process in which the terminal device switches from the third network to the first network, so that when the terminal device switches from the first network to the second network it can use the saved root key of the second network directly, which further reduces the delay.
  • Before the terminal device derives the security key it uses in the second network according to the security algorithm and root key of the second network, the terminal device derives the root key of the second network according to the root key of the third network.
  • When the terminal device needs to switch from the first network to the second network, it can use the saved root key of the third network to derive the root key of the second network, and then derive the security key of the second network from that root key and the security algorithm of the second network, thereby avoiding re-authentication and improving the user experience.
  • The security algorithm of the second network is selected by a mobility management entity during the handover of the terminal device from the third network to the first network.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
  • A handover method is provided.
  • The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network, and includes: a mobility management entity receives first information and a root key of the second network from an access and mobility management network element, where the root key of the second network is used to derive the security key used by the terminal device in the first network and the first information instructs the terminal device to switch from the third network to the first network; the mobility management entity selects and saves a security algorithm of the second network according to a preset policy; and the mobility management entity sends the security algorithm of the second network to the mobile switching center in the first network.
  • The mobility management entity may select and save the security algorithm of the second network (such as a 4G network) and send it to the mobile switching center. The mobile switching center can in turn send it to the terminal device, so that the terminal device can use the security algorithm of the second network directly, reducing the delay caused by the handover and improving the user experience.
  • Before the mobility management entity selects and saves the security algorithm of the second network, the method includes: the mobility management entity receives request information from the mobile switching center in the first network, the request information requesting the security algorithm of the second network.
  • When the terminal device needs to switch from the first network to the second network, the mobile switching center requests the security algorithm of the second network from the mobility management entity, which further avoids wasting resources.
  • The preset policy includes at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirements of the service, and a priority list of security capabilities.
  • The first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
  • a switching method is provided. The method is applied to a scenario in which a terminal device returns to the second network after switching from the third network to the first network.
  • the method includes: receiving, from a mobility management entity, a mobile switching center in the first network The security algorithm of the second network sent; the mobile switching center in the first network sends the security algorithm of the second network to the wireless network subsystem, so that the terminal device can switch from the first network to the second network Acquiring a security algorithm of the second network.
  • the security algorithm of the second network can be obtained directly from the wireless network subsystem.
  • the security algorithm of the second network may be sent by the mobility management entity to the mobile switching center in advance.
  • before the mobile switching center in the first network receives the security algorithm of the second network sent by a mobility management entity, the method includes: the mobile switching center in the first network receiving notification information sent from the wireless network subsystem, where the notification information is used to notify the mobile switching center to request the security algorithm of the second network from the mobility management entity.
  • the wireless network subsystem may notify the mobile switching center to request the security algorithm of the second network from a mobility management entity.
  • the first network is a third-generation 3G / second-generation 2G network
  • the second network is a fourth-generation 4G network.
  • a switching method is provided. The method is applied to a scenario in which a terminal device returns to a second network after switching from the third network to the first network.
  • the method includes: the wireless network subsystem receiving the security algorithm of the second network from a mobile switching center in the first network; the wireless network subsystem sending the security algorithm of the second network to the terminal device, so that the terminal device derives the security key of the second network according to the security algorithm of the second network and the root key of the second network.
  • the security algorithm of the second network can be obtained directly from the wireless network subsystem.
  • the security algorithm of the second network may be sent by the mobility management entity to the mobile switching center in advance.
  • the security algorithm of the second network is selected by the mobility management entity in the first network during the process of the terminal device switching from the third network to the first network.
  • the mobility management entity may select and save the security algorithm of the second network during the process of the terminal device switching from the third network to the first network, so that when the terminal device needs to switch from the first network to the second network, the security algorithm of the second network can be obtained directly from the wireless network subsystem.
  • the first network is a third-generation 3G / second-generation 2G network
  • the second network is a fourth-generation 4G network
  • the third network is a fifth-generation 5G network.
  • a switching device including each module or unit for performing the method in any one of the possible implementation manners of the first to ninth aspects.
  • a switching device including a processor.
  • the processor is coupled to the memory and can be used to execute instructions in the memory to implement the method in any one of the possible implementation manners of the first to ninth aspects described above.
  • the switching device further includes a memory.
  • the switching device further includes a communication interface, and the processor is coupled to the communication interface.
  • the switching device is a communication device, such as a terminal device, a mobility access entity, an access and mobility management network element, a mobile switching center, and a wireless network subsystem network element in the embodiments of the present application.
  • the communication interface may be a transceiver, or an input / output interface.
  • the switching device is a chip configured in a communication device, such as a chip configured in a terminal device, a mobility access entity, an access and mobility management network element, a mobile switching center, or a wireless network subsystem network element in the embodiments of the present application.
  • the communication interface may be an input / output interface.
  • the transceiver may be a transceiver circuit.
  • the input / output interface may be an input / output circuit.
  • a processor including: an input circuit, an output circuit, and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in any one of the possible implementation manners of the first to ninth aspects described above.
  • the processor may be a chip
  • the input circuit may be an input pin
  • the output circuit may be an output pin
  • the processing circuit may be a transistor, a gate circuit, a flip-flop, and various logic circuits.
  • An input signal received by the input circuit may be received and input by, for example, but not limited to, a receiver
  • a signal output by the output circuit may be, for example, but not limited to, output to a transmitter and transmitted by the transmitter
  • the circuits may be the same circuit, used as the input circuit and as the output circuit at different times.
  • the embodiments of the present application do not limit specific implementations of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is used to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter to execute the method in any one of the possible implementation manners of the first to ninth aspects described above.
  • there are one or more processors, and one or more memories.
  • the memory may be integrated with the processor, or the memory is separately provided from the processor.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated on the same chip as the processor or may be provided separately on a different chip; the embodiment of the present application does not limit the type of the memory or the way the memory and the processor are arranged.
  • ROM read-only memory
  • sending instruction information may be a process of outputting instruction information from a processor
  • receiving capability information may be a process of receiving input capability information by a processor.
  • the processed output data can be output to the transmitter, and the input data received by the processor can come from the receiver.
  • the transmitter and the receiver may be collectively referred to as a transceiver.
  • the processing device in the thirteenth aspect may be a chip, and the processor may be implemented by hardware or software.
  • when the processor is implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like.
  • when the processor is implemented by software, the processor may be a general-purpose processor, which is implemented by reading software code stored in a memory.
  • the memory may be integrated in the processor, may be located outside the processor, and exist independently.
  • a computer program product includes a computer program (also referred to as code or instructions), and when the computer program is executed, it causes a computer to execute the method in any one of the possible implementation manners of the first to ninth aspects.
  • a computer-readable medium stores a computer program (also referred to as code or instructions), which, when executed on a computer, causes the computer to execute the method in any one of the possible implementation manners of the first to ninth aspects.
  • a computer program also referred to as code, or instructions
  • a communication system including the foregoing terminal device, a mobility access entity, an access and mobility management network element, a mobile switching center, and a wireless network subsystem network element.
  • FIG. 1 is a schematic diagram of a network architecture applicable to a handover method provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of an SRVCC handover performed by a terminal device applicable to an embodiment of the present application
  • FIG. 3 is another schematic flowchart of an SRVCC handover performed by a terminal device applicable to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of a handover method according to an embodiment of the present application.
  • FIG. 5 is another schematic flowchart of a handover method according to an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a handover method according to another embodiment of the present application.
  • FIG. 7 is a schematic block diagram of a switching device according to an embodiment of the present application.
  • FIG. 8 is a schematic block diagram of a switching device according to an embodiment of the present application.
  • GSM global system for mobile communications
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunications System
  • WiMAX worldwide interoperability for microwave access
  • the embodiment of the present application does not specifically limit the specific structure of the execution subject of the method provided by the embodiment of the present application, as long as it can run a program that records the code of the method provided by the embodiment of the present application and can communicate in accordance with that method.
  • the execution subject of the method provided by the embodiments of the present application may be a terminal or a network device, or a function module in the terminal or the network device that can call a program and execute the program.
  • FIG. 1 is a schematic diagram of a network architecture applicable to the method provided by an embodiment of the present application.
  • the network architecture may be, for example, a non-roaming architecture.
  • the network architecture shown in FIG. 1 may specifically include the following network elements:
  • User equipment (UE) can also be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user device.
  • the UE can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), or a handheld device with a wireless communication function.
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistant
  • Computing devices or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, terminal devices in a future 5G network, or terminal devices in a future evolved public land mobile network (PLMN) may also be terminal devices; logical entities, smart devices such as mobile phones and smart terminals, or Internet of Things (IoT) devices may also be terminal devices. This embodiment of the present application is not limited to this.
  • the UE stores a security key, and the UE uses the security key to protect the signaling plane and user plane data transmission with the network device, so that the security of the signaling plane and user plane data transmission can be guaranteed.
  • Access network: provides network access functions for authorized users in specific areas, and can use transmission tunnels of different quality according to user levels and service needs.
  • the access network may be an access network using different access technologies.
  • 3GPP 3rd Generation Partnership Project
  • non-3GPP non-3rd Generation Partnership Project
  • 3GPP access technologies, such as the radio access network technology used in the 3rd generation (3G) system, the radio access network technology used in the 4th generation (4G) system, or the next generation radio access network (NG-RAN) technology in FIG. 1 (such as the radio access technology used in 5G systems).
  • NG-RAN Next generation wireless access network
  • the 3GPP access technology refers to an access technology conforming to the 3GPP standard specification.
  • the non-3GPP access technology refers to an access technology that does not comply with the 3GPP standard specification, for example, the air interface technology represented by an access point (AP) in WiFi.
  • AP access point
  • Radio access network: an access network that implements the access network function based on a wireless communication technology may be referred to as a radio access network (RAN).
  • the radio access network can manage radio resources, provide access services for the terminal, and then complete the transfer of control signals and user data between the terminal and the core network.
  • the radio access network device may be, for example, a base station (NodeB), an evolved base station (eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a WiFi system; it can also be a wireless controller in a cloud radio access network (CRAN) scenario, or the access network device can be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN network.
  • CRAN cloud radio access network
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the wireless access network device.
  • UMTS Universal mobile telecommunications system
  • UTRAN terrestrial radio access network
  • GSM Global system for mobile communication
  • EDGE enhanced data rate for GSM evolution
  • GERAN GSM / EDGE terrestrial radio access network: such as a 2G access network.
  • E-UTRAN evolved universal terrestrial radio access network: such as a 4G access network.
  • S-GW Serving gateway
  • PDN gateway (P-GW) entity: a user plane data link anchor point between 3GPP and non-3GPP networks, which can be responsible for managing data routing between 3GPP and non-3GPP.
  • Mobile switching center (MSC) server: has call control and processing functions.
  • the MSC server refers to an enhanced MSC server (MSC server for SRVCC) that supports single radio voice call continuity (SRVCC).
  • Mobility management entity (MME): mainly responsible for mobility management, bearer management, user authentication, selection of the S-GW and the packet data network gateway (P-GW), etc.
  • Access and mobility management function (AMF): mainly used for mobility management and access management, etc.; it can be used to implement the functions of the MME entity other than session management, for example, lawful interception, access authorization (or authentication), and other functions. In the embodiment of the present application, it can be used to implement the functions of terminal access and mobility management.
  • AMF Access and mobility management function
  • User plane function (UPF): equivalent to the P-GW entity in the LTE system, mainly responsible for session and bearer management, Internet Protocol (IP) address allocation, and other functions. In the embodiment of the present application, it can be used to implement the function of the user plane gateway.
  • IP Internet Protocol
  • IP Multimedia Subsystem (IMS): a general-purpose network architecture that provides multimedia services based on IP networks.
  • The AMF network element, UPF network element, S-GW entity, and P-GW entity shown in FIG. 1 can all be understood as network elements used to implement different functions in the core network; for example, they can be combined into a network slice as required.
  • These core network elements may be independent devices or integrated in the same device to implement different functions, which is not limited in this application.
  • the AMF network element will be referred to as an access and mobility management network element, and the UPF network element will be referred to as a user plane gateway.
  • the above naming is only used to distinguish different functions, and does not mean that these network elements are independent physical devices.
  • This application does not limit the specific form of the above network elements. For example, they can be integrated in the same physical device. It can also be a different physical device.
  • the above naming is only for the convenience of distinguishing different functions, and should not constitute any limitation on this application. This application does not exclude the possibility of using other naming in 5G networks and other networks in the future.
  • in a 6G network, some or all of the above-mentioned network elements may use the terminology in 5G, or may use other names. This is stated here once and will not be repeated.
  • the above-mentioned network architecture applied to the embodiment of the present application is merely an exemplary network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture capable of implementing the functions of the foregoing network elements is applicable to the embodiments of the present application.
  • VoLTE Voice over LTE
  • IP network protocol
  • SRVCC mainly solves the problem of how to ensure the continuity of voice calls when a single radio terminal moves between an LTE network and a 2G / 3G network, that is, how to ensure that a single radio terminal switches smoothly between IMS-controlled voice over Internet Protocol (VoIP) voice and CS domain voice.
  • VoIP refers to the technology of digitizing voice signals that exist as analog signals and transmitting them over IP networks in the form of data packets. Its advantage is that it can make broad use of the characteristics of the Internet and global IP interconnection to provide better services than traditional ones.
  • CS refers to the circuit switching technology that allocates a fixed channel for both parties before a call, occupies this "dedicated" channel during the entire call, and releases it after the call so that it can be allocated to other users.
  • VoIP voice greatly improves resource utilization due to shared transmission channels, but it may also cause processing overhead and delay.
  • FIG. 2 shows a schematic flowchart of SRVCC handover performed by a terminal. As shown in FIG. 2, steps 110 to 180 are included.
  • the base station sends a handover request message to the mobility management entity.
  • when the base station decides to initiate the SRVCC handover according to the measurement report reported by the terminal, the base station sends a handover request message to the mobility management entity.
  • the handover request message carries an SRVCC handover (HO) indication (SRVCC HO indication).
  • the SRVCC handover indication is used to indicate that the process to be performed next is SRVCC handover.
  • the mobility management entity uses the root key Kasme in the current terminal security context to derive the cipher key (CK) and integrity key (IK) required for CS domain voice, and maps the key set identifier (key set identifier for E-UTRAN, eKSI) that identifies the key Kasme to the key set identifier (KSI).
  • the values of the eKSI and the KSI are the same, but their types are different.
  • in step 130, the mobility management entity sends a PS-to-CS HO request message to the mobile switching center server, which includes the CK and IK.
  • the mobile switching center server sends a PS-to-CS HO response message to the mobility management entity, which contains the KSI.
  • in step 150, the mobility management entity sends a HO command message to the terminal, which contains the KSI.
  • step 160 the base station sends a handover command message to the terminal, which includes a KSI.
  • the KSI is sent to the terminal to inform the terminal which key is used for protection of this message.
  • in step 170, after receiving the handover command message, the terminal uses Kasme to derive CK and IK.
  • step 180 the terminal switches to UTRAN, such as the terminal switches to a 3G / 2G network.
  • the KSI obtained in step 170 can be used to identify and retrieve the key between the terminal and the network.
  • the CK and IK obtained in step 170 can be used to protect the signaling plane and user plane data transmission between the terminal and the network.
  • the mapping of eKSI to KSI is performed separately by the mobility management entity and by the terminal.
  • the specific mapping operation keeps the value part of the eKSI and the KSI the same, while the type part distinguishes whether it is a native security context or a mapped security context.
  • the mobility management entity can first derive the key information of the 3G / 2G network, and then send the derived key information of the 3G / 2G network to the mobile switching center server.
  • Voice over new radio (VoNR) is a technology that uses the 5G new air interface to carry voice.
  • VoNR coverage faces the same problem as VoLTE, that is, if users who use VoNR to make a call move to a CS-only coverage area, they also need to ensure that the call is not interrupted. Therefore, a new 5G SRVCC is defined in the standard to solve the handover between 5G and 3G.
  • FIG. 3 shows a schematic flowchart of 5G SRVCC handover performed by a terminal device. Because there is no direct interface between the access and mobility management network element and the mobile switching center server, 5G SRVCC uses the mobility management entity as a relay. The interaction between the mobility management entity and the mobile switching center server is similar to the process in FIG. 2, except that the interaction between the access and mobility management network element and the mobility management entity is added. As shown in FIG. 3, steps 201 to 211 are included.
  • the base station sends a handover request message to the access and mobility management network element.
  • when the base station decides to initiate a 5G SRVCC handover according to the measurement report reported by the terminal, the base station sends a handover request message to the access and mobility management network element.
  • the handover request message carries an SRVCC handover indication.
  • the SRVCC handover indication is used to indicate that the process to be performed next is SRVCC handover.
  • in step 202, after receiving the handover request message from the base station, the access and mobility management network element uses the key Kamf to derive Kasme, and maps the key set identifier ngKSI that identifies Kamf to the eKSI that identifies Kasme.
  • in step 203, the access and mobility management network element sends a forward relocation request message to the mobility management entity, which includes the Kasme and eKSI derived in step 202.
  • the mobility management entity uses the root key Kasme to derive the cipher key CK and integrity key IK required for CS domain voice.
  • the value parts of eKSI and KSI are the same, but the types are different.
  • in step 205, the mobility management entity sends a PS-to-CS handover request message to the mobile switching center server, which contains the CK and IK.
  • the mobile switching center server sends a PS-to-CS HO response message to the mobility management entity, which contains the KSI.
  • the mobility management entity sends a forward relocation response message to the access and mobility management network element, which contains the KSI.
  • the access and mobility management network element sends a handover command message to the base station, which contains the KSI.
  • the base station sends a handover command message to the terminal, which includes a KSI.
  • the KSI is sent to the terminal to inform the terminal which key is used for protection of this message.
  • in step 210, the terminal derives CK and IK.
  • after receiving the handover command, the terminal first uses Kamf to derive Kasme, and then uses Kasme and the input parameters to derive CK and IK.
  • the input parameters may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.
  • step 211 the terminal switches to UTRAN, such as the terminal switches to a 3G / 2G network.
  • the KSI obtained in step 210 can be used to identify and retrieve the key between the terminal and the network.
  • the CK and IK obtained in step 210 can be used to protect the signaling plane and user plane data transmission between the terminal and the network.
  • the value parts of ngKSI and KSI are the same, and the type part distinguishes whether it is a native security context or a mapped security context.
  • the access and mobility management network element in the 5G network can first derive the root key of the 4G network, and then send the root key of the 4G network to the mobility management entity in the 4G network.
  • the mobility management entity then derives the key information (such as CK and IK) of the 3G / 2G network from the root key of the 4G network.
  • since the 3G network cannot handle the high-speed data transmission of the 5G network, if the terminal still resides on the 3G network after the voice service on the 3G network ends, the user experience will be greatly affected. Therefore, if the terminal is within 4G or 5G network coverage at this time, the terminal should be returned to the 4G or 5G network.
  • a possible implementation is that the 3G network sends a radio resource control (RRC) release message to the terminal, which carries a 4G or 5G public land mobile network (PLMN) identity (ID) used to notify the terminal to return to the corresponding target network.
  • RRC radio resource control
  • if the terminal is instructed to return to the 5G network:
  • the terminal and the access and mobility management network element can use the 5G security context from before the 5G SRVCC process to protect communication.
  • if the terminal is instructed to return to the 4G network:
  • since the terminal and the mobility management entity do not have a corresponding 4G security context, a complete re-authentication process needs to be performed, which will greatly increase the delay and the consumption of air interface resources, and will seriously affect the user experience of the terminal.
  • this application provides a method to prevent the terminal from performing re-authentication when returning to the 4G network, to help the terminal return quickly to the 4G network, and to achieve the purpose of reducing delay and air interface resource consumption.
  • the method provided in this application is not limited to the scenario shown in FIG. 3 described above. For example, when a terminal switches from a 5G network to a 2G / 3G network, the network device first derives the root key of the 4G network based on the root key of the 5G network, and then derives the security key of the 2G / 3G network based on the root key of the 4G network. Then, when the terminal needs to switch from the 2G / 3G network to the 4G network, the method provided in this application can also avoid the delay caused by re-authentication.
  • Kamf: the key obtained by the terminal and the access and mobility management network element during the terminal's registration with the 5G network.
  • Kamf is associated with a key set identifier (the KSI in 5G, ngKSI) in the 5G network.
  • the access and mobility management network element can randomly allocate an ngKSI and send the ngKSI to the terminal.
  • ngKSI is used to identify the root key Kamf of the 5G network.
  • the access and mobility management network element sends the above-mentioned ngKSI used to identify the root key of the 5G network in the authentication request message and / or the authentication success message sent to the terminal. Therefore, for the terminal and the access and mobility management network element, each ngKSI uniquely indicates a Kamf. In this application, Kamf can be used to subsequently generate the root key Kasme.
  • Second key Kasme: the key obtained by the terminal and the mobility management entity during the terminal's registration with the 4G network. Kasme is associated with the key set identifier in 4G (KSI for E-UTRAN, eKSI).
  • the mobility management entity may randomly allocate an eKSI and send the eKSI to the terminal.
  • eKSI is used to identify the root key Kasme of the 4G network.
  • the authentication request message sent by the mobility management entity to the terminal carries the above-mentioned eKSI used to identify the root key of the 4G network. Therefore, for the terminal and the mobility management entity, each eKSI can be used to uniquely indicate a Kasme. Kasme can be used to subsequently generate non-access stratum (NAS) keys and access stratum (AS) keys.
  • NAS non-access stratum
  • AS access stratum
  • eKSI, ngKSI, KSI: key set identifiers.
  • the key set identifier can be used to identify and retrieve the key between the terminal and the network.
  • eKSI is used to identify Kasme
  • ngKSI is used to identify Kamf
  • KSI can be used to identify the cipher key CK and the integrity key IK.
  • CK and IK can be used as key information for 3G networks.
  • Key derivation, also known as key deduction, means that a key is obtained according to input parameters. Take the derivation of the root key of the 4G network from the root key of the 5G network as an example.
  • the input parameters for deriving the root key of the 4G network from the root key of the 5G network may include one or more of the following parameters: a function code (FC), an uplink / downlink non-access stratum count value, a preset value, and random numbers.
  • FC Function Code
  • the root key of the 5G network can be Kamf.
  • the root key of a 4G network can be Kasme.
  • FC can be understood as the code of the derivation function used in deriving the key information, which indicates which function is used to derive the key information.
  • the FC can be the function code used when deriving the 4G root key from the root key of the 5G network.
  • the NAS count consists of a sequence number and an overflow counter.
  • the non-access stratum count can be an uplink non-access stratum count or a downlink non-access stratum count.
  • the downlink non-access stratum count value may be the downlink non-access stratum count value used when deriving the root key of the 4G network from the root key of the 5G network.
  • Kasme can be key information generated after the terminal and the network have completed authentication.
  • Specific key derivations, such as from the root key of the 5G network to the root key of the 4G network or from the root key of the 4G network to the 3G security key, may refer to the method in the existing standard, which is not limited in the embodiments of the present application.
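  • As an added example (constructed here, not Huawei's code or a 3GPP implementation), the following Python model walks the FIG. 3 key chain Kamf → Kasme → CK / IK with the ngKSI → eKSI → KSI mapping, and shows the 4G security context (Kasme, eKSI, selected algorithm) that the mobility management entity keeps so that the return to 4G can be verified without re-authentication. The KDF only has the generic 3GPP shape HMAC-SHA-256(key, FC || P0 || L0 ...); the FC values, the NAS-MAC construction and every function name are assumptions for illustration, not specification values.

```python
"""Constructed model of the 5G SRVCC key chain (FIG. 3) and of the 4G security
context kept for the return to 4G. Not Huawei's or 3GPP's code: the function
codes below are placeholders and the KDF is only 3GPP-shaped."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

FC_KAMF_TO_KASME = 0x70   # assumed function code: 5G root key -> 4G root key
FC_KASME_TO_CK_IK = 0x71  # assumed function code: 4G root key -> 3G CK / IK
FC_NAS_INT = 0x72         # assumed function code: Kasme -> NAS integrity key


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class KeySetId:
    """Key set identifier: a 3-bit value plus a type (native or mapped)."""
    value: int
    native: bool
    kind: str  # "ngKSI", "eKSI" or "KSI"


def map_ksi(ksi: KeySetId, target_kind: str) -> KeySetId:
    """ngKSI -> eKSI -> KSI: the value part is kept, the type becomes 'mapped'."""
    return KeySetId(value=ksi.value, native=False, kind=target_kind)


def derive_kasme(kamf: bytes, dl_nas_count: int) -> bytes:
    """4G root key from the 5G root key; inputs are FC and the downlink NAS count."""
    return kdf(kamf, FC_KAMF_TO_KASME, dl_nas_count.to_bytes(4, "big"))


def derive_ck_ik(kasme: bytes, dl_nas_count: int) -> Tuple[bytes, bytes]:
    """3G CS-domain keys from the 4G root key: CK = first half, IK = second half."""
    out = kdf(kasme, FC_KASME_TO_CK_IK, dl_nas_count.to_bytes(4, "big"))
    return out[:16], out[16:]


def select_algorithm(ue_caps: List[str], mme_priority: List[str]) -> str:
    """Preset policy: highest-priority MME algorithm that the UE also supports."""
    for alg in mme_priority:
        if alg in ue_caps:
            return alg
    raise ValueError("no security algorithm common to UE and MME")


@dataclass
class Context4G:
    """What the MME saves during the 5G -> 3G handover instead of discarding it."""
    kasme: bytes
    eksi: KeySetId
    algorithm: str


def srvcc_5g_to_3g(kamf, ngksi, dl_nas_count, ue_caps, mme_priority):
    """Network side of FIG. 3 (steps 202 and 204): returns CK, IK, KSI and the
    4G context the MME keeps for a later return to 4G."""
    kasme = derive_kasme(kamf, dl_nas_count)      # AMF, step 202
    eksi = map_ksi(ngksi, "eKSI")                  # AMF, step 202
    ck, ik = derive_ck_ik(kasme, dl_nas_count)     # MME, step 204
    ksi = map_ksi(eksi, "KSI")                     # MME, step 204
    saved = Context4G(kasme, eksi, select_algorithm(ue_caps, mme_priority))
    return ck, ik, ksi, saved


def ue_srvcc_5g_to_3g(kamf, ngksi, dl_nas_count):
    """UE side (step 210): the same two derivations after the handover command."""
    kasme = derive_kasme(kamf, dl_nas_count)
    ck, ik = derive_ck_ik(kasme, dl_nas_count)
    return kasme, ck, ik, map_ksi(map_ksi(ngksi, "eKSI"), "KSI")


def nas_mac(kasme: bytes, msg: bytes) -> bytes:
    """Integrity tag over a NAS message using a NAS integrity key from Kasme."""
    return hmac.new(kdf(kasme, FC_NAS_INT), msg, hashlib.sha256).digest()[:4]


def return_to_4g(ue_kasme, ue_eksi, msg, mme_ctx: Optional[Context4G]) -> str:
    """3G -> 4G return: the UE presents its eKSI and an integrity-protected
    message; the MME reuses the saved context only if the eKSI value matches
    and the MAC verifies, otherwise it falls back to full re-authentication."""
    mac = nas_mac(ue_kasme, msg)
    if mme_ctx is None or mme_ctx.eksi.value != ue_eksi.value:
        return "reauthenticate"
    if not hmac.compare_digest(mac, nas_mac(mme_ctx.kasme, msg)):
        return "reauthenticate"
    return "reuse:" + mme_ctx.algorithm
```

The MAC check is what makes the saved context safe to reuse: a matching eKSI value alone is a 3-bit label, so a UE whose Kasme diverged (different Kamf or NAS count) is still forced into re-authentication.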
  • Encryption: the sender encrypts the plaintext according to the encryption algorithm and encryption key to generate ciphertext. If a symmetric encryption method is used, the encryption key and the decryption key are the same.
  • the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.
  • Integrity protection: the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm and the integrity protection key.
  • the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
  • Security capabilities including but not limited to: security algorithms, security parameters, keys, etc.
  • the security capability may include, for example, the security capability of the UE and the security capability of a network-side device (such as an MME or an AMF or a UPF).
  • Security algorithm The algorithm used to protect data security. For example, it can include: encryption / decryption algorithms, integrity protection algorithms, and so on.
  • Security context information that can be used to implement data encryption and decryption and / or integrity protection.
  • the security context may include, for example, an encryption / decryption key, an integrity protection key, a fresh parameter (such as a non-access stratum (NAS) count), ngKSI, a security algorithm, and the like.
  • NAS non-access stratum
  • the gNB shown in FIGS. 4 to 6 may correspond to a base station node
  • the AMF may correspond to an access and mobility management network element
  • the MME may correspond to a mobility management entity
  • the MSC server may correspond to a mobile switching center server
  • the RNS may correspond to a radio network subsystem (RNS) network element.
  • the first network is a 3G network
  • the second network is a 4G network
  • the third network is a 5G network.
  • FIG. 4 is a schematic flowchart of a handover method 400 according to an embodiment of the present application, which is shown from the perspective of device interaction. As shown, the method 400 shown in FIG. 4 may include steps 401 to 426. Each step in the method 400 is described in detail below with reference to FIG. 4.
  • step 401 the base station sends a handover request message to the access and mobility management network element.
  • the base station may decide to initiate a request for SRVCC handover according to the measurement report reported by the UE, or the base station may decide to initiate a request for SRVCC handover according to factors such as the current load.
  • the handover request message carries an SRVCC handover instruction.
  • the SRVCC handover instruction is used to indicate that the process to be performed next is SRVCC handover.
  • step 402 the access and mobility management network element derives Kasme and maps ngKSI to eKSI.
  • when the new radio (NR) of the 5G network does not support continuing the voice service that the UE is performing on the 5G network, the voice service needs to be switched from the 5G network to the CS domain of the 3G network by SRVCC.
  • the signaling transfer during the voice service handover can be performed by the mobility management entity, thereby switching the voice service from the 5G network to the 3G network and ensuring the continuity of the voice service.
  • the access and mobility management network element can derive Kasme based on the key derivation parameters and the Kamf in the current security context.
  • the key derivation parameters may include a non-access stratum count value as described above, which may be an uplink non-access stratum count value or a downlink non-access stratum count value.
  • the access and mobility management network element may use Kamf and the non-access stratum count value to derive Kasme, and map the ngKSI that identifies Kamf to the eKSI that identifies Kasme.
  • step 403 the access and mobility management network element sends a forward relocation request message to the mobility management entity.
  • the forward relocation request message includes an SRVCC handover indication message and Kasme. The mobility management entity can derive the keys of the 3G network from Kasme.
  • the forward relocation request message may further include the key set identifier eKSI from step 402, which identifies the root key Kasme of the 4G network.
  • the forward relocation request message may further include the security capability of the UE.
  • the security capability of the UE may include the names of the security algorithms supported by the UE, or may further include the type or identifier of each security algorithm arranged in descending order of priority.
  • alternatively, the access and mobility management network element may already know the security capability of the UE, in which case it does not need to be carried in the forward relocation request message.
  • step 404 the mobility management entity derives CK||IK from Kasme.
  • after receiving the forward relocation request message from the access and mobility management network element, the mobility management entity knows from the SRVCC handover indication message that it needs to initiate the SRVCC process for the UE to switch from the 5G network to the 3G network, and uses the received Kasme to obtain CK||IK.
  • the mobility management entity may use Kasme and input parameters to derive CK||IK.
  • the input parameters may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.
  • alternatively, the mobility management entity may directly use the first half of Kasme as CK and the second half as IK.
  • the eKSI received by the mobility management entity may also be used directly as the KSI that identifies CK||IK.
  • step 405 the mobility management entity sends a PS to CS handover request message to the mobile switching center server.
  • the PS to CS handover request message includes CK||IK.
  • the PS to CS handover request message requests a handover from the packet switched (PS) domain to the circuit switched (CS) domain.
  • step 406 the mobile switching center server sends a relocation request message / handover request message to the radio network subsystem network element.
  • the relocation request message / handover request message is used to make a handover request to the base station controller in the radio network subsystem network element.
  • the radio network subsystem network element refers to a radio network subsystem including a base station controller and a base station.
  • step 407 the radio network subsystem network element sends a relocation response message / handover response message to the mobile switching center server.
  • this message is a response to the relocation request message / handover request message in step 406.
  • step 408 the mobile switching center server sends a PS to CS handover response message to the mobility management entity.
  • the PS to CS handover response message is used to respond to the PS to CS handover request message in step 405.
  • step 409 the mobility management entity sends a forward relocation response message to the access and mobility management network element.
  • step 410 the access and mobility management network element sends a handover command message to the base station.
  • step 411 the base station sends a handover command message to the UE.
  • step 412 the UE derives CK||IK.
  • after receiving the handover command message, the UE uses Kamf to derive Kasme, and then uses Kasme to derive CK||IK.
  • step 413 the UE sends a handover completion message to the radio network subsystem network element.
  • step 414 the radio network subsystem network element sends a handover completion message to the mobile switching center server.
  • step 415 the mobile switching center server sends a PS to CS handover completion message to the mobility management entity.
  • the UE can switch from a 5G network to a 3G network.
  • the SRVCC process is similar to that in the prior art and is not limited in this application.
  • after the UE voice service ends, if the area where the UE is located has NR coverage (that is, 5G network coverage), the UE will switch from the 3G network to the 5G network. If the 5G security context stored in the UE is available and is a native security context (that is, a context generated through a complete authentication and key agreement (AKA) process), the UE uses that 5G security context to protect the communication between the UE and the 5G network, for example to integrity protect the registration request message.
  • if the 5G security context is a mapped security context (that is, a context derived from the 4G security context, for example by using the 4G network root key Kasme to derive the 5G network root key Kamf and then generating the NAS key, AS key and so on), or the 5G security context is unavailable (for example, there is no 5G security context in the UE), the UE will send a registration request message without integrity protection, which will trigger the access and mobility management network element to perform a re-authentication process on the UE (that is, the access and mobility management network element requests an authentication vector from the unified data management (UDM) network element and sends an authentication challenge to the UE according to the authentication vector; after the UE passes the authentication challenge, it shares a root key with the network) to establish a 5G native security context.
  • the 5G native security context or the native 5G security context is used to indicate that the 5G security context is native, and its specific name does not limit the scope of protection of the present application.
  • a native security context means that the security context is a security context generated through a complete AKA process.
  • after the UE voice service ends, if there is no NR coverage in the area where the UE is located but there is E-UTRAN (that is, 4G network) coverage, the UE will switch from the 3G network to the 4G network. If a 5G security context is stored on the UE at this time and it is a native security context, the UE will delete the UMTS security context (that is, the 3G security context) after receiving the RRC release message sent by the radio network subsystem (such as the RNS).
  • the UE will send a tracking area update (TAU) request message without integrity protection to the mobility management entity, thereby triggering the mobility management entity to perform a re-authentication process on the UE to establish a new evolved packet system (EPS) security context (that is, a 4G security context).
  • step 416 the mobile switching center server sends an RRC release message to the radio network subsystem network element; the message carries the PLMN ID used last time, that is, the PLMN ID of the 4G network.
  • step 417 the radio network subsystem network element sends an RRC release message to the UE.
  • the radio network subsystem network element may send the RRC release message to the UE to instruct the UE to switch to the 4G network.
  • the RRC release message includes a network identifier indicating the target network to which the UE returns.
  • the network identifier may include, but is not limited to, an operator identifier (e.g., PLMN ID), an access network ID, a serving network ID, a cell ID, a base station ID (e.g., gNB ID), a LAN network ID, a slice ID, a bearer ID, a quality of service (QoS) ID, a flow ID, or network slice selection assistance information (NSSAI).
  • the UE sets the security context of the 5G network as the currently used security context.
  • the security context of the 5G network is the native security context.
  • according to its status, the security context on the UE is divided into the current security context and the non-current security context.
  • the UE will trigger the 3G to 4G handover process according to the currently used security context (that is, the 3G security context), that is, the root key CK||IK of the 3G network is used to derive the root key Kasme of the 4G network, so that the mobility management entity in the 4G network derives the NAS key and AS key from Kasme to obtain the 4G security context.
  • the embodiments of the present application provide a method that can avoid the risk of 4G security context leakage and improve the user experience.
  • after receiving the RRC release message, the UE determines whether to return to the 4G network according to the target network identifier contained in the RRC release message, and checks whether a 5G native security context is currently saved.
  • if the 5G native security context is saved and available, the UE deletes the 3G security context or sets it to inactive, sets the 5G native security context as the currently used security context, and sends to the mobility management entity a TAU request message integrity protected by the 5G native security context.
  • if the UE does not save a 5G native security context (including the case where the saved 5G security context is a mapped one), or the 5G native security context is unavailable, the UE deletes the currently used 3G security context or sets it to inactive, and sends a TAU request message without integrity protection to the mobility management entity, so as to subsequently trigger the mobility management entity to perform a re-authentication process on the UE and finally establish a 4G (native) security context.
  • step 419 the UE sends a TAU request message to the mobility management entity.
  • when the UE finds that a 5G native security context is currently saved and available, the UE sends a TAU request message to the mobility management entity, and the TAU request message is integrity protected by the 5G native security context.
  • by using the 5G native security context, instead of a 4G mapped security context derived from the 3G security context, to protect the TAU request message, Kasme can be prevented from leaking, which ensures the security of the 5G network when the UE later switches back to it and improves the security of network communication.
  • the TAU request message includes an evolved packet system GUTI (EPS GUTI) mapped from the 5G globally unique temporary UE identity (5G GUTI), an eKSI mapped from the ngKSI, and the NAS MAC generated by integrity protecting the TAU request message with the 5G native security context.
  • the mobility management entity obtains the address of the access and mobility management network element according to the mapped EPS GUTI after receiving the TAU request message.
  • step 421 the mobility management entity sends a context request message to the access and mobility management network element.
  • the context request message includes a mapped EPS GUTI and a TAU request message using 5G native security context protection.
  • the TAU request message is sent by the UE to the mobility management entity in step 419.
  • the access and mobility management network element maps a security context of the 4G network from the security context of the 5G network.
  • the access and mobility management network element finds the corresponding 5G native security context according to the eKSI in the TAU request message and verifies the TAU request message. If the verification passes, the access and mobility management network element can use the 5G native security context to map out a 4G security context and send it to the mobility management entity in a context response message. If the verification fails or the corresponding 5G native security context is not found, the access and mobility management network element treats the TAU request message as unprotected and therefore does not send any security context to the mobility management entity. Regardless of whether the verification passes, the access and mobility management network element carries the permanent identity of the UE (such as the International Mobile Subscriber Identity (IMSI) or the Subscriber Permanent Identifier (SUPI)) in the context response message.
  • step 423 the access and mobility management network element sends a context response message to the mobility management entity.
  • the context response message includes the UE permanent identity from step 422 and the generated 4G mapped security context (if the verification passed). If the mobility management entity does not receive a 4G mapped security context, it requests an authentication vector from the Home Subscriber Server (HSS) according to the received permanent identity of the UE and performs the re-authentication process to generate a 4G (native) security context.
  • step 424 the mobility management entity determines a 4G algorithm according to the received 4G mapping security context.
  • the 4G algorithm includes the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network.
  • the mobility management entity can select a suitable encryption algorithm and integrity protection algorithm according to its own security capabilities, local priority list, and UE security capabilities.
  • the 4G mapped security context received by the mobility management entity may include the 4G encryption algorithm and 4G integrity protection algorithm corresponding to the 5G encryption algorithm and 5G integrity protection algorithm previously used by the access and mobility management network element and the UE. If these algorithms are inconsistent with the configuration of the mobility management entity, or the mobility management entity does not support them, the mobility management entity reselects the algorithms.
  • step 425 if the mobility management entity reselects the algorithms, the NAS security mode command (SMC) process is triggered to activate NAS security, so that the UE and the mobility management entity share Kasme and the related NAS keys.
  • the mobility management entity sends a TAU accept message to the UE.
  • when the UE sends the TAU request message, it can first derive the 4G mapped security context from the 5G native security context, that is, derive Kasme from Kamf, and derive the NAS key using the 4G encryption algorithm and 4G integrity protection algorithm corresponding to the 5G encryption algorithm and 5G integrity protection algorithm in the 5G native security context. If the UE subsequently receives a NAS SMC message from the mobility management entity, it derives a new NAS key according to the NAS SMC message and deletes the previously generated NAS key; otherwise, the UE uses the previously generated NAS key to verify the TAU accept message.
  • the UE adjusts the state of the security contexts it saves: the UE deletes the 3G security context that is currently in use, sets the 5G native security context as the currently used security context, and uses the 5G native security context instead of a 4G mapped security context derived from the 3G security context to protect the TAU request message. In this way, leakage of the 4G security context can be avoided, the security of the 5G network can be guaranteed, and the user experience can be improved.
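The UE-side decision of steps 418 and 419 and the AMF-side check of step 422, as an added example that is not part of the patent: the UE drops the 3G context in both branches, protects the TAU request with its native 5G context when it has one and otherwise sends it unprotected so that the MME re-authenticates; the AMF verifies the request and maps Kasme from Kamf only on success. The KDF follows the generic 3GPP layout, but the FC values, the toy NAS-MAC, taking eKSI equal to ngKSI and the constructed Kamf and CK||IK samples are assumptions of this example.

```python
"""Added example (not code from the patent or from 3GPP): a minimal model of
steps 418 to 422 of method 400. All FC values are PLACEHOLDERS, not the
codes assigned by TS 33.501; keys and identities are constructed samples."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

FC_KAMF_TO_KASME = 0x00  # placeholder: Kamf -> Kasme (steps 402 / 422)
FC_NAS_INT_KEY = 0x01    # placeholder: Kamf -> 5G NAS integrity key
FC_NAS_MAC = 0x02        # placeholder tag for the toy NAS-MAC below
NO_KEY_KSI = 7           # KSI value meaning "no key is available"
# Constructed sample keys; not real subscriber material.
KAMF_SAMPLE = hashlib.sha256(b"constructed Kamf sample").digest()
CK_IK_SAMPLE = hashlib.sha256(b"constructed CK||IK sample").digest()


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || ..., the generic 3GPP KDF layout."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(kamf: bytes, nas_count: int) -> bytes:
    """Kasme from Kamf and a NAS COUNT (uplink or downlink), as in step 402."""
    return kdf(kamf, FC_KAMF_TO_KASME, struct.pack(">I", nas_count))


def split_ck_ik(kasme: bytes) -> tuple[bytes, bytes]:
    """Step 404 variant given in the text: first half of Kasme is CK, second half IK."""
    return kasme[:16], kasme[16:]


def nas_mac(kamf: bytes, message: bytes) -> bytes:
    """Toy 32-bit NAS-MAC keyed by a 5G NAS integrity key derived from Kamf."""
    k_int = kdf(kamf, FC_NAS_INT_KEY)[16:]
    return kdf(k_int, FC_NAS_MAC, message)[:4]


@dataclass
class SecurityContext:
    generation: str  # "3G", "4G" or "5G"
    native: bool     # True only if produced by a complete AKA run
    key: bytes       # CK||IK, Kasme or Kamf
    ksi: int         # KSI / eKSI / ngKSI
    current: bool = False


@dataclass
class TauRequest:
    mapped_eps_guti: str
    eksi: int
    payload: bytes
    mac: bytes | None  # None: sent without integrity protection


def ue_return_to_4g(contexts: list[SecurityContext], guti_5g: str) -> TauRequest:
    """Steps 418/419 on the UE after an RRC release pointing at E-UTRAN."""
    native_5g = next((c for c in contexts if c.generation == "5G" and c.native), None)
    # Either way the UMTS (3G) context is dropped: it must never seed Kasme.
    contexts[:] = [c for c in contexts if c.generation != "3G"]
    mapped_guti = f"EPS-GUTI<{guti_5g}>"
    payload = b"TAU-REQUEST|" + mapped_guti.encode()
    if native_5g is None:
        # Mapped or missing 5G context: unprotected TAU, so the MME must run
        # a fresh authentication instead of reusing derived keys.
        return TauRequest(mapped_guti, NO_KEY_KSI, payload, None)
    for c in contexts:
        c.current = False
    native_5g.current = True
    return TauRequest(mapped_guti, native_5g.ksi, payload, nas_mac(native_5g.key, payload))


def amf_handle_context_request(store: dict[int, SecurityContext], req: TauRequest,
                               dl_nas_count: int) -> bytes | None:
    """Step 422 on the AMF: look up the native 5G context by eKSI and verify the
    TAU request; returns the mapped Kasme, or None (no context is sent and the
    MME falls back to re-authentication via the HSS)."""
    ctx = store.get(req.eksi)
    if ctx is None or not ctx.native or req.mac is None:
        return None
    if not hmac.compare_digest(nas_mac(ctx.key, req.payload), req.mac):
        return None
    return derive_kasme(ctx.key, dl_nas_count)


def demo(native_5g: bool) -> tuple[TauRequest, bytes | None]:
    """UE holding a 3G context plus a native or mapped 5G one returns to 4G."""
    ue = [SecurityContext("3G", False, CK_IK_SAMPLE, 1, current=True),
          SecurityContext("5G", native_5g, KAMF_SAMPLE, 3)]
    amf = {3: SecurityContext("5G", native_5g, KAMF_SAMPLE, 3)}
    req = ue_return_to_4g(ue, "constructed-5G-GUTI")
    return req, amf_handle_context_request(amf, req, dl_nas_count=17)
```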
  • FIG. 5 is a schematic flowchart of a handover method 500 according to another embodiment of the present application, which is shown from the perspective of device interaction. As shown, the method 500 shown in FIG. 5 may include steps 501 to 519. Each step in the method 500 is described in detail below with reference to FIG. 5.
  • step 501 the base station sends a handover request message to the access and mobility management network element.
  • the base station may decide to initiate a request for SRVCC handover according to the measurement report reported by the UE, or the base station may also decide to initiate a request for SRVCC handover according to factors such as the current load.
  • the handover request message carries an SRVCC handover instruction.
  • the SRVCC handover instruction is used to indicate that the process to be performed next is SRVCC handover.
  • step 502 the access and mobility management network element derives Kasme and maps ngKSI to eKSI.
  • similar to step 402 in the embodiment shown in FIG. 4; for related content, refer to the description of step 402.
  • step 503 the access and mobility management network element sends a forward relocation request message to the mobility management entity.
  • similar to step 403 in the embodiment shown in FIG. 4; for related content, refer to the description of step 403.
  • step 504 the mobility management entity saves Kasme, selects a 4G algorithm, and derives a NAS key.
  • after receiving the forward relocation request message from the access and mobility management network element, the mobility management entity knows from the SRVCC handover indication message therein that the SRVCC process needs to be initiated, so the mobility management entity saves Kasme.
  • the Kasme saved by the mobility management entity can be used when the UE subsequently needs to return to the 4G network from the 3G network: the NAS key is derived from Kasme, so that the UE does not need to re-run the authentication process when switching from the 3G network to the 4G network, which would increase latency and air interface signaling overhead and seriously affect user experience.
  • the mobility management entity may select an encryption algorithm and an integrity protection algorithm to be used later if the UE returns to the 4G network based on a preset policy.
  • the preset policy may include at least one of the following factors: its own security capability, local priority list, UE security capability, and so on.
  • the preset policy may include the security capability of the terminal device, that is, the mobility management entity selects the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network based on the security capability of the terminal device (such as the security algorithms supported by the terminal device).
  • the preset policy can also include the security capability of the mobility management entity itself, that is, the mobility management entity selects the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network based on its own security capability (such as the security algorithms supported by the mobility management entity itself). Alternatively, the preset policy may also include a priority list of security capabilities: for example, the mobility management entity determines the security algorithms supported by both the terminal device and itself, and then selects the algorithm with the highest security strength or the highest priority as the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network.
  • the preset policy may be predefined, such as a protocol definition, or may be determined through negotiation between the UE and the user plane gateway, which is not limited in this application.
  • the above encryption algorithms and integrity protection algorithms can be collectively referred to as security algorithms.
  • for brevity, in the following embodiments the encryption algorithm and integrity protection algorithm selected by the mobility management entity for the UE to use when returning to the 4G network are referred to as the 4G algorithm.
  • the mobility management entity can use Kasme and 4G algorithms to derive a NAS key, and the NAS key can be used when the UE switches to the 4G network.
  • 4G algorithms include 4G encryption algorithms and 4G integrity protection algorithms.
  • NAS keys include NAS encryption keys and NAS integrity protection keys.
  • the mobility management entity derives NAS encryption keys based on Kasme and 4G encryption algorithms; and derives NAS integrity protection keys based on Kasme and 4G integrity protection algorithms.
  • after the mobility management entity receives the forward relocation request message from the access and mobility management network element, it knows from the SRVCC handover indication message that the SRVCC process needs to be initiated, and based on that indication the mobility management entity saves Kasme and the selected 4G algorithm.
  • the embodiment of this application does not limit the time at which the mobility management entity derives the NAS key.
  • alternatively, the mobility management entity may not derive the NAS key at this point, but may instead derive it when it is determined that the UE needs to return to the 4G network.
  • step 505 the mobility management entity derives CK||IK from Kasme.
  • after the mobility management entity receives the forward relocation request message from the access and mobility management network element, it knows from the SRVCC handover indication message therein that it needs to initiate the SRVCC process for the UE to switch from the 5G network to the 3G network, and uses the received Kasme to obtain CK||IK.
  • the mobility management entity may use Kasme and input parameters to derive CK||IK.
  • the input parameters may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.
  • alternatively, the mobility management entity may directly use the first half of Kasme as CK and the second half as IK.
  • the eKSI received by the mobility management entity may also be used directly as the KSI that identifies CK||IK.
  • step 506 the mobility management entity sends a PS to CS handover request message to the mobile switching center server.
  • the PS to CS handover request message includes CK||IK.
  • the PS to CS handover request message requests a handover from the packet switched (PS) domain to the circuit switched (CS) domain.
  • the PS to CS handover request message may further include the 4G algorithm selected by the mobility management entity for the UE, or an identifier of the 4G algorithm.
  • step 507 the mobile switching center server sends a relocation request message / handover request message to the radio network subsystem network element.
  • the relocation request message / handover request message is used to make a handover request to the base station controller in the radio network subsystem, and the message may include a source-to-target base station container.
  • the radio network subsystem network element refers to a radio network subsystem including a base station controller and a base station.
  • step 508 the radio network subsystem network element sends a relocation response message / handover response message to the mobile switching center server.
  • this message is a response to the relocation request message / handover request message in step 507.
  • step 509 the mobile switching center server sends a PS to CS handover response message to the mobility management entity.
  • the PS to CS handover response message is used to respond to the PS to CS handover request message in step 506.
  • step 510 the mobility management entity sends a forward relocation response message to the access and mobility management network element.
  • the forward relocation response message may further include the 4G algorithm selected by the mobility management entity in step 504, or an identifier indicating the 4G algorithm.
  • in this way, the UE can derive the NAS key from Kasme and the 4G algorithm, avoiding the need to re-run the authentication process when the UE needs to switch from 3G to 4G, which would increase the delay and air interface signaling overhead and seriously affect the user experience.
  • the forward relocation response message may also carry indication information indicating the 4G algorithm, so as to indicate that the 4G algorithm does not need to be processed in the 3G network.
  • step 511 the access and mobility management network element sends a handover command message to the base station.
  • the handover command message includes a 4G algorithm or an identifier of the 4G algorithm.
  • the handover command message may further include the indication information in step 510.
  • step 512 the base station sends a handover command message to the UE.
  • the handover command message includes a 4G algorithm or an identifier of the 4G algorithm.
  • the handover command message may further include the indication information in step 510.
  • step 513 the UE derives CK||IK.
  • after receiving the handover command message, the UE uses Kamf to derive Kasme, and then uses Kasme to derive CK||IK.
  • the UE may save the received 4G algorithm or the identifier of the 4G algorithm, so that the NAS key can be derived when the UE subsequently needs to return to the 4G network.
  • the UE can also save Kasme, so that it can be used directly when it needs to return to the 4G network in the future, and the NAS key can be derived based on the Kasme and 4G algorithm.
  • the UE can also use Kamf to derive the same Kasme when it is subsequently determined that it needs to return to the 4G network, and then derive the NAS key according to the Kasme and 4G algorithms.
  • step 514 the UE sends a handover completion message to the radio network subsystem network element.
  • step 515 the radio network subsystem network element sends a handover completion message to the mobile switching center server.
  • step 516 the mobile switching center server sends a PS to CS handover completion message to the mobility management entity.
  • the UE can switch from a 5G network to a 3G network.
  • the mobility management entity can also share the Kasme generated during the handover from the 5G network to the 3G network with the UE, so that when the UE needs to return to the 4G network the NAS key can be derived from Kasme and the 4G algorithm, thereby avoiding re-running the authentication process and improving user experience.
  • step 517 the mobile switching center server sends an RRC release message to the radio network subsystem network element.
  • step 518 the radio network subsystem network element sends an RRC release message to the UE.
  • the radio network subsystem network element may send the RRC release message to the UE to instruct the UE to switch to the 4G network.
  • the RRC release message includes a network identifier indicating the target network to which the UE returns.
  • the network identifier may include, but is not limited to, an operator identifier (e.g., PLMN ID), an access network ID, a serving network ID, a cell ID, a base station ID (e.g., gNB ID), a LAN network ID, a slice ID, a bearer ID, a quality of service (QoS) ID, a flow ID, or network slice selection assistance information (NSSAI).
  • step 519 the UE uses the 4G algorithm to derive the NAS key, and determines to return to the 4G network.
  • After receiving the RRC release message, the UE determines to return to the 4G network.
  • Upon receiving the RRC release message from the 3G network, the UE can derive the root key of the 4G network from the root key of the 5G network, and then the NAS key of the 4G network. If the UE previously stored Kasme, it uses Kasme and the previously received 4G algorithm to derive the NAS key. If the UE has not stored Kasme, it first uses Kamf to derive Kasme, and then uses Kasme and the previously received 4G algorithm to derive the NAS key.
  • the access and mobility management network element will first derive the root key Kasme of the 4G network based on the root key Kamf of the 5G network.
  • the root key Kasme of the 4G network obtained when the UE switches from the 5G network to the 3G network can be used.
  • the mobility management entity will select a security algorithm for the UE when returning to the 4G network when the UE switches from the 5G network to the 3G network.
  • the UE can derive the security key of the 4G network and thereby avoid performing the re-authentication process when returning to the 4G network, which reduces delay and improves user experience.
  • FIG. 6 is another schematic flowchart of a handover method 600 according to another embodiment of the present application, which is shown from the perspective of device interaction. As shown, the method 600 shown in FIG. 6 may include steps 601 to 620. Each step in the method 600 is described in detail below with reference to FIG. 6.
  • step 601 the base station sends a handover request message to the access and mobility management network element.
  • step 601 is similar to step 401 in method 400 and step 501 in method 500 above. Since step 401 has been described in detail in the method 400 above, for brevity, it will not be repeated here.
  • step 602 the access and mobility management network element derives Kasme and maps ngKSI to eKSI.
  • step 602 is similar to step 402 in method 400 and step 502 in method 500 above. Since step 402 has been described in detail in the method 400 above, for brevity, it will not be repeated here.
  • step 603 the access and mobility management network element sends a forward relocation request message to the mobility management entity.
  • step 603 is similar to step 403 in method 400 and step 503 in method 500 above. Since step 403 has been described in detail in the method 400 above, for brevity, it will not be repeated here.
  • step 604 the mobility management entity saves Kasme, selects a 4G algorithm, and derives a NAS key.
  • After receiving the forward relocation request message from the access and mobility management network element, the mobility management entity learns from the SRVCC handover instruction message that the SRVCC process needs to be initiated, so the mobility management entity can save the Kasme.
  • the Kasme saved by the mobility management entity can be used when the UE subsequently needs to return from the 3G network to the 4G network: the NAS key is derived from the Kasme, which avoids re-establishing the authentication process when the UE switches from the 3G network to the 4G network. Re-authentication would increase latency and air interface signaling overhead and seriously affect user experience.
  • the mobility management entity may select an encryption algorithm and an integrity protection algorithm to be used later when the UE returns to the 4G network.
  • the mobility management entity may select an appropriate encryption algorithm and integrity protection algorithm according to its own security capabilities, local priority list, and UE security capabilities.
  • the encryption algorithm and integrity protection algorithm selected by the mobility management entity for use when the UE returns to the 4G network are referred to as the 4G algorithm.
  • the mobility management entity can use Kasme and the 4G algorithm to derive a NAS key, which can be used when the UE switches to the 4G network.
  • the embodiment of the present application does not limit when the mobility management entity selects the 4G algorithm and when the NAS key is derived. Specifically, the mobility management entity may skip step 604 during the handover process from 5G to 3G.
  • step 605 CK
  • the mobility management entity learns from the SRVCC handover instruction message that the SRVCC process needs to be initiated, and then uses the received Kasme to obtain CK
  • the mobility management entity may directly use the first half of Kasme as CK and the latter half as IK.
  • the eKSI received by the mobility management entity may also be directly used as the KSI identifier CK
  • step 606 the mobility management entity sends a PS to CS handover request message to the mobile switching center server.
  • the PS to CS handover request message includes a CK
  • the role of the PS to CS handover request message is to perform a packet switching to circuit switching request.
  • step 607 the mobile switching center server sends a relocation request message / handover request message to the wireless network subsystem network element.
  • the relocation request message / handover request message is used to make a handover request to the base station controller in the network element of the wireless network subsystem, and the message may include a transparent container from the source base station to the destination base station.
  • the wireless network subsystem network element refers to a wireless network subsystem including a base station controller and a base station.
  • step 608 the network element of the wireless network subsystem sends a relocation response message / handover response message to the mobile switching center server.
  • This message is a response to the relocation request message / handover request message in step 607.
  • step 609 the mobile switching center server sends a PS to CS handover response message to the mobility management entity.
  • the PS to CS handover response message is used to respond to the PS to CS handover request message in step 606.
  • step 610 the mobility management entity sends a forward relocation response message to the access and mobility management network element.
  • step 611 the access and mobility management network element sends a handover command message to the base station.
  • step 612 the base station sends a handover command message to the UE.
  • step 613 the UE derives CK
  • After receiving the handover command message, the UE uses Kamf to derive Kasme, and then uses Kasme to derive CK
  • step 614 the UE sends a handover completion message to the wireless network subsystem network element.
  • step 615 the wireless network subsystem network element sends a handover completion message to the mobile switching center server.
  • step 616 the mobile switching center server sends a PS to CS handover completion message to the mobility management entity.
  • the UE can switch from a 5G network to a 3G network.
  • step 617 the mobile switching center server sends an RRC release message to the wireless network subsystem network element.
  • the RRC release message includes the 4G algorithm or the algorithm identifier of the 4G algorithm selected by the mobility management entity for the UE.
  • step 618 the target network to be returned to is determined.
  • the wireless network subsystem network element may decide whether to carry the 4G algorithm or the algorithm identifier of the 4G algorithm in the RRC release message according to whether the target network to be returned by the UE is a 4G network.
  • the wireless network subsystem network element can obtain the current network coverage status according to the measurement report reported by the UE. Therefore, when the wireless network subsystem network element learns that there is currently 4G network coverage and no 5G network coverage, it determines that the UE switches from the 3G network to the 4G network.
  • the RRC release message sent by the network element of the wireless network subsystem to the UE carries a 4G algorithm.
  • the wireless network subsystem network element determines that there is currently coverage of the 5G network, determines that the target network to be returned by the UE is a 5G network, and directly sends an RRC release message to the UE.
  • if the network element of the wireless network subsystem determines that there is currently no coverage of the 5G network but there is coverage of the 4G network, it determines that the target network to which the UE is about to return is a 4G network, and the RRC release message sent to the UE carries the 4G algorithm or the algorithm identifier of the 4G algorithm.
  • if the RRC release message received from the mobile switching center server includes the 4G algorithm or the algorithm identifier of the 4G algorithm preselected by the mobility management entity for the UE, then the RRC release message sent by the wireless network subsystem network element to the UE carries that 4G algorithm or algorithm identifier.
  • the network element of the wireless network subsystem notifies the mobile switching center server to request a 4G algorithm.
  • the mobile switching center server requests the mobility management entity to select a 4G algorithm for the UE.
  • the mobility management entity receives the instruction, selects the 4G algorithm for the UE, and sends the selected 4G algorithm or the algorithm identifier of the 4G algorithm to the wireless network subsystem network element, so that the RRC release message sent by the wireless network subsystem network element to the UE carries the 4G algorithm.
  • the network element of the wireless network subsystem may not judge the returned target network.
  • if the RRC release message includes the 4G algorithm or the algorithm identifier of the 4G algorithm preselected by the mobility management entity for the UE, the network element of the wireless network subsystem may, without judging the target network to be returned to, directly send the 4G algorithm or the algorithm identifier of the 4G algorithm to the UE through the RRC release message.
  • if the RRC release message instructs the UE to return to the 5G network, the UE ignores the above 4G algorithm because it already has a 5G security context; otherwise the UE uses the above 4G algorithm to derive the NAS key.
  • step 619 the network element of the wireless network subsystem sends an RRC release message to the UE.
  • the wireless network subsystem network element sends an RRC release message to the UE to instruct the UE to switch to the 4G network.
  • the RRC release message includes a network identifier indicating the target network returned by the UE.
  • the network identifier has been described in step 510 of the above method 500 and, for brevity, is not described again here. According to the network identifier, the UE determines that the network to be returned to is a 4G network.
  • step 620 the UE derives a NAS key.
  • When the UE receives the RRC release message, it can use the 4G algorithm carried in the RRC release message to derive the NAS key. Before the NAS key is derived, if the UE does not have Kasme, the UE needs to use Kamf to derive Kasme first. If the UE saved Kasme when deriving CK
  • a method that requires the UE to save Kasme in advance may be that when the UE switches from a 5G network to a 3G network, the mobility management entity sends instruction information to the UE to instruct the UE to save Kasme.
  • the access and mobility management network element will first derive the root key Kasme of the 4G network based on the root key Kamf of the 5G network.
  • the root key Kasme of the 4G network obtained when the UE switches from the 5G network to the 3G network can be used.
  • the security algorithm of the 4G network is requested from the mobility management entity, and the security algorithm of the 4G network is sent to the UE, so that the UE can derive the security key of the 4G network from Kasme, the root key of the 4G network. This prevents the UE from performing the re-authentication process when returning to the 4G network, thereby reducing delay, saving air interface resources in the 5G SRVCC phase, and improving user experience.
  • FIG. 7 is a schematic block diagram of a switching device 700 according to an embodiment of the present application.
  • the communication device 700 may include: a transceiver module 710 and a processing module 720.
  • the switching device 700 may be the UE in the foregoing method embodiment, or may be a chip used to implement the functions of the UE in the foregoing method embodiment.
  • the transceiver module 710 is configured to receive first information, where the first information includes instruction information instructing the terminal device to switch from the first network to the second network, and the first information further includes a network identifier of the second network; the processing module 720 is configured to set the security context of the third network to the currently used security context when the native security context of the third network exists in the terminal device; the processing module 720 is further configured to derive the security context of the second network according to the security context of the third network.
  • the processing module 720 is further configured to: delete the security context of the first network.
  • the transceiver module 710 is further configured to send tracking area update request information protected by the security context of the third network to a mobility management entity.
  • the tracking area update request information includes a fourth-generation 4G globally unique temporary terminal device identifier mapped from the fifth-generation 5G globally unique temporary terminal device identifier, and a key set identifier.
  • the first information is radio resource control RRC release information.
  • the processing module 720 is further configured to delete the security context of the first network when the native security context of the third network does not exist in the terminal device; and the transceiver module 710 is further configured to send tracking area update request information without integrity protection to the mobility management entity, so that the mobility management entity performs a re-authentication process.
  • the first network is a third-generation 3G / second-generation 2G network, the second network is a fourth-generation 4G network, and the third network is a fifth-generation 5G network.
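  • The following is an added illustration, not code from the patent, from Huawei or from 3GPP, of the key handling that step 519 of method 500, steps 604, 605, 613 and 618 to 620 of method 600, and the FIG. 7 processing module describe: the MME and the UE both derive Kasme from Kamf, the UE either reuses the Kasme it stored during SRVCC or derives it again on return, the NAS key is bound to the 4G algorithm the MME selected, and a UE without a native 5G context falls back to an unprotected tracking area update so that the MME re-authenticates. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || ...) follows TS 33.220 Annex B; the FC values 0x73 and 0x15, the use of the NAS downlink COUNT as the Kasme input, the algorithm type distinguishers and the identity mapping of ngKSI to eKSI are assumptions from memory of TS 33.501 / TS 33.401 and should be checked against the specifications; the CK / IK split follows the page's own description in step 605; all key material and identifiers are constructed.

```python
# Added example (not the patent's, Huawei's or 3GPP's code): key handling on
# the MME / RNS / UE side for 5G -> 3G SRVCC and the later return to 4G.
import hmac
import hashlib


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B shape): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., where Li is the 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(kamf: bytes, nas_dl_count: int) -> bytes:
    """Kasme from Kamf (AMF in step 602, UE in step 613).
    ASSUMPTION: FC 0x73 with the 4-byte NAS downlink COUNT as P0 (TS 33.501
    Annex A.14 from memory); verify against the specification."""
    return kdf(kamf, 0x73, nas_dl_count.to_bytes(4, "big"))


def map_ngksi_to_eksi(ngksi: int) -> int:
    """Step 602: the ngKSI value is carried over as eKSI (assumed 3-bit field)."""
    return ngksi & 0x7


def split_ck_ik(kasme: bytes) -> tuple:
    """Step 605 as the page states it: first half of Kasme is CK, second half IK."""
    return kasme[:16], kasme[16:]


def derive_nas_keys(kasme: bytes, enc_alg_id: int, int_alg_id: int) -> tuple:
    """EPS NAS keys bound to the selected 4G algorithm (TS 33.401 A.7 shape,
    from memory: FC 0x15, P0 = 0x01 for encryption / 0x02 for integrity,
    P1 = algorithm id, keep the low 128 bits). A different algorithm id
    yields a different key, so UE and MME must agree on the 4G algorithm."""
    k_nas_enc = kdf(kasme, 0x15, b"\x01", bytes([enc_alg_id]))[16:]
    k_nas_int = kdf(kasme, 0x15, b"\x02", bytes([int_alg_id]))[16:]
    return k_nas_enc, k_nas_int


def build_rrc_release(has_5g: bool, has_4g: bool, preselected_alg, mme_select) -> dict:
    """Steps 617 / 618 on the RNS: pick the target network from coverage and
    decide whether the RRC release carries a 4G algorithm.
    preselected_alg: (enc_id, int_id) chosen by the MME in step 604, or None;
    mme_select: callable standing in for the MSC -> MME request of the page."""
    if has_5g:
        return {"target": "5G"}              # UE keeps its native 5G context
    if has_4g:
        alg = preselected_alg if preselected_alg is not None else mme_select()
        return {"target": "4G", "alg_4g": alg}
    return {"target": "3G"}                  # no return possible: stay (assumption)


def ue_handle_rrc_release(ue: dict, msg: dict) -> dict:
    """Steps 619 / 620 and the FIG. 7 processing module on the UE. `ue` holds
    the native 5G context ('kamf', 'ngksi', 'nas_dl_count'), an optional
    'kasme' stored in step 613, and the current 3G context 'ctx_3g'."""
    if msg["target"] == "5G":
        # already has a 5G security context: any 4G algorithm carried is ignored
        return {"action": "resume_5g", "ignored_alg": msg.get("alg_4g")}
    if msg["target"] != "4G":
        return {"action": "stay"}
    if "kamf" not in ue:
        # no native 5G context: delete the 3G context and send the TAU without
        # integrity protection so that the MME runs re-authentication
        ue.pop("ctx_3g", None)
        return {"action": "tau_unprotected"}
    kasme = ue.get("kasme") or derive_kasme(ue["kamf"], ue["nas_dl_count"])
    enc_id, int_id = msg["alg_4g"]
    k_enc, k_int = derive_nas_keys(kasme, enc_id, int_id)
    ue.pop("ctx_3g", None)                   # delete the first-network (3G) context
    return {"action": "tau_protected", "eksi": map_ngksi_to_eksi(ue["ngksi"]),
            "k_nas_enc": k_enc, "k_nas_int": k_int}


def demo() -> bool:
    """Constructed scenario: the MME's NAS keys match the UE's whether the UE
    stored Kasme during SRVCC or derives it again on return to 4G."""
    kamf = hashlib.sha256(b"constructed Kamf for the example").digest()
    count, ngksi, alg = 7, 5, (2, 2)         # constructed COUNT, ngKSI, EEA2/EIA2 ids
    mme_kasme = derive_kasme(kamf, count)    # MME stores Kasme in step 604
    mme_keys = derive_nas_keys(mme_kasme, *alg)
    msg = build_rrc_release(False, True, alg, lambda: alg)
    ue_stored = {"kamf": kamf, "ngksi": ngksi, "nas_dl_count": count,
                 "kasme": mme_kasme, "ctx_3g": split_ck_ik(mme_kasme)}
    ue_fresh = {"kamf": kamf, "ngksi": ngksi, "nas_dl_count": count, "ctx_3g": "x"}
    r1 = ue_handle_rrc_release(ue_stored, msg)
    r2 = ue_handle_rrc_release(ue_fresh, msg)
    return ((r1["k_nas_enc"], r1["k_nas_int"]) == mme_keys
            and (r2["k_nas_enc"], r2["k_nas_int"]) == mme_keys
            and r1["eksi"] == ngksi and "ctx_3g" not in ue_fresh)
```

  • The point a practitioner should take from the example is the binding: the NAS key depends on both Kasme and the algorithm identity, so the scheme only avoids re-authentication if the algorithm the RNS forwards in the RRC release is the one the MME actually used in step 604; a mismatch leaves the UE and MME with different keys and the tracking area update will fail integrity checking, which is the failure mode the page's "request the 4G algorithm from the mobility management entity" path exists to prevent.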
  • the switching device 700 may correspond to the UE in the methods 400 to 600 according to the embodiment of the present application, and the switching device 700 may include modules for performing the method performed by the UE in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 700 and the other operations and / or functions described above are used to implement the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6, respectively. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 700 may be the mobility management entity in the foregoing method embodiment, or may be a chip used to implement the functions of the mobility management entity in the foregoing method embodiment.
  • the switching device 700 may correspond to the mobility management entity in the methods 400 to 600 according to the embodiment of the present application.
  • the switching device 700 may include modules for performing the method performed by the mobility management entity in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each unit in the switching device 700 and the other operations and / or functions described above are respectively used to implement the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 700 may be the access and mobility management network element in the foregoing method embodiment, or may be a chip used to implement the functions of the access and mobility management network element in the foregoing method embodiment.
  • the switching device 700 may correspond to the access and mobility management network elements in the methods 400 to 600 according to the embodiment of the present application.
  • the switching device 700 may include modules for performing the method performed by the access and mobility management network element in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 700 and the other operations and / or functions described above are used to implement corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6, respectively. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 700 may be the mobile switching center in the foregoing method embodiment, or may be a chip used to implement the functions of the mobile switching center in the foregoing method embodiment.
  • the switching device 700 may correspond to the mobile switching center in the methods 400 to 600 according to the embodiment of the present application.
  • the switching device 700 may include modules for performing the method performed by the mobile switching center in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 700 and the other operations and / or functions described above are used to implement corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6, respectively. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 700 may be the wireless network subsystem network element in the foregoing method embodiment, or may be a chip used to implement the functions of the wireless network subsystem network element in the foregoing method embodiment.
  • the switching device 700 may correspond to the wireless network subsystem network element in the methods 400 to 600 according to the embodiment of the present application, and the switching device 700 may include modules for performing the method performed by the wireless network subsystem network element in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 700 and the other operations and / or functions described above are respectively used to implement the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the transceiver module 710 in the switching device 700 may correspond to the transceiver 820 in the switching device 800 shown in FIG. 8, and the processing module 720 in the switching device 700 may correspond to the processor 810 in the switching device 800 shown in FIG. 8.
  • FIG. 8 is a schematic block diagram of a switching device 800 according to an embodiment of the present application.
  • the switching device 800 includes: a processor 810 and a transceiver 820.
  • the processor 810 is coupled to the memory and is configured to execute instructions stored in the memory to control the transceiver 820 to send signals and / or receive signals.
  • the switching device 800 further includes a memory 830 for storing instructions.
  • processor 810 and the memory 830 may be combined into a processing device, and the processor 810 is configured to execute program codes stored in the memory 830 to implement the foregoing functions.
  • the memory 830 may also be integrated in the processor 810, or be independent of the processor 810.
  • the transceiver 820 may include a receiver (or receiver) and a transmitter (or transmitter).
  • the transceiver may further include antennas, and the number of antennas may be one or more.
  • the switching device 800 may be the UE in the foregoing method embodiment, or may be a chip used to implement the functions of the UE in the foregoing method embodiment.
  • the switching device 800 may correspond to the UE in the methods 400 to 600 according to the embodiment of the present application, and the switching device 800 may include modules for performing the method performed by the UE in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 800 and the other operations and / or functions described above are respectively for implementing the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 800 may be the mobility management entity in the foregoing method embodiment, or may be a chip used to implement the functions of the mobility management entity in the foregoing method embodiment.
  • the switching device 800 may correspond to the mobility management entity in the methods 400 to 600 according to the embodiment of the present application.
  • the switching device 800 may include modules for performing the method performed by the mobility management entity in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each unit in the switching device 800 and the other operations and / or functions described above are respectively used to implement corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 800 may be the access and mobility management network element in the foregoing method embodiment, or may be a chip used to implement the functions of the access and mobility management network element in the foregoing method embodiment.
  • the switching device 800 may correspond to the access and mobility management network elements in the methods 400 to 600 according to the embodiments of the present application.
  • the switching device 800 may include modules for performing the method performed by the access and mobility management network element in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 800 and the other operations and / or functions described above are respectively for implementing the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the above method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 800 may be the mobile switching center in the foregoing method embodiment, or may be a chip used to implement the functions of the mobile switching center in the foregoing method embodiment.
  • the switching device 800 may correspond to the mobile switching center in the methods 400 to 600 according to the embodiment of the present application, and the switching device 800 may include modules for performing the method performed by the mobile switching center in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 800 and the other operations and / or functions described above are respectively for implementing the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the switching device 800 may be the wireless network subsystem network element in the foregoing method embodiment, or may be a chip used to implement the functions of the wireless network subsystem network element in the foregoing method embodiment.
  • the switching device 800 may correspond to the wireless network subsystem network element in the methods 400 to 600 according to the embodiment of the present application, and the switching device 800 may include modules for performing the method performed by the wireless network subsystem network element in the method 400 in FIG. 4 to the method 600 in FIG. 6.
  • each module in the switching device 800 and the other operations and / or functions described above are respectively for implementing the corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.
  • the present application also provides a computer program product, the computer program product including computer program code which, when run on a computer, causes the computer to execute the switching method of any one of the embodiments shown in FIG. 4 to FIG. 6.
  • the present application further provides a computer-readable medium, where the computer-readable medium stores program code which, when run on a computer, causes the computer to execute the switching method of any one of the embodiments shown in FIG. 4 to FIG. 6.
  • the present application further provides a system including the foregoing UE, a mobility management entity, an access and mobility management network element, a mobile switching center, and a wireless network subsystem network element.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be from a website site, computer, server, or data center Transmission by wire (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) to another website site, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, and the like that includes one or more available medium integration.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (solid state disk, SSD)) and so on.
  • Each network element in each of the foregoing device embodiments may completely correspond to each network element in the method embodiment, and the corresponding module or unit performs the corresponding steps, for example, the transceiver unit (transceiver) performs the steps of receiving or sending in the method embodiment.
  • the steps other than sending and receiving can be performed by a processing unit (processor).
  • For the function of each specific unit, refer to the corresponding method embodiment. There may be one or more processors.
  • “At least one” means one or more, and “multiple” means two or more.
  • “And / or” describes the association relationship of related objects, and indicates that there can be three kinds of relationships. For example, A and / or B can indicate: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural. The character “/” generally indicates that the related objects are an "or” relationship. "At least one or more of the following” or similar expressions refers to any combination of these items, including any combination of single or plural items.
  • At least one or more of a, b, or c may represent: a, or b, or c, or a and b, or a and c, or b and c, or a, b, and c, where a, b, or c may be single or multiple.
  • “One embodiment” or “an embodiment” mentioned throughout the specification means that a particular feature, structure, or characteristic related to the embodiment is included in at least one embodiment of the present application.
  • the appearances of "in one embodiment” or “in an embodiment” appearing throughout the specification are not necessarily referring to the same embodiment.
  • the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the size of the sequence numbers of the above processes does not mean the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • module may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and / or a computer.
  • an application running on a computing device and a computing device can be components.
  • One or more components can reside within a process and / or thread of execution, and a component can be localized on one computer and / or distributed between 2 or more computers.
  • these components can execute from various computer readable media having various data structures stored thereon.
  • a component may, for example, communicate via local and / or remote processes based on a signal having one or more data packets (e.g., data from two components that interact with another component in a local system, in a distributed system, and / or across a network, such as the Internet, that interacts with other systems through signals).
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, the indirect coupling or communication connection of the device or unit, and may be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each of the units may exist separately physically, or two or more units may be integrated into one unit.
  • the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of this application is essentially a part that contributes to the existing technology or a part of the technical solution can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application.
  • the aforementioned storage media include: U disks, mobile hard disks, read-only memories (ROMs), random access memories (RAMs), magnetic disks or compact discs and other media that can store program codes .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a switching method and a terminal device. The switching method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network. The method comprises: a terminal device receives first information, the first information comprising indication information instructing the terminal device to switch from a first network to a second network; if the terminal device stores a security context of a third network and that security context is a native security context, the terminal device deletes the security context of the first network and sets the security context of the third network as the currently used security context; and the terminal device sends, to a mobility management entity in the second network, tracking area update (TAU) request information protected by the security context of the third network. The switching method of embodiments of the present application can prevent the leakage of security contexts, thereby ensuring the security of network communications and improving user experience.

Description

Switching method and terminal device

This application claims priority to Chinese Patent Application No. 201811077476.X, filed with the Chinese Patent Office on September 15, 2018 and entitled "Switching method and terminal device", which is incorporated herein by reference in its entirety.

Technical field

This application relates to the communications field, and more specifically, to a handover method and a terminal device.

Background

Voice over new radio (VoNR) is a technology that carries voice over the fifth generation (5G) new radio. In the early stage of 5G network deployment, VoNR coverage faces the same problem as voice over long term evolution (VoLTE): if a user in a VoNR call moves into an area with only circuit switched (CS) coverage, it is still necessary to ensure that the call is not interrupted.

The standards define 5G single radio voice call continuity (SRVCC), which handles handover between a 5G network and a third generation (3G) network and thereby ensures that the call is not interrupted. Because a 3G network cannot provide the high-speed data transmission of a 5G network, if the user remains on the 3G network after the voice service on the 3G network has ended, the user experience is badly affected. Therefore, if the user's location has fourth generation (4G) or 5G coverage at that time, the user should be returned to the 4G or 5G network.

When the user is instructed to return to the 4G network, the user derives a 4G security context from the 3G security context. Because the 3G network is less secure than the 4G network, the derived 4G security context is at risk of leaking: for example, the 4G security context may become known to the 3G network and then be obtained by an attacker. Moreover, if the user later returns to the 5G network, the 5G security context is derived from that 4G security context, so the insecurity of the 3G network spreads to the 5G network and seriously harms the security of network communication.

Summary

This application provides a handover method and a terminal device, to prevent the 4G security context from being leaked and thereby compromising the security of the 5G network, and to improve the security of network communication.

According to a first aspect, a handover method is provided. The method applies to a scenario in which a terminal device hands over from a third network to a first network and then returns to a second network. The method includes: the terminal device receives first information, where the first information includes indication information instructing the terminal device to hand over from the first network to the second network; when a native security context of the third network exists on the terminal device, the terminal device sets the security context of the third network as the currently used security context; and the terminal device sends, to a mobility management entity in the second network, tracking area update (TAU) request information protected by the security context of the third network.

Based on the above technical solution, when the terminal device hands over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), the security key of the second network can be derived from the security context of the third network (for example, a 5G network). By state, the security contexts on the terminal device can be divided into at least a currently used security context and non-currently used security contexts. While the terminal device is camped on the first network, the security context of the first network is the currently used security context. After the terminal device receives the indication to hand over to the second network, if the security context of the second network were derived from the security context of the first network, the weak security of the first network could cause the security context of the second network to leak. Therefore, this application proposes that the currently used security context can be changed, for example by setting the security context of the third network as the currently used security context, and that the security key of the second network can then be derived from the security context of the third network, which improves security and user experience. In addition, the terminal device uses the currently used security context (the security context of the third network), rather than a mapped 4G security context derived from the 3G security context, to protect the TAU request message subsequently sent to the mobility management entity. This prevents Kasme from leaking, ensures the security of the 5G network, and improves the security of network communication.

With reference to the first aspect, in some implementations of the first aspect, after the terminal device receives the first information, the method further includes: the terminal device deletes the security context of the first network.

Based on the above technical solution, the terminal device first deletes the security context of the first network (for example, a 2G/3G network) and then sets the security context of the third network (for example, a 5G network) as the currently used security context. This further ensures that the terminal device uses the security context of the third network when deriving the security context of the second network (for example, a 4G network), which in turn ensures the security of the security context of the second network.

With reference to the first aspect, in some implementations of the first aspect, the tracking area update request information includes a fourth generation (4G) globally unique temporary terminal device identifier mapped from a fifth generation (5G) globally unique temporary terminal device identifier, and a key set identifier.

With reference to the first aspect, in some implementations of the first aspect, the first information is radio resource control (RRC) release information.

With reference to the first aspect, in some implementations of the first aspect, the method further includes: when no native security context of the third network exists on the terminal device, the terminal device deletes the security context of the first network; and the terminal device sends, to the mobility management entity, tracking area update request information without integrity protection, so that the mobility management entity performs a re-authentication procedure.

Based on the above technical solution, if no native 5G (that is, third network) security context is stored, or the native 5G security context is unavailable, the currently used 3G (that is, first network) security context is deleted and tracking area update request information without integrity protection is sent to the mobility management entity, so that the mobility management entity performs a re-authentication procedure to establish a 4G security context.

With reference to the first aspect, in some implementations of the first aspect, the first network is a third generation (3G)/second generation (2G) network, the second network is a fourth generation (4G) network, and the third network is a fifth generation (5G) network.
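The terminal-side decision of the first aspect, modelled in Python as an added example that is not code from the patent or from any 3GPP implementation: the 3G context is deleted, a native 5G context (if present) becomes the currently used context and protects the TAU request, otherwise an unprotected TAU request triggers re-authentication. Key derivation is stood in for by HMAC-SHA256 labels, the sample keys are constructed, and the mapped-GUTI body is a placeholder; the `recomputable_from_3g` check illustrates why the prior-art mapped 4G context is the leak the text describes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Network roles as used in the patent text: first = 2G/3G, second = 4G, third = 5G.
FIRST, SECOND, THIRD = "2G/3G", "4G", "5G"


@dataclass
class SecurityContext:
    network: str   # network the context belongs to
    kind: str      # "native" (from an authentication run) or "mapped" (derived at handover)
    key: bytes     # stand-in for the root key (Kamf, Kasme or CK||IK); constructed sample
    ksi: int = 0   # key set identifier carried in NAS messages


@dataclass
class Terminal:
    contexts: Dict[str, SecurityContext] = field(default_factory=dict)
    current: Optional[str] = None   # network whose context is the "currently used" one

    def native_context(self, network: str) -> Optional[SecurityContext]:
        ctx = self.contexts.get(network)
        return ctx if ctx is not None and ctx.kind == "native" else None


def kdf(key: bytes, label: str) -> bytes:
    """Toy key derivation (HMAC-SHA256 over a label); stands in for the 3GPP KDFs."""
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


def mapped_4g_from_3g(ctx_3g: SecurityContext) -> SecurityContext:
    """Prior-art path: a mapped 4G context whose Kasme is a function of the 3G keys
    alone, so any party holding the 3G keys can recompute it."""
    return SecurityContext(SECOND, "mapped", kdf(ctx_3g.key, "mapped-Kasme"), ctx_3g.ksi)


def recomputable_from_3g(candidate_key: bytes, ctx_3g: SecurityContext) -> bool:
    """Risk check: could a holder of the 3G keys reproduce this 4G root key?"""
    return hmac.compare_digest(candidate_key, kdf(ctx_3g.key, "mapped-Kasme"))


def integrity_protect(ctx: SecurityContext, message: bytes) -> bytes:
    """Toy NAS integrity tag computed with an integrity key derived from `ctx`."""
    k_nas_int = kdf(ctx.key, "NAS-int")
    return hmac.new(k_nas_int, message, hashlib.sha256).digest()[:4]


def handle_rrc_release_to_4g(ue: Terminal) -> dict:
    """Terminal-side handling of the first information (RRC release instructing a move
    from the first network to the second network). Returns the TAU request to send."""
    native_5g = ue.native_context(THIRD)
    # In both branches the first-network (2G/3G) context is deleted first.
    ue.contexts.pop(FIRST, None)
    # The TAU request carries the 4G GUTI mapped from the 5G GUTI (placeholder body).
    body = b"TAU-REQUEST|4G-GUTI-mapped-from-5G-GUTI"
    if native_5g is not None:
        # Make the native 5G context the currently used one and protect the TAU request
        # with it; nothing is derived from the 3G context, so Kasme cannot leak via 3G.
        ue.current = THIRD
        return {"body": body, "ksi": native_5g.ksi, "protected_by": THIRD,
                "mac": integrity_protect(native_5g, body)}
    # No usable native 5G context: send the TAU request without integrity protection,
    # which makes the MME run re-authentication and establish a fresh 4G context.
    ue.current = None
    return {"body": body, "ksi": None, "protected_by": None, "mac": None}


if __name__ == "__main__":
    # Constructed sample keys; real ones come from the authentication procedure.
    ue = Terminal(contexts={FIRST: SecurityContext(FIRST, "mapped", b"ck-ik-sample-key", 3),
                            THIRD: SecurityContext(THIRD, "native", b"kamf-sample-key", 5)},
                  current=FIRST)
    req = handle_rrc_release_to_4g(ue)
    print("TAU protected by:", req["protected_by"], "KSI:", req["ksi"])
```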

According to a second aspect, a handover method is provided. The method applies to a scenario in which a terminal device hands over from a third network to a first network and then returns to a second network. The method includes: during the handover of the terminal device from the third network to the first network, a mobility management entity obtains and stores a security context of the second network; and when the terminal device hands over from the first network to the second network, the mobility management entity protects communication with the terminal device using the security context of the second network.

Based on the above technical solution, when the terminal device hands over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), the security context of the second network obtained during the handover of the terminal device from the third network (for example, a 5G network) to the first network can be fully reused, which avoids the re-authentication procedure when handing over from the first network back to the second network. Before the terminal device hands over from the first network to the second network, it handed over from the third network to the first network, and during that handover the security context of the second network is derived from the security context of the third network, and the security context of the first network is in turn derived from the security context of the second network, so that the terminal device can hand over from the third network to the first network. This application reuses the security context of the second network obtained by the terminal device during the handover from the third network to the first network: the mobility management entity uses that security context of the second network to protect communication with the terminal device, which avoids the delay caused by establishing a re-authentication procedure when the terminal device hands over from the first network to the second network and improves user experience.

With reference to the second aspect, in some implementations of the second aspect, the security context of the second network includes a root key of the second network and a security algorithm of the second network. That the mobility management entity obtains and stores the security context of the second network during the handover of the terminal device from the third network to the first network includes: during the handover of the terminal device from the third network to the first network, the mobility management entity receives first request information from an access and mobility management network element, where the first request information includes single radio voice call continuity (SRVCC) handover indication information and the root key of the second network; the mobility management entity selects the security algorithm of the second network for the terminal according to a preset policy; and the mobility management entity determines, according to the SRVCC handover indication information, to store the root key of the second network and the security algorithm of the second network.

Based on the above technical solution, before the terminal device hands over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), it handed over from the third network (for example, a 5G network) to the first network, and during that handover the root key of the second network is derived from the root key of the third network, and the security key of the first network is in turn derived from the root key of the second network, so that the terminal device can hand over from the third network to the first network. In the prior art, after deriving the security key of the first network, the mobility management entity neither stores the root key of the second network nor selects and stores the security algorithm of the second network. In this application, when the terminal device hands over from the first network to the second network, the mobility management entity has, according to the received SRVCC handover indication, stored the root key of the second network obtained during the handover of the terminal device from the third network to the first network. In addition, the mobility management entity also selects and stores the security algorithm of the second network, which avoids the delay caused by establishing a re-authentication procedure when the terminal device hands over from the first network to the second network and improves user experience.

With reference to the second aspect, in some implementations of the second aspect, the method further includes: during the handover of the terminal device from the third network to the first network, the mobility management entity sends the security algorithm of the second network to the terminal device.

Based on the above technical solution, when the terminal device hands over from the first network to the second network, the mobility management entity sends the stored security algorithm of the second network to the terminal device, so that the terminal device can derive, from the security algorithm of the second network and the root key of the second network, the security key it uses in the second network. That security key can protect communication between the mobility management entity and the terminal device.

With reference to the second aspect, in some implementations of the second aspect, the method further includes: the mobility management entity sends the security algorithm of the second network to a mobile switching center in the first network, so that the terminal device can obtain the security algorithm of the second network when handing over from the first network to the second network.

Based on the above technical solution, before the terminal device hands over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), it handed over from the third network (for example, a 5G network) to the first network, and during that handover the mobility management entity selects and stores the security algorithm of the second network based on the SRVCC handover indication information from the access and mobility management network element. The mobility management entity sends the selected security algorithm of the second network to the mobile switching center, so that when the terminal device needs to hand over from the first network to the second network it can obtain the security algorithm of the second network from the mobile switching center, which avoids establishing a re-authentication procedure and improves user experience.

With reference to the second aspect, in some implementations of the second aspect, the preset policy includes at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirements of the service, and a security capability priority list of the mobility management entity.

Based on the above technical solution, the preset policy may include the security capability of the terminal device, that is, the mobility management entity selects the security algorithm of the second network based on the security capability of the terminal device (for example, the security algorithms supported by the terminal device). The preset policy may also include the security capability of the mobility management entity itself, that is, the mobility management entity selects the security algorithm of the second network based on its own security capability (for example, the security algorithms it supports). Alternatively, the preset policy may include a security capability priority list: for example, the mobility management entity determines the security algorithms supported by both the terminal device and itself, and then selects the algorithm with the highest security strength or the highest priority as the security algorithm of the second network.

With reference to the second aspect, in some implementations of the second aspect, the first network is a third generation (3G)/second generation (2G) network, the second network is a fourth generation (4G) network, and the third network is a fifth generation (5G) network.

According to a third aspect, a handover method is provided. The method applies to a scenario in which a terminal device hands over from a third network to a first network and then returns to a second network. The method includes: the terminal device receives first information, where the first information includes indication information instructing the terminal device to hand over from the first network to the second network; and the terminal device derives, from a root key of the second network and a security algorithm of the second network, a security key the terminal device uses in the second network, where the root key of the second network was stored when the terminal device handed over from the third network to the first network, or the root key of the second network is derived from a root key of the third network.

Based on the above technical solution, when the terminal device hands over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), it can reuse the root key of the second network stored during its handover from the third network (for example, a 5G network) to the first network, or derive the root key of the second network from the root key of the third network. The terminal device then derives the security key of the second network from that root key and the security algorithm of the second network, which avoids the delay caused by establishing a re-authentication procedure when handing over from the first network to the second network and improves user experience.

With reference to the third aspect, in some implementations of the third aspect, the security algorithm of the second network is selected by a mobility management entity during the handover of the terminal device from the third network to the first network; and before the terminal device receives the first information, the method includes: the terminal device receives and stores the security algorithm of the second network from the mobility management entity.

Based on the above technical solution, during the handover from the third network (for example, a 5G network) to the first network (for example, a 2G/3G network), the terminal device obtains and stores the security algorithm of the second network (for example, a 4G network) from the mobility management entity, so that during the handover from the first network to the second network the terminal device can directly use the stored security algorithm of the second network, which further reduces delay and improves user experience.

With reference to the third aspect, in some implementations of the third aspect, the first information includes the security algorithm of the second network.

Based on the above technical solution, when the terminal device is instructed to hand over from the first network (for example, a 2G/3G network) to the second network (for example, a 4G network), the security algorithm of the second network is also sent to the terminal device, so that the terminal device can derive the security key of the second network from the root key of the second network and the security algorithm of the second network.

With reference to the third aspect, in some implementations of the third aspect, the first network is a third generation (3G)/second generation (2G) network, the second network is a fourth generation (4G) network, and the third network is a fifth generation (5G) network.
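The mobility-management-entity side of the second aspect and the terminal-side derivation of the third aspect, as an added Python model that is not code from the patent or from any MME product: on the SRVCC-indicated request from the AMF the MME selects the 4G algorithms by its preset priority list intersected with the terminal's capability, stores the 4G root key together with the selected algorithms, and returns them towards the terminal; when the terminal later sends a TAU request from 2G/3G, a stored context is reused instead of re-authentication. The algorithm names (EIA/EEA identifiers), the HMAC-based key derivation and all sample keys are illustrative stand-ins, not the 3GPP KDFs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class StoredEpsContext:
    root_key: bytes      # 4G root key handed over by the AMF (constructed sample bytes)
    integrity_alg: str   # selected 4G NAS integrity algorithm
    ciphering_alg: str   # selected 4G NAS ciphering algorithm


def derive_nas_keys(root_key: bytes, integrity_alg: str, ciphering_alg: str) -> Tuple[bytes, bytes]:
    """Toy stand-in for the KDF binding the NAS keys to the root key and algorithm ids.
    Both the MME and the terminal run this on the same inputs, so their keys agree."""
    k_int = hmac.new(root_key, b"NAS-int|" + integrity_alg.encode(), hashlib.sha256).digest()
    k_enc = hmac.new(root_key, b"NAS-enc|" + ciphering_alg.encode(), hashlib.sha256).digest()
    return k_int, k_enc


class MobilityManagementEntity:
    def __init__(self, integrity_priority: List[str], ciphering_priority: List[str]):
        # Preset policy: the MME's own capabilities, ordered from most to least preferred.
        self.integrity_priority = integrity_priority
        self.ciphering_priority = ciphering_priority
        self.stored: Dict[str, StoredEpsContext] = {}

    def select_algorithms(self, ue_integrity: Set[str], ue_ciphering: Set[str]) -> Tuple[str, str]:
        """Highest-priority algorithms supported by both the terminal and the MME."""
        integrity = next((a for a in self.integrity_priority if a in ue_integrity), None)
        ciphering = next((a for a in self.ciphering_priority if a in ue_ciphering), None)
        if integrity is None or ciphering is None:
            raise ValueError("no security algorithm supported by both terminal and MME")
        return integrity, ciphering

    def on_forward_relocation(self, ue_id: str, request: dict) -> dict:
        """First request information from the AMF during the 5G -> 2G/3G handover."""
        integrity, ciphering = self.select_algorithms(request["ue_integrity"], request["ue_ciphering"])
        if request.get("srvcc_indication"):
            # SRVCC indication: keep the 4G root key and the selected algorithms so the
            # return from 2G/3G to 4G can reuse them instead of re-authenticating.
            self.stored[ue_id] = StoredEpsContext(request["root_key"], integrity, ciphering)
        # The selected algorithms go towards the terminal (directly or via the MSC).
        return {"eps_integrity_alg": integrity, "eps_ciphering_alg": ciphering}

    def on_tau_request(self, ue_id: str) -> dict:
        """Terminal returns from 2G/3G to 4G: reuse the stored context or re-authenticate."""
        ctx = self.stored.get(ue_id)
        if ctx is None:
            return {"action": "re-authenticate"}
        k_int, k_enc = derive_nas_keys(ctx.root_key, ctx.integrity_alg, ctx.ciphering_alg)
        return {"action": "reuse-stored-context", "k_nas_int": k_int, "k_nas_enc": k_enc}


@dataclass
class TerminalEpsState:
    """What the terminal keeps from the 5G -> 2G/3G handover (third aspect)."""
    root_key: Optional[bytes] = None
    integrity_alg: Optional[str] = None
    ciphering_alg: Optional[str] = None

    def on_handover_command(self, root_key: bytes, algs: dict) -> None:
        # Store the 4G root key and the algorithms received from the MME.
        self.root_key = root_key
        self.integrity_alg = algs["eps_integrity_alg"]
        self.ciphering_alg = algs["eps_ciphering_alg"]

    def derive_keys(self) -> Tuple[bytes, bytes]:
        if self.root_key is None or self.integrity_alg is None or self.ciphering_alg is None:
            raise ValueError("no stored 4G root key or algorithm; re-authentication needed")
        return derive_nas_keys(self.root_key, self.integrity_alg, self.ciphering_alg)
```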

According to a fourth aspect, a handover method is provided. The method applies to a scenario in which a terminal device hands over from a third network to a first network and then returns to a second network. The method includes: a mobility management entity receives first information and a root key of the second network from an access and mobility management network element, where the root key of the second network is used to derive a security key the terminal device uses in the first network, and the first information is used to instruct the terminal device to hand over from the third network to the first network; the mobility management entity selects and stores a security algorithm of the second network; and the mobility management entity sends the security algorithm of the second network to the terminal device.

Based on the above technical features, when the terminal device hands over from the third network (for example, a 5G network) to the first network (for example, a 2G/3G network), the mobility management entity can select and store the security algorithm of the second network (for example, a 4G network) based on a preset policy and send that security algorithm to the terminal device. In this way, when the terminal device needs to hand over from the first network to the second network it can directly use the security algorithm of the second network, which reduces the delay caused by the handover and improves user experience.

With reference to the fourth aspect, in some implementations of the fourth aspect, the first information includes single radio voice call continuity (SRVCC) handover indication information, and the mobility management entity determines, according to the SRVCC handover indication information, to store the root key of the second network.

Based on the above technical features, when the terminal device needs to hand over from the first network to the second network it can directly use the root key of the second network, which further reduces delay.

With reference to the fourth aspect, in some implementations of the fourth aspect, the preset policy includes at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirements of the service, and a security capability priority list of the mobility management entity.

With reference to the fourth aspect, in some implementations of the fourth aspect, the first network is a third generation (3G)/second generation (2G) network, the second network is a fourth generation (4G) network, and the third network is a fifth generation (5G) network.

According to a fifth aspect, a handover method is provided. The method applies to a scenario in which a terminal device hands over from a third network to a first network and then returns to a second network. The method includes: during the handover of the terminal device from the third network to the first network, the terminal device receives and stores a security algorithm of the second network from a mobility management entity; the terminal device receives first information, where the first information includes indication information instructing the terminal device to hand over from the first network to the second network and further includes a network identifier of the second network; and the terminal device derives, from the security algorithm of the second network and a root key of the second network, a security key the terminal device uses in the second network.

基于上述技术特征,终端设备从第三网络(如5G网络)向第一网络(如2G/3G网络)切换时,移动性管理实体可以选择并保存第二网络(如4G网络)的安全算法,并将该第二网络的安全算法发送至终端设备。这样,终端设备需要从第一网络切换至第二网络时可以直接使用该第二网络的安全算法,降低了切换带来的时延,提高了用户体验。Based on the above technical characteristics, when a terminal device switches from a third network (such as a 5G network) to a first network (such as a 2G / 3G network), the mobility management entity may select and save a security algorithm of the second network (such as a 4G network) And sending the security algorithm of the second network to the terminal device. In this way, when the terminal device needs to switch from the first network to the second network, the security algorithm of the second network can be directly used, which reduces the delay caused by the switching and improves the user experience.

结合第五方面,在第五方面的某些实现方式中,所述第二网络的根密钥是在所述终端设备从第三网络切换至第一网络的过程中保存的。With reference to the fifth aspect, in some implementation manners of the fifth aspect, the root key of the second network is stored during a process in which the terminal device switches from the third network to the first network.

基于上述技术特征,终端设备需要从第一网络切换至第二网络时可以直接使用该第二 网络的根密钥,可以进一步降低时延。Based on the above technical characteristics, when the terminal device needs to switch from the first network to the second network, it can directly use the root key of the second network, which can further reduce the delay.

结合第五方面,在第五方面的某些实现方式中,所述终端设备根据所述第二网络的安全算法和所述第二网络的根密钥推演出所述终端设备在所述第二网络使用的安全密钥之前,包括:所述终端设备根据所述第三网络的根密钥,推演出所述第二网络的根密钥。With reference to the fifth aspect, in some implementation manners of the fifth aspect, the terminal device derives that the terminal device is in the second network according to a security algorithm of the second network and a root key of the second network. Before the security key used by the network, the terminal device derives a root key of the second network according to the root key of the third network.

基于上述技术特征,终端设备需要从第一网络切换至第二网络时可以使用保存的第一网络的根密钥推演出第二网络的根密钥,然后再利用该第二网络的根密钥和第二网络的安全算法推演出第二网络的安全密钥,进而避免重鉴权,提高用户体验。Based on the above technical characteristics, when the terminal device needs to switch from the first network to the second network, it can use the saved root key of the first network to derive the root key of the second network, and then use the root key of the second network. And the security algorithm of the second network deduces the security key of the second network, thereby avoiding re-authentication and improving the user experience.

结合第五方面,在第五方面的某些实现方式中,所述第一网络为第三代3G/第二代2G网络,所述第二网络为第四代4G网络,所述第三网络为第五代5G网络With reference to the fifth aspect, in some implementations of the fifth aspect, the first network is a third-generation 3G / second-generation 2G network, the second network is a fourth-generation 4G network, and the third network For the fifth generation 5G network

According to a sixth aspect, a handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network, and includes: the terminal device receives first information, which includes indication information instructing the terminal device to switch from the first network to the second network and further includes a network identifier of the second network and a security algorithm of the second network; and the terminal device derives, from the security algorithm of the second network and the root key of the second network, the security key that the terminal device uses in the second network.

Based on the above technical features, when the terminal device needs to switch from the first network (for example a 2G/3G network) to the second network (for example a 4G network), the radio network subsystem sends the terminal device first information (for example a radio resource control (RRC) release message) instructing the terminal device to switch from the first network to the second network. The first information also carries the security algorithm of the second network, so the terminal device can use that algorithm directly and go on to derive the security key of the second network, which reduces the handover delay and improves the user experience.

With reference to the sixth aspect, in some implementations of the sixth aspect, the root key of the second network is saved during the handover of the terminal device from the third network to the first network.

Based on the above technical features, when the terminal device switches from the first network to the second network it can use the saved root key of the second network directly, which further reduces the delay.

With reference to the sixth aspect, in some implementations of the sixth aspect, before the terminal device derives, from the security algorithm of the second network and the root key of the second network, the security key used in the second network, the method includes: the terminal device derives the root key of the second network from the root key of the third network.

Based on the above technical features, when the terminal device needs to switch from the first network to the second network it can derive the root key of the second network from the root key of the third network that it has saved, and then derive the security key of the second network from that root key and the security algorithm of the second network. Re-authentication is thereby avoided and the user experience improves.

With reference to the sixth aspect, in some implementations of the sixth aspect, the security algorithm of the second network is selected by the mobility management entity during the handover of the terminal device from the third network to the first network.

With reference to the sixth aspect, in some implementations of the sixth aspect, the first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
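The key handling that the fifth and sixth aspects describe on the terminal-device side can be made concrete. The following is an added example, not code from the patent or from its applicant: it models what the terminal device saves during the 5G -> 2G/3G handover and how the return to 4G then derives the second-network keys from the saved (or freshly derived) root key plus the selected algorithm, without re-authentication. The KDF layout (HMAC-SHA-256 over FC || P0 || L0 || ...) mirrors the 3GPP generic KDF, but the FC values, the use of the downlink NAS COUNT as an input, the algorithm identities and the key names K_AMF, K_ASME', K_NASenc and K_NASint are illustrative assumptions, and the sample root key is constructed.

```python
"""Added example (not from the patent): the terminal-device side of the fifth and
sixth aspects, i.e. what is saved during a 5G -> 2G/3G handover so that a later
return to 4G can derive NAS keys without re-authentication.

Assumptions: the KDF is HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (3GPP
generic KDF layout); the FC values, the downlink NAS COUNT input and the key
names (K_AMF, K_ASME', K_NASenc, K_NASint) are illustrative, not from the patent."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Algorithm identities (4-bit values); the set is illustrative.
EEA: Dict[str, int] = {"EEA0": 0, "128-EEA1": 1, "128-EEA2": 2, "128-EEA3": 3}
EIA: Dict[str, int] = {"EIA0": 0, "128-EIA1": 1, "128-EIA2": 2, "128-EIA3": 3}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_network_root_key(k_amf: bytes, dl_nas_count: int) -> bytes:
    """Third-network root key -> second-network root key (K_AMF -> K_ASME').
    Binding the downlink NAS COUNT keeps each mapped key fresh; FC 0x76 is illustrative."""
    return kdf(k_amf, 0x76, dl_nas_count.to_bytes(4, "big"))


def derive_second_network_keys(k_asme: bytes, enc_alg: str, int_alg: str) -> Tuple[bytes, bytes]:
    """Second-network root key + selected algorithms -> 128-bit NAS ciphering and integrity keys.
    P0 distinguishes the key type (0x01 ciphering, 0x02 integrity), P1 is the algorithm identity."""
    k_nas_enc = kdf(k_asme, 0x15, b"\x01", bytes([EEA[enc_alg]]))[16:]
    k_nas_int = kdf(k_asme, 0x15, b"\x02", bytes([EIA[int_alg]]))[16:]
    return k_nas_enc, k_nas_int


@dataclass
class TerminalDevice:
    k_amf: bytes                                  # root key of the third (5G) network
    saved_k_asme: Optional[bytes] = None          # root key of the second (4G) network, if saved
    saved_algs: Optional[Tuple[str, str]] = None  # (ciphering, integrity) received from the MME

    def handover_third_to_first(self, dl_nas_count: int,
                                algs_from_mme: Optional[Tuple[str, str]],
                                save_root_key: bool = True) -> None:
        """5G -> 2G/3G handover: keep what a later return to 4G will need."""
        self.saved_algs = algs_from_mme
        self.saved_k_asme = (derive_second_network_root_key(self.k_amf, dl_nas_count)
                             if save_root_key else None)

    def return_to_second(self, first_information: dict) -> Tuple[bytes, bytes]:
        """2G/3G -> 4G: first_information carries the indication and the network identifier,
        and (sixth aspect) optionally the second-network algorithms themselves."""
        if first_information.get("target") != "4G":
            raise ValueError("first information does not indicate a switch to the second network")
        algs = first_information.get("algorithms") or self.saved_algs
        if algs is None:
            # Neither saved nor delivered: the shortcut is unavailable, re-authenticate instead.
            raise ValueError("no second-network security algorithm available")
        k_asme = self.saved_k_asme
        if k_asme is None:
            # Root key not saved: derive it from the third-network root key now.
            k_asme = derive_second_network_root_key(self.k_amf, first_information["dl_nas_count"])
        return derive_second_network_keys(k_asme, *algs)


def network_side_keys(k_amf: bytes, dl_nas_count: int, algs: Tuple[str, str]) -> Tuple[bytes, bytes]:
    """What the MME holds after the 5G -> 2G/3G handover (constructed here for comparison)."""
    return derive_second_network_keys(derive_second_network_root_key(k_amf, dl_nas_count), *algs)


def demo() -> bool:
    """Both aspects must land on the same keys as the network side."""
    k_amf = bytes(range(32))       # constructed sample; a real K_AMF is 256 random bits
    algs = ("128-EEA2", "128-EIA2")
    expected = network_side_keys(k_amf, 7, algs)

    # Fifth aspect: algorithms delivered during the 5G -> 2G/3G handover, root key saved.
    ue = TerminalDevice(k_amf)
    ue.handover_third_to_first(7, algs)
    fifth = ue.return_to_second({"target": "4G", "network_id": "plmn-a"})

    # Sixth aspect: algorithms carried in the first information, root key derived on return.
    ue = TerminalDevice(k_amf)
    ue.handover_third_to_first(7, None, save_root_key=False)
    sixth = ue.return_to_second({"target": "4G", "network_id": "plmn-a",
                                 "algorithms": algs, "dl_nas_count": 7})
    return fifth == expected and sixth == expected
```

The point the example makes explicit is the failure mode the aspects leave implicit: if neither a saved nor a delivered algorithm is available, the terminal device cannot take the shortcut and must fall back to re-authentication rather than guess an algorithm, and the saved root key must be bound to a counter so that a replayed handover cannot reuse old keys.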

According to a seventh aspect, a handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network, and includes: a mobility management entity receives, from an access and mobility management network element, first information and the root key of the second network, where the root key of the second network is used to derive the security key that the terminal device uses in the first network and the first information instructs the terminal device to switch from the third network to the first network; the mobility management entity selects and saves a security algorithm of the second network according to a preset policy; and the mobility management entity sends the security algorithm of the second network to the mobile switching center in the first network.

Based on the above technical features, when the terminal device switches from the third network (for example a 5G network) to the first network (for example a 2G/3G network), the mobility management entity can select and save the security algorithm of the second network (for example a 4G network) and send it to the mobile switching center. When the terminal device later needs to switch from the first network to the second network, the mobile switching center can forward the security algorithm of the second network to the terminal device, so the terminal device can use that algorithm directly, which reduces the delay caused by the handover and improves the user experience.

With reference to the seventh aspect, in some implementations of the seventh aspect, before the mobility management entity selects and saves the security algorithm of the second network, the method includes: the mobility management entity receives request information from the mobile switching center in the first network, the request information requesting the security algorithm of the second network.

Based on the above technical features, the mobile switching center requests the security algorithm of the second network from the mobility management entity only when the terminal device needs to switch from the first network to the second network, which further avoids wasting resources on an algorithm that is never used.

With reference to the seventh aspect, in some implementations of the seventh aspect, the preset policy takes into account at least one of the following factors: the security capability of the terminal device, the security capability of the mobility management entity, the security requirement of the service, and the security-capability priority list of the mobility management entity.

With reference to the seventh aspect, in some implementations of the seventh aspect, the first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.
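The seventh aspect lists the factors the preset policy may weigh but does not fix a selection rule. The following is an added example, not code from the patent or from its applicant, of one way a mobility management entity could combine those four factors: intersect the terminal device's and the MME's capabilities, walk the MME's priority list, and let the service's security requirement decide whether a null algorithm is acceptable. The factor names, the policy layout and the algorithm names are assumptions; the bidding-down check at the end is a practitioner's addition that the patent does not describe.

```python
"""Added example (not from the patent): applying the seventh aspect's preset policy
to select the second-network security algorithms. Factor names, policy layout and
algorithm names are illustrative assumptions."""
from typing import Any, Dict, List, Sequence, Tuple

NULL_ALGORITHMS = {"EEA0", "EIA0"}   # no confidentiality / no integrity


def select_algorithm(ue_capability: Sequence[str], mme_capability: Sequence[str],
                     mme_priority_list: Sequence[str], protection_required: bool) -> str:
    """Highest-priority algorithm supported by both the terminal device and the MME.
    A null algorithm is selectable only when the service's security requirement permits it;
    if nothing acceptable is common, fail closed rather than silently pick a null algorithm."""
    common = set(ue_capability) & set(mme_capability)
    for alg in mme_priority_list:
        if alg in common and not (protection_required and alg in NULL_ALGORITHMS):
            return alg
    raise ValueError("no acceptable algorithm supported by both sides")


def select_second_network_algorithms(ue_caps: Dict[str, List[str]],
                                     mme_caps: Dict[str, List[str]],
                                     policy: Dict[str, Any]) -> Tuple[str, str]:
    """Combine the four policy factors: terminal-device capability, MME capability,
    service security requirement, and the MME's security-capability priority list."""
    enc = select_algorithm(ue_caps["ciphering"], mme_caps["ciphering"],
                           policy["ciphering_priority"],
                           bool(policy["service_needs_confidentiality"]))
    # NAS integrity is never negotiated away here: protection is always required.
    integ = select_algorithm(ue_caps["integrity"], mme_caps["integrity"],
                             policy["integrity_priority"], True)
    return enc, integ


def capabilities_unchanged(sent_by_ue: Dict[str, List[str]],
                           echoed_by_mme: Dict[str, List[str]]) -> bool:
    """Bidding-down check (practitioner's addition, not in the patent): the terminal device
    compares the capabilities it announced with the copy the MME echoes back under
    integrity protection; a mismatch means an attacker stripped algorithms in transit."""
    return ({k: sorted(v) for k, v in sent_by_ue.items()}
            == {k: sorted(v) for k, v in echoed_by_mme.items()})
```

Constructed usage: a terminal device supporting EEA0/128-EEA1/128-EEA2 and an MME preferring 128-EEA3 over 128-EEA2 settle on 128-EEA2; a device that only offers EEA0 is rejected when the service needs confidentiality and accepted only when the policy explicitly relaxes that requirement.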

According to an eighth aspect, a handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network, and includes: the mobile switching center in the first network receives the security algorithm of the second network sent by a mobility management entity; and the mobile switching center in the first network sends the security algorithm of the second network to the radio network subsystem, so that the terminal device can obtain the security algorithm of the second network when it switches from the first network to the second network.

Based on the above technical features, when the terminal device needs to switch from the first network to the second network it can obtain the security algorithm of the second network directly from the radio network subsystem. That security algorithm may have been sent by the mobility management entity to the mobile switching center in advance.

With reference to the eighth aspect, in some implementations of the eighth aspect, before the mobile switching center in the first network receives the security algorithm of the second network sent by the mobility management entity, the method includes: the mobile switching center in the first network receives notification information from the radio network subsystem, the notification information notifying the mobile switching center to request the security algorithm of the second network from the mobility management entity.

Based on the above technical features, when the terminal device needs to switch from the first network to the second network, the radio network subsystem can notify the mobile switching center to request the security algorithm of the second network from the mobility management entity.

With reference to the eighth aspect, in some implementations of the eighth aspect, the first network is a third-generation (3G) or second-generation (2G) network and the second network is a fourth-generation (4G) network.

According to a ninth aspect, a handover method is provided. The method applies to a scenario in which a terminal device switches from a third network to a first network and then returns to a second network, and includes: a radio network subsystem receives the security algorithm of the second network from the mobile switching center in the first network; and the radio network subsystem sends the security algorithm of the second network to the terminal device, so that the terminal device derives the security key of the second network from the security algorithm of the second network and the root key of the second network.

Based on the above technical features, when the terminal device needs to switch from the first network to the second network it can obtain the security algorithm of the second network directly from the radio network subsystem. That security algorithm may have been sent by the mobility management entity to the mobile switching center in advance.

With reference to the ninth aspect, in some implementations of the ninth aspect, the security algorithm of the second network is selected by the mobility management entity during the handover of the terminal device from the third network to the first network.

Based on the above technical features, the mobility management entity can select and save the security algorithm of the second network while the terminal device is being handed over from the third network to the first network, so that when the terminal device needs to switch from the first network to the second network it can obtain the security algorithm of the second network directly from the radio network subsystem.

With reference to the ninth aspect, in some implementations of the ninth aspect, the first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.

According to a tenth aspect, a handover apparatus is provided, including modules or units for performing the method in any possible implementation of the first to ninth aspects.

According to an eleventh aspect, a handover device is provided, including a processor. The processor is coupled to a memory and can execute instructions in the memory to implement the method in any possible implementation of the first to ninth aspects. Optionally, the handover device further includes the memory. Optionally, the handover device further includes a communication interface to which the processor is coupled.

In one implementation, the handover device is a communication device, such as the terminal device, the mobility management entity, the access and mobility management network element, the mobile switching center, or the radio network subsystem network element in the embodiments of this application. When the handover device is a communication device, the communication interface may be a transceiver or an input/output interface.

In another implementation, the handover device is a chip configured in a communication device, such as a chip in the terminal device, the mobility management entity, the access and mobility management network element, the mobile switching center, or the radio network subsystem network element in the embodiments of this application. When the handover device is a chip configured in a communication device, the communication interface may be an input/output interface.

Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.

According to a twelfth aspect, a processor is provided, including an input circuit, an output circuit and a processing circuit. The processing circuit receives signals through the input circuit and transmits signals through the output circuit so that the processor performs the method in any possible implementation of the first to ninth aspects.

In a specific implementation, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops and other logic circuits. The signal received by the input circuit may be received and fed in by, for example but not limited to, a receiver; the signal output by the output circuit may be, for example but not limited to, passed to a transmitter and transmitted by it; and the input circuit and the output circuit may be the same circuit used as input circuit and output circuit at different times. The embodiments of this application do not limit how the processor and the circuits are implemented.

According to a thirteenth aspect, a processing apparatus is provided, including a processor and a memory. The processor reads instructions stored in the memory and may receive signals through a receiver and transmit signals through a transmitter in order to perform the method in any possible implementation of the first to ninth aspects.

Optionally, there are one or more processors and one or more memories.

Optionally, the memory may be integrated with the processor, or the memory may be provided separately from the processor.

In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM); it may be integrated on the same chip as the processor or placed on a separate chip. The embodiments of this application do not limit the type of memory or how the memory and the processor are arranged.

It should be understood that the related data exchanges, for example sending indication information, may be a process in which the processor outputs the indication information, and receiving capability information may be a process in which the processor receives capability information as input. Specifically, the data output by processing may be passed to the transmitter, and the input data received by the processor may come from the receiver. The transmitter and the receiver may be referred to collectively as a transceiver.

The processing apparatus in the thirteenth aspect may be a chip, and the processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit or the like; when implemented in software, the processor may be a general-purpose processor that works by reading software code stored in a memory, and that memory may be integrated in the processor or may be located outside the processor as an independent component.

According to a fourteenth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be called code or instructions) which, when run, causes a computer to perform the method in any possible implementation of the first to ninth aspects.

According to a fifteenth aspect, a computer-readable medium is provided. The computer-readable medium stores a computer program (which may also be called code or instructions) which, when run on a computer, causes the computer to perform the method in any possible implementation of the first to ninth aspects.

According to a sixteenth aspect, a communication system is provided, including the aforementioned terminal device, mobility management entity, access and mobility management network element, mobile switching center and radio network subsystem network element.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a network architecture to which the handover method provided by an embodiment of this application applies;

FIG. 2 is a schematic flowchart of an SRVCC handover by a terminal device to which an embodiment of this application applies;

FIG. 3 is another schematic flowchart of an SRVCC handover by a terminal device to which an embodiment of this application applies;

FIG. 4 is a schematic flowchart of a handover method according to an embodiment of this application;

FIG. 5 is another schematic flowchart of a handover method according to an embodiment of this application;

FIG. 6 is a schematic flowchart of a handover method according to another embodiment of this application;

FIG. 7 is a schematic block diagram of a handover apparatus according to an embodiment of this application;

FIG. 8 is a schematic block diagram of a handover device according to an embodiment of this application.

DETAILED DESCRIPTION

The technical solutions in this application are described below with reference to the drawings.

The technical solutions of the embodiments of this application can be applied to various communication systems, for example the global system for mobile communications (GSM), code division multiple access (CDMA) systems, wideband code division multiple access (WCDMA) systems, general packet radio service (GPRS), long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, the universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, future fifth-generation (5G) systems and new radio (NR).

It should be understood that the embodiments of this application do not specifically limit the structure of the entity that performs the provided method, as long as it can run a program recording the code of the method and thereby communicate according to the method. For example, the entity performing the method provided by the embodiments of this application may be a terminal or a network device, or a functional module in a terminal or network device that can invoke and execute the program.

为便于理解本申请实施例,首先结合图1详细说明适用于本申请实施例的应用场景。In order to facilitate understanding of the embodiments of the present application, an application scenario applicable to the embodiments of the present application will be described in detail with reference to FIG. 1 first.

图1是适用于本申请实施例提供的方法的网络架构的示意图。如图所示,网络架构例如可以是非漫游(non-roaming)架构。图1所示的网络架构具体可以包括下列网元:FIG. 1 is a schematic diagram of a network architecture applicable to the method provided by an embodiment of the present application. As shown, the network architecture may be, for example, a non-roaming architecture. The network architecture shown in FIG. 1 may specifically include the following network elements:

1、用户设备(user equipment,UE):可以称终端设备、终端、接入终端、用户单元、用户站、移动站、移动台、远方站、远程终端、移动设备、用户终端、无线通信设备、用户代理或用户装置。UE还可以是蜂窝电话、无绳电话、会话启动协议(session initiation protocol,SIP)电话、无线本地环路(wireless local loop,WLL)站、个人数字助理(personal digital assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备,未来5G网络中的终端设备或者未来演进的公用陆地移动通信网络(public land mobile network,PLMN)中的终端设备等,还可以是端设备,逻辑实体,智能设备,如手机,智能终端等终端设备,或者物联网(Internet of things,IoT)设备。本申请实施例对此并不限定。1. User equipment (UE): can be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, User agent or user device. The UE can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), and a wireless communication function. Handheld devices, computing devices, or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, terminal devices in the future 5G network, or terminals in the future evolved public land mobile network (PLMN) Devices, etc., may also be end devices, logical entities, smart devices such as mobile phones, smart terminals and other terminal devices, or Internet of Things (IoT) devices. This embodiment of the present application is not limited to this.

在本申请实施例中,UE会存储有安全密钥,UE会通过安全密钥来保护与网络设备之间的信令面和用户面数据传输,从而可以保证信令面和用户面数据传输的安全性。In the embodiment of the present application, the UE stores a security key, and the UE uses the security key to protect the signaling plane and user plane data transmission with the network device, so that the signaling plane and user plane data transmission can be guaranteed. safety.

2. Access network (AN): provides network access for authorized users in a specific area and can use transmission tunnels of different quality according to the user's level, service requirements, and so on. The access network may use different access technologies. There are currently two types of radio access technology: 3rd Generation Partnership Project (3GPP) access technology and non-3GPP access technology. 3GPP access technologies include, for example, the radio access network technology used in the 3rd generation (3G) system, the radio access network technology used in the 4th generation (4G) system, and the next generation radio access network (NG-RAN) technology in FIG. 1 (such as the radio access technology used in the 5G system). A 3GPP access technology is one that conforms to the 3GPP specifications; an access network using a 3GPP access technology is called a radio access network (RAN). The access network device in the 5G system is called a next generation Node Base station (gNB). A non-3GPP access technology is one that does not conform to the 3GPP specifications, for example the air interface technology represented by the access point (AP) in Wi-Fi.

An access network that implements the access network function on the basis of wireless communication technology may be referred to as a radio access network (RAN). The RAN manages radio resources, provides access services for the terminal, and forwards control signaling and user data between the terminal and the core network.

The radio access network may be, for example, a base station (NodeB), an evolved NodeB (eNB or eNodeB), a base station in a 5G mobile communication system (gNB), a base station in a future mobile communication system, or an AP in a Wi-Fi system; it may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network, a network device in a future evolved PLMN network, and so on. The embodiments of this application do not limit the specific technology or the specific device form used by the radio access network device.

3. Universal mobile telecommunications system (UMTS) terrestrial radio access network (UTRAN): for example, the 3G access network.

4. Global system for mobile communication (GSM)/enhanced data rate for GSM evolution (EDGE) terrestrial radio access network (GERAN): for example, the 2G access network.

5. Evolved universal terrestrial radio access network (E-UTRAN): for example, the 4G access network.

6. Serving gateway (S-GW) entity: may be responsible for user plane processing and for the routing and forwarding of data packets.

7. Public data network (PDN) gateway entity: the user plane data link anchor between 3GPP and non-3GPP networks; may be responsible for managing data routing between 3GPP and non-3GPP access.

8. Mobile switching center server (MSC server): has call control and processing functions. In the embodiments of this application, MSC server refers to an MSC server enhanced for single radio voice call continuity (SRVCC).

9. Mobility management entity (MME): mainly responsible for mobility management, bearer management, user authentication, selection of the S-GW and the packet data network gateway (P-GW), and other functions.

10. Access and mobility management function (AMF): mainly used for mobility management and access management; it may implement the functions of the MME entity other than session management, for example lawful interception and access authorization (or authentication). In the embodiments of this application it may be used to implement terminal access and mobility management.

11. User plane function (UPF): equivalent to the P-GW entity in the LTE system; mainly responsible for session and bearer management, Internet Protocol (IP) address allocation, and other functions. In the embodiments of this application it may be used to implement the user plane gateway function.

12. IP multimedia subsystem (IMS): a general network architecture that provides multimedia services over an IP network.

It should be understood that the AMF network element, UPF network element, S-GW entity and P-GW entity shown in FIG. 1 can all be understood as core network elements that implement different functions; for example, they may be combined into network slices as required. These core network elements may each be an independent device, or may be integrated in the same device to implement different functions; this application does not limit this.

In the following, for ease of description, the network element that implements the AMF is referred to as the access and mobility management network element, and the network element that implements the UPF is referred to as the user plane gateway. It should be understood that these names are used only to distinguish different functions and do not mean that the network elements are independent physical devices; this application does not limit their specific form, and they may, for example, be integrated in one physical device or be separate physical devices. In addition, the names are used only for ease of distinguishing functions and should not constitute any limitation on this application; this application does not exclude the possibility of other names being used in 5G networks or in other future networks. For example, in a 6G network, some or all of the above network elements may keep the 5G terminology or may use other names. This is stated here once and not repeated below.

It should also be understood that the network architecture described above for the embodiments of this application is only an example, described from the perspective of the traditional point-to-point architecture and the service-based architecture; the network architecture applicable to the embodiments is not limited to it, and any network architecture capable of implementing the functions of the above network elements is applicable.

Voice over LTE (VoLTE) is an Internet Protocol (IP) transport technology that needs no 2G/3G network: voice and data services are carried entirely by the 4G network. The most direct benefits to the user are shorter call setup time and higher voice quality. However, LTE coverage is not the same as VoLTE coverage, because VoLTE also depends on IMS. Deploying IMS takes time and requires the existing network equipment to be modified or upgraded, so VoLTE coverage may be incomplete during that period. Therefore, if a user on a VoLTE call moves into an area with only circuit switched (CS) coverage, the call may be dropped.

For this reason, 3GPP proposed a VoLTE voice service continuity solution, SRVCC. SRVCC mainly addresses how to keep a voice call continuous when a single-radio terminal moves between the LTE network and the 2G/3G network, that is, how to switch a single-radio terminal smoothly between IMS-controlled voice over Internet Protocol (VoIP) and CS domain voice. VoIP is the technique of digitizing a voice signal that is in analog form and transmitting it over an IP network as data packets; its advantage is that it can broadly exploit the Internet and global IP interconnection to provide better service than traditional services. CS refers to the circuit switching technique in which a fixed channel is allocated to both parties before the call, this "dedicated" channel is occupied for the whole call, and it is released after the call so that it can be allocated to other users. Compared with CS domain voice, VoIP greatly improves resource utilization because the transmission channel is shared, but it may also add processing overhead and delay.

To facilitate understanding of the embodiments, the main SRVCC procedure is briefly described below with reference to FIG. 2 and FIG. 3.

FIG. 2 is a schematic flowchart of an SRVCC handover performed by a terminal. As shown in FIG. 2, it includes steps 110 to 180.

In step 110, the base station sends a handover required message to the mobility management entity. When the base station decides, according to the measurement report reported by the terminal, to initiate an SRVCC handover, it sends the handover required message to the mobility management entity. The message carries an SRVCC handover (HO) indication, which indicates that the procedure to be performed next is an SRVCC handover.

In step 120, after receiving the handover required message from the base station, the mobility management entity uses the root key Kasme in the current terminal security context to derive the cipher key (CK) and integrity key (IK) needed for CS domain voice, and maps the key set identifier in E-UTRAN (eKSI) that identifies Kasme to the key set identifier (KSI) that identifies CK||IK. Optionally, the value parts of eKSI and KSI are the same while their type parts differ.

In step 130, the mobility management entity sends a PS to CS HO request message to the mobile switching center server. It contains the CK||IK and KSI derived in step 120.

In step 140, the mobile switching center server sends a PS to CS HO response message to the mobility management entity. It contains the KSI.

In step 150, the mobility management entity sends a HO command message to the terminal. It contains the KSI.

In step 160, the base station sends a handover command message to the terminal, which contains the KSI. The KSI is sent to the terminal to tell it which key this message is protected with.

In step 170, after receiving the handover command message, the terminal derives CK||IK from Kasme and maps eKSI to KSI.

In step 180, the terminal hands over to the UTRAN, for example to the 3G/2G network.

After the terminal has handed over to the 3G/2G network, the KSI obtained in step 170 can be used between the terminal and the network to identify and retrieve the key, and the CK||IK obtained in step 170 can be used to protect signaling plane and user plane data transmission between the terminal and the network.

It should be noted that the mobility management entity and the terminal each map eKSI to KSI independently. The mapping keeps the value parts of eKSI and KSI the same, while the type part distinguishes a native security context from a mapped security context.

As FIG. 2 shows, during an SRVCC handover the mobility management entity may first derive the key information of the 3G/2G network and then send the derived key information to the mobile switching center server.

Next-generation communication networks also need to keep calls from being interrupted. Taking the 5G network as an example, voice over new radio (VoNR) carries voice over the 5G new radio. In the early stage of 5G deployment, VoNR coverage faces the same problem as VoLTE: if a user on a VoNR call moves into an area with only CS coverage, the call must likewise not be interrupted. The standard therefore defines a new 5G SRVCC to handle handover between 5G and 3G.

FIG. 3 is a schematic flowchart of a 5G SRVCC handover performed by a terminal device. Because there is no direct interface between the access and mobility management network element and the mobile switching center server, 5G SRVCC is relayed through the mobility management entity. The interaction between the mobility management entity and the mobile switching center server is similar to that in FIG. 2; the difference is the added interaction between the access and mobility management network element and the mobility management entity. As shown in FIG. 3, it includes steps 201 to 211.

In step 201, the base station sends a handover required message to the access and mobility management network element. When the base station decides, according to the measurement report reported by the terminal, to initiate a 5G SRVCC handover, it sends the handover required message to the access and mobility management network element. The message carries an SRVCC handover indication, which indicates that the procedure to be performed next is an SRVCC handover.

In step 202, after receiving the handover required message from the base station, the access and mobility management network element derives Kasme from the key Kamf and maps the key set identifier ngKSI that identifies Kamf to the eKSI that identifies Kasme.

In step 203, the access and mobility management network element sends a forward relocation request message to the mobility management entity. It contains the Kasme and eKSI derived in step 202.

In step 204, after receiving the forward relocation request message from the access and mobility management network element, the mobility management entity uses the root key Kasme to derive the cipher and integrity keys CK||IK needed for CS domain voice, and maps the eKSI identifying Kasme to the KSI identifying CK||IK. The value parts of eKSI and KSI are the same; their type parts differ.

In step 205, the mobility management entity sends a PS to CS HO request message to the mobile switching center server. It contains the CK||IK and KSI derived in step 204.

In step 206, the mobile switching center server sends a PS to CS HO response message to the mobility management entity. It contains the KSI.

In step 207, the mobility management entity sends a forward relocation response message to the access and mobility management network element. It contains the KSI.

In step 208, the access and mobility management network element sends a handover command message to the base station. It contains the KSI.

In step 209, the base station sends a handover command message to the terminal, which contains the KSI. The KSI is sent to the terminal to tell it which key this message is protected with.

In step 210, after receiving the handover command message, the terminal derives CK||IK and maps ngKSI to KSI.

After receiving the handover command, the terminal first derives Kasme from Kamf, then derives CK||IK from Kasme and the input parameters. The input parameters may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.

In step 211, the terminal hands over to the UTRAN, for example to the 3G/2G network.

After the terminal has handed over to the 3G/2G network, the KSI obtained in step 210 can be used between the terminal and the network to identify and retrieve the key, and the CK||IK obtained in step 210 can be used to protect signaling plane and user plane data transmission between the terminal and the network.

It should be noted that, as in 4G-to-3G SRVCC, the value parts of ngKSI and KSI are the same, and the type part distinguishes a native security context from a mapped security context.

As FIG. 3 shows, the access and mobility management network element in the 5G network may first derive the root key of the 4G network and then send it to the mobility management entity in the 4G network. The mobility management entity then derives the key information of the 3G network (such as CK||IK) from that root key and sends the derived 3G key information to the mobile switching center server.

Because the 3G network cannot support the high-speed data transmission of the 5G network, the user experience suffers considerably if the terminal stays on the 3G network after its voice service there ends. Therefore, if the terminal's location has 4G or 5G coverage at that time, the terminal should be returned to the 4G or 5G network.

One possible implementation is that the 3G network sends the terminal a radio resource control (RRC) release message carrying the public land mobile network identity (PLMN ID) of the 4G or 5G network, which tells the terminal to return to the corresponding target network.

If the terminal's location has 5G coverage at that time, the terminal is instructed to return to the 5G network. The terminal and the access and mobility management network element can then protect their communication with the 5G security context that existed before the 5G SRVCC procedure.

If the terminal's location has no 5G coverage but only 4G coverage, the terminal is instructed to return to the 4G network. Because the terminal and the mobility management entity then have no corresponding 4G security context, a complete re-authentication procedure is needed, which greatly increases delay and air interface resource consumption and seriously degrades the terminal's user experience.

In view of this, this application provides a method that avoids re-authentication when the terminal returns to the 4G network, helping the terminal return quickly and reducing delay and air interface resource consumption. It should be understood that the method is not limited to the scenario in FIG. 3. For example, when the terminal hands over from the 5G network to the 2G/3G network, the network device first derives the root key of the 4G network from the root key of the 5G network and then derives the security key of the 2G/3G network from the root key of the 4G network. When the terminal later needs to hand over from the 2G/3G network to the 4G network, the method provided here can likewise avoid the delay caused by re-authentication.

For ease of understanding, several terms used in this application are briefly introduced before the embodiments are described.

1. First key Kamf: the key that the terminal and the access and mobility management network element each obtain while the terminal registers with the 5G network. Kamf is associated with the key set identifier in 5G (ngKSI). During registration, the access and mobility management network element may randomly allocate an ngKSI and send it to the terminal. The ngKSI identifies the root key Kamf of the 5G network; for example, the access and mobility management network element carries the ngKSI identifying the 5G root key in the authentication request message and/or the authentication success message it sends to the terminal. Thus, for the terminal and the access and mobility management network element, each ngKSI uniquely indicates one Kamf. In this application, Kamf may be used subsequently to generate the root key Kasme.

2. Second key Kasme: the key that the terminal and the mobility management entity each obtain while the terminal registers with the 4G network. Kasme is associated with the key set identifier in E-UTRAN (eKSI). During registration, the mobility management entity may randomly allocate an eKSI and send it to the terminal. The eKSI identifies the root key Kasme of the 4G network; for example, the mobility management entity carries the eKSI identifying the 4G root key in the authentication request message it sends to the terminal. Thus, for the terminal and the mobility management entity, each eKSI uniquely indicates one Kasme. Kasme may be used subsequently to generate non-access stratum (NAS) keys and access stratum (AS) keys.

3. eKSI, ngKSI, KSI: key set identifiers. A key set identifier is used between the terminal and the network to identify and retrieve a key. eKSI identifies Kasme, ngKSI identifies Kamf, and KSI identifies the cipher key CK and integrity key IK. CK and IK serve as the key information of the 3G network.

It should be understood that the names of the keys, root keys and key set identifiers listed above are chosen only for ease of distinction and should not constitute any limitation on this application; this application does not exclude using other names for the above intermediate keys or root keys to achieve the same or similar functions.

4. Key derivation: obtaining a key from input parameters. Deriving the root key of the 4G network from the root key of the 5G network is taken as an example.

The input parameters for deriving the 4G root key from the 5G root key may include one or more of the following: a function code (FC), an uplink/downlink non-access stratum count value, a preset value, and a random number. The 5G root key may be Kamf; the 4G root key may be Kasme.

Here, FC is the code of the derivation function used when deriving key information; it indicates which function is used. For example, FC may be the function code used to derive the 4G root key from the 5G root key. The NAS count value consists of a sequence number and an overflow counter, and may be the uplink or the downlink NAS count value; the downlink NAS count value may be the one used when deriving the 4G root key from the 5G root key. Kasme may be key information generated after the terminal and the network complete authentication.

It should be understood that the parameters listed above are only examples and should not limit this application in any way; this application does not exclude using other information as parameters for generating the root key.

Specific key derivations, such as deriving the 4G root key from the 5G root key or deriving the 3G security key from the 4G root key, may follow the methods in the existing standards; the embodiments of this application do not limit this.
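The key chain of FIG. 3 (steps 202, 204 and 210) and the derivation just described, modelled in Python as an added example that is not part of the patent or of any 3GPP specification: the AMF derives Kasme from Kamf and maps ngKSI to eKSI, the MME derives CK||IK and maps eKSI to KSI, and the UE repeats the chain on its side. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 ...) follows the generic 3GPP KDF pattern, but the FC values, the 256-bit key sizes and the use of the downlink NAS COUNT as the only freshness input are assumptions chosen for illustration.

```python
# Added example (not from the patent): 5G SRVCC key chain Kamf -> Kasme -> CK||IK
# and the ngKSI -> eKSI -> KSI mapping on the network side (AMF, then MME) and
# on the UE side, with a check that both sides end up with the same keys and
# the same mapped key set identifier.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

FC_KAMF_TO_KASME = 0xA1   # placeholder function code (assumption, not a 3GPP value)
FC_KASME_TO_CK_IK = 0xA2  # placeholder function code (assumption, not a 3GPP value)

NATIVE = 0  # type part: native security context
MAPPED = 1  # type part: mapped security context
NO_KEY = 7  # value part reserved for "no key is available"


@dataclass(frozen=True)
class KeySetId:
    """A key set identifier: a 3-bit value part plus a type part (native/mapped)."""
    value: int
    tsc: int


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(kamf: bytes, nas_dl_count: int) -> bytes:
    """Step 202 (AMF) / step 210 (UE): Kasme from Kamf and the downlink NAS COUNT."""
    return kdf(kamf, FC_KAMF_TO_KASME, nas_dl_count.to_bytes(4, "big"))


def derive_ck_ik(kasme: bytes, freshness: int) -> Tuple[bytes, bytes]:
    """Step 204 (MME) / step 210 (UE): 256-bit output split into CK and IK."""
    out = kdf(kasme, FC_KASME_TO_CK_IK, freshness.to_bytes(4, "big"))
    return out[:16], out[16:]


def map_ksi(src: KeySetId) -> KeySetId:
    """ngKSI -> eKSI, eKSI -> KSI (or ngKSI -> KSI directly on the UE):
    the value part is kept and the type part is set to 'mapped'."""
    if src.value == NO_KEY:
        raise ValueError("cannot map an identifier that names no key")
    if not 0 <= src.value < NO_KEY:
        raise ValueError("value part must fit in 3 bits")
    return KeySetId(src.value, MAPPED)


def network_side(kamf: bytes, ngksi: KeySetId, nas_dl_count: int) -> dict:
    """AMF derives Kasme/eKSI (step 202) and forwards them to the MME (step 203);
    the MME derives CK||IK/KSI (step 204) and sends them to the MSC server."""
    kasme = derive_kasme(kamf, nas_dl_count)
    eksi = map_ksi(ngksi)
    ck, ik = derive_ck_ik(kasme, nas_dl_count)
    ksi = map_ksi(eksi)
    return {"kasme": kasme, "eksi": eksi, "ck": ck, "ik": ik, "ksi": ksi}


def ue_side(kamf: bytes, ngksi: KeySetId, nas_dl_count: int) -> dict:
    """UE after the handover command (step 210): the same chain, but the UE
    maps ngKSI to KSI in a single step."""
    kasme = derive_kasme(kamf, nas_dl_count)
    ck, ik = derive_ck_ik(kasme, nas_dl_count)
    return {"kasme": kasme, "ck": ck, "ik": ik, "ksi": map_ksi(ngksi)}


def run_5g_srvcc(kamf: bytes, ngksi: KeySetId, nas_dl_count: int) -> bool:
    """True when UE and network agree on CK, IK and KSI after the handover,
    i.e. the two-hop mapping (network) and one-hop mapping (UE) coincide."""
    net = network_side(kamf, ngksi, nas_dl_count)
    ue = ue_side(kamf, ngksi, nas_dl_count)
    return net["ck"] == ue["ck"] and net["ik"] == ue["ik"] and net["ksi"] == ue["ksi"]


if __name__ == "__main__":
    # Constructed sample input: a 256-bit Kamf and the ngKSI allocated at registration.
    sample_kamf = bytes(range(32))
    sample_ngksi = KeySetId(value=3, tsc=NATIVE)
    print("UE and network agree:", run_5g_srvcc(sample_kamf, sample_ngksi, 7))
```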

5. Encryption: the sender encrypts plaintext with an encryption algorithm and an encryption key to produce ciphertext. With symmetric encryption the encryption key and the decryption key are the same, so the receiver can decrypt the ciphertext with the same algorithm and key; in other words, the sender and the receiver encrypt and decrypt with one shared key.

6. Integrity protection: the sender applies integrity protection to plaintext or ciphertext with an integrity protection algorithm and an integrity protection key. The receiver verifies the integrity of the protected data with the same integrity protection algorithm and key.

7. Security capability: including but not limited to security algorithms, security parameters, keys, and so on. In the embodiments of this application, the security capability may include, for example, the security capability of the UE and that of a network-side device (such as the MME, AMF or UPF).

8. Security algorithm: an algorithm used to protect data, for example an encryption/decryption algorithm or an integrity protection algorithm.

9. Security context: information that can be used for data encryption/decryption and/or integrity protection. A security context may include, for example, an encryption/decryption key, an integrity protection key, a freshness parameter (such as the non-access stratum (NAS) count value), the ngKSI, and a security algorithm.

The handover method provided in the embodiments of this application is described in detail below with reference to the accompanying drawings.

It should be noted that in the description of the embodiments below, the figures are only schematic aids to understanding and should not limit this application in any way. In FIG. 4 to FIG. 6, gNB may correspond to the base station node, AMF to the access and mobility management network element, MME to the mobility management entity, MSC server to the mobile switching center server, and RNS to the radio network subsystem (RNS) network element. The network element names are defined only to distinguish different functions and should not limit this application; this application does not exclude defining other network elements to implement the same or similar functions.

The following embodiments are examples only, described in detail with the first network being the 3G network, the second network the 4G network, and the third network the 5G network.

图4是从设备交互的角度示出的本申请一实施例提供的切换方法400的示意性流程图。如图所示,图4中所示的方法400可以包括步骤401至步骤426。下面结合图4详细说明方法400中的各个步骤。FIG. 4 is a schematic flowchart of a handover method 400 according to an embodiment of the present application, which is shown from the perspective of device interaction. As shown, the method 400 shown in FIG. 4 may include steps 401 to 426. Each step in the method 400 is described in detail below with reference to FIG. 4.

In step 401, the base station sends a handover request message to the access and mobility management network element.

The base station may decide to initiate a request for SRVCC handover according to the measurement report reported by the UE, or according to factors such as the current load. The base station sends a handover request message to the access and mobility management network element. The handover request message carries an SRVCC handover indication, which indicates that the procedure to be performed next is an SRVCC handover.

In step 402, the access and mobility management network element derives Kasme and maps the ngKSI to an eKSI.

When the UE does not support SRVCC from the new radio of the 5G network to the CS domain of the 3G network, and the UE is performing a voice service on the 5G network, the voice service needs to be handed over from the 5G network to the 3G network. For example, the mobility management entity may relay the signaling during the voice service handover, so that the voice service is handed over from the 5G network to the 3G network and the continuity of the voice service is guaranteed.

The access and mobility management network element may derive Kasme from a key derivation parameter and the Kamf in the current security context. The key derivation parameter may include the non-access stratum count value described above, which may be an uplink NAS count value or a downlink NAS count value.

The access and mobility management network element may derive Kasme using Kamf and the NAS count value, and map the ngKSI that identifies Kamf to the eKSI that identifies Kasme.

In step 403, the access and mobility management network element sends a forward relocation request message to the mobility management entity.

The forward relocation request message includes the SRVCC handover indication and Kasme. The mobility management entity can derive the key of the 3G network from Kasme. The forward relocation request message may further include the key set identifier eKSI from step 402, which identifies the root key Kasme of the 4G network.

Optionally, the forward relocation request message may further include the security capability of the UE. The security capability of the UE may include the names of the security algorithms supported by the UE, or may further include the types or identifiers of those security algorithms arranged in descending order of priority. Alternatively, the access and mobility management network element may already know the security capability of the UE in advance, in which case it does not need to be carried in the forward relocation request message.

In step 404, CK||IK is obtained.

After receiving the relocation request message from the access and mobility management network element, the mobility management entity learns from the SRVCC handover indication in it that it needs to initiate the SRVCC procedure for handing the UE over from the 5G network to the 3G network, and therefore uses the received Kasme to obtain CK||IK. For example, the mobility management entity derives CK||IK using Kasme and an input parameter. The input parameter may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.

Optionally, the mobility management entity may directly use the first half of Kasme as CK and the second half as IK. In this case, the eKSI received by the mobility management entity may also be used directly as the KSI that identifies CK||IK, because the eKSI and the KSI have the same value and both are of the mapped security context type.

In step 405, the mobility management entity sends a PS to CS handover request message to the mobile switching center server.

The PS to CS handover request message includes CK||IK and the KSI that identifies CK||IK; its purpose is to request a handover from packet switching to circuit switching.

In step 406, the mobile switching center server sends a relocation request message / handover request message to the radio network subsystem network element.

The relocation request message / handover request message requests a handover from the base station controller in the radio network subsystem network element. The radio network subsystem network element refers to a radio network subsystem that includes a base station controller and a base station.

In step 407, the radio network subsystem network element sends a relocation response message / handover response message to the mobile switching center server.

This message is a response to the relocation request message / handover request message in step 406.

In step 408, the mobile switching center server sends a PS to CS handover response message to the mobility management entity.

The PS to CS handover response message responds to the PS to CS handover request message in step 405.

In step 409, the mobility management entity sends a forward relocation response message to the access and mobility management network element.

In step 410, the access and mobility management network element sends a handover command message to the base station.

In step 411, the base station sends a handover command message to the UE.

In step 412, the UE derives CK||IK.

After receiving the handover command message, the UE derives Kasme from Kamf, and then derives CK||IK from Kasme.
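The key chain of steps 402, 404 and 412, traced end to end on both the network side (access and mobility management network element plus mobility management entity) and the UE side, as an added example; this is not code from the patent or from any 3GPP implementation. It assumes a stand-in KDF (HMAC-SHA256 over constructed labels), a constructed Kamf, a NAS count value as the key derivation parameter, and a one-byte PDU session identifier as the input parameter for CK||IK; the normative KDF input encodings of TS 33.501 and TS 33.401 differ. It also shows the optional shortcut from step 404, in which the first half of Kasme becomes CK and the second half IK.

```python
"""Kamf -> Kasme -> CK||IK for the 5G to 3G SRVCC handover (steps 402, 404, 412).

Added example, not code from the patent. Assumptions: the KDF is modelled as
HMAC-SHA256 over a constructed label and length-prefixed parameters; key sizes
follow the text (Kamf and Kasme 256 bits, CK and IK 128 bits each).
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed labels that keep the two derivation steps apart (assumption).
LABEL_KASME_FROM_KAMF = b"kasme-from-kamf"
LABEL_CKIK_FROM_KASME = b"ckik-from-kasme"


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Toy KDF: HMAC-SHA256(key, label || len(p)||p ...), 256-bit output."""
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def derive_kasme(kamf: bytes, nas_count: int) -> bytes:
    """Step 402 (network) / step 412 (UE): Kasme from Kamf and the NAS count.

    The NAS count may be the uplink or the downlink count; both sides must
    use the same one, so it is passed in explicitly.
    """
    if len(kamf) != 32:
        raise ValueError("Kamf must be 256 bits")
    return kdf(kamf, LABEL_KASME_FROM_KAMF, nas_count.to_bytes(4, "big"))


def map_ngksi_to_eksi(ngksi: int) -> dict:
    """The ngKSI identifies Kamf; the eKSI that identifies the derived Kasme
    carries the same 3-bit value and marks the context as a mapped one."""
    if not 0 <= ngksi <= 7:
        raise ValueError("KSI values are 3 bits wide")
    return {"value": ngksi, "type": "mapped"}


def derive_ck_ik(kasme: bytes, input_param: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Step 404 (MME) / step 412 (UE): CK||IK from Kasme.

    With an input parameter (for example the PDU session identifier named in
    the text) the 256-bit KDF output is split into CK and IK. Without one the
    optional shortcut of the text is used: first half of Kasme is CK, second
    half is IK.
    """
    if len(kasme) != 32:
        raise ValueError("Kasme must be 256 bits")
    ckik = kdf(kasme, LABEL_CKIK_FROM_KASME, input_param) if input_param is not None else kasme
    return ckik[:16], ckik[16:]


def srvcc_key_chain(kamf: bytes, nas_count: int, ngksi: int,
                    input_param: Optional[bytes] = None) -> dict:
    """Run the whole chain as one side (network or UE) would run it."""
    kasme = derive_kasme(kamf, nas_count)
    ck, ik = derive_ck_ik(kasme, input_param)
    return {"kasme": kasme, "eksi": map_ngksi_to_eksi(ngksi), "ck": ck, "ik": ik}


if __name__ == "__main__":
    kamf = bytes(range(32))  # constructed sample key, not real key material
    network = srvcc_key_chain(kamf, nas_count=7, ngksi=3, input_param=b"\x05")
    ue = srvcc_key_chain(kamf, nas_count=7, ngksi=3, input_param=b"\x05")
    assert network == ue, "both sides must end up with the same CK||IK"
    print("CK =", network["ck"].hex(), "IK =", network["ik"].hex(), "eKSI =", network["eksi"])
```

The point the chain makes concrete is that the UE in step 412 needs exactly the same inputs (Kamf, the chosen NAS count, the input parameter) as the network used in steps 402 and 404; any side that uses a different NAS count derives a different Kasme and the handover fails at the first protected message.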

In step 413, the UE sends a handover complete message to the radio network subsystem network element.

In step 414, the radio network subsystem network element sends a handover complete message to the mobile switching center server.

In step 415, the mobile switching center server sends a PS to CS handover complete message to the mobility management entity.

Through steps 401 to 415 above, the UE can be handed over from the 5G network to the 3G network.

The above briefly describes the SRVCC procedure for handing the UE over from the 5G network to the 3G network. This SRVCC procedure is similar to the prior art and is not limited in the present application.

After the voice service of the UE ends, if the area where the UE is located has NR coverage (that is, a 5G network), the UE will be handed over from the 3G network to the 5G network. If the 5G security context stored in the UE is available and is a native security context (that is, a context generated through a complete authentication and key agreement (AKA) procedure), that 5G security context is used to protect the communication between the UE and the 5G network; for example, the registration request message is integrity protected with the 5G security context. If the 5G security context is a mapped security context (that is, a context derived from a 4G security context, for example by deriving the 5G root key Kamf from the 4G root key Kasme and then generating the NAS keys, AS keys, and so on), or the 5G security context is unavailable (for example, no 5G security context exists in the UE), the UE sends a registration request message without integrity protection. That registration request message triggers the access and mobility management network element to perform a re-authentication procedure on the UE (that is, the access and mobility management network element requests an authentication vector from a unified data management (UDM) network element and sends an authentication challenge to the UE based on that authentication vector; once the UE passes the authentication challenge, it shares a root key with the network), which establishes a 5G native security context.

It should be noted that in the embodiments of the present application the terms "5G native security context" and "native 5G security context" both indicate that the 5G security context is native; the specific name does not limit the scope of protection of the present application. As described above, a native security context is a security context generated through a complete AKA procedure.

After the voice service of the UE ends, if the area where the UE is located has no NR coverage but has E-UTRAN (that is, 4G network) coverage, the UE will be handed over from the 3G network to the 4G network. If a 5G security context is stored on the UE at this time and it is a native security context, then after receiving the RRC release message sent by the radio network subsystem (such as the RNS), the UE deletes the UMTS security context (that is, the 3G security context) or sets it to the inactive state, and changes the 5G security context from a non-current security context to the current security context (that is, activates the 5G security context), so that the UE can derive the 4G security context from the 5G security context. The UE may subsequently send a tracking area update (TAU) request message to the mobility management entity, and this TAU request message is integrity protected by the 5G security context. If the 5G security context is a mapped security context, or is unavailable, the UE sends a TAU request message without integrity protection to the mobility management entity, which triggers the mobility management entity to perform a re-authentication procedure on the UE in order to establish a new evolved packet system (EPS) security context (that is, a 4G security context).

The main procedure for handing the UE over from the 3G network to the 4G network is described in detail below with reference to steps 416 to 426 in FIG. 4.

In step 416, the mobile switching center server sends an RRC release to the radio network subsystem network element. The message carries the last used PLMN ID, that is, the PLMN ID of the 4G network.

In step 417, the radio network subsystem network element sends an RRC release message to the UE.

When the location of the UE has a 4G network but no 5G network, the radio network subsystem network element may send an RRC release message to the UE to instruct the UE to hand over to the 4G network. The RRC release message includes a network identifier indicating the target network to which the UE is to return. The network identifier may include, for example but not limited to, an operator identifier (such as a PLMN ID), an access network ID, a serving network ID, a cell ID, a base station identifier (gNB ID), a local area network ID, a slice ID, a bearer ID, a quality of service (QoS) ID, a flow ID, or network slice selection assistance information (NSSAI).

In step 418, the UE sets the security context of the 5G network as the current security context. Here the security context of the 5G network is a native security context.

The security contexts on the UE are divided by state into the current security context and the non-current security context. When the UE receives an RRC release message instructing it to hand over from the 3G network to the 5G network, the UE triggers a 3G to 4G handover procedure based on the current security context (that is, the 3G security context): it derives the 4G root key Kasme from the 3G root key CK||IK, so that the mobility management entity in the 4G network derives the NAS keys and AS keys from Kasme and obtains the 4G security context. However, because the security of the 3G network is weak, the 4G security context obtained in this way is at risk of leakage: if an attacker compromises the 3G network and obtains the root key CK||IK, the attacker is fully able to derive the 4G security context. Furthermore, when the UE, having handed over to the 4G network, then needs to hand over from the 4G network to the 5G network (for example, when the location of the UE has 5G coverage), the UE will derive the 5G security context from a 4G security context that may have been leaked. Therefore, the embodiments of the present application provide a method that avoids the risk of 4G security context leakage and improves the user experience.

After receiving the RRC release message, when the UE determines from the target network identifier contained in the RRC release message that it is to return to the 4G network, the UE checks whether it currently stores a 5G native security context.

If a 5G native security context is stored and is available, the UE deletes the 3G security context or sets it to the inactive state, sets the 5G native security context as the current security context, and sends to the mobility management entity a TAU request message that is integrity protected by the 5G native security context.

If the UE does not store a 5G native security context (including the case where the stored 5G security context is a mapped one), or the 5G native security context is unavailable, the UE deletes the currently used 3G security context or sets it to the inactive state, and sends a TAU request message without integrity protection to the mobility management entity, so that the mobility management entity is subsequently triggered to perform a re-authentication procedure on the UE and finally establish a 4G (native) security context.

In step 419, the UE sends a TAU request message to the mobility management entity.

Having checked that it currently stores a 5G native security context and that this context is available, the UE sends a TAU request message to the mobility management entity, integrity protected by the 5G native security context. Protecting the TAU request message with the 5G native security context, rather than with a 4G mapped security context derived from the 3G security context, avoids leakage of Kasme, thereby guaranteeing the security of the 5G network when the UE later hands over to the 5G network and improving the security of network communication.

The TAU request message includes the evolved packet system GUTI (EPS GUTI) mapped from the 5G globally unique temporary UE identity (5G GUTI), the eKSI mapped from the ngKSI, and the NAS MAC generated by integrity protecting the TAU request message with the 5G native security context.

In step 420, after receiving the TAU request message, the mobility management entity obtains the address of the access and mobility management network element from the mapped EPS GUTI.

In step 421, the mobility management entity sends a context request message to the access and mobility management network element.

The context request message includes the mapped EPS GUTI and the TAU request message protected with the 5G native security context. The TAU request message is the one sent by the UE to the mobility management entity in step 419.

In step 422, the access and mobility management network element maps the security context of the 5G network to a security context of the 4G network.

The access and mobility management network element finds the corresponding 5G native security context from the eKSI in the TAU request message and verifies the TAU request message. If the verification passes, the access and mobility management network element maps the 5G native security context to a 4G security context and sends it to the mobility management entity in a context response message. If the verification fails, or the corresponding 5G native security context is not found, the access and mobility management network element treats the TAU request message as having no security protection and therefore sends no security context to the mobility management entity. Regardless of whether the verification passes, the access and mobility management network element carries the permanent identity of the UE (such as the international mobile subscriber identity (IMSI) or the subscription permanent identifier (SUPI)) in the context response message.

In step 423, the access and mobility management network element sends a context response message to the mobility management entity.

The context response message includes the permanent identity of the UE from step 422 and, if the verification passed, the generated 4G mapped security context. If the mobility management entity does not receive a 4G mapped security context, it requests an authentication vector from the home subscriber server (HSS) based on the received permanent identity of the UE, in order to perform a re-authentication procedure and generate a 4G (native) security context.
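The two decision points of steps 418 to 423, the UE choosing which context protects the TAU request after the RRC release and the access and mobility management network element verifying that TAU request when the mobility management entity forwards it in the context request, as an added example with both sides in one exchange; this is not code from the patent or from any network vendor. It assumes the NAS MAC is a truncated HMAC-SHA256 keyed directly with the context's root key, that the 5G to 4G mapping is a single HMAC derivation of Kasme from Kamf, and constructed context store contents, GUTI and SUPI values; real NAS integrity algorithms and the normative KDF differ.

```python
"""UE-side context selection and AMF-side TAU verification (steps 418 to 423).

Added example, not code from the patent. Assumptions: toy NAS-MAC (4-byte
truncated HMAC-SHA256 keyed with the context root key) and a toy 5G -> 4G
mapping (HMAC derivation of Kasme from Kamf); all identities are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecurityContext:
    network: str                 # "3G", "4G" or "5G"
    origin: str                  # "native" (full AKA) or "mapped" (derived)
    ksi: int                     # ngKSI / eKSI / KSI value
    key: bytes                   # root key: Kamf (5G), Kasme (4G), CK||IK (3G)
    state: str = "non-current"   # "current", "non-current" or "inactive"
    available: bool = True


def nas_mac(key: bytes, payload: bytes) -> bytes:
    """Toy NAS-MAC: first 4 bytes of HMAC-SHA256 (assumption)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]


def build_tau_request(ue_contexts: List[SecurityContext], mapped_eps_guti: bytes) -> dict:
    """Steps 418/419: after an RRC release towards 4G, pick the protecting context.

    The currently used 3G context is set inactive (the text also allows
    deleting it). If a usable 5G native context exists it becomes current and
    protects the TAU request; otherwise the request goes out unprotected,
    which is what later triggers re-authentication at the MME.
    """
    for ctx in ue_contexts:
        if ctx.network == "3G" and ctx.state == "current":
            ctx.state = "inactive"
    native_5g = next((c for c in ue_contexts
                      if c.network == "5G" and c.origin == "native" and c.available), None)
    payload = b"TAU-REQUEST|" + mapped_eps_guti
    if native_5g is None:
        return {"payload": payload, "eksi": None, "nas_mac": None}
    native_5g.state = "current"                     # activate the 5G native context
    return {"payload": payload,
            "eksi": native_5g.ksi,                  # eKSI mapped from ngKSI: same value
            "nas_mac": nas_mac(native_5g.key, payload)}


def amf_handle_context_request(amf_contexts: Dict[int, SecurityContext],
                               permanent_id: str, tau: dict) -> dict:
    """Steps 422/423: look the 5G native context up by eKSI, verify the MAC and
    release a mapped 4G context only on success. The permanent identity is
    returned in every case so the MME can re-authenticate when no context comes.
    """
    response = {"permanent_id": permanent_id, "mapped_4g_context": None}
    ctx: Optional[SecurityContext] = amf_contexts.get(tau["eksi"]) if tau["eksi"] is not None else None
    if ctx is None or ctx.origin != "native" or tau["nas_mac"] is None:
        return response                             # treated as an unprotected TAU request
    if not hmac.compare_digest(nas_mac(ctx.key, tau["payload"]), tau["nas_mac"]):
        return response                             # verification failed: nothing released
    kasme = hmac.new(ctx.key, b"kasme-from-kamf", hashlib.sha256).digest()  # toy mapping
    response["mapped_4g_context"] = SecurityContext("4G", "mapped", ctx.ksi, kasme)
    return response


if __name__ == "__main__":
    kamf = bytes(range(32))                         # constructed, not real key material
    ue_store = [SecurityContext("3G", "mapped", 2, bytes(32), state="current"),
                SecurityContext("5G", "native", 5, kamf)]
    tau = build_tau_request(ue_store, mapped_eps_guti=b"\x00\x11")
    amf_store = {5: SecurityContext("5G", "native", 5, kamf, state="current")}
    print(amf_handle_context_request(amf_store, "supi-constructed", tau))
```

Two failure modes from the text are exercised by the `__main__` setup if the inputs are changed: a UE whose only 5G context is a mapped one sends no NAS MAC and gets no 4G context back, and a TAU request whose payload is altered in transit fails the MAC check and is likewise answered with the permanent identity only, leaving the mobility management entity to run a fresh authentication towards the HSS.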

In step 424, the mobility management entity determines the 4G algorithms from the received 4G mapped security context.

The 4G algorithms include the encryption algorithm and the integrity protection algorithm that the UE will use when it returns to the 4G network. The mobility management entity may select suitable encryption and integrity protection algorithms according to its own security capability, a local priority list, and the security capability of the UE. Although the 4G mapped security context received by the mobility management entity may contain the 4G encryption algorithm and 4G integrity protection algorithm corresponding to the 5G encryption algorithm and 5G integrity protection algorithm previously used between the access and mobility management network element and the UE, the mobility management entity reselects the algorithms if those algorithms are inconsistent with its own configuration or are not supported by it.

In step 425, if the mobility management entity has reselected the algorithms, it triggers a NAS security mode command (SMC) procedure to activate NAS security, so that the UE and the mobility management entity share Kasme and the associated NAS keys.

In step 426, the mobility management entity sends a TAU accept message to the UE. Before this, for example after sending the TAU request message, the UE may derive the 4G mapped security context from the 5G native security context in advance, that is, derive Kasme from Kamf and derive the NAS keys using the 4G encryption algorithm and 4G integrity protection algorithm corresponding to the 5G encryption algorithm and 5G integrity protection algorithm in the 5G native security context. If the UE subsequently receives a NAS SMC message from the mobility management entity, it derives new NAS keys as indicated by the NAS SMC message and deletes the previously generated NAS keys; otherwise, the UE verifies the TAU accept message with the previously generated NAS keys.

Based on the above scheme, when the UE is handed over from the 5G network to the 3G network and then returns from the 3G network to the 4G network, the UE adjusts the state of the security contexts it stores: the UE deletes the currently used 3G security context, sets the 5G native security context as the current security context, and uses the 5G native security context, rather than a 4G mapped security context derived from the 3G security context, to protect the TAU request message. This avoids producing a leaked 4G security context, guarantees the security of the 5G network, and improves the user experience.

FIG. 5 is a schematic flowchart of a handover method 500 according to another embodiment of the present application, shown from the perspective of device interaction. As shown, the method 500 in FIG. 5 may include steps 501 to 519. Each step of the method 500 is described in detail below with reference to FIG. 5.

In step 501, the base station sends a handover request message to the access and mobility management network element.

The base station may decide to initiate a request for SRVCC handover according to the measurement report reported by the UE, or according to factors such as the current load. The base station sends a handover request message to the access and mobility management network element. The handover request message carries an SRVCC handover indication, which indicates that the procedure to be performed next is an SRVCC handover.

In step 502, the access and mobility management network element derives Kasme and maps the ngKSI to an eKSI.

This is the same as step 402 of the embodiment shown in FIG. 4; for the related content, refer to the description of step 402.

In step 503, the access and mobility management network element sends a forward relocation request message to the mobility management entity.

This is the same as step 403 of the embodiment shown in FIG. 4; for the related content, refer to the description of step 403.

In step 504, the mobility management entity stores Kasme, selects the 4G algorithms, and derives the NAS keys.

After receiving the relocation request message from the access and mobility management network element, the mobility management entity learns from the SRVCC handover indication in it that the SRVCC procedure needs to be initiated, and therefore stores the Kasme. In the embodiments of the present application, the Kasme stored by the mobility management entity can be used later, when the UE needs to return from the 3G network to the 4G network, to derive the NAS keys from that Kasme. This avoids having to re-establish the authentication procedure when the UE hands over from the 3G network to the 4G network, which would add latency and air interface signaling overhead and seriously affect the user experience.

Optionally, the mobility management entity may select, based on a preset policy, the encryption algorithm and integrity protection algorithm to be used if the UE later returns to the 4G network. The preset policy may take into account at least one of the following factors: the mobility management entity's own security capability, a local priority list, the security capability of the UE, and so on. Specifically, the preset policy may include the security capability of the terminal device, that is, the mobility management entity selects the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network based on the security capability of the terminal device (such as the security algorithms supported by the terminal device). The preset policy may also include the mobility management entity's own security capability, that is, the mobility management entity selects those algorithms based on its own security capability (such as the security algorithms it supports). Alternatively, the preset policy may also include a security capability priority list; for example, the mobility management entity determines the security algorithms supported by both the terminal device and itself, and then selects the algorithm with the highest security strength or the highest priority as the encryption algorithm and integrity protection algorithm that the UE will use when returning to the 4G network.

The preset policy may be predefined, for example by a protocol, or may be determined through negotiation between the UE and the user plane gateway; the present application does not limit this. The above encryption algorithm and integrity protection algorithm may be collectively referred to as security algorithms. For brevity, in the following embodiments, the encryption algorithm and integrity protection algorithm selected by the mobility management entity for use when the UE returns to the 4G network are referred to as the 4G algorithms.

Optionally, the mobility management entity can derive the NAS keys using Kasme and the 4G algorithms; these NAS keys can be used when the UE hands over to the 4G network. The 4G algorithms include a 4G encryption algorithm and a 4G integrity protection algorithm, and the NAS keys include a NAS encryption key and a NAS integrity protection key. The mobility management entity derives the NAS encryption key from Kasme and the 4G encryption algorithm, and derives the NAS integrity protection key from Kasme and the 4G integrity protection algorithm.
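The algorithm selection by preset policy and the NAS key derivation of step 504 (the same selection is repeated in step 424 when the mapped context arrives, and step 425 triggers a NAS SMC if it differs from what the context carried), as an added example; this is not code from the patent. The EPS algorithm names are the standard EEA/EIA identifiers, but the local priority lists, the UE capability lists and the MME capability set are constructed, and the NAS key derivation is a stand-in HMAC-SHA256 over a constructed distinguisher and the algorithm identifier rather than the normative KDF of TS 33.401.

```python
"""4G algorithm selection and NAS key derivation at the MME (steps 504, 424, 425).

Added example, not code from the patent. Assumptions: the capability sets and
priority lists are constructed; the key derivation is a toy HMAC-SHA256 KDF
truncated to 128 bits, standing in for the normative one.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed MME capability sets: algorithm name -> algorithm identifier.
MME_ENC_ALGS: Dict[str, int] = {"EEA0": 0, "128-EEA1": 1, "128-EEA2": 2, "128-EEA3": 3}
MME_INT_ALGS: Dict[str, int] = {"128-EIA1": 1, "128-EIA2": 2, "128-EIA3": 3}

# Constructed local priority lists, strongest/preferred first (assumption).
ENC_PRIORITY: List[str] = ["128-EEA2", "128-EEA3", "128-EEA1", "EEA0"]
INT_PRIORITY: List[str] = ["128-EIA2", "128-EIA3", "128-EIA1"]


def select_algorithm(local_priority: List[str], mme_supported: Dict[str, int],
                     ue_capability: List[str]) -> Optional[str]:
    """Preset policy from the text: algorithms supported by both the UE and the
    MME, then the first match in the MME's local priority list."""
    common = set(ue_capability) & set(mme_supported)
    for alg in local_priority:
        if alg in common:
            return alg
    return None


def select_4g_algorithms(ue_enc: List[str], ue_int: List[str],
                         enc_priority: List[str] = ENC_PRIORITY,
                         int_priority: List[str] = INT_PRIORITY) -> Tuple[str, str]:
    """Return (encryption algorithm, integrity algorithm) for the UE's return to 4G."""
    enc = select_algorithm(enc_priority, MME_ENC_ALGS, ue_enc)
    integ = select_algorithm(int_priority, MME_INT_ALGS, ue_int)
    if enc is None or integ is None:
        raise ValueError("UE and MME share no encryption or integrity algorithm")
    return enc, integ


def derive_nas_key(kasme: bytes, distinguisher: bytes, alg_id: int) -> bytes:
    """Toy KDF: 128-bit NAS key from Kasme, algorithm-type distinguisher and
    algorithm identifier (assumption; the real KDF uses normative encodings)."""
    if len(kasme) != 32:
        raise ValueError("Kasme must be 256 bits")
    return hmac.new(kasme, distinguisher + bytes([alg_id]), hashlib.sha256).digest()[:16]


def derive_nas_keys(kasme: bytes, enc_alg: str, int_alg: str) -> Dict[str, bytes]:
    """NAS encryption key from Kasme + encryption algorithm, NAS integrity key
    from Kasme + integrity algorithm, as the text describes."""
    return {
        "k_nas_enc": derive_nas_key(kasme, b"NAS-enc-alg", MME_ENC_ALGS[enc_alg]),
        "k_nas_int": derive_nas_key(kasme, b"NAS-int-alg", MME_INT_ALGS[int_alg]),
    }


def needs_reselection(received_enc: str, received_int: str,
                      selected: Tuple[str, str]) -> bool:
    """Steps 424/425: the algorithms carried in the mapped context are kept only
    if they equal what the MME would select; otherwise a NAS SMC is triggered."""
    return (received_enc, received_int) != selected


if __name__ == "__main__":
    ue_enc = ["EEA0", "128-EEA1", "128-EEA3"]       # constructed UE capability
    ue_int = ["128-EIA1", "128-EIA3"]
    chosen = select_4g_algorithms(ue_enc, ue_int)
    keys = derive_nas_keys(bytes(32), *chosen)     # zero Kasme: constructed sample only
    print(chosen, {k: v.hex() for k, v in keys.items()})
    print("SMC needed:", needs_reselection("128-EEA2", "128-EIA2", chosen))
```

Because the algorithm identifier is an input to the key derivation, a reselection in step 424 necessarily changes the NAS keys; that is why step 425 must run the NAS SMC so the UE discards the NAS keys it derived ahead of time in step 426 and derives the new ones.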

It should be noted that in the embodiments of the present application, after receiving the relocation request message from the access and mobility management network element, the mobility management entity learns from the SRVCC handover indication in it that the SRVCC procedure needs to be initiated, and based on this SRVCC handover indication the mobility management entity stores Kasme and the selected 4G algorithms.

还需要说明的是,关于移动性管理实体何时推演出NAS密钥,本申请实施例不作限定。具体地,在步骤504中,移动性管理实体可以不推演NAS密钥,而是在确定UE需要返回4G网络时,再推演出NAS密钥。It should also be noted that the embodiment of this application does not limit the time when the mobility management entity pushes the NAS key. Specifically, in step 504, the mobility management entity may not derive the NAS key, but may instead derive the NAS key when it is determined that the UE needs to return to the 4G network.

在步骤505中,获得CK||IK。In step 505, CK || IK is obtained.

移动性管理实体收到来自接入和移动管理网元发来的重定位请求消息后,根据其中的SRVCC切换指示消息知道需要发起UE从5G网络切换至3G网络的SRVCC流程,于是使用收到的Kasme获得CK||IK。例如,移动性管理实体使用Kasme和输入参数推演出CK||IK。其中,输入参数可以是由接入和移动管理网元获取并通知UE,也可以是UE发送的业务请求消息中携带的,如PDU会话标识等。After the mobility management entity receives the relocation request message from the access and mobility management network element, it knows that it needs to initiate the SRVCC process for the UE to switch from the 5G network to the 3G network according to the SRVCC handover instruction message in it. Kasme gets CK || IK. For example, the mobility management entity uses Kasme and input parameters to derive CK || IK. The input parameters may be obtained by the access and mobility management network element and notified to the UE, or may be carried in a service request message sent by the UE, such as a PDU session identifier.

可选的,移动性管理实体可以直接把Kasme的前半段作为CK,后半段作为IK,此时, 移动性管理实体收到的eKSI也可以直接作为KSI标识CK||IK,因为eKSI和KSI的值是一样的,并且类型也都是映射安全上下文。Optionally, the mobility management entity may directly use the first half of Kasme as CK and the latter half as IK. At this time, the eKSI received by the mobility management entity may also be directly used as the KSI identifier CK || IK, because eKSI and KSI The values are the same, and the types are also mapped to the security context.

在步骤506中,移动性管理实体向移动交换中心服务器发送PS到CS切换请求消息。In step 506, the mobility management entity sends a PS to CS handover request message to the mobile switching center server.

该PS到CS切换请求消息中包含CK||IK和标识CK||IK的KSI,该PS到CS切换请求消息的作用是进行分组交换到电路交换的请求。The PS to CS handover request message includes a CK || IK and a KSI identifying CK || IK. The role of the PS to CS handover request message is to perform a packet switching to circuit switching request.

该PS到CS切换请求消息中还可以包含移动性管理实体为UE选择的4G算法,或者也可以是4G算法的标识符。The PS to CS handover request message may further include a 4G algorithm selected by the mobility management entity for the UE, or may be an identifier of the 4G algorithm.

在步骤507中,移动交换中心服务器向无线网络子系统网元发送重定位请求消息/切换请求消息。In step 507, the mobile switching center server sends a relocation request message / handover request message to the wireless network subsystem network element.

重定位请求消息/切换请求消息用于向无线网络子系统中的基站控制器进行切换请求,该消息中可以包括源基站到目的基站的透明容器(source to target transparent container)。其中,无线网络子系统网元指包含基站控制器和基站的无线网络子系统。The relocation request message / handover request message is used to make a handover request to the base station controller in the wireless network subsystem, and the message may include a source container to a target base container. The wireless network subsystem network element refers to a wireless network subsystem including a base station controller and a base station.

在步骤508中,无线网络子系统网元向移动交换中心服务器发送重定位响应消息/切换响应消息。In step 508, the wireless network subsystem network element sends a relocation response message / handover response message to the mobile switching center server.

该消息是对步骤507中重定位请求消息/切换请求消息的响应。This message is a response to the relocation request message / handover request message in step 507.

在步骤509中,移动交换中心服务器向移动性管理实体发送PS到CS切换响应消息。In step 509, the mobile switching center server sends a PS to CS handover response message to the mobility management entity.

该PS到CS切换响应消息用于响应步骤506中的PS到CS切换请求消息。The PS to CS handover response message is used to respond to the PS to CS handover request message in step 506.

在步骤510中,移动性管理实体向接入和移动管理网元发送前传重定位响应消息。In step 510, the mobility management entity sends a fronthaul relocation response message to the access and mobility management network element.

可选的,该重定位响应消息中还可以包含指示移动性管理实体在步骤504中选择的4G算法或4G算法的标识符。通过将该4G算法发送至接入和移动管理网元,进而发送至UE,可以使得UE根据该Kasme和4G算法推演出NAS密钥,避免当UE需要从3G切换到4G时,需要重新建立鉴权流程,这样会增加时延和空口信令开销,严重影响用户体验。Optionally, the relocation response message may further include an identifier indicating the 4G algorithm or the 4G algorithm selected by the mobility management entity in step 504. By sending the 4G algorithm to the access and mobility management network element, and then to the UE, the UE can derive the NAS key based on the Kasme and 4G algorithm, avoiding the need to re-establish the authentication when the UE needs to switch from 3G to 4G Rights process, which will increase the delay and air interface signaling overhead and seriously affect the user experience.

可选的,该重定位响应消息中还可以携带一个指示信息,该指示信息用于标明4G算法,以便指示在3G网络中不需要进行处理该4G算法。Optionally, the relocation response message may also carry an indication information, which is used to indicate the 4G algorithm, so as to indicate that the 4G algorithm does not need to be processed in the 3G network.

在步骤511中,接入和移动管理网元向基站发送切换命令消息。In step 511, the access and mobility management network element sends a handover command message to the base station.

可选的,该切换命令消息中包含4G算法或4G算法的标识符。可选的,该切换命令消息中还可以包括步骤510中的指示信息。Optionally, the handover command message includes a 4G algorithm or an identifier of the 4G algorithm. Optionally, the switching command message may further include the indication information in step 510.

在步骤512中,基站向UE发送切换命令消息。In step 512, the base station sends a handover command message to the UE.

可选的,该切换命令消息中包含4G算法或4G算法的标识符。可选的,该切换命令消息中还可以包括步骤510中的指示信息。Optionally, the handover command message includes a 4G algorithm or an identifier of the 4G algorithm. Optionally, the switching command message may further include the indication information in step 510.

在步骤513中,UE推演出CK||IK,保存4G算法。In step 513, the UE derives CK || IK and saves the 4G algorithm.

UE收到切换命令消息后,利用Kamf推演出Kasme,然后利用Kasme推演出CK||IK,进而可以从5G网络切换到3G网络。After receiving the handover command message, the UE uses Kamf to deduce Kasme, and then uses Kasme to deduce CK || IK, and then can switch from 5G network to 3G network.

可选的,UE可以保存接收到的4G算法或4G算法的标识符,以便后续需要返回4G网络时推演NAS密钥。Optionally, the UE may save the received 4G algorithm or the identifier of the 4G algorithm, so that the NAS key can be derived when the subsequent return to the 4G network is needed.

可选的,UE也可以保存Kasme,以便后续需要返回4G网络时直接使用该Kasme,并根据Kasme和4G算法推演出NAS密钥。或者,UE也可以在后续确定需要返回4G网络时,使用Kamf推演出相同的Kasme,进而再根据Kasme和4G算法推演出NAS密钥。Optionally, the UE can also save Kasme, so that it can be used directly when it needs to return to the 4G network in the future, and the NAS key can be derived based on the Kasme and 4G algorithm. Alternatively, the UE can also use Kamf to derive the same Kasme when it is subsequently determined that it needs to return to the 4G network, and then derive the NAS key according to the Kasme and 4G algorithms.

在步骤514中,UE向无线网络子系统网元发送切换完成消息。In step 514, the UE sends a handover completion message to the wireless network subsystem network element.

在步骤515中,无线网络子系统网元向移动交换中心服务器发送切换完成消息。In step 515, the wireless network subsystem network element sends a handover completion message to the mobile switching center server.

在步骤516中,移动交换中心服务器向移动性管理实体发送PS到CS的切换完成消息。In step 516, the mobile switching center server sends a PS to CS handover completion message to the mobility management entity.

通过上述步骤501到步骤516,UE可以从5G网络切换到3G网络。此外,移动性管理实体也可以和UE共享在5G网络切换到3G网络的过程中生成的Kasme,从而使得UE可以在需要返回4G网络时,根据该Kasme和4G算法推演出NAS密钥,进而避免了重新建立鉴权流程,提高用户体验。Through the above steps 501 to 516, the UE can switch from a 5G network to a 3G network. In addition, the mobility management entity can also share the Kasme generated during the process of switching from the 5G network to the 3G network with the UE, so that when the UE needs to return to the 4G network, the NAS key can be derived based on the Kasme and 4G algorithm, thereby avoiding In order to re-establish the authentication process and improve user experience.

下面结合图5中的步骤517到步骤519说明,UE从3G网络返回4G网络的主要过程。The following describes the main process of the UE returning from the 3G network to the 4G network with reference to steps 517 to 519 in FIG. 5.

在步骤517中,移动交换中心服务器向无线网络子系统网元发送RRC释放消息。In step 517, the mobile switching center server sends an RRC release message to the wireless network subsystem network element.

在步骤518中,无线网络子系统网元向UE发送RRC释放消息。In step 518, the wireless network subsystem network element sends an RRC release message to the UE.

当UE所处位置有4G网络,且无5G网络时,无线网络子系统网元可以向UE发送RRC释放消息以指示UE切换到4G网络。该RRC释放消息中包含指示UE回到的目标网络的网络标识。例如,该网络标识例如可以包括但不限于:运营商标识(例如,PLMN ID、接入网络标识(access network ID)、服务网络标识(serving network ID)、小区标识(cell ID)、基站标识(gNB ID)、局域网网络ID、切片ID、承载(bearer)ID、服务质量(quality of service,QoS)ID、流(flow)ID、网络切片选择辅助信息(network slice selection assistance information,NSSAI)。When the UE is in a 4G network and there is no 5G network, the network element of the wireless network subsystem may send an RRC release message to the UE to instruct the UE to switch to the 4G network. The RRC release message includes a network identifier indicating the target network returned by the UE. For example, the network identifier may include, but is not limited to, an operator identifier (e.g., PLMN ID, access network ID, serving network ID, cell ID, base station ID, etc.) gNB ID), LAN network ID, slice ID, bearer ID, quality of service (QoS) ID, flow ID, network slice selection assistance information (NSSAI).

在步骤519中,UE使用4G算法推演出NAS密钥,确定返回4G网络。In step 519, the UE uses the 4G algorithm to derive the NAS key, and determines to return to the 4G network.

UE收到RRC释放消息后确定返回4G网络,UE可以通过3G网络的RRC释放消息,使用5G网络的根密钥推演出4G网络的根密钥,进而推演出4G网络的NAS密钥。如果UE在之前存储了Kasme,则使用Kasme和之前收到的4G算法推演出NAS密钥。如果UE没有存储Kasme,则使用Kamf先推演出Kasme,再使用Kasme和之前收到的4G算法推演出NAS密钥。After receiving the RRC release message, the UE determines to return to the 4G network. The UE can use the 3G network RRC release message to derive the root key of the 4G network using the root key of the 5G network, and then the NAS key of the 4G network. If the UE previously stored Kasme, it uses Kasme and the 4G algorithm received previously to derive the NAS key. If the UE does not store Kasme, it uses Kamf to deduce Kasme first, and then uses Kasme and the 4G algorithm received previously to deduce the NAS key.

基于上述方案,UE从5G网络切换到3G网络的过程中,接入和移动管理网元会先根据5G网络的根密钥Kamf推演出4G网络的根密钥Kasme。UE从3G网络返回4G网络时,可以使用UE从5G网络切换到3G网络的过程中得到的4G网络的根密钥Kasme。且移动性管理实体在UE从5G网络切换到3G网络的过程中,会为UE选择返回4G网络时的安全算法。通过移动性管理实体预先选择的安全算法,以及在UE从5G网络切换到3G网络的过程中得到的4G网络的根密钥Kasme,UE可以推演出返回4G网络的安全密钥,从而能够避免UE在回到4G网络时执行重鉴权的流程,进而减小时延,提高用户体验。Based on the above scheme, in the process of the UE switching from the 5G network to the 3G network, the access and mobility management network element will first derive the root key Kasme of the 4G network based on the root key Kamf of the 5G network. When the UE returns from the 3G network to the 4G network, the root key Kasme of the 4G network obtained when the UE switches from the 5G network to the 3G network can be used. In addition, the mobility management entity will select a security algorithm for the UE when returning to the 4G network when the UE switches from the 5G network to the 3G network. Through the security algorithm pre-selected by the mobility management entity and the root key Kasme of the 4G network obtained during the UE's handover from the 5G network to the 3G network, the UE can derive the security key of the 4G network and thereby avoid the UE When returning to the 4G network, the re-authentication process is performed, thereby reducing the delay and improving the user experience.

FIG. 6 is yet another schematic flowchart of a handover method 600 according to yet another embodiment of this application, shown from the perspective of device interaction. As shown in the figure, method 600 in FIG. 6 may include steps 601 to 620. Each step of method 600 is described in detail below with reference to FIG. 6.

In step 601, the base station sends a handover request message to the access and mobility management network element.

It should be understood that step 601 is similar to step 401 of method 400 and step 501 of method 500 above. Since step 401 has been described in detail in method 400, it is not repeated here for brevity.

In step 602, the access and mobility management network element derives Kasme and maps ngKSI to eKSI.

It should be understood that step 602 is similar to step 402 of method 400 and step 502 of method 500 above. Since step 402 has been described in detail in method 400, it is not repeated here for brevity.

In step 603, the access and mobility management network element sends a forward relocation request message to the mobility management entity.

It should be understood that step 603 is similar to step 403 of method 400 and step 503 of method 500 above. Since step 403 has been described in detail in method 400, it is not repeated here for brevity.

Optionally, in step 604, the mobility management entity saves Kasme, selects the 4G algorithm, and derives the NAS key.

After receiving the forward relocation request message from the access and mobility management network element, the mobility management entity learns from the SRVCC handover indication message therein that the SRVCC procedure needs to be initiated, so it can save the Kasme. In this embodiment, the Kasme saved by the mobility management entity can be used later, when the UE needs to return from the 3G network to the 4G network, to derive the NAS key, avoiding the need to re-run the authentication procedure when the UE switches from 3G to 4G, which would add delay and air interface signaling overhead and seriously affect user experience.

Optionally, the mobility management entity may select the encryption algorithm and integrity protection algorithm to be used later if the UE returns to the 4G network. For example, the mobility management entity may select suitable algorithms according to its own security capability, a local priority list and the UE security capability. For brevity, in the following embodiments, the encryption algorithm and integrity protection algorithm selected by the mobility management entity for use when the UE returns to the 4G network are referred to as the 4G algorithm.

Optionally, the mobility management entity can derive a NAS key from Kasme and the 4G algorithm; the NAS key can be used when the UE switches to 4G.

It should be noted that this embodiment does not limit when the mobility management entity selects the 4G algorithm or when it derives the NAS key. Specifically, during the handover from 5G to 3G, the mobility management entity may also omit step 604.

In step 605, CK||IK is obtained.

The mobility management entity learns from the SRVCC handover indication message that the SRVCC procedure needs to be initiated, and therefore uses the received Kasme to obtain CK||IK.

Optionally, the mobility management entity may directly use the first half of Kasme as CK and the second half as IK. In that case, the eKSI received by the mobility management entity may also be used directly as the KSI identifying CK||IK, because eKSI and KSI have the same value and both are of the mapped security context type.

In step 606, the mobility management entity sends a PS to CS handover request message to the mobile switching center server.

The PS to CS handover request message contains CK||IK and the KSI identifying CK||IK; its purpose is to request a packet switched to circuit switched handover.

In step 607, the mobile switching center server sends a relocation request message/handover request message to the radio network subsystem network element.

The relocation request message/handover request message is used to make a handover request to the base station controller in the radio network subsystem network element, and may include a source to target transparent container. The radio network subsystem network element refers to the radio network subsystem comprising the base station controller and the base station.

In step 608, the radio network subsystem network element sends a relocation response message/handover response message to the mobile switching center server.

This message is the response to the relocation request message/handover request message in step 607.

In step 609, the mobile switching center server sends a PS to CS handover response message to the mobility management entity.

The PS to CS handover response message is the response to the PS to CS handover request message in step 606.

In step 610, the mobility management entity sends a forward relocation response message to the access and mobility management network element.

In step 611, the access and mobility management network element sends a handover command message to the base station.

In step 612, the base station sends a handover command message to the UE.

In step 613, the UE derives CK||IK.

After receiving the handover command message, the UE derives Kasme from Kamf, then derives CK||IK from Kasme, and can then switch from the 5G network to the 3G network.

In step 614, the UE sends a handover complete message to the radio network subsystem network element.

In step 615, the radio network subsystem network element sends a handover complete message to the mobile switching center server.

In step 616, the mobile switching center server sends a PS to CS handover complete message to the mobility management entity.

Through steps 601 to 616 above, the UE can switch from the 5G network to the 3G network.

The main process by which the UE returns from the 3G network to the 4G network is described below with reference to steps 617 to 620 in FIG. 6.

In step 617, the mobile switching center server sends an RRC release message to the radio network subsystem network element.

Optionally, if the mobility management entity has performed step 604, the RRC release message contains the 4G algorithm selected by the mobility management entity for the UE, or the algorithm identifier of the 4G algorithm.

In step 618, the target network to be returned to is determined.

Optionally, the radio network subsystem network element may decide whether to carry the 4G algorithm or its algorithm identifier in the RRC release message according to whether the target network to which the UE is about to return is the 4G network. For example, the radio network subsystem network element can learn the current network coverage from the measurement report reported by the UE; when it learns that 4G coverage is currently available and 5G coverage is not, it determines that the UE will switch from the 3G network to the 4G network, and accordingly carries the 4G algorithm in the RRC release message it sends to the UE.

If the radio network subsystem network element determines that 5G coverage is currently available, it judges that the target network to which the UE is about to return is the 5G network, and sends the RRC release message directly to the UE.

If the radio network subsystem network element determines that 5G coverage is not available but 4G coverage is, it judges that the target network to which the UE is about to return is the 4G network, and the RRC release message it sends to the UE includes the 4G algorithm or the algorithm identifier of the 4G algorithm.

In one possible implementation, if the mobility management entity has performed step 604 and the RRC release message in step 617 contains the 4G algorithm (or its algorithm identifier) pre-selected by the mobility management entity for the UE, the RRC release message sent by the radio network subsystem network element to the UE carries that pre-selected 4G algorithm or algorithm identifier.

In another possible implementation, if the mobility management entity has not performed step 604, the radio network subsystem network element notifies the mobile switching center server to request the 4G algorithm. The mobile switching center server requests the mobility management entity to select a 4G algorithm for the UE. On receiving the indication, the mobility management entity selects the 4G algorithm for the UE and sends the selected 4G algorithm or its algorithm identifier to the radio network subsystem network element, so that the RRC release message sent by the radio network subsystem network element to the UE carries the 4G algorithm.

Optionally, the radio network subsystem network element may also refrain from judging the target network.

If the mobility management entity has performed step 604 and the RRC release message in step 617 contains the 4G algorithm (or its algorithm identifier) pre-selected by the mobility management entity for the UE, the radio network subsystem network element may, without judging the target network, send the 4G algorithm or its algorithm identifier directly to the UE in the RRC release message. In that case, if the RRC release message instructs the UE to return to the 5G network, the UE ignores the 4G algorithm because it already has a 5G security context; otherwise the UE uses the 4G algorithm to derive the NAS key.

In step 619, the radio network subsystem network element sends an RRC release message to the UE.

The radio network subsystem network element sends an RRC release message to the UE instructing it to switch to the 4G network. The RRC release message contains a network identifier indicating the target network to which the UE returns. The network identifier was introduced in step 510 of method 500 above and, for brevity, is not described again here. Based on the network identifier, the UE determines that the network it is to return to is the 4G network.

In step 620, the UE derives the NAS key.

When the UE receives the RRC release message, it can derive the NAS key using the 4G algorithm carried in the RRC release message. Before deriving the NAS key, if the UE has no Kasme, it first derives Kasme from Kamf. If the UE saved Kasme when deriving CK||IK, it can use that Kasme directly to derive the NAS key. One way of having the UE save Kasme in advance is for the mobility management entity, when the UE switches from the 5G network to the 3G network, to send the UE indication information instructing it to save Kasme.

Based on the above scheme, during the handover of the UE from the 5G network to the 3G network, the access and mobility management network element first derives the 4G root key Kasme from the 5G root key Kamf. When the UE returns from the 3G network to the 4G network, it can use the 4G root key Kasme obtained during the handover from 5G to 3G. In addition, when it is determined that the target network to which the UE will return is the 4G network, the 4G security algorithm is requested from the mobility management entity and sent to the UE, so that the UE can derive the 4G security keys from the 4G security algorithm and the 4G root key Kasme. This avoids performing a re-authentication procedure when the UE returns to the 4G network, reduces delay, saves air interface resources in the 5G SRVCC phase and improves user experience.
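The key handling shared by methods 500 and 600 (Kasme derived from Kamf, CK||IK taken as the two halves of Kasme, the 4G algorithm chosen from the UE and MME capabilities, and the UE's decision on RRC release between keeping its 5G context, deriving NAS keys from a stored or re-derived Kasme, or falling back to re-authentication) is modelled below as an added example; it is not code from the patent or from any 3GPP implementation. It assumes a constructed HMAC-SHA256 KDF with made-up labels in place of the 3GPP KDF, and made-up algorithm identifiers; the real KDF inputs and identifier values are not on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed algorithm identifiers: stand-ins for illustration, not 3GPP-assigned values.
ENC_ALGS = {"EEA1": 1, "EEA2": 2, "EEA3": 3}
INT_ALGS = {"EIA1": 1, "EIA2": 2, "EIA3": 3}


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Constructed KDF (HMAC-SHA256 over label||len||param...), a stand-in for the 3GPP KDF."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_kasme(kamf: bytes) -> bytes:
    """5G root key Kamf -> 4G root key Kasme (AMF in step 502, UE in step 513)."""
    return kdf(kamf, b"Kasme-from-Kamf")


def split_ck_ik(kasme: bytes) -> Tuple[bytes, bytes]:
    """Step 505: first half of Kasme is CK, second half is IK (32-byte Kasme -> 2 x 16)."""
    half = len(kasme) // 2
    return kasme[:half], kasme[half:]


def derive_nas_keys(kasme: bytes, enc_alg: str, int_alg: str) -> Tuple[bytes, bytes]:
    """NAS keys from Kasme and the 4G algorithm: MME in step 504, UE in steps 519/620."""
    k_nas_enc = kdf(kasme, b"NAS-enc", bytes([ENC_ALGS[enc_alg]]))[:16]
    k_nas_int = kdf(kasme, b"NAS-int", bytes([INT_ALGS[int_alg]]))[:16]
    return k_nas_enc, k_nas_int


def select_4g_algorithm(ue_caps: Iterable[str], mme_priority: List[str]) -> str:
    """Step 504 policy: highest-priority algorithm on the MME list that the UE also supports."""
    for alg in mme_priority:
        if alg in ue_caps:
            return alg
    raise ValueError("no algorithm common to UE and MME")


@dataclass
class MME:
    """Mobility management entity: keeps Kasme and the 4G algorithm for the return to 4G."""
    enc_priority: List[str]
    int_priority: List[str]
    kasme: Optional[bytes] = None
    alg_4g: Optional[Tuple[str, str]] = None

    def forward_relocation_request(self, kasme, ue_enc_caps, ue_int_caps):
        """Steps 503-506: save Kasme, select the 4G algorithm, produce CK||IK for the MSC server."""
        self.kasme = kasme
        self.alg_4g = (select_4g_algorithm(ue_enc_caps, self.enc_priority),
                       select_4g_algorithm(ue_int_caps, self.int_priority))
        return split_ck_ik(kasme), self.alg_4g

    def nas_keys(self) -> Tuple[bytes, bytes]:
        return derive_nas_keys(self.kasme, *self.alg_4g)


@dataclass
class UE:
    """Terminal device side: step 513 (handover command) and steps 519/620 (RRC release)."""
    kamf: bytes
    kasme: Optional[bytes] = None
    alg_4g: Optional[Tuple[str, str]] = None

    def handover_command(self, alg_4g, keep_kasme: bool):
        """Step 513: derive Kasme from Kamf and CK||IK from Kasme; optionally store Kasme."""
        kasme = derive_kasme(self.kamf)
        if keep_kasme:
            self.kasme = kasme
        self.alg_4g = alg_4g  # None when the handover command carried no 4G algorithm
        return split_ck_ik(kasme)

    def rrc_release(self, target: str, alg_4g=None):
        """Steps 519/620: decide what the UE does with the RRC release it receives."""
        if target == "5G":
            # Native 5G context already present; any 4G algorithm carried is ignored.
            return ("keep-5g-context", None)
        if target != "4G":
            raise ValueError(f"unexpected target network {target}")
        alg = alg_4g if alg_4g is not None else self.alg_4g
        if alg is None:
            # No 4G algorithm available: NAS keys cannot be derived, re-authentication follows.
            return ("reauth", None)
        # Use the Kasme stored in step 513 if present, else re-derive the same value from Kamf.
        kasme = self.kasme if self.kasme is not None else derive_kasme(self.kamf)
        return ("nas-keys", derive_nas_keys(kasme, *alg))
```

Because both sides run the same derivation from the same Kamf, the NAS keys the UE computes on RRC release match the ones the MME holds whether or not the UE kept Kasme.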

以上,结合图4至图6详细说明了本申请实施例提供的切换方法。以下,结合图7至图8详细说明本申请实施例提供的切换装置。In the foregoing, the handover method provided by the embodiment of the present application has been described in detail with reference to FIGS. 4 to 6. Hereinafter, the switching device provided by the embodiment of the present application will be described in detail with reference to FIGS. 7 to 8.

图7是本申请实施例提供的切换装置700的示意性框图。如图所示,该通信装置700可以包括:收发模块710和处理模块720。FIG. 7 is a schematic block diagram of a switching device 700 according to an embodiment of the present application. As shown in the figure, the communication device 700 may include: a transceiver module 710 and a processing module 720.

在一种可能的设计中,该切换装置700可以是上文方法实施例中的UE,也可以是用于实现上文方法实施例中UE的功能的芯片。In a possible design, the switching device 700 may be the UE in the foregoing method embodiment, or may be a chip used to implement the functions of the UE in the foregoing method embodiment.

一种可能的方式,收发模块710,用于接收第一信息,所述第一信息包括指示所述终端设备从第一网络切换至第二网络的指示信息,所述第一信息还包括所述第二网络的网络标识;处理模块720,用于当所述终端设备中存在原生的第三网络的安全上下文时,所述终端设备将所述第三网络的安全上下文设置为当前使用的安全上下文;所述处理模块720:还用于根据所述第三网络的安全上下文,推演出所述第二网络的安全上下文。In a possible manner, the transceiver module 710 is configured to receive first information, where the first information includes instruction information instructing the terminal device to switch from the first network to the second network, and the first information further includes the A network identification of the second network; a processing module 720, configured to set the security context of the third network to the currently used security context when the security context of the native third network exists in the terminal device The processing module 720 is further configured to derive the security context of the second network according to the security context of the third network.

可选的,所述收发模块710接收第一信息之后,所述处理模块720还用于:删除所述第一网络的安全上下文。Optionally, after the transceiver module 710 receives the first information, the processing module 720 is further configured to: delete the security context of the first network.

可选的,所述所述收发模块710还用于:向移动性管理实体发送使用所述第三网络的安全上下文保护的跟踪区更新请求信息。Optionally, the transceiver module 710 is further configured to send tracking area update request information protected by the security context of the third network to a mobility management entity.

可选的,所述跟踪区更新请求信息包括第五代5G全局唯一临时终端设备标识映射的第四代4G全局唯一临时终端设备标识和密钥集标识符。Optionally, the tracking area update request information includes a fifth-generation 5G globally unique temporary terminal device identifier mapping of a fourth-generation 4G globally unique temporary terminal device identifier and a key set identifier.

可选的,所述第一信息为无线资源控制RRC释放信息。Optionally, the first information is radio resource control RRC release information.

可选的,所述处理模块720还用于:当所述终端设备中不存在原生的第三网络的安全上下文时,删除所述第一网络的安全上下文;所述收发模块710还用于:向移动性管理实体发送无完整性保护的跟踪区更新请求信息,以使所述移动性管理实体执行重鉴权流程。Optionally, the processing module 720 is further configured to: when the security context of the native third network does not exist in the terminal device, delete the security context of the first network; and the transceiver module 710 is further configured to: Sending the tracking area update request information without integrity protection to the mobility management entity, so that the mobility management entity performs a re-authentication process.

可选的,所述第一网络为第三代3G/第二代2G网络,所述第二网络为第四代4G网络,所述第三网络为第五代5G网络。Optionally, the first network is a third-generation 3G / second-generation 2G network, the second network is a fourth-generation 4G network, and the third network is a fifth-generation 5G network.

具体地,该切换装置700可对应于根据本申请实施例的方法400至600中的UE,该切换装置700可以包括用于执行图4中的方法400至图6中的方法600中的UE执行的方法的模块。并且,该切换装置700中的各模块和上述其他操作和/或功能分别为了实现图4中的方法400、图5中的方法500、图6中的方法600的相应流程。应理解,各模块执行上述相应步骤的具体过程在上述方法实施例中已经详细说明,为了简洁,在此不再赘述。Specifically, the switching device 700 may correspond to the UE in the methods 400 to 600 according to the embodiment of the present application, and the switching device 700 may include a UE for performing the method 400 in FIG. 4 to the method 600 in FIG. 6. Method module. In addition, each module in the switching device 700 and the other operations and / or functions described above are used to implement corresponding processes of the method 400 in FIG. 4, the method 500 in FIG. 5, and the method 600 in FIG. 6, respectively. It should be understood that the specific process of each module performing the above corresponding steps has been described in detail in the foregoing method embodiment, and for the sake of brevity, it will not be repeated here.

In another possible design, the handover apparatus 700 may be the mobility management entity in the method embodiments above, or a chip used to implement the functions of the mobility management entity in the method embodiments above.

Specifically, the handover apparatus 700 may correspond to the mobility management entity in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the mobility management entity in the method 400 of FIG. 4 through the method 600 of FIG. 6. The units of the handover apparatus 700, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover apparatus 700 may be the access and mobility management network element in the method embodiments above, or a chip used to implement the functions of the access and mobility management network element in the method embodiments above.

Specifically, the handover apparatus 700 may correspond to the access and mobility management network element in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the access and mobility management network element in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover apparatus 700, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover apparatus 700 may be the mobile switching center in the method embodiments above, or a chip used to implement the functions of the mobile switching center in the method embodiments above.

Specifically, the handover apparatus 700 may correspond to the mobile switching center in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the mobile switching center in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover apparatus 700, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover apparatus 700 may be the radio network subsystem network element in the method embodiments above, or a chip used to implement the functions of the radio network subsystem network element in the method embodiments above.

Specifically, the handover apparatus 700 may correspond to the radio network subsystem network element in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the radio network subsystem network element in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover apparatus 700, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

It should be understood that the transceiver module 710 in the handover apparatus 700 may correspond to the transceiver 820 in the handover device 800 shown in FIG. 8, and that the processing module 720 in the handover apparatus 700 may correspond to the processor 810 in the handover device 800 shown in FIG. 8.

FIG. 8 is a schematic block diagram of a handover device 800 according to an embodiment of this application. As shown, the handover device 800 includes a processor 810 and a transceiver 820. The processor 810 is coupled to a memory and executes the instructions stored in the memory to control the transceiver 820 to send and/or receive signals. Optionally, the handover device 800 further includes a memory 830 for storing the instructions.

It should be understood that the processor 810 and the memory 830 may be combined into one processing apparatus, with the processor 810 executing program code stored in the memory 830 to implement the functions above. In a specific implementation, the memory 830 may be integrated in the processor 810 or be independent of the processor 810.

It should also be understood that the transceiver 820 may include a receiver and a transmitter. The transceiver may further include one or more antennas.

In a possible design, the handover device 800 may be the UE in the method embodiments above, or a chip used to implement the functions of the UE in the method embodiments above.

Specifically, the handover device 800 may correspond to the UE in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the UE in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover device 800, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover device 800 may be the mobility management entity in the method embodiments above, or a chip used to implement the functions of the mobility management entity in the method embodiments above.

Specifically, the handover device 800 may correspond to the mobility management entity in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the mobility management entity in the method 400 of FIG. 4 through the method 600 of FIG. 6. The units of the handover device 800, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover device 800 may be the access and mobility management network element in the method embodiments above, or a chip used to implement the functions of the access and mobility management network element in the method embodiments above.

Specifically, the handover device 800 may correspond to the access and mobility management network element in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the access and mobility management network element in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover device 800, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover device 800 may be the mobile switching center in the method embodiments above, or a chip used to implement the functions of the mobile switching center in the method embodiments above.

Specifically, the handover device 800 may correspond to the mobile switching center in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the mobile switching center in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover device 800, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

In another possible design, the handover device 800 may be the radio network subsystem network element in the method embodiments above, or a chip used to implement the functions of the radio network subsystem network element in the method embodiments above.

Specifically, the handover device 800 may correspond to the radio network subsystem network element in the methods 400 to 600 of the embodiments of this application, and may include modules for performing the steps performed by the radio network subsystem network element in the method 400 of FIG. 4 through the method 600 of FIG. 6. The modules of the handover device 800, and the other operations and/or functions described above, implement the corresponding procedures of the method 400 in FIG. 4, the method 500 in FIG. 5 and the method 600 in FIG. 6. It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.

According to the methods provided in the embodiments of this application, this application further provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to perform the handover method of any one of the embodiments shown in FIG. 4 to FIG. 6.

According to the methods provided in the embodiments of this application, this application further provides a computer-readable medium. The computer-readable medium stores program code which, when run on a computer, causes the computer to perform the handover method of any one of the embodiments shown in FIG. 4 to FIG. 6.

According to the methods provided in the embodiments of this application, this application further provides a system that includes the UE, the mobility management entity, the access and mobility management network element, the mobile switching center and the radio network subsystem network element described above.

The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital video disc (DVD)) or a semiconductor medium (for example, a solid state disk (SSD)).

Each network element in the apparatus embodiments above may correspond exactly to a network element in the method embodiments, with the corresponding module or unit performing the corresponding steps: for example, the transceiver unit (transceiver) performs the receiving and sending steps of the method embodiments, and steps other than sending and receiving may be performed by the processing unit (processor). For the functions of specific units, refer to the corresponding method embodiments. There may be one or more processors.

In this application, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between objects and indicates that three relationships may exist: for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects it joins. "At least one of the following items" or a similar expression refers to any combination of those items, including any combination of a single item or of plural items. For example, "at least one of a, b or c" may mean a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where each of a, b and c may be single or multiple.

It should be understood that "one embodiment" or "an embodiment" mentioned throughout this specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, "in one embodiment" or "in an embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should also be understood that, in the various embodiments of this application, the sequence numbers of the processes above do not indicate an order of execution; the order in which the processes are performed should be determined by their functions and internal logic and does not limit the implementation of the embodiments of this application in any way.

The terms "module", "system" and the like used in this specification denote computer-related entities: hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be components. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers. In addition, these components may execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, for example according to a signal having one or more data packets (such as data from one component interacting with another component in a local system, in a distributed system and/or across a network such as the Internet, interacting with other systems by way of the signal).

A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of this application.

A person skilled in the art may clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the method embodiments above and are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is merely a division by logical function, and there may be other divisions in actual implementation; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be implemented through some interfaces, and the indirect couplings or communication connections between apparatuses or units may be electrical, mechanical or in other forms.

The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.

When the functions are implemented in the form of a software functional unit and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of this application essentially, or the part contributing to the prior art, or a part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

The foregoing descriptions are merely specific implementations of this application, but the protection scope of this application is not limited thereto. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (15)

一种切换方法,其特征在于,所述方法应用于终端设备从第三网络切换至第一网络之后返回第二网络的场景,所述方法包括:A switching method, characterized in that the method is applied to a scenario in which a terminal device returns to the second network after switching from the third network to the first network, and the method includes: 所述终端设备接收第一信息,所述第一信息包括指示所述终端设备从所述第一网络切换至所述第二网络的指示信息;Receiving, by the terminal device, first information, the first information including instruction information instructing the terminal device to switch from the first network to the second network; 当所述终端设备中存在原生的所述第三网络的安全上下文时,所述终端设备将所述第三网络的安全上下文设置为当前使用的安全上下文;When the terminal device has a native security context of the third network, the terminal device sets the security context of the third network to the currently used security context; 所述终端设备向所述第二网络中的移动性管理实体发送使用所述第三网络的安全上下文保护的跟踪区更新TAU请求信息。The terminal device sends to the mobility management entity in the second network the TAU request information using the tracking area protected by the security context of the third network. 根据权利要求1所述的方法,其特征在于,所述终端设备接收第一信息之后,还包括:The method according to claim 1, wherein after receiving the first information, the terminal device further comprises: 所述终端设备删除所述第一网络的安全上下文。Deleting, by the terminal device, the security context of the first network. 根据权利要求2所述的方法,其特征在于,所述跟踪区更新请求信息包括第五代5G全局唯一临时终端设备标识映射的第四代4G全局唯一临时终端设备标识和密钥集标识符。The method according to claim 2, wherein the tracking area update request information comprises a fourth-generation 4G globally unique temporary terminal equipment identifier and a key set identifier of a fifth-generation 5G globally unique temporary terminal equipment identifier mapping. 根据权利要求1至3中任一项所述的方法,其特征在于,所述第一信息为无线资源控制RRC释放信息。The method according to any one of claims 1 to 3, wherein the first information is radio resource control RRC release information. 
5. The method according to any one of claims 1 to 4, further comprising:
when no native security context of the third network exists in the terminal device, deleting, by the terminal device, the security context of the first network; and
sending, by the terminal device, a tracking area update request message without integrity protection to the mobility management entity, so that the mobility management entity performs a re-authentication procedure.

6. The method according to any one of claims 1 to 5, wherein the first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.

7. A terminal device, applied to a scenario in which the terminal device returns to a second network after switching from a third network to a first network, comprising:
a transceiver module, configured to receive first information, the first information including indication information instructing the terminal device to switch from the first network to the second network;
a processing module, configured to set the security context of the third network as the currently used security context when a native security context of the third network exists in the terminal device; and
the transceiver module being further configured to send, to a mobility management entity in the second network, a tracking area update (TAU) request message protected using the security context of the third network.

8. The terminal device according to claim 7, wherein after the transceiver module receives the first information, the processing module is further configured to delete the security context of the first network.

9. The terminal device according to claim 7 or 8, wherein the tracking area update request message includes a fourth-generation (4G) globally unique temporary terminal device identifier mapped from the fifth-generation (5G) globally unique temporary terminal device identifier, and a key set identifier.

10. The terminal device according to any one of claims 7 to 9, wherein the first information is a radio resource control (RRC) release message.

11. The terminal device according to any one of claims 7 to 10, wherein the processing module is further configured to:
delete the security context of the first network when no native security context of the third network exists in the terminal device; and
the transceiver module is further configured to send a tracking area update request message without integrity protection to the mobility management entity, so that the mobility management entity performs a re-authentication procedure.

12. The terminal device according to any one of claims 7 to 11, wherein the first network is a third-generation (3G) or second-generation (2G) network, the second network is a fourth-generation (4G) network, and the third network is a fifth-generation (5G) network.

13. A terminal device, comprising a processor and a memory, wherein the memory is configured to store instructions and the processor is configured to read the instructions stored in the memory, so that the terminal device implements the method according to any one of claims 1 to 6.

14. A computer-readable medium, comprising a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 6.

15. A computer program product, comprising computer program code which, when run on a computer, causes the computer to implement the method according to any one of claims 1 to 6.
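The claims above describe a decision the terminal device makes on its way back to 4G: if a native 5G security context is still held, it becomes the current context and the TAU request is integrity protected with it (carrying the mapped 4G GUTI and key set identifier); otherwise the TAU is sent unprotected so the mobility management entity runs a fresh authentication, and in both cases the 3G/2G context is discarded. The following Python model is an added illustration of that procedure, not code from the patent or from Huawei. It assumes a truncated HMAC-SHA256 as a stand-in for the NAS integrity algorithm, a placeholder string mapping for the 5G-to-4G GUTI, constructed keys and identifiers, and an MME that already holds the 5G context under the mapped GUTI (in the real system it would be retrieved from the 5G core). The security point it makes visible: an unprotected or unverifiable TAU never silently reuses a context; it always falls back to re-authentication.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Network roles as named in the claims: first = 3G/2G, second = 4G, third = 5G.
FIRST_NETWORK, SECOND_NETWORK, THIRD_NETWORK = "3G/2G", "4G", "5G"


@dataclass
class SecurityContext:
    network: str      # network in which this context was established
    native: bool      # True when established by a full authentication in that network
    ksi: int          # key set identifier (constructed value)
    k_nas_int: bytes  # NAS integrity key (constructed placeholder, not a real derivation)


@dataclass
class TauRequest:
    guti_4g: str          # 4G GUTI, mapped from the 5G GUTI
    ksi: Optional[int]    # key set identifier, None when the request is unprotected
    mac: Optional[bytes]  # message authentication code, None = no integrity protection

    def payload(self) -> bytes:
        return f"TAU:{self.guti_4g}:{self.ksi}".encode()


def nas_mac(k_nas_int: bytes, payload: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for the NAS integrity algorithm.
    return hmac.new(k_nas_int, payload, hashlib.sha256).digest()[:4]


def map_5g_guti_to_4g(guti_5g: str) -> str:
    # Assumption: placeholder mapping; the real 3GPP field mapping is not reproduced.
    return "4G-" + guti_5g


class TerminalDevice:
    def __init__(self, guti_5g: str, contexts: List[SecurityContext]):
        self.guti_5g = guti_5g
        self.contexts: Dict[str, SecurityContext] = {c.network: c for c in contexts}
        self.current: Optional[SecurityContext] = None

    def on_switch_indication(self, target: str) -> TauRequest:
        """Handle the first information (e.g. RRC release) indicating a switch to `target`."""
        if target != SECOND_NETWORK:
            raise ValueError("model only covers the return to the second (4G) network")
        # The first-network (3G/2G) context is deleted on either branch.
        self.contexts.pop(FIRST_NETWORK, None)
        ctx = self.contexts.get(THIRD_NETWORK)
        if ctx is not None and ctx.native:
            # Native 5G context present: make it current and protect the TAU with it.
            self.current = ctx
            req = TauRequest(map_5g_guti_to_4g(self.guti_5g), ctx.ksi, None)
            req.mac = nas_mac(ctx.k_nas_int, req.payload())
            return req
        # No native 5G context: send the TAU unprotected so the MME re-authenticates.
        self.current = None
        return TauRequest(map_5g_guti_to_4g(self.guti_5g), None, None)


class MobilityManagementEntity:
    def __init__(self, contexts_by_guti: Dict[str, SecurityContext]):
        # Assumption: the 5G context has already been retrieved and is keyed by mapped GUTI.
        self.contexts_by_guti = contexts_by_guti

    def handle_tau(self, req: TauRequest) -> str:
        if req.mac is None:
            return "re-authentication"          # unprotected TAU: never trust, re-run AKA
        ctx = self.contexts_by_guti.get(req.guti_4g)
        if ctx is None or ctx.ksi != req.ksi:
            return "re-authentication"          # unknown identity or mismatched key set
        expected = nas_mac(ctx.k_nas_int, req.payload())
        if not hmac.compare_digest(expected, req.mac):
            return "re-authentication"          # integrity check failed
        return "accepted"


def run_scenario(native_5g: bool, has_5g: bool = True):
    """Return (MME outcome, TAU was protected, 3G/2G context still present)."""
    ctx_5g = SecurityContext(THIRD_NETWORK, native_5g, 3, b"constructed-5g-nas-int-key")
    ctx_3g = SecurityContext(FIRST_NETWORK, True, 1, b"constructed-3g-key")
    ue = TerminalDevice("5G-GUTI-0001", [ctx_3g] + ([ctx_5g] if has_5g else []))
    mme = MobilityManagementEntity(
        {map_5g_guti_to_4g("5G-GUTI-0001"): ctx_5g} if has_5g else {})
    req = ue.on_switch_indication(SECOND_NETWORK)
    return mme.handle_tau(req), req.mac is not None, FIRST_NETWORK in ue.contexts


if __name__ == "__main__":
    print("native 5G context:", run_scenario(True))
    print("mapped (non-native) 5G context:", run_scenario(False))
    print("no 5G context at all:", run_scenario(True, has_5g=False))
```

The three scenarios in `run_scenario` map onto claims 1 to 5 (native context kept and used; no native context, re-authentication) and claims 8 and 11 (the 3G/2G context is gone in every case). The tamper branch in the MME is the reason the protected path is safe to accept without a new AKA run: a TAU whose identity, key set or MAC does not match the held context is treated exactly like an unprotected one.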
PCT/CN2019/105508 2018-09-15 2019-09-12 Switching method and terminal device Ceased WO2020052613A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811077476.XA CN110913393B (en) 2018-09-15 2018-09-15 Handover method and terminal device
CN201811077476.X 2018-09-15

Publications (1)

Publication Number Publication Date
WO2020052613A1 true WO2020052613A1 (en) 2020-03-19

Family

ID=69776759

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/105508 Ceased WO2020052613A1 (en) 2018-09-15 2019-09-12 Switching method and terminal device

Country Status (2)

Country Link
CN (1) CN110913393B (en)
WO (1) WO2020052613A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115776673A (en) * 2021-09-08 2023-03-10 大唐移动通信设备有限公司 Satellite communication system, authentication method and device
US20230156530A1 (en) * 2020-04-08 2023-05-18 Samsung Electronics Co., Ltd. Method and device for supporting voice handover in wireless communication system

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022027526A1 (en) * 2020-08-06 2022-02-10 Oppo广东移动通信有限公司 Access method, terminal device and network device
WO2022067815A1 (en) * 2020-09-30 2022-04-07 华为技术有限公司 Communication method and apparatus, and device
CN116250263A (en) * 2020-10-26 2023-06-09 华为技术有限公司 An information transmission method and device
CN112822736B (en) * 2021-01-05 2022-03-15 山东大学 An autonomous switching wireless communication system and method for robots
EP4044553A1 (en) * 2021-02-15 2022-08-17 Koninklijke Philips N.V. Method and device to provide a security level for communication
CN113115318B (en) * 2021-03-18 2022-08-12 中国联合网络通信集团有限公司 Communication control method and device
CN120019688A (en) * 2022-08-09 2025-05-16 上海诺基亚贝尔股份有限公司 Mobility between gateway devices in non-3GPP access
WO2025081395A1 (en) * 2023-10-18 2025-04-24 北京小米移动软件有限公司 Security context processing method, communication device and storage medium
WO2025175429A1 (en) * 2024-02-19 2025-08-28 Nokia Shanghai Bell Co., Ltd. Enhancements to support rrc_inactive state
WO2025156438A1 (en) * 2024-04-07 2025-07-31 Zte Corporation Techniques for security algorithm selection in handover from evolved packet system to 5g system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771990A (en) * 2008-12-31 2010-07-07 华为技术有限公司 Key acquisition method, equipment and system
WO2016134536A1 (en) * 2015-02-28 2016-09-01 华为技术有限公司 Key generation method, device and system
US20170134996A1 (en) * 2014-06-23 2017-05-11 Nec Corporation Communication system adapted for key derivation during handover
CN108024296A (en) * 2016-11-04 2018-05-11 华为技术有限公司 Method, system and the mobile management network element of handover network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610506B (en) * 2008-06-16 2012-02-22 上海华为技术有限公司 Method and device for preventing network security out of sync
CN102025685B (en) * 2009-09-21 2013-09-11 华为技术有限公司 Authentication processing method and device
CN103781069B (en) * 2012-10-19 2017-02-22 华为技术有限公司 Bidirectional-authentication method, device and system

Also Published As

Publication number Publication date
CN110913393B (en) 2021-09-07
CN110913393A (en) 2020-03-24

Similar Documents

Publication Publication Date Title
CN110913393B (en) Handover method and terminal device
US11490436B2 (en) User plane relocation techniques in wireless communication systems
JP6950141B2 (en) Communication method and communication equipment
US10958692B2 (en) Security capability negotiation method, system, and equipment
US20220330361A1 (en) Method for establishing connection and obtaining relay service code and communications apparatus
CN108574969B (en) Connection processing method and device in multi-access scenario
US11523308B2 (en) Methods, apparatuses, and systems for voice service handover
CN101754191B (en) Method for handling handover security setting and related communication device
WO2020052531A1 (en) Method and apparatus for acquiring security context
WO2020029938A1 (en) Secure conversation method and device
CN102158855B (en) Method and communication device for handling continuity handover security of single wireless voice call
JP2020505816A (en) Communication method, access network device, core network device, and user device
WO2008023162A2 (en) Methods for call continuity telecommunication systems
US11576092B2 (en) Handover handling method and apparatus
US10602404B2 (en) Data offloading method and base station
WO2020001226A1 (en) Redirection method, communication system, and communication device
US20220141664A1 (en) Data transmission method and apparatus in network slice architecture
CN116671085A (en) Apparatus and method for deleting new radio cell not supporting new radio voice from measurement report
WO2022007639A1 (en) Application management method and apparatus
CN102790965B (en) Changing method, base station, subscriber equipment and mobile management entity
CN102413461B (en) Method for negotiating safety capacity
CN112789896B (en) Method and device for switching transmission path
WO2020233496A1 (en) Secure session method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19860143

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19860143

Country of ref document: EP

Kind code of ref document: A1