WO2023216272A1

WO2023216272A1 - Key management method and apparatus, and device and storage medium

Info

Publication number: WO2023216272A1
Application number: PCT/CN2022/092885
Authority: WO
Inventors: 梁浩然; 陆伟
Original assignee: Beijing Xiaomi Mobile Software Co Ltd
Current assignee: Beijing Xiaomi Mobile Software Co Ltd
Priority date: 2022-05-13
Filing date: 2022-05-13
Publication date: 2023-11-16
Anticipated expiration: 2024-11-13
Also published as: CN117413554A

Abstract

The present application relates to the field of communications and discloses a key management method and apparatus, and a device and a storage medium. The method is applied to a roaming scenario, and the key management method performed by a proxy entity in a serving network comprises: receiving an application key obtaining request sent by an AF in the serving network; and feeding back an AKMA application key response to the AF in the serving network, the AKMA application key response comprising AKMA application key information of the AF in the serving network.

Description

Key management method, device, equipment and storage medium

Technical field

本申请涉及通信领域，特别涉及一种密钥管理方法、装置、设备及存储介质。The present application relates to the field of communications, and in particular to a key management method, device, equipment and storage medium.

Background technique

目前，基于3GPP凭证的应用认证与密钥管理(Authentication and Key Management for Applications based on 3GPP credentials，AKMA)已在邻近服务(Proximity based Service，ProSe)和第五代移动通信技术消息业务(Message within 5G，MSGin5G)等场景中，作为一种解决方式来保护终端与应用功能(Application Function，AF)之间通信。但相关技术中，漫游场景下如何进行AKMA尚没有可行方案。Currently, Authentication and Key Management for Applications based on 3GPP credentials (AKMA) has been used in Proximity based Service (ProSe) and the fifth generation mobile communication technology message service (Message within 5G). , MSGin5G) and other scenarios, as a solution to protect the communication between the terminal and the application function (Application Function, AF). However, in related technologies, there is no feasible solution for how to perform AKMA in roaming scenarios.

发明内容Contents of the invention

本申请实施例提供了一种密钥管理方法、装置、设备及存储介质，用于在漫游场景下，基于服务网络中的代理实体进行密钥请求。所述技术方案如下：Embodiments of the present application provide a key management method, device, equipment and storage medium for performing key requests based on a proxy entity in a service network in a roaming scenario. The technical solutions are as follows:

根据本申请的一个方面，提供了一种密钥管理方法，应用于漫游场景中，所述方法由服务网络中的代理实体执行，所述方法包括：According to one aspect of the present application, a key management method is provided, which is applied in a roaming scenario. The method is executed by a proxy entity in the service network. The method includes:

接收服务网络中的AF发送的AKMA应用密钥请求；Receive the AKMA application key request sent by the AF in the service network;

向服务网络中的AF反馈AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。Feed back the AKMA application key response to the AF in the service network, and the AKMA application key response includes the AKMA application key information of the AF in the service network.

根据本申请的一个方面，提供了一种密钥管理方法，应用于漫游场景中，所述方法由归属网络中的AAnF执行，所述方法包括：According to one aspect of the present application, a key management method is provided, which is applied in a roaming scenario. The method is executed by the AAnF in the home network. The method includes:

接收服务网络中的代理实体发送的应用密钥获取请求；Receive the application key acquisition request sent by the proxy entity in the service network;

在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥；When the AKMA key of the terminal is stored in the AAnF in the home network, the AKMA application key of the AF in the serving network is generated based on the AKMA key of the terminal;

向服务网络中的代理实体反馈应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。The application key acquisition response is fed back to the proxy entity in the service network, and the application key acquisition response includes the AKMA application key information of the AF in the service network.

根据本申请的一个方面，提供了一种密钥管理方法，应用于漫游场景中，所述方法由服务网络中的应用功能执行，所述方法包括：According to one aspect of the present application, a key management method is provided, which is applied in a roaming scenario. The method is executed by an application function in the service network. The method includes:

接收终端发送的服务网络标识符和AKMA密钥标识符；Receive the service network identifier and AKMA key identifier sent by the terminal;

在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求；When the service network identifier of the terminal is inconsistent with the home network identifier, send an AKMA application key request to the proxy entity in the service network;

接收服务网络中的代理实体反馈的AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。Receive the AKMA application key response fed back by the proxy entity in the service network. The AKMA application key response includes the AKMA application key information of the AF in the service network.

根据本申请的一个方面，提供了一种密钥管理方法，应用于漫游场景中，所述方法由终端执行，所述方法包括：According to one aspect of the present application, a key management method is provided, which is applied in a roaming scenario. The method is executed by a terminal. The method includes:

向服务网络中的AF发送服务网络标识符和AKMA密钥标识符，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。Send the service network identifier and AKMA key identifier to the AF in the service network. The service network identifier is used to trigger the AF in the service network to send the service network identifier to the service network when the service network identifier of the terminal is inconsistent with the home network identifier. The proxy entity sends the AKMA application key request.

根据本申请的一个方面，提供了一种密钥管理装置，所述装置包括：According to one aspect of the present application, a key management device is provided, and the device includes:

接收模块，用于接收服务网络中的AF发送的AKMA应用密钥请求；The receiving module is used to receive the AKMA application key request sent by the AF in the service network;

发送模块，还用于向服务网络中的AF反馈AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The sending module is also used to feed back an AKMA application key response to the AF in the service network. The AKMA application key response includes the AKMA application key information of the AF in the service network.

接收模块，用于接收服务网络中的代理实体发送的应用密钥获取请求；The receiving module is used to receive the application key acquisition request sent by the proxy entity in the service network;

生成模块，用于在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥；A generation module, configured to generate the AKMA application key of the AF in the service network based on the AKMA key of the terminal when the AKMA key of the terminal is stored in the AAnF in the home network;

发送模块，用于向服务网络中的代理实体反馈应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。The sending module is configured to feed back an application key acquisition response to the proxy entity in the service network, where the application key acquisition response includes the AKMA application key information of the AF in the service network.

接收模块，用于接收终端发送的服务网络标识符和AKMA密钥标识符；The receiving module is used to receive the service network identifier and AKMA key identifier sent by the terminal;

发送模块，用于在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求；A sending module, configured to send an AKMA application key request to the proxy entity in the serving network when the terminal's serving network identifier is inconsistent with the home network identifier;

接收模块，还用于接收服务网络中的代理实体反馈的AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The receiving module is also configured to receive an AKMA application key response fed back by the proxy entity in the service network. The AKMA application key response includes the AKMA application key information of the AF in the service network.

发送模块，用于向服务网络中的AF发送服务网络标识符和AKMA密钥标识符，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。The sending module is used to send the service network identifier and the AKMA key identifier to the AF in the service network. The service network identifier is used to trigger the AF in the service network when the service network identifier of the terminal is inconsistent with the home network identifier. , sends an AKMA application key request to the proxy entity in the service network.

根据本申请的一个方面，提供了一种代理实体，所述代理实体包括通信组件；According to one aspect of the present application, a proxy entity is provided, the proxy entity includes a communication component;

通信组件，用于接收服务网络中的AF发送的AKMA应用密钥请求；The communication component is used to receive the AKMA application key request sent by the AF in the service network;

根据本申请的一个方面，提供了一种AAnF，所述AAnF包括通信组件和处理器；According to one aspect of the present application, an AAnF is provided, the AAnF including a communication component and a processor;

通信组件，用于接收服务网络中的代理实体发送的应用密钥获取请求；The communication component is used to receive the application key acquisition request sent by the proxy entity in the service network;

处理器，用于在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥；A processor configured to generate the AKMA application key of the AF in the service network based on the AKMA key of the terminal when the AKMA key of the terminal is stored in the AAnF in the home network;

通信组件，还用于向服务网络中的代理实体反馈应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。The communication component is also used to feed back an application key acquisition response to the proxy entity in the service network. The application key acquisition response includes the AKMA application key information of the AF in the service network.

根据本申请的一个方面，提供了一种AF，所述AF包括通信组件；According to one aspect of the present application, an AF is provided, the AF including a communication component;

通信组件，用于接收终端发送的服务网络标识符和AKMA密钥标识符；Communication component, used to receive the service network identifier and AKMA key identifier sent by the terminal;

根据本申请的一个方面，提供了一种终端，所述终端包括收发器；According to one aspect of the present application, a terminal is provided, the terminal including a transceiver;

收发器，用于向服务网络中的AF发送服务网络标识符和AKMA密钥标识符，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。The transceiver is used to send the service network identifier and the AKMA key identifier to the AF in the service network. The service network identifier is used to trigger the AF in the service network when the service network identifier of the terminal is inconsistent with the home network identifier. , sends an AKMA application key request to the proxy entity in the service network.

根据本申请的一个方面，提供了一种计算机可读存储介质，存储介质中存储有计算机程序，所述计算机程序用于被处理器执行，以实现如上所述的密钥管理方法。According to one aspect of the present application, a computer-readable storage medium is provided, and a computer program is stored in the storage medium, and the computer program is used to be executed by a processor to implement the key management method as described above.

根据本申请的一个方面，提供了一种芯片，芯片包括可编程逻辑电路和/或程序指令，当芯片运行时，用于实现如上所述的密钥管理方法。According to one aspect of the present application, a chip is provided. The chip includes programmable logic circuits and/or program instructions, and is used to implement the key management method as described above when the chip is running.

根据本申请的一个方面，提供了一种计算机程序产品，计算机程序产品包括计算机指令，计算机指令存储在计算机可读存储介质中，处理器从计算机可读存储介质读取并执行计算机指令，以实现如上所述的密钥管理方法。According to one aspect of the present application, a computer program product is provided. The computer program product includes computer instructions. The computer instructions are stored in a computer-readable storage medium. The processor reads and executes the computer instructions from the computer-readable storage medium to implement Key management methods as described above.

本申请实施例提供的技术方案至少包括如下有益效果：The technical solutions provided by the embodiments of this application at least include the following beneficial effects:

提供了一种应用于漫游场景下的密钥管理方法，基于服务网络中的代理实体、服务网络中的应用功能和归属网络中的应用认证与密钥管理的锚点功能网元之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得终端能够获取到服务网络中的应用功能的AKMA应用密钥信息。Provides a key management method applied in roaming scenarios, based on the interaction between the proxy entity in the service network, the application function in the service network, and the anchor function network element of application authentication and key management in the home network , can implement AKMA application key request and AKMA application key response, so that the terminal can obtain AKMA application key information serving application functions in the network.

Description of the drawings

为了更清楚地说明本申请实施例中的技术方案，下面将对实施例描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本申请的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application. For those of ordinary skill in the art, other drawings can also be obtained based on these drawings without exerting creative efforts.

图1是本申请一个示例性实施例提供的AKMA服务的网络架构示意图；Figure 1 is a schematic diagram of the network architecture of the AKMA service provided by an exemplary embodiment of the present application;

图2是本申请一个示例性实施例提供的生成AKMA密钥的流程图；Figure 2 is a flow chart for generating AKMA keys provided by an exemplary embodiment of the present application;

图3是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 3 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图4是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 4 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图5是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 5 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图6是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 6 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图7是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 7 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图8是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 8 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图9是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 9 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图10是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 10 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图11是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 11 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图12是本申请一个示例性实施例提供的密钥管理方法的流程图；Figure 12 is a flow chart of a key management method provided by an exemplary embodiment of the present application;

图13是本申请一个示例性实施例提供的密钥管理装置的示意图；Figure 13 is a schematic diagram of a key management device provided by an exemplary embodiment of the present application;

图14是本申请一个示例性实施例提供的密钥管理装置的示意图；Figure 14 is a schematic diagram of a key management device provided by an exemplary embodiment of the present application;

图15是本申请一个示例性实施例提供的密钥管理装置的示意图；Figure 15 is a schematic diagram of a key management device provided by an exemplary embodiment of the present application;

图16是本申请一个示例性实施例提供的密钥管理装置的示意图；Figure 16 is a schematic diagram of a key management device provided by an exemplary embodiment of the present application;

图17是本申请一个示例性实施例提供的通信设备的结构示意图；Figure 17 is a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application;

图18是本申请一个示例性实施例提供的网元设备的结构示意图。Figure 18 is a schematic structural diagram of a network element device provided by an exemplary embodiment of the present application.

Detailed ways

为使本申请的目的、技术方案和优点更加清楚，下面将结合附图对本申请实施方式作进一步地详细描述。这里将详细地对示例性实施例进行说明，其示例表示在附图中。下面的描述涉及附图时，除非另有表示，不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本申请相一致的所有实施方式。相反，它们仅是与如所附权利要求书中所详述的、本申请的一些方面相一致的装置和方法的例子。In order to make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings. Exemplary embodiments will be described in detail herein, examples of which are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the appended claims.

在本公开使用的术语是仅仅出于描述特定实施例的目的，而非旨在限制本公开。在本公开和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式，除非上下文清楚地表示其他含义。还应当理解，本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "the" and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise. It will also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.

应当理解，尽管在本公开可能采用术语第一、第二、第三等来描述各种信息，但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如，在不脱离本公开范围的情况下，第一信息也可以被称为第二信息，类似地，第二信息也可以被称为第一信息。取决于语境，如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that although the terms first, second, third, etc. may be used in this disclosure to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the present disclosure, the first information may also be called second information, and similarly, the second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when" or "when" or "in response to determining."

首先，对本申请实施例涉及的相关技术背景进行介绍：First, the relevant technical background involved in the embodiments of this application is introduced:

第五代移动通信(5th Generation Mobile Communication Technology，5G)系统：Fifth Generation Mobile Communication Technology (5G) system:

5G系统包括终端、接入网和核心网。其中，终端是具有无线收发功能的设备，该终端可以部署在陆地上、水面上和空中等。该终端可以应用于无人驾驶(Self Driving)、远程医疗(Remote Medical)、智能电网(Smart Grid)、运输安全(Transportation Safety)、智慧城市(Smart City)、智慧家庭(Smart Home)等中的至少一个场景中。The 5G system includes terminals, access networks and core networks. Among them, the terminal is a device with wireless transceiver function, which can be deployed on land, water, air, etc. The terminal can be used in self-driving, remote medical, smart grid, transportation safety, smart city, smart home, etc. At least in one scene.

其中，接入网用于实现接入有关的功能，可以为特定区域的授权用户提供入网功能。接入网在终端设备与核心网之间转发控制信号和用户数据。接入网可以包括接入网络设备，接入网络设备可以是为终端设备提供接入的设备，可以包括无线接入网(Radio Access Network，RAN)设备和AN设备。RAN设备主要是3GPP网络中的无线网络设备，AN设备可以是非3GPP定义的接入网络设备。在采用不同的无线接入技术的系统中，具备基站功能的设备的名称可能会有所不同，例如，在5G系统中，称为R AN或者下一代基站(Next Generation Node Basestation，gNB)；在长期演进(Long Term Evolution，LTE)系统中，称为演进的节点B(evolved NodeB，eNB或eNodeB)。Among them, the access network is used to implement access-related functions and can provide network access functions for authorized users in a specific area. The access network forwards control signals and user data between terminal equipment and the core network. The access network may include access network equipment, which may be equipment that provides access to terminal equipment, and may include Radio Access Network (RAN) equipment and AN equipment. RAN equipment is mainly wireless network equipment in the 3GPP network, and AN equipment can be non-3GPP-defined access network equipment. In systems using different wireless access technologies, the names of equipment with base station functions may be different. For example, in 5G systems, they are called RAN or Next Generation Node Basestation (gNB); in 5G systems, they are called RAN or Next Generation Node Basestation (gNB); In the Long Term Evolution (LTE) system, it is called evolved NodeB (eNB or eNodeB).

其中，核心网负责维护移动网络的签约数据，为终端提供会话管理、移动性管理、策略管理以及安全认证等功能。核心网可以包括如下网元：用户面功能(User Plane Function，UPF)、认证服务功能(Authentication Server Function，AUSF)、接入和移动性管理功能(Access and Mobility Management Function，AMF)、会话管理功能(Session Management Function，SMF)、网络开放功能(Network Exposure Function，NEF)、网络功能仓储功能(Network Function Repository Function，NRF)、策略控制功能(Policy Control Function，PCF)和统一数据管理(Unified Data Management，UDM)，可选的，还可以包括应用功能(Application Function，AF)和统一数据存储库(Unified Data Repository，UDR)。本申请实施例中，将UDM和UDR统称为数据管理网元。Among them, the core network is responsible for maintaining mobile network subscription data and providing terminals with functions such as session management, mobility management, policy management, and security authentication. The core network can include the following network elements: User Plane Function (UPF), Authentication Server Function (AUSF), Access and Mobility Management Function (AMF), and Session Management Function (Session Management Function, SMF), Network Exposure Function (NEF), Network Function Repository Function (NRF), Policy Control Function (Policy Control Function, PCF) and Unified Data Management (Unified Data Management , UDM), optionally, it can also include application function (Application Function, AF) and unified data repository (Unified Data Repository, UDR). In the embodiment of this application, UDM and UDR are collectively referred to as data management network elements.

AMF，主要负责移动网络中的移动性管理，例如用户位置更新、用户注册网络、用户切换等。SMF，主要负责移动网络中的会话管理，例如会话建立、修改、释放。UPF，负责终端设备中用户数据的转发和接收，可以从数据网络接收用户数据，通过接入网络设备传输给终端设备；还可以通过接入网络设备从终端设备接收用户数据，转发至数据网络。PCF，主要支持提供统一的策略框架来控制网络行为，提供策略规则给控制层网络功能，同时负责获取与策略决策相关的用户签约信息。AUSF，用于执行终端的安全认证。NEF，主要用于支持能力和事件的开放。NRF，用于为其它网元提供网络功能实体信息的存储功能和选择功能。UDM，用于存储用户数据，例如签约数据、鉴权/授权数据等。AF与3GPP核心网交互用于提供应用层服务，例如提供关于应用层数据路由，提供接入网络能力开放功能，与策略框架进行交互以提供策略控制，与5G网络的IP多媒体子系统(IP Multimedia Subsystem，IMS)交互等。AMF is mainly responsible for mobility management in mobile networks, such as user location update, user registration network, user switching, etc. SMF is mainly responsible for session management in mobile networks, such as session establishment, modification, and release. UPF is responsible for forwarding and receiving user data in terminal devices. It can receive user data from the data network and transmit it to the terminal device through the access network device. It can also receive user data from the terminal device through the access network device and forward it to the data network. PCF mainly supports providing a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is also responsible for obtaining user subscription information related to policy decisions. AUSF is used to perform security authentication of terminals. NEF is mainly used to support the opening of capabilities and events. NRF is used to provide storage and selection functions for network function entity information for other network elements. UDM is used to store user data, such as contract data, authentication/authorization data, etc. AF interacts with the 3GPP core network to provide application layer services, such as providing application layer data routing, providing access network capability opening functions, interacting with the policy framework to provide policy control, and interacting with the IP Multimedia subsystem (IP Multimedia) of the 5G network. Subsystem, IMS) interaction, etc.

其中，数据网络(Data Network，DN)用于为用户提供业务服务，可以是私有网络，例如局域网；也可以是不受运营商管控的外部网络，例如互联网(Internet)；还可以是运营商共同部署的专有网络，例如IMS的网络。终端设备可通过建立的协议数据单元(Protocol Data Unit，PDU)会话，来访问DN。Among them, the Data Network (DN) is used to provide business services to users. It can be a private network, such as a local area network; it can also be an external network that is not controlled by the operator, such as the Internet; it can also be a shared network by the operator. Deployed private network, such as IMS network. The terminal device can access the DN through the established Protocol Data Unit (PDU) session.

应当理解，在本申请的一些实施例中，“5G”也可以称为“5G新空口(New Radio，NR)”或“NR”，“终端”也可以称为“终端设备”或“用户设备(User Equipment，UE)”。本申请的一些实施例中描述的技术方案可以适用于5G系统，也可以适用于5G系统后续的演进系统，还可以适用于6G以及后续的演进系统。It should be understood that in some embodiments of this application, "5G" may also be called "5G New Radio (NR)" or "NR", and "terminal" may also be called "terminal equipment" or "user equipment". (User Equipment, UE)". The technical solutions described in some embodiments of this application may be applicable to 5G systems, and may also be applicable to subsequent evolution systems of the 5G system, and may also be applicable to 6G and subsequent evolution systems.

基于3GPP凭证的应用认证与密钥管理(Authentication and Key Management for Applications based on 3GPP credentials，AKMA)服务：Authentication and Key Management for Applications based on 3GPP credentials (AKMA) service:

支持AKMA服务的UE，在与支持AKMA服务的AF进行数据传输时，可以基于AKMA流程的安全保护以提高数据传输的安全性。例如，AF对应于某个视频应用服务器，支持AKMA服务的UE与该AF进行数据传输时，相比于传统UE和AF的无保护的传输方法，使用AKMA服务可提高数据传输的安全性。示例性的，可参见图1所示的AKAM服务的网络架构示意图。图1所示的网络架构包括UE、接入网(Radio Access Network，(R)AN)、AUSF、AMF、AF、NEF、AKMA的锚点功能网元(AKMA Anchor Function，AAnF)和UDM。When a UE that supports the AKMA service transmits data with an AF that supports the AKMA service, the security protection of the AKMA process can be used to improve the security of data transmission. For example, an AF corresponds to a video application server. When a UE that supports the AKMA service transmits data to the AF, compared with the unprotected transmission method of traditional UE and AF, using the AKMA service can improve the security of data transmission. For example, see the network architecture diagram of the AKAM service shown in Figure 1. The network architecture shown in Figure 1 includes UE, access network (Radio Access Network, (R)AN), AUSF, AMF, AF, NEF, AKMA anchor function network element (AKMA Anchor Function, AAnF) and UDM.

图1示出了本申请一个示例性实施例提供的AKMA服务的网络架构示意图，图2示出了本申请一个示例性实施例提供的生成AKMA密钥的流程图。Figure 1 shows a schematic network architecture diagram of the AKMA service provided by an exemplary embodiment of the present application, and Figure 2 shows a flow chart of generating an AKMA key provided by an exemplary embodiment of the present application.

参考图1，UE与AF进行通信存在三种方式，一种是UE通过(R)AN和AMF与AF进行通信，一种是UE通过AMF与AF进行通信，一种是UE通过Ua*接口直接与AF进行通信。其中，Ua*接口为UE与AF之间的通信接口。Referring to Figure 1, there are three ways for the UE to communicate with the AF. One is that the UE communicates with the AF through (R)AN and AMF, one is that the UE communicates with the AF through AMF, and the other is that the UE communicates directly with the Ua* interface. Communicate with AF. Among them, the Ua* interface is the communication interface between the UE and the AF.

参考图1，在AKMA服务中，AUSF可以生成AKMA服务的密钥(即AKMA密钥)，并向AAnF提供UE的AKMA服务的密钥。其中，AKMA服务的密钥可以是K _AKMA，也可以称为AKMA服务的根密钥。UE侧也会自己生成相同的AKMA服务的密钥，即生成相同的K _AKMA。 Referring to Figure 1, in the AKMA service, the AUSF can generate the key of the AKMA service (ie, the AKMA key) and provide the key of the UE's AKMA service to the AAnF. Among them, the key of the AKMA service may be K _AKMA , which may also be called the root key of the AKMA service. The UE side will also generate the same key for the AKMA service, that is, generate the same K _AKMA .

示例性的，生成AKMA服务的密钥的过程可参见图2所示。UE在向5G核心网注册的过程中，UE通过RAN向AMF发送注册请求，注册请求携带UE的身份信息，AMF根据UE的身份信息(例如隐藏的身份标识(Subscriber Concealed Identifier，SUCI))选择AUSF，向该AUSF发送消息触发主鉴权流程；该AUSF对UE进行鉴权，向AMF发送鉴权参数；AMF通过RAN向UE发送鉴权参数，UE根据鉴权参数对AUSF进行鉴权，通过RAN向AMF发送响应，AMF对比响应，符合则鉴权成功。图2中的主鉴权(Primary Authentication)，即为注册过程中，AUSF对UE进行鉴权，UE对AUSF进行鉴权的过程，主鉴权也可以描述为双向鉴权，具体可以参考3GPP TS33.501-g106.1章节相关描述。图2中，在主鉴权之后，AUSF可以使用主鉴权过程中生成的中间密钥，如K _AUSF，生成K _AKMA，以及为K _AKMA生成密钥标识信息。密钥标识信息可用于标识K _AKMA，例如可以是K _AKMA标识符(K _AKMA Identifier，A-KID)。UE可在主鉴权之后，发起AKMA服务之前，使用主鉴权过程中生成的中间密钥，如K _AUSF，生成K _AKMA和以及为K _AKMA生成密钥标识信息。可以理解的是，UE和AUSF分别在本地生成相同的K _AUSF、K _AKMA以及密钥标识信息。 As an example, the process of generating a key for the AKMA service can be seen in Figure 2. When the UE registers with the 5G core network, the UE sends a registration request to the AMF through the RAN. The registration request carries the UE's identity information. The AMF selects the AUSF based on the UE's identity information (such as the hidden identity identifier (Subscriber Concealed Identifier, SUCI)). , sending a message to the AUSF to trigger the main authentication process; the AUSF authenticates the UE and sends authentication parameters to the AMF; the AMF sends the authentication parameters to the UE through the RAN, and the UE authenticates the AUSF based on the authentication parameters and passes the RAN Send a response to AMF, and AMF compares the responses. If they match, the authentication is successful. Primary Authentication in Figure 2 is the process in which the AUSF authenticates the UE and the UE authenticates the AUSF during the registration process. Primary authentication can also be described as two-way authentication. For details, please refer to 3GPP TS33 .501-g106.1 chapter related description. In Figure 2, after primary authentication, AUSF can use the intermediate key generated during the primary authentication process, such as _KAUSF , to generate _KAKMA , and generate key identification information for _KAKMA . The key identification information can be used to identify _KAKMA , for example, it can be a _KAKMA identifier ( _KAKMA Identifier, A-KID). After the primary authentication and before initiating the AKMA service, the UE can use the intermediate key generated during the primary authentication process, such as _KAUSF , to generate _KAKMA and key identification information for _KAKMA . It can be understood that the UE and the AUSF locally generate the same _KAUSF , _KAKMA and key identification information respectively.

图1中，AAnF可以与AUSF进行交互，从AUSF获取AKMA服务的密钥，并根据AKMA服务的密钥和AF的标识，生成该AF与UE之间的通信密钥以及该通信密钥的有效时间。AAnF可将该通信密钥以及该通信密钥的有效时间发送至该AF，以便该AF可以使用该通信密钥与UE进行数据传输，从而提高该AF与UE之间的数据传输的安全性。其中，AF与UE之间的通信密钥可称之为AF对应的AKMA应用密钥(AKMA Application Key，K _AF)。 In Figure 1, AAnF can interact with AUSF, obtain the key of AKMA service from AUSF, and generate the communication key between the AF and UE and the validity of the communication key based on the key of AKMA service and the identification of AF. time. The AAnF can send the communication key and the validity time of the communication key to the AF, so that the AF can use the communication key to perform data transmission with the UE, thereby improving the security of data transmission between the AF and the UE. The communication key between the AF and the UE may be called the AKMA Application Key (K _AF ) corresponding to the AF.

对于不同AF与同一UE之间的K _AF可以不同，例如AF1与UE1之间的K _AF为K _AF1，AF2与UE1之间的K _AF为K _AF2。图1中，AF可以与3GPP核心网网元交互。例如，AF可以从PCF获得服务质量(Quality of Service，QoS)参数，或者AF向PCF提供QoS参数，进而可以影响应用程序的数据传输。再例如，AF可以与NEF交互。在AKMA服务的场景中，AF从AAnF获取该AF与UE之间的通信密钥以及该通信密钥的有效时间。AF可以位于5G核心网内部，也可以位于5G核心网外部。若AF位于5G核心网内部，那么AF可直接与PCF进行交互；若AF位于5G核心网外部，那么AF可通过NEF与PCF进行交互。 The K _AF between different AFs and the same UE may be different. For example, the K _AF between AF1 and UE1 is K _AF 1, and the K _AF between AF2 and UE1 is K _AF 2. In Figure 1, AF can interact with 3GPP core network elements. For example, AF can obtain Quality of Service (QoS) parameters from PCF, or AF can provide QoS parameters to PCF, which can then affect the data transmission of the application. As another example, AF can interact with NEF. In the scenario of AKMA service, the AF obtains the communication key between the AF and the UE and the validity time of the communication key from the AAnF. AF can be located inside the 5G core network or outside the 5G core network. If the AF is located inside the 5G core network, the AF can directly interact with the PCF; if the AF is located outside the 5G core network, the AF can interact with the PCF through NEF.

本申请实施例提供了一种密钥管理方法，用于生成位于服务网络中的AF与终端之间的通信密钥。其中，同一个终端与不同的AF之间的通信密钥可以相同或不同，本申请实施例仅针对位于服务网络中的某一个AF与终端之间的通信密钥。The embodiment of the present application provides a key management method for generating a communication key between an AF and a terminal located in a service network. The communication keys between the same terminal and different AFs may be the same or different. The embodiment of this application is only directed to the communication keys between a certain AF located in the service network and the terminal.

在本申请实施例提供的密钥管理方法中，存在至少一个终端、至少一个AF、至少一个AAnF、至少一个代理实体。示意性的，本申请实施例提供的密钥管理方法应用于漫游场景中，AAnF位于终端的归属网络中，终端、AF和代理实体位于服务网络中。In the key management method provided by the embodiment of the present application, there are at least one terminal, at least one AF, at least one AAnF, and at least one proxy entity. Illustratively, the key management method provided by the embodiment of the present application is applied in a roaming scenario, the AAnF is located in the home network of the terminal, and the terminal, AF and proxy entity are located in the service network.

其中，终端可使用UE表示，服务网络中的代理实体可使用AAnFProxy表示；归属网络与服务网络的覆盖范围不同，或相同，或有重合。Among them, the terminal can be represented by UE, and the proxy entity in the service network can be represented by AAnFProxy; the coverage ranges of the home network and the service network are different, the same, or overlap.

在一些实施例中，该AAnFProxy是服务网络中的单独的网络功能(Nextwork Function，NF)；或者，该AAnFProxy是服务网络中任一NF中的一部分；或者，该AAnFProxy是3GPP运营商域内的可信应用功能(Trusted AF)。In some embodiments, the AAnFProxy is a separate network function (Nextwork Function, NF) in the service network; or, the AAnFProxy is part of any NF in the service network; or, the AAnFProxy is available within the 3GPP operator domain. Letter application function (Trusted AF).

在一些实施例中，该终端类型包括但不限于手持设备、可穿戴设备、车载设备和物联网设备等，该终端可以是手机、平板电脑、电子书阅读器、膝上便携计算机、台式计算机、电视机、游戏机、增强现实(Augmented Reality，AR)终端、虚拟现实(Virtual Reality，VR)终端和混合现实(Mixed Reality，MR)终端、可穿戴设备、手柄和控制器等中的至少一种。In some embodiments, the terminal type includes but is not limited to handheld devices, wearable devices, vehicle-mounted devices, Internet of Things devices, etc. The terminal may be a mobile phone, a tablet computer, an e-book reader, a laptop computer, a desktop computer, At least one of televisions, game consoles, augmented reality (Augmented Reality, AR) terminals, virtual reality (VR) terminals, mixed reality (Mixed Reality, MR) terminals, wearable devices, handles and controllers, etc. .

图3示出了本申请一个示例性实施例提供的密钥管理方法的流程图，用于生成位于服务网络中的AF和终端之间的通信密钥，该方法包括如下步骤中的至少部分步骤：Figure 3 shows a flow chart of a key management method provided by an exemplary embodiment of the present application for generating a communication key between an AF and a terminal located in a service network. The method includes at least some of the following steps: :

步骤101：UE向服务网络中的AF发送应用会话建立请求。Step 101: The UE sends an application session establishment request to the AF in the serving network.

示意性的，在服务网络中的AF与UE进行通信之前，需要确定二者之间是否可以使用AKMA服务。在步骤101之前，通过UE与AUSF之间的主鉴权流程，以使得UE和AUSF分别在本地生成相同的K _AUSF、K _AKMA以及A-KID。 Illustratively, before the AF in the service network communicates with the UE, it needs to be determined whether the AKMA service can be used between the two. Before step 101, the main authentication process between the UE and the AUSF is passed, so that the UE and the AUSF locally generate the same K _AUSF , _KAKMA and A-KID respectively.

其中，主鉴权流程可参考前述内容，不再赘述。Among them, the main authentication process can refer to the above content and will not be described again.

可选地，服务网络中的AF与UE进行通信的先决条件是隐式特定应用于终端和AF的，或是由AF向终端显式指示的。Optionally, the prerequisites for the AF in the serving network to communicate with the UE are implicitly specific to the terminal and the AF, or are explicitly indicated by the AF to the terminal.

示意性的，应用会话建立请求用于触发应用会话的建立请求，应用会话建立请求可用Application Session Establishment Request表示。其中，应用会话建立请求中携带有AKMA密钥标识符和/或服务网络标识符，AKMA密钥标识符可用A-KID表示。Illustratively, the application session establishment request is used to trigger the application session establishment request, and the application session establishment request can be represented by Application Session Establishment Request. The application session establishment request carries the AKMA key identifier and/or the service network identifier, and the AKMA key identifier can be represented by A-KID.

其中，A-KID用于指示终端的AKMA密钥的标识符；服务网络标识符用于指示终端的服务网络，用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送密钥管理请求。Among them, A-KID is used to indicate the identifier of the AKMA key of the terminal; the service network identifier is used to indicate the service network of the terminal, and is used to trigger AF in the service network when the service network identifier of the terminal is inconsistent with the home network identifier. In this case, a key management request is sent to the proxy entity in the service network.

可选的，TS 33.535中限定了A-KID应采用IETF RFC 7542中条款2.2规定的归属网络标识(Network Access Identifier，NAI)格式，比如：用户名@安全域。该用户名部分应包含路由指示(Routing Indicator，RID)和AKMA临时终端标识(AKMA Temporary UE Identifier，A-TID)，该安全域部分应包含归属网络标识。Optional, TS 33.535 stipulates that A-KID should adopt the Network Access Identifier (NAI) format specified in clause 2.2 of IETF RFC 7542, such as: username@security domain. The username part should include the Routing Indicator (RID) and the AKMA Temporary UE Identifier (A-TID), and the security domain part should include the home network identifier.

在一些实施例中，应用会话建立请求中包括A-KID，A-KID中携带有终端的服务网络标识符；或者，应用会话建立请求中包括A-KID和终端的服务网络标识符；或者，应用会话建立请求中包括A-KID，终端在应用会话建立请求之前或之后发送终端的服务网络标识符，可选地，该服务网络标识符指示有对应的应用会话建立请求或A-KID。In some embodiments, the application session establishment request includes A-KID, and the A-KID carries the service network identifier of the terminal; or, the application session establishment request includes the A-KID and the service network identifier of the terminal; or, The application session establishment request includes the A-KID, and the terminal sends the terminal's service network identifier before or after the application session establishment request. Optionally, the service network identifier indicates a corresponding application session establishment request or A-KID.

步骤102：服务网络中的AF向服务网络中的代理实体发送AKMA应用密钥请求。Step 102: The AF in the service network sends an AKMA application key request to the proxy entity in the service network.

示意性的，AKMA应用密钥请求用于向服务网络中的代理实体请求服务网络中的AF的AKMA应用密钥信息，AKMA应用密钥请求包括A-KID和/或AF标识符(AF Identifier，AF_ID)。其中，代理实体可用AAnFProxy表示；A-KID有服务网络中的AF从终端处获取；AF_ID用于指示服务网络中的AF的标识符。Illustratively, the AKMA application key request is used to request the AKMA application key information of the AF in the service network from the proxy entity in the service network. The AKMA application key request includes the A-KID and/or AF identifier (AF Identifier, AF_ID). Among them, the proxy entity can be represented by AAnFProxy; A-KID is obtained from the terminal by the AF in the service network; AF_ID is used to indicate the identifier of the AF in the service network.

可选的，AF_ID包含AF的全限定域名(Fully Qualified Domain Name，FQDN)和Ua*安全协议标识符。其中，Ua*安全协议标识符用于指示AF将与UE一起使用的安全协议。Optionally, AF_ID contains AF's fully qualified domain name (Fully Qualified Domain Name, FQDN) and Ua* security protocol identifier. Among them, the Ua* security protocol identifier is used to indicate the security protocol that the AF will use with the UE.

可选的，服务网络中的代理实体是服务网络中单独的NF；或者，服务网络中的代理实体是服务网络中任一NF中的一部分；或者，服务网络中的代理实体是可信应用功能(Trusted AF)，比如3GPP运营商域内的可信应用功能。Optionally, the proxy entity in the service network is a separate NF in the service network; or, the proxy entity in the service network is part of any NF in the service network; or, the proxy entity in the service network is a trusted application function (Trusted AF), such as the trusted application function within the 3GPP operator domain.

在接收到的终端的服务网络标识符和终端的归属网络标识一致的情况下，终端对应的服务网络为终端的归属网络，AF可根据TS 33.535中条款6.3所描述地从AAnf获取K _AF。 When the received service network identifier of the terminal is consistent with the terminal's home network identifier, the service network corresponding to the terminal is the terminal's home network, and the AF can obtain K _AF from AAnf as described in clause 6.3 of TS 33.535.

在接收到的终端的服务网络标识符和终端的归属网络标识不一致的情况下，终端对应的服务网络不是终端的归属网络，此时的终端处于漫游场景下，AF向服务网络中的代理实体发送AKMA应用密钥请求，以请求K _AF。 When the received service network identifier of the terminal is inconsistent with the terminal's home network identifier, the service network corresponding to the terminal is not the terminal's home network, and the terminal is in a roaming scenario at this time, and the AF sends a message to the proxy entity in the service network. AKMA applies key request to request K _AF .

服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求，根据服务网络中的AF中的策略的不同而不同。The AKMA application key request sent by the AF in the service network to the proxy entity in the service network varies according to the policies in the AF in the service network.

可选的，服务网络中的AF向归属网络中的代理实体发送第一AKMA应用密钥请求。其中，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识。Optionally, the AF in the serving network sends the first AKMA application key request to the proxy entity in the home network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity.

可选的，第一AKMA应用密钥请求可使用AKMA Application Key Request表示。Optionally, the first AKMA Application Key Request can be expressed using AKMA Application Key Request.

可选的，服务网络中的AF向归属网络中的代理实体发送第二AKMA应用密钥请求。其中，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Optionally, the AF in the serving network sends a second AKMA application key request to the proxy entity in the home network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identity.

可选的，第二AKMA应用密钥请求可使用AKMA Application Key AnonUser Request表示。Optionally, the second AKMA Application Key request can be expressed using AKMA Application Key AnonUser Request.

步骤103：服务网络中的代理实体向归属网络中的AAnF发送应用密钥获取请求。Step 103: The proxy entity in the serving network sends an application key acquisition request to the AAnF in the home network.

示意性的，应用密钥获取请求用于向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息，应用密钥获取请求包括A-KID和/或AF_ID。Illustratively, the application key acquisition request is used to request the AKMA application key information of the AF in the service network from the AAnF in the home network, and the application key acquisition request includes A-KID and/or AF_ID.

A-KID和/AF_ID的相关描述可参考前述内容，不再赘述。For relevant descriptions of A-KID and /AF_ID, please refer to the foregoing content and will not be described again.

在步骤102中，根据服务网络中的AF中的策略的不同，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求不同，相应的，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求也不同。In step 102, according to the different policies in the AF in the service network, the AF in the service network sends different AKMA application key requests to the proxy entity in the service network. Correspondingly, the proxy entity in the service network sends a request to the home network The application key acquisition request sent by AAnF is also different.

可选的，服务网络中的代理实体接收到第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的代理实体向归属网络中的AAnF发送第一应用密钥获取请求。Optionally, the proxy entity in the serving network receives the first AKMA application key request. The first AKMA application key request is used to indicate that the AF in the serving network requires a terminal identity; subsequently, the proxy entity in the serving network sends a request to the home network. The AAnF in sends the first application key acquisition request.

可选的，第一应用密钥获取请求可使用Naanf_AKMA_ApplicationKey_Get Request表示。Optionally, the first application key acquisition request can be represented by Naanf_AKMA_ApplicationKey_Get Request.

可选的，服务网络中的代理实体接收到第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的代理实体向归属网络中的AAnF发送第二应用密钥获取请求。Optionally, the proxy entity in the service network receives the second AKMA application key request. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identity; subsequently, the proxy entity in the service network sends a request to the home network. The AAnF in the network sends a second application key acquisition request.

可选的，第二应用密钥获取请求可使用 Naanf_AKMA_ApplicationKey_AnonUser_Get Request表示。Optionally, the second application key acquisition request can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Request.

可选的，在执行步骤103之前，服务网络中的代理实体还需要确定归属网络中的AAnF，本申请实施例提供的密钥管理方法，还包括：Optionally, before executing step 103, the proxy entity in the serving network also needs to determine the AAnF in the home network. The key management method provided by the embodiment of the present application also includes:

服务网络中的代理实体通过服务网络和归属网络中的NRF发现归属网络中的AAnF。The proxy entity in the service network discovers the AAnF in the home network through the NRF in the service network and the home network.

其中，以归属网络中的NRF使用hNRF表示，服务网络中的NRF使用vNRF表示为例，服务网络中的代理实体发现归属网络中的AAnF的过程可实现为如下：服务网络中的代理实体通过服务网络标识符确定vNRF；vNRF根据服务网络中的代理实体传送的归属网络标识符，能够确定hNRF；hNRF根据预设策略判断归属网络中的AAnF有权为服务网络中的AAnFProxy及AF服务，随后授权归属网络中的代理实体访问归属网络中的AAnF。Among them, for example, the NRF in the home network is represented by hNRF, and the NRF in the service network is represented by vNRF. The process of the agent entity in the service network discovering the AAnF in the home network can be implemented as follows: The agent entity in the service network uses the service The network identifier determines vNRF; vNRF can determine hNRF based on the home network identifier transmitted by the proxy entity in the service network; hNRF determines based on the preset policy that AAnF in the home network has the right to serve AAnFProxy and AF in the service network, and then authorizes The proxy entity in the home network accesses the AAnF in the home network.

步骤104：归属网络中的AAnF基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥。Step 104: The AAnF in the home network generates the AKMA application key of the AF in the serving network based on the AKMA key of the terminal.

其中，AKMA应用密钥(AKMA Application Key，K _AF)用于指示UE和服务网络中的AF之间的通信密钥。 Among them, the AKMA Application Key (K _AF ) is used to indicate the communication key between the UE and the AF in the serving network.

示意性的，AKMA应用密钥基于终端的AKMA密钥生成。因此，执行步骤104需要满足如下条件：归属网络中的AAnF存储有终端的AKMA密钥。Illustratively, the AKMA application key is generated based on the AKMA key of the terminal. Therefore, the following conditions need to be met to perform step 104: the AAnF in the home network stores the AKMA key of the terminal.

其中，AKMA应用密钥的生成可通过如下方式实现：归属网络中的AAnF根据应用密钥获取请求得到A-KID和AF_ID；随后，归属网络中的AAnF可基于AKMA密钥和AF_ID生成AKMA应用密钥。Among them, the generation of AKMA application key can be achieved in the following way: AAnF in the home network obtains A-KID and AF_ID according to the application key acquisition request; then, AAnF in the home network can generate the AKMA application key based on the AKMA key and AF_ID. key.

可选的，归属网络中的AAnF可根据A-KID对应的终端的AKMA密钥的存在，来验证UE是否被授权使用AKMA服务。Optionally, the AAnF in the home network can verify whether the UE is authorized to use the AKMA service based on the existence of the AKMA key of the terminal corresponding to the A-KID.

可选的，在执行步骤104之前，归属网络中的AAnF还需要执行如下步骤：根据授权信息或策略，确定归属网络中的AAnF是否向服务网络中的AF及服务网络中的代理实体提供服务。Optionally, before performing step 104, the AAnF in the home network also needs to perform the following steps: determine whether the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network based on the authorization information or policy.

其中，在归属网络中的AAnF可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，执行步骤104；在归属网络中的AAnF不可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，归属网络中的AAnF可拒绝执行步骤104，并向服务网络中的代理实体反馈错误响应。Among them, if the AAnF in the home network can provide services to the AF in the service network and the proxy entity in the service network, step 104 is performed; the AAnF in the home network cannot provide services to the AF in the service network and the proxy entity in the service network. In the case where the proxy entity provides services, the AAnF in the home network may refuse to perform step 104 and feed back an error response to the proxy entity in the serving network.

可选的，授权信息或策略，由本地策略或归属网络中的NRF提供。Optional, authorization information or policy, provided by local policy or NRF in the home network.

步骤105：归属网络中的AAnF向服务网络中的代理实体发送应用密钥获取响应。Step 105: The AAnF in the home network sends an application key acquisition response to the proxy entity in the serving network.

示意性的，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息，AKMA应用密钥信息至少包括AKMA应用密钥。Illustratively, the application key acquisition response includes the AKMA application key information of the AF in the service network, and the AKMA application key information at least includes the AKMA application key.

根据步骤103，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求不同。相应的，归属网络中的AAnF向服务网络中的代理实体发送的应用密钥获取响应也不同。According to step 103, the application key acquisition request sent by the proxy entity in the serving network to the AAnF in the home network is different. Correspondingly, the application key acquisition response sent by the AAnF in the home network to the proxy entity in the serving network is also different.

可选的，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的代理实体发送的第一应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的代理实体发送第一应用密钥获取响应。Optionally, when the AF in the serving network requires the terminal identification, the AAnF in the home network receives the first application key acquisition request sent by the proxy entity in the serving network; after generating the AKMA application key, the home network The AAnF in the server sends a first application key acquisition response to the proxy entity in the service network.

可选的，第一应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_Get Response表示。Optionally, the first application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_Get Response.

其中，第一应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间、终端的签约永久标识符(Subscription Permanent Identifier，SUPI)；AKMA应用密钥的过期时间可使用K _AF expTime表示。 Wherein, the AKMA application key information of the AF carried in the first application key acquisition response includes at least one of the following information: AKMA application key, expiration time of the AKMA application key, terminal's subscription permanent identifier (Subscription Permanent Identifier, SUPI); the expiration time of the AKMA application key can be expressed by K _AF expTime.

可选的，在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的代理实体发送的第二应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的代理实体发送第二应用密钥获取响应。Optionally, when the AF in the serving network does not require a terminal identification, the AAnF in the home network receives the second application key acquisition request sent by the proxy entity in the serving network; after generating the AKMA application key, the home network The AAnF in the network sends a second application key acquisition response to the proxy entity in the service network.

可选的，第二应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_AnonUser_Get Response表示。Optionally, the second application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Response.

其中，第二应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。Wherein, the AKMA application key information of the AF carried in the second application key acquisition response includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

根据步骤105，服务网络中的代理实体在不同的情况下可获取到不同的AF的AKMA应用密钥信息，并将其反馈给服务网络中的AF。According to step 105, the proxy entity in the service network can obtain the AKMA application key information of different AFs under different circumstances and feed it back to the AF in the service network.

根据前述内容，步骤103、104和105给出了服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成的实现方式。According to the foregoing content, steps 103, 104 and 105 provide an implementation manner in which the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network.

在一种可选的实现场景下，服务网络中的AF的AKMA应用密钥信息还可由服务网络中的代理实体生成。比如，服务网络中的代理实体根据应用密钥获取请求得到A-KID和AF_ID；随后，服务网络中的代理实体可基于AKMA密钥和AF_ID生成AKMA应用密钥。In an optional implementation scenario, the AKMA application key information of the AF in the service network can also be generated by the proxy entity in the service network. For example, the proxy entity in the service network obtains the A-KID and AF_ID according to the application key acquisition request; subsequently, the proxy entity in the service network can generate the AKMA application key based on the AKMA key and AF_ID.

应当理解的是，该实施例仅示出了服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成的实现方式，并不对本申请造成限定。It should be understood that this embodiment only shows the implementation manner in which the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network, and does not limit this application.

步骤106：服务网络中的代理实体向服务网络中的AF发送AKMA应用密钥响应。Step 106: The proxy entity in the service network sends an AKMA application key response to the AF in the service network.

示意性的，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。Illustratively, the AKMA application key response includes the AKMA application key information of the AF in the service network.

其中，AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。For the relevant description of AF's AKMA application key information, please refer to the foregoing content and will not be described again.

根据步骤102，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求不同。相应的，服务网络中的代理实体向服务网络中的AF发送的AKMA应用密钥响应也不同。According to step 102, the AKMA application key request sent by the AF in the service network to the proxy entity in the service network is different. Correspondingly, the AKMA application key response sent by the proxy entity in the service network to the AF in the service network is also different.

可选的，服务网络中的代理实体接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的代理实体向服务网络中的AF发送第一AKMA应用密钥响应。Optionally, the proxy entity in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, the first AKMA application key request in the service network The proxy entity sends the first AKMA application key response to the AF in the service network.

可选的，第一AKMA应用密钥响应可使用AKMA Application Key Response表示。Optionally, the first AKMA Application Key Response can be expressed using AKMA Application Key Response.

其中，第一AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。The AKMA application key information of the AF carried in the first AKMA application key response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

可选的，服务网络中的代理实体接收服务网络中的AF发送的第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的代理实体向服务网络中的AF发送第二AKMA应用密钥响应。Optionally, the proxy entity in the service network receives the second AKMA application key request sent by the AF in the service network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification; subsequently, the service network The proxy entity in the service network sends a second AKMA application key response to the AF in the service network.

可选的，第二AKMA应用密钥响应可使用AKMA Application Key AnonUser表示。Optionally, the second AKMA Application Key response can be represented by AKMA Application Key AnonUser.

其中，第二AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。The AKMA application key information of the AF carried in the second AKMA application key response includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

步骤107：服务网络中的AF向访问UE发送应用会话建立响应。Step 107: The AF in the serving network sends an application session establishment response to the visiting UE.

其中，应用会话建立响应与应用会话建立请求对应，用于反馈服务网络中的AF的AKMA应用密钥信息，可用Application Session Establishment Response表示。Among them, the application session establishment response corresponds to the application session establishment request and is used to feed back the AKMA application key information of AF in the service network, which can be represented by Application Session Establishment Response.

UE在接收到应用会话建立响应后，可根据AKMA应用密钥响应中携带的AF的AKMA应用密钥信息，确定AKMA应用密钥。After receiving the application session establishment response, the UE can determine the AKMA application key based on the AF's AKMA application key information carried in the AKMA application key response.

在一种实现场景下，归属网络中的AAnF中未携带终端的AKMA密钥。In one implementation scenario, the AAnF in the home network does not carry the AKMA key of the terminal.

可选的，归属网络中的AAnF向服务网络中的代理实体发送错误响应；服务网络中的代理实体向服务网络中的AF发送该错误响应；服务网络中的AF向UE反馈应用会话的拒绝信息，该拒绝信息中包括响应失败原因。基于此，服务网络中的AF通过包含响应失败原因来拒绝建立应用会话。Optionally, the AAnF in the home network sends an error response to the proxy entity in the serving network; the proxy entity in the serving network sends the error response to the AF in the serving network; the AF in the serving network feeds back application session rejection information to the UE , the rejection information includes the reason for the response failure. Based on this, the AF in the service network refuses to establish the application session by including the response failure reason.

可选的，在UE接收到服务网络中的AF反馈的应用会话的拒绝信息后，UE可重新发送应用会话建立请求，该应用会话建立请求中携带有新的A-KID和/或服务网络标识符。Optionally, after the UE receives the rejection information of the application session fed back by the AF in the service network, the UE can resend the application session establishment request, and the application session establishment request carries the new A-KID and/or service network identification. symbol.

应当理解的是，上述内容中给出的实施例中，UE一侧的步骤可单独成为应用于终端中的密钥管理方法的一个实施例，归属网络中的AAnF一侧的步骤可单独成为应用于归属网络中的AAnF中的密钥管理方法的一个实施例，服务网络中的AF一侧的步骤可单独成为应用于服务网络中的AF中的密钥管理方法的一个实施例，服务网络中的代理实体一侧的步骤可单独成为应用于服务网络中的代理实体中的密钥管理方法的一个实施例。其中，密钥管理方法的步骤的具体阐释可参考上述内容，不再赘述。It should be understood that in the embodiments given in the above content, the steps on the UE side can independently become an embodiment of the key management method applied in the terminal, and the steps on the AAnF side in the home network can independently become an application. As an embodiment of the key management method in the AAnF in the home network, the steps on the AF side in the serving network may separately become an embodiment of the key management method in the AF in the serving network, in the serving network The steps on the proxy entity side may alone become an embodiment of the key management method applied in the proxy entity in the service network. For detailed explanation of the steps of the key management method, please refer to the above content and will not be described again.

综上所述，本申请实施例提供了一种密钥管理方法，基于服务网络中的代理实体、服务网络中的AF和归属网络中的AAnF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得终端能够获取到服务网络中的AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method, which can realize AKMA application key request and The AKMA application key response enables the terminal to obtain the AKMA application key information of the AF in the service network.

图4示出了本申请一个示例性实施例提供的密钥管理方法的流程图，该方法应用于漫游场景下，该方法由服务网络中的代理实体执行，代理实体可用AAnFProxy表示。示意性的，本申请实施例提供的密钥管理方法包括如下步骤：Figure 4 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. The method is applied in a roaming scenario. The method is executed by a proxy entity in the service network. The proxy entity can be represented by AAnFProxy. Illustratively, the key management method provided by the embodiment of this application includes the following steps:

步骤202：接收服务网络中的AF发送的AKMA应用密钥请求。Step 202: Receive the AKMA application key request sent by the AF in the service network.

示意性的，AKMA应用密钥请求用于向服务网络中的代理实体请求服务网络中的AF的AKMA应用密钥信息。可选的，AKMA应用密钥请求包括AKMA密钥标识符和/或AF标识符。Illustratively, the AKMA application key request is used to request the AKMA application key information of the AF in the service network from the proxy entity in the service network. Optionally, the AKMA application key request includes the AKMA key identifier and/or AF identifier.

其中，代理实体可用AAnFProxy表示；AKMA密钥标识符可用A-KID表示，用于指示终端的AKMA密钥的标识符；AF标识符可用AF_ID表示，用于指示服务网络中的AF的标识符。Among them, the proxy entity can be represented by AAnFProxy; the AKMA key identifier can be represented by A-KID, which is used to indicate the identifier of the AKMA key of the terminal; the AF identifier can be represented by AF_ID, which is used to indicate the identifier of the AF in the service network.

本申请实施例提供的密钥管理方法中，终端处于漫游场景下，终端对应的服务网络为服务网络，服务网络与终端的归属网络不一致，此时需要服务网络中的AF向服务网络中的代理实体发送AKMA应用密钥请求，以请求K _AF。 In the key management method provided by the embodiment of this application, the terminal is in a roaming scenario, the service network corresponding to the terminal is the service network, and the service network is inconsistent with the home network of the terminal. In this case, the AF in the service network needs to report to the agent in the service network The entity sends an AKMA application key request to request K _AF .

根据前述内容，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求，根据服务网络中的AF中的策略的不同而不同。According to the foregoing content, the AKMA application key request sent by the AF in the service network to the proxy entity in the service network varies according to the policies in the AF in the service network.

可选的，服务网络中的AF向归属网络中的代理实体发送第二AKMA应用密钥请求。其中，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Optionally, the AF in the serving network sends a second AKMA application key request to the proxy entity in the home network. Wherein, the second AKMA application key request is used to indicate that the AF in the service network does not require terminal identification.

步骤204：向服务网络中的AF反馈AKMA应用密钥响应。Step 204: Feed back the AKMA application key response to the AF in the service network.

示意性的，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息，AKMA应用密钥响应与AKMA应用密钥请求对应。Illustratively, the AKMA application key response includes the AKMA application key information of the AF in the service network, and the AKMA application key response corresponds to the AKMA application key request.

根据步骤202，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求不同。相应的，服务网络中的代理实体向服务网络中的AF发送的AKMA应用密钥响应也不同。According to step 202, the AF in the service network sends different AKMA application key requests to the proxy entity in the service network. Correspondingly, the AKMA application key response sent by the proxy entity in the service network to the AF in the service network is also different.

可选的，服务网络中的代理实体接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的代理实体向服务网络中的AF发送第一AKMA应用密钥响应。Optionally, the proxy entity in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity; subsequently, the first AKMA application key request in the service network The proxy entity sends the first AKMA application key response to the AF in the service network.

可选的，第一AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。Optionally, the AKMA application key information of the AF carried in the first AKMA application key response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

可选的，第二AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。Optionally, the AKMA application key information of the AF carried in the second AKMA application key response includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

其中，服务网络中的AF的AKMA应用密钥信息由多种生成方式。Among them, the AKMA application key information of AF in the service network is generated in various ways.

可选的，服务网络中的AF的AKMA应用密钥信息由服务网络中的代理实体生成；或者，服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成。Optionally, the AKMA application key information of the AF in the serving network is generated by the proxy entity in the serving network; or the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network.

在服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成的情况下，本申请实施例提供的密钥管理方法还包括如下两个步骤：In the case where the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network, the key management method provided by the embodiment of this application also includes the following two steps:

步骤1：向归属网络中的AAnF发送应用密钥获取请求。Step 1: Send an application key acquisition request to the AAnF in the home network.

应用密钥获取请求用于向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息。可选的，应用密钥获取请求包括A-KID和/或AF_ID。The application key acquisition request is used to request AKMA application key information of the AF in the service network from the AAnF in the home network. Optionally, the application key acquisition request includes A-KID and/or AF_ID.

与AKMA应用密钥请求类似，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求也根据服务网络中的AF中的策略的不同而改变。Similar to the AKMA application key request, the application key acquisition request sent by the proxy entity in the service network to the AAnF in the home network also changes according to the different policies in the AF in the service network.

可选的，第二应用密钥获取请求可使用Naanf_AKMA_ApplicationKey_AnonUser_Get Request表示。Optionally, the second application key acquisition request can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Request.

步骤2：接收归属网络中的AAnF反馈的应用密钥获取响应。Step 2: Receive the application key acquisition response fed back by the AAnF in the home network.

示意性的，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。Illustratively, the application key acquisition response includes the AKMA application key information of the AF in the service network.

其中，应用密钥获取响应与应用密钥获取请求对应，用于归属网络中的AAnF向服务网络中的代理实体反馈AF的AKMA应用密钥信息。The application key acquisition response corresponds to the application key acquisition request, and is used by the AAnF in the home network to feed back the AF's AKMA application key information to the proxy entity in the serving network.

根据步骤1，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求不同。相应的，归属网络中的AAnF向服务网络中的代理实体发送的应用密钥获取响应也不同。According to step 1, the application key acquisition request sent by the proxy entity in the serving network to the AAnF in the home network is different. Correspondingly, the application key acquisition response sent by the AAnF in the home network to the proxy entity in the serving network is also different.

可选的，第一应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_Get Response表示。可选的，第一应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。Optionally, the first application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_Get Response. Optionally, the AKMA application key information of the AF carried in the first application key acquisition response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

可选的，第二应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_AnonUser_Get Response表示。可选的，第二应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种： AKMA应用密钥、AKMA应用密钥的过期时间。Optionally, the second application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Response. Optionally, the AKMA application key information of the AF carried in the second application key acquisition response includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

应当理解的是，步骤1和步骤2的时序位置应当位于步骤202和步骤204之间，在接收到归属网络中的AAnF反馈的应用密钥获取响应后，服务网络中的代理实体将应用密钥回去响应中携带的服务网络中的AF的AKMA应用密钥信息反馈给服务网络中的AF。It should be understood that the timing position of steps 1 and 2 should be between step 202 and step 204. After receiving the application key acquisition response fed back by the AAnF in the home network, the proxy entity in the serving network will apply the key The AKMA application key information of the AF in the service network carried in the return response is fed back to the AF in the service network.

综上所述，本申请实施例提供了一种密钥管理方法，基于服务网络中的代理实体、服务网络中的AF和归属网络中的AAnF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得服务网络中的AF能够获取到AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method, which can realize AKMA application key request and The AKMA application key responds so that the AF in the service network can obtain the AKMA application key information of the AF.

其中，根据服务网络中的AF中的策略的不同，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求也不同，从而使得服务网络中的AF得到的AKMA应用密钥响应内携带的AKMA应用密钥信息也不同。Among them, according to the different policies in the AF in the service network, the AKMA application key request sent by the AF in the service network to the proxy entity in the service network is also different, so that the AF in the service network gets the AKMA application key response. The AKMA application key information carried inside is also different.

比如，在服务网络中的AF需要终端标识的情况下，AKMA应用密钥响应内携带的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI；又如，在服务网络中的AF不需要终端标识的情况下，AKMA应用密钥响应内携带的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。For example, when the AF in the service network requires terminal identification, the AKMA application key information carried in the AKMA application key response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and SUPI; for another example, when the AF in the service network does not require terminal identification, the AKMA application key information carried in the AKMA application key response includes at least one of the following information: AKMA application key, AKMA application key expiration time.

可选的，本申请实施例提供的密钥管理方法中，服务网络中的AF的AKMA应用密钥信息可由服务网络中的代理实体或者归属网络中的AAnF生成。Optionally, in the key management method provided by the embodiment of this application, the AKMA application key information of the AF in the serving network can be generated by the proxy entity in the serving network or the AAnF in the home network.

可选的，本申请实施例提供的密钥管理方法，还给出了归属网络中的AAnF生成AKMA应用密钥信息的具体方式。Optionally, the key management method provided by the embodiment of this application also provides a specific method for the AAnF in the home network to generate AKMA application key information.

图5示出了本申请一个示例性实施例提供的密钥管理方法的流程图，该方法应用于漫游场景下，该方法由归属网络中的AAnF执行，该方法包括如下步骤：Figure 5 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. The method is applied in a roaming scenario. The method is executed by the AAnF in the home network. The method includes the following steps:

步骤302：接收服务网络中的代理实体发送的应用密钥获取请求。Step 302: Receive the application key acquisition request sent by the proxy entity in the service network.

根据前述内容，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求根据服务网络中的AF中的策略的不同而改变。According to the foregoing content, the application key acquisition request sent by the proxy entity in the service network to the AAnF in the home network changes according to the different policies in the AF in the service network.

步骤304：在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥(Derive AF key from K _AKMA)。 Step 304: If the AKMA key of the terminal is stored in the AAnF in the home network, generate the AKMA application key of the AF in the service network (Derive AF key from K _AKMA ) based on the AKMA key of the terminal.

其中，AKMA应用密钥用于指示UE和服务网络中的AF之间的通信密钥，可使用K _AF表示。 Among them, the AKMA application key is used to indicate the communication key between the UE and the AF in the serving network, and can be represented by K _AF .

可选的，AKMA应用密钥的生成可通过如下方式实现：归属网络中的AAnF根据应用密钥获取请求得到A-KID和AF_ID；随后，归属网络中的AAnF可基于AKMA密钥和AF_ID生成AKMA应用密钥。Optionally, the AKMA application key can be generated in the following manner: AAnF in the home network obtains A-KID and AF_ID based on the application key acquisition request; subsequently, AAnF in the home network can generate AKMA based on the AKMA key and AF_ID. Application key.

在执行步骤304之前，归属网络中的AAnF还需要确定是否可向服务网络中的AF提供服务。可选的，本申请实施例提供的密钥管理方法，还包括：Before performing step 304, the AAnF in the home network also needs to determine whether it can provide services to the AF in the serving network. Optionally, the key management method provided by the embodiment of this application also includes:

根据授权信息或策略，确定归属网络中的AAnF是否向服务网络中的AF及服务网络中的代理实体提供服务。According to the authorization information or policy, it is determined whether the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network.

其中，在归属网络中的AAnF可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，执行步骤304；在归属网络中的AAnF不可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，归属网络中的AAnF可拒绝执行步骤304，并向服务网络中的代理实体反馈错误响应。Among them, if the AAnF in the home network can provide services to the AF in the service network and the proxy entity in the service network, step 304 is performed; the AAnF in the home network cannot provide services to the AF in the service network and the proxy entity in the service network. In the case where the proxy entity provides services, the AAnF in the home network may refuse to perform step 304 and feed back an error response to the proxy entity in the serving network.

步骤306：向服务网络中的代理实体反馈应用密钥获取响应。Step 306: Feed back the application key acquisition response to the proxy entity in the service network.

其中，应用密钥获取响应与应用密钥获取请求对应，用于归属网络中的AAnF向服务网络中的代理实体反馈AF的AKMA应用密钥信息；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。Among them, the application key acquisition response corresponds to the application key acquisition request, and is used by the AAnF in the home network to feed back the AKMA application key information of the AF to the proxy entity in the serving network; for the relevant description of the AKMA application key information of the AF, please refer to The foregoing content will not be repeated again.

根据步骤304，服务网络中的代理实体向归属网络中的AAnF发送的应用密钥获取请求不同。相应的，归属网络中的AAnF向服务网络中的代理实体发送的应用密钥获取响应也不同。According to step 304, the application key acquisition request sent by the proxy entity in the serving network to the AAnF in the home network is different. Correspondingly, the application key acquisition response sent by the AAnF in the home network to the proxy entity in the serving network is also different.

可选的，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的代理实体发送的第一AKMA应用密钥请求；在生成AKMA 应用密钥后，归属网络中的AAnF向服务网络中的代理实体发送第一应用密钥获取响应。Optionally, when the AF in the serving network requires terminal identification, the AAnF in the home network receives the first AKMA application key request sent by the proxy entity in the serving network; after generating the AKMA application key, the home network The AAnF in the server sends a first application key acquisition response to the proxy entity in the service network.

可选的，第一应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。Optionally, the AKMA application key information of the AF carried in the first application key acquisition response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

可选的，在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的代理实体发送的第二AKMA应用密钥请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的代理实体发送第二应用密钥获取响应。Optionally, when the AF in the serving network does not require a terminal identification, the AAnF in the home network receives the second AKMA application key request sent by the proxy entity in the serving network; after generating the AKMA application key, the home network The AAnF in the network sends a second application key acquisition response to the proxy entity in the service network.

可选的，第二应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。Optionally, the AKMA application key information of the AF carried in the second application key acquisition response includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

综上所述，本申请实施例提供了一种密钥管理方法，基于服务网络中的代理实体、服务网络中的AF和归属网络中的AAnF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得服务网络中的代理实体能够获取到服务网络中的AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method, which can realize AKMA application key request and The AKMA application key response enables the proxy entity in the service network to obtain the AKMA application key information of the AF in the service network.

其中，根据服务网络中的AF中的策略的不同，归属网络中的AAnF向服务网络中的代理实体反馈的应用密钥获取响应中携带的AF的AKMA应用密钥信息也不同。Among them, according to the different policies in the AF in the serving network, the AKMA application key information of the AF carried in the application key acquisition response fed back by the AAnF in the home network to the proxy entity in the serving network is also different.

图6示出了本申请一个示例性实施例提供的密钥管理方法的流程图，该方法应用于漫游场景下，该方法由服务网络中的AAnF执行，该方法包括如下步骤：Figure 6 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. The method is applied in a roaming scenario. The method is executed by the AAnF in the service network. The method includes the following steps:

步骤402：接收终端发送的服务网络标识符和AKMA密钥标识符。Step 402: Receive the service network identifier and AKMA key identifier sent by the terminal.

示意性的，服务网络标识符用于指示终端的服务网络，用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送密钥管理请求。其中，服务网络标识符可能携带在应用会话建立请求中的A-KID字段或单独字段。Illustratively, the service network identifier is used to indicate the service network of the terminal, and is used to trigger the AF in the service network to send the key to the proxy entity in the service network when the service network identifier of the terminal is inconsistent with the home network identifier. Manage requests. Among them, the service network identifier may carry the A-KID field or a separate field in the application session establishment request.

在一种可选的实现场景下，终端发生移动，从归属网络的覆盖区域移动到服务网络的覆盖区域内。此时，终端向服务网络中的AF发送服务网络标识符，该服务网络标识符与服务网络对应，由此可判断终端处于漫游场景下。In an optional implementation scenario, the terminal moves from the coverage area of the home network to the coverage area of the serving network. At this time, the terminal sends a service network identifier to the AF in the service network, and the service network identifier corresponds to the service network. From this, it can be determined that the terminal is in a roaming scenario.

服务网络标识符可由终端单独发送给服务网络中的AF，也可以在终端向服务网络中的AF发送的应用会话建立请求中携带。The service network identifier may be sent separately by the terminal to the AF in the service network, or may be carried in the application session establishment request sent by the terminal to the AF in the service network.

可选的，步骤402可实现为：接收终端发送的应用会话建立请求，应用会话建立请求中携带有服务网络标识符和AKMA密钥标识符。Optionally, step 402 may be implemented as: receiving an application session establishment request sent by the terminal, where the application session establishment request carries the service network identifier and the AKMA key identifier.

其中，服务网络标识符可由应用会话建立请求中的AKMA密钥标识符携带，也可由专用字段携带。比如，应用会话建立请求包括AKMA密钥标识符，AKMA密钥标识符携带有服务网络标识符；又如，应用会话建立请求包括AKMA密钥标识符和服务网络标识符。The service network identifier may be carried by the AKMA key identifier in the application session establishment request, or may be carried by a dedicated field. For example, the application session establishment request includes the AKMA key identifier, and the AKMA key identifier carries the service network identifier; for another example, the application session establishment request includes the AKMA key identifier and the service network identifier.

其中，应用会话建立请求用于触发应用会话的建立请求，应用会话建立请求可用Application Session Establishment Request表示。Among them, the application session establishment request is used to trigger the application session establishment request, and the application session establishment request can be represented by Application Session Establishment Request.

步骤404：在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。Step 404: When the service network identifier of the terminal is inconsistent with the home network identifier, send an AKMA application key request to the proxy entity in the service network.

步骤406：接收服务网络中的代理实体反馈的AKMA应用密钥响应。Step 406: Receive the AKMA application key response fed back by the proxy entity in the service network.

其中，AKMA应用密钥响应与AKMA应用密钥请求对应；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。Among them, the AKMA application key response corresponds to the AKMA application key request; for the relevant description of the AF's AKMA application key information, please refer to the foregoing content and will not be described again.

根据步骤404，服务网络中的AF向服务网络中的代理实体发送的AKMA应用密钥请求不同。相应的，服务网络中的代理实体向服务网络中的AF发送的 AKMA应用密钥响应也不同。According to step 404, the AKMA application key request sent by the AF in the service network to the proxy entity in the service network is different. Correspondingly, the AKMA application key response sent by the proxy entity in the service network to the AF in the service network is also different.

可选的，服务网络中的AF的AKMA应用密钥信息可由服务网络中的代理实体或者归属网络中的AAnF生成。其中，服务网络中的AF的AKMA应用密钥信息的生成过程可参考前述内容，不再赘述。Optionally, the AKMA application key information of the AF in the serving network can be generated by the proxy entity in the serving network or the AAnF in the home network. For the generation process of the AKMA application key information of the AF in the service network, please refer to the foregoing content and will not be described again.

图7示出了本申请一个示例性实施例提供的密钥管理方法的流程图，该方法应用于漫游场景下，该方法由终端执行，该方法包括如下步骤：Figure 7 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. The method is applied in a roaming scenario. The method is executed by a terminal. The method includes the following steps:

步骤502：向服务网络中的AF发送服务网络标识符和AKMA密钥标识符。Step 502: Send the service network identifier and the AKMA key identifier to the AF in the service network.

示意性的，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。其中，服务网络标识符可能携带在应用会话建立请求中的A-KID 字段或单独字段。Illustratively, the serving network identifier is used to trigger the AF in the serving network to send an AKMA application key request to the proxy entity in the serving network when the serving network identifier of the terminal is inconsistent with the home network identifier. Among them, the service network identifier may be carried in the A-KID field or a separate field in the application session establishment request.

可选的，步骤502可实现为如下：向服务网络中的AF发送应用会话建立请求，应用会话建立请求携带有服务网络标识符和AKMA密钥标识符。Optionally, step 502 may be implemented as follows: sending an application session establishment request to the AF in the service network, where the application session establishment request carries the service network identifier and the AKMA key identifier.

综上所述，本申请实施例提供了一种密钥管理方法，通过终端向服务网络中的AF发送服务网络标识符，以使得服务网络中的AF能够判断终端是否处于漫游场景下；并在服务网络标识符与归属网络标识不一致的情况下，触发服务网络中的AF向服务网络中的代理实体发送AKMA应用密钥请求，以便于服务网络中的AF能够获取到AF的AKMA应用密钥信息。To sum up, the embodiments of the present application provide a key management method, in which the terminal sends the service network identifier to the AF in the service network, so that the AF in the service network can determine whether the terminal is in a roaming scenario; and in When the service network identifier is inconsistent with the home network identifier, the AF in the service network is triggered to send an AKMA application key request to the proxy entity in the service network, so that the AF in the service network can obtain the AF's AKMA application key information. .

可选的，服务网络标识符可携带在终端向服务网络中的AF发送的应用会话建立请求中。Optionally, the service network identifier may be carried in the application session establishment request sent by the terminal to the AF in the service network.

根据前述内容，服务网络中的AF的AKMA应用密钥信息可由服务网络中的代理实体或者归属网络中的AAnF生成。According to the foregoing content, the AKMA application key information of the AF in the serving network can be generated by the proxy entity in the serving network or the AAnF in the home network.

以下将根据AKMA应用密钥信息的不同生成方式展开描述。其中，图8是服务网络中的代理实体生成服务网络中的AF的AKMA应用密钥信息的实施例，图9是归属网络中的AAnF生成服务网络中的AF的AKMA应用密钥信息的实施例。The description below will be based on the different generation methods of AKMA application key information. Among them, Figure 8 is an embodiment in which the proxy entity in the service network generates the AKMA application key information of the AF in the service network. Figure 9 is an example in which the AAnF in the home network generates the AKMA application key information of the AF in the service network. .

参考图4-7，图8示出了本申请一个示例性实施例提供的密钥管理方法的流程图，应用于漫游场景下，该方法包括如下步骤：Referring to Figures 4-7, Figure 8 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. When applied in a roaming scenario, the method includes the following steps:

步骤601：UE向服务网络中的AF发送服务网络标识符和AKMA密钥标识符。Step 601: The UE sends the serving network identifier and the AKMA key identifier to the AF in the serving network.

示意性的，服务网络标识符用于指示终端的服务网络，服务网络标识符可能携带在应用会话建立请求中的A-KID字段或单独字段。Illustratively, the service network identifier is used to indicate the service network of the terminal. The service network identifier may carry the A-KID field or a separate field in the application session establishment request.

步骤602：在UE的服务网络标识符与归属网络标识不一致的情况下，服务网络中的AF向服务网络中的AAnFProxy发送AKMA应用密钥请求。Step 602: When the serving network identifier of the UE is inconsistent with the home network identifier, the AF in the serving network sends an AKMA application key request to AAnFProxy in the serving network.

示意性的，AKMA应用密钥请求用于向服务网络中的AAnFProxy请求服务网络中的AF的AKMA应用密钥信息。可选的，AKMA应用密钥请求包括AKMA密钥标识符和/或AF标识符。Illustratively, the AKMA application key request is used to request the AKMA application key information of the AF in the service network from AAnFProxy in the service network. Optionally, the AKMA application key request includes the AKMA key identifier and/or AF identifier.

本申请实施例提供的密钥管理方法中，终端处于漫游场景下，终端对应的服务网络为服务网络，服务网络与终端的归属网络不一致，此时需要服务网络中的AF向服务网络中的AAnFProxy发送AKMA应用密钥请求，以请求K _AF。 In the key management method provided by the embodiment of this application, the terminal is in a roaming scenario, the service network corresponding to the terminal is the service network, and the service network is inconsistent with the home network of the terminal. At this time, the AF in the service network needs to report to AAnFProxy in the service network. Send an AKMA application key request to request K _AF .

根据前述内容，服务网络中的AF向服务网络中的AAnFProxy发送的AKMA应用密钥请求，根据服务网络中的AF中的策略的不同而不同。According to the foregoing content, the AKMA application key request sent by AF in the service network to AAnFProxy in the service network differs according to the policies in the AF in the service network.

可选的，服务网络中的AF向归属网络中的AAnFProxy发送第一AKMA应用密钥请求。其中，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识。Optionally, the AF in the serving network sends the first AKMA application key request to AAnFProxy in the home network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity.

可选的，服务网络中的AF向归属网络中的AAnFProxy发送第二AKMA应用密钥请求。其中，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Optionally, the AF in the serving network sends a second AKMA application key request to AAnFProxy in the home network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identity.

步骤603：服务网络中的AAnFProxy生成服务网络中的AF的AKMA应用密钥。Step 603: AAnFProxy in the service network generates the AKMA application key of AF in the service network.

可选的，AKMA应用密钥的生成可通过如下方式实现：服务网络中的AAnFProxy根据应用密钥获取请求得到A-KID和AF_ID；随后，服务网络中的AAnFProxy可基于AKMA密钥和AF_ID生成AKMA应用密钥。Optionally, the AKMA application key can be generated in the following way: AAnFProxy in the service network obtains A-KID and AF_ID based on the application key acquisition request; subsequently, AAnFProxy in the service network can generate AKMA based on the AKMA key and AF_ID. Application key.

步骤604：服务网络中的AAnFProxy向服务网络中的AF发送AKMA应用密钥响应。Step 604: AAnFProxy in the service network sends an AKMA application key response to AF in the service network.

根据步骤602，服务网络中的AF向服务网络中的AAnFProxy发送的AKMA应用密钥请求不同。相应的，服务网络中的AAnFProxy向服务网络中的AF发送的AKMA应用密钥响应也不同。According to step 602, the AKMA application key request sent by AF in the service network to AAnFProxy in the service network is different. Correspondingly, the AKMA application key response sent by AAnFProxy in the service network to AF in the service network is also different.

可选的，服务网络中的AAnFProxy接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。Optionally, AAnFProxy in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, the AF in the service network AAnFProxy sends the first AKMA application key response to the AF in the service network.

可选的，服务网络中的AAnFProxy接收服务网络中的AF发送的第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第二AKMA应用密钥响应。Optionally, AAnFProxy in the service network receives the second AKMA application key request sent by the AF in the service network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification; subsequently, the service network The AAnFProxy sends a second AKMA application key response to the AF in the serving network.

应当理解的是，上述内容中给出的实施例中，UE一侧的步骤可单独成为应用于终端中的密钥管理方法的一个实施例，服务网络中的AF一侧的步骤可单独成为应用于服务网络中的AF中的密钥管理方法的一个实施例，服务网络中的AAnFProxy一侧的步骤可单独成为应用于服务网络中的AAnFProxy中的密钥管理方法的一个实施例。其中，密钥管理方法的步骤的具体阐释可参考上述内容，不再赘述。It should be understood that in the embodiments given in the above content, the steps on the UE side can independently become an embodiment of the key management method applied in the terminal, and the steps on the AF side in the service network can independently become an application. As an embodiment of the key management method in the AF in the service network, the steps on the AAnFProxy side in the service network can individually become an embodiment of the key management method in AAnFProxy in the service network. For detailed explanation of the steps of the key management method, please refer to the above content and will not be described again.

综上所述，本申请实施例提供了一种密钥管理方法，给出了服务网络中的AF的AKMA应用密钥信息由服务网络中的AAnFProxy生成的实现方式。其中，基于服务网络中的AAnFProxy和服务网络中的AF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得服务网络中的AF能够获取到的AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method and provide an implementation method in which the AKMA application key information of AF in the service network is generated by AAnFProxy in the service network. Among them, based on the interaction between AAnFProxy in the service network and AF in the service network, AKMA application key request and AKMA application key response can be implemented, so that AF in the service network can obtain the AKMA application key of AF information.

参考图4-7，图9示出了本申请一个示例性实施例提供的密钥管理方法的流程图，应用于漫游场景下，该方法包括如下步骤：Referring to Figures 4-7, Figure 9 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. When applied in a roaming scenario, the method includes the following steps:

步骤701：UE向服务网络中的AF发送服务网络标识符和AKMA密钥标识符。Step 701: The UE sends the serving network identifier and the AKMA key identifier to the AF in the serving network.

步骤702：在UE的服务网络标识符与归属网络标识不一致的情况下，服务网络中的AF向服务网络中的AAnFProxy发送AKMA应用密钥请求。Step 702: When the serving network identifier of the UE is inconsistent with the home network identifier, the AF in the serving network sends an AKMA application key request to AAnFProxy in the serving network.

步骤703：服务网络中的AAnFProxy向归属网络中的AAnF发送应用密钥获取请求。Step 703: AAnFProxy in the service network sends an application key acquisition request to AAnF in the home network.

根据前述内容，服务网络中的AAnFProxy向归属网络中的AAnF发送的应用密钥获取请求根据服务网络中的AF中的策略的不同而改变。According to the foregoing content, the application key acquisition request sent by AAnFProxy in the service network to AAnF in the home network changes according to the different policies in the AF in the service network.

可选的，服务网络中的AAnFProxy接收到第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向归属网络中的AAnF发送第一应用密钥获取请求。Optionally, AAnFProxy in the service network receives the first AKMA application key request. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, AAnFProxy in the service network sends a request to the AF in the home network. AAnF sends a first application key acquisition request.

可选的，服务网络中的AAnFProxy接收到第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的AAnFProxy向归属网络中的AAnF发送第二应用密钥获取请求。Optionally, AAnFProxy in the service network receives the second AKMA application key request. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification; subsequently, AAnFProxy in the service network sends a request to the home network. The AAnF sends a second application key acquisition request.

可选的，在执行步骤703之前，服务网络中的代理实体还需要确定归属网络中的AAnF，本申请实施例提供的密钥管理方法，还包括：Optionally, before executing step 703, the proxy entity in the serving network also needs to determine the AAnF in the home network. The key management method provided by the embodiment of the present application also includes:

其中，以归属网络中的NRF使用hNRF表示，服务网络中的NRF使用vNRF表示为例，服务网络中的代理实体发现归属网络中的AAnF的过程可实现为如下：Among them, taking the NRF in the home network as hNRF and the NRF in the service network as vNRF as an example, the process of the agent entity in the service network discovering the AAnF in the home network can be implemented as follows:

服务网络中的代理实体通过服务网络标识符确定vNRF；vNRF根据服务网络中的代理实体传送的归属网络标识符，能够确定hNRF；hNRF根据预设策略判断归属网络中的AAnF有权为服务网络中的AAnFProxy及AF服务，随后授权归属网络中的代理实体访问归属网络中的AAnF。The proxy entity in the service network determines the vNRF through the service network identifier; the vNRF can determine the hNRF based on the home network identifier transmitted by the proxy entity in the service network; the hNRF determines based on the preset policy that the AAnF in the home network has the right to be the service network AAnFProxy and AF services, and then authorize the proxy entity in the home network to access the AAnF in the home network.

其中，服务网络标识符可由终端向服务网络中的AF提供，由服务网络中的AF传送给服务网络中的代理实体。The service network identifier may be provided by the terminal to the AF in the service network, and transmitted by the AF in the service network to the proxy entity in the service network.

步骤704：在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，归属网络中的AAnF基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥。Step 704: If the AKMA key of the terminal is stored in the AAnF in the home network, the AAnF in the home network generates the AKMA application key of the AF in the serving network based on the AKMA key of the terminal.

步骤705：归属网络中的AAnF向服务网络中的AAnFProxy发送应用密钥获取响应。Step 705: AAnF in the home network sends an application key acquisition response to AAnFProxy in the service network.

其中，应用密钥获取响应与应用密钥获取请求对应，用于归属网络中的AAnF向服务网络中的AAnFProxy反馈AF的AKMA应用密钥信息；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。Among them, the application key acquisition response corresponds to the application key acquisition request, and is used by AAnF in the home network to feed back AF's AKMA application key information to AAnFProxy in the serving network; the relevant description of AF's AKMA application key information can refer to the above The content will not be described again.

根据步骤703，服务网络中的AAnFProxy向归属网络中的AAnF发送的应用密钥获取请求不同。相应的，归属网络中的AAnF向服务网络中的AAnFProxy发送的应用密钥获取响应也不同。According to step 703, the application key acquisition request sent by AAnFProxy in the service network to AAnF in the home network is different. Correspondingly, the application key acquisition response sent by AAnF in the home network to AAnFProxy in the service network is also different.

可选的，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第一应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。Optionally, when the AF in the service network requires the terminal identification, the AAnF in the home network receives the first application key acquisition request sent by AAnFProxy in the service network; after generating the AKMA application key, the AAnF in the home network The AAnF sends the first application key acquisition response to AAnFProxy in the service network.

可选的，在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第二应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第二应用密钥获取响应。Optionally, when the AF in the service network does not require a terminal identification, the AAnF in the home network receives the second application key acquisition request sent by AAnFProxy in the service network; after generating the AKMA application key, the home network AAnF in the service network sends a second application key acquisition response to AAnFProxy in the service network.

步骤706：服务网络中的AAnFProxy向服务网络中的AF发送AKMA应用密钥响应。Step 706: AAnFProxy in the service network sends an AKMA application key response to AF in the service network.

根据步骤702，服务网络中的AF向服务网络中的AAnFProxy发送的AKMA应用密钥请求不同。相应的，服务网络中的AAnFProxy向服务网络中的AF发送的AKMA应用密钥响应也不同。According to step 702, the AKMA application key request sent by the AF in the service network to AAnFProxy in the service network is different. Correspondingly, the AKMA application key response sent by AAnFProxy in the service network to AF in the service network is also different.

可选的，服务网络中的AAnFProxy接收服务网络中的AF发送的第一AKMA 应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。Optionally, AAnFProxy in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, the AF in the service network AAnFProxy sends the first AKMA application key response to the AF in the service network.

应当理解的是，上述内容中给出的实施例中，UE一侧的步骤可单独成为应用于终端中的密钥管理方法的一个实施例，归属网络中的AAnF一侧的步骤可单独成为应用于归属网络中的AAnF中的密钥管理方法的一个实施例，服务网络中的AF一侧的步骤可单独成为应用于服务网络中的AF中的密钥管理方法的一个实施例，服务网络中的AAnFProxy一侧的步骤可单独成为应用于服务网络中的AAnFProxy中的密钥管理方法的一个实施例。其中，密钥管理方法的步骤的具体阐释可参考上述内容，不再赘述。It should be understood that in the embodiments given in the above content, the steps on the UE side can independently become an embodiment of the key management method applied in the terminal, and the steps on the AAnF side in the home network can independently become an application. As an embodiment of the key management method in the AAnF in the home network, the steps on the AF side in the serving network may separately become an embodiment of the key management method in the AF in the serving network, in the serving network The steps on the AAnFProxy side may alone become an embodiment of the key management method in AAnFProxy applied to the service network. For detailed explanation of the steps of the key management method, please refer to the above content and will not be described again.

综上所述，本申请实施例提供了一种密钥管理方法，给出了服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成的实现方式。其中，基于服务网络中的AAnFProxy、服务网络中的AF和归属网络中的AAnF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得服务网络中的AF能够获取到的AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method and provide an implementation method in which the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network. Among them, based on the interaction between AAnFProxy in the service network, AF in the service network and AAnF in the home network, AKMA application key request and AKMA application key response can be realized, so that AF in the service network can obtain AF's AKMA application key information.

根据前述内容，根据服务网络中的AF中的策略的不同，AKMA应用密钥请求、应用密钥获取请求、AKMA应用密钥响应和应用密钥获取响应存在差异，由此导致服务网络中的AF的AKMA应用密钥信息也存在差异。According to the foregoing content, depending on the policies in AF in the service network, there are differences in the AKMA application key request, application key acquisition request, AKMA application key response, and application key acquisition response, resulting in AF in the service network There are also differences in the AKMA application key information.

可选的，AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间；终端的SUPI。其中，该种情况是在服务网络中的AF需要终端标识的情况下实现的。Optionally, the AKMA application key information includes at least one of the following: the AKMA application key of the AF in the service network; the expiration time of the AKMA application key; and the SUPI of the terminal. This situation is realized when the AF in the service network requires the terminal identification.

可选的，AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间。其中，该种情况是在服务网络中的AF不需要终端标识的情况下实现的。Optionally, the AKMA application key information includes at least one of the following: the AKMA application key of the AF in the service network; and the expiration time of the AKMA application key. This situation is realized when the AF in the service network does not require terminal identification.

上述两种实现方式中，基于服务网络中的AF的策略的不同，来确定服务网络中的AF是否需要终端标识，从而确定需要请求的AF的AKMA应用密钥信息。以下将根据服务网络中的AF是否需要终端标识进行举例：In the above two implementation methods, based on the different policies of the AF in the service network, it is determined whether the AF in the service network requires a terminal identification, thereby determining the AKMA application key information of the AF that needs to be requested. The following will give an example based on whether the AF in the service network requires a terminal identification:

一、服务网络中的AF需要终端标识的情况。1. The AF in the service network requires terminal identification.

参考图9，图10示出了本申请一个示例性实施例提供的密钥管理方法的流程图。其中，步骤701、702、703、705、706分别可实现为步骤7011、7021、7031、7051、7061，该方法还包括步骤707和步骤708。上述步骤如下：Referring to Figure 9, Figure 10 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. Among them, steps 701, 702, 703, 705, and 706 can be implemented as steps 7011, 7021, 7031, 7051, and 7061 respectively. The method also includes step 707 and step 708. The above steps are as follows:

步骤7011：UE向服务网络中的AF发送应用会话建立请求。Step 7011: The UE sends an application session establishment request to the AF in the serving network.

示意性的，应用会话建立请求用于触发应用会话的建立请求，应用会话建立请求可用Application Session Establishment Request表示；应用会话建立请求携带有服务网络标识符。Illustratively, the application session establishment request is used to trigger the establishment request of the application session. The application session establishment request can be represented by Application Session Establishment Request; the application session establishment request carries the service network identifier.

其中，服务网络标识符可由应用会话建立请求中的AKMA密钥标识符携带，也可由专用字段携带。可选的，应用会话建立请求包括AKMA密钥标识符，AKMA密钥标识符携带有服务网络标识符；或者，应用会话建立请求包括AKMA密钥标识符和服务网络标识符。其中，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符。The service network identifier may be carried by the AKMA key identifier in the application session establishment request, or may be carried by a dedicated field. Optionally, the application session establishment request includes the AKMA key identifier, and the AKMA key identifier carries the service network identifier; or, the application session establishment request includes the AKMA key identifier and the service network identifier. Wherein, the AKMA key identifier is an identifier used to indicate the AKMA key of the terminal.

步骤7021：在UE的服务网络标识符与归属网络标识不一致的情况下，服务网络中的AF向服务网络中的AAnFProxy发送第一AKMA应用密钥请求。Step 7021: When the serving network identifier of the UE is inconsistent with the home network identifier, the AF in the serving network sends the first AKMA application key request to AAnFProxy in the serving network.

示意性的，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识。Illustratively, the first AKMA application key request is used to indicate that the AF in the serving network requires a terminal identity.

其中，AKMA应用密钥请求用于向服务网络中的AAnFProxy请求服务网络中的AF的AKMA应用密钥信息。可选的，第一AKMA应用密钥请求可使用AKMA Application Key Request表示。The AKMA application key request is used to request the AKMA application key information of the AF in the service network from AAnFProxy in the service network. Optionally, the first AKMA Application Key Request can be expressed using AKMA Application Key Request.

可选的，第一AKMA应用密钥请求包括AKMA密钥标识符和/或AF标识符。其中，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符，可用A-KID表示；AF标识符是用于指示服务网络中的AF的标识符，可用AF_ID表示。Optionally, the first AKMA application key request includes an AKMA key identifier and/or an AF identifier. The AKMA key identifier is an identifier used to indicate the AKMA key of the terminal, which can be represented by A-KID; the AF identifier is an identifier used to indicate the AF in the service network, which can be represented by AF_ID.

可选的，服务网络中的AAnFProxy是服务网络中单独的NF；或者，服务网络中的AAnFProxy是服务网络中任一NF中的一部分；或者，服务网络中的AAnFProxy是可信应用功能(Trusted AF)，比如3GPP运营商域内的可信应用功能。Optionally, AAnFProxy in the service network is a separate NF in the service network; or, AAnFProxy in the service network is part of any NF in the service network; or, AAnFProxy in the service network is a Trusted Application Function (Trusted AF) ), such as trusted application functions within the 3GPP operator domain.

步骤7031：服务网络中的AAnFProxy向归属网络中的AAnF发送第一应用密钥获取请求。Step 7031: AAnFProxy in the serving network sends a first application key acquisition request to AAnF in the home network.

示意性的，第一应用密钥获取请求用于在服务网络中的AF需要终端标识的情况下，向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息。Illustratively, the first application key acquisition request is used to request the AKMA application key information of the AF in the serving network from the AAnF in the home network when the AF in the serving network requires a terminal identification.

其中，AF的AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间；终端的SUPI。The AKMA application key information of the AF includes at least one of the following: the AKMA application key of the AF in the service network; the expiration time of the AKMA application key; and the SUPI of the terminal.

根据步骤7021，服务网络中的AAnFProxy能够确定服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向归属网络中的AAnF发送第一应用密钥获取请求。According to step 7021, AAnFProxy in the service network can determine that the AF in the service network requires a terminal identification; subsequently, AAnFProxy in the service network sends a first application key acquisition request to AAnF in the home network.

可选的，第一应用密钥获取请求包括A-KID和/或AF_ID。Optionally, the first application key acquisition request includes A-KID and/or AF_ID.

步骤707：根据授权信息或策略，归属网络中的AAnF确定AAnF是否向服务网络中的AF及服务网络中的代理实体提供服务。Step 707: According to the authorization information or policy, the AAnF in the home network determines whether the AAnF provides services to the AF in the service network and the proxy entity in the service network.

其中，授权信息或策略与AF标识符相关联，AF标识符是用于指示服务网络中的AF的标识符。Wherein, the authorization information or policy is associated with an AF identifier, which is an identifier used to indicate the AF in the service network.

在生成服务网络中的AF的AKMA应用密钥之前，需要执行步骤707，以确定归属网络中的AAnF是否可以向服务网络中的AF及服务网络中的代理实体提供服务。在归属网络中的AAnF可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，执行步骤704；在归属网络中的AAnF不可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，归属网络中的AAnF可拒绝执行步骤704，并向服务网络中的AAnFProxy反馈错误响应。Before generating the AKMA application key of the AF in the serving network, step 707 needs to be performed to determine whether the AAnF in the home network can provide services to the AF in the serving network and the proxy entity in the serving network. When the AAnF in the home network can provide services to the AF in the service network and the proxy entity in the service network, step 704 is performed; the AAnF in the home network cannot provide services to the AF in the service network and the proxy in the service network. If the entity provides services, AAnF in the home network may refuse to perform step 704 and feed back an error response to AAnFProxy in the serving network.

步骤7051：归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。Step 7051: AAnF in the home network sends a first application key acquisition response to AAnFProxy in the service network.

其中，第一应用密钥获取响应与第一应用密钥获取请求对应，用于在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF向服务网络中的AAnFProxy反馈AF的AKMA应用密钥信息；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。Wherein, the first application key acquisition response corresponds to the first application key acquisition request, and is used for the AAnF in the home network to feed back the AF's AKMA application to the AAnFProxy in the service network when the AF in the service network requires the terminal identification. Key information; For the relevant description of AF's AKMA application key information, please refer to the above content and will not be described again.

根据步骤7031，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第一应用密钥获取请求；根据步骤707和步骤704，在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。可选的，第一应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_Get Response表示。According to step 7031, when the AF in the serving network requires a terminal identification, the AAnF in the home network receives the first application key acquisition request sent by AAnFProxy in the serving network; according to steps 707 and 704, after generating the AKMA application After obtaining the key, AAnF in the home network sends a first application key acquisition response to AAnFProxy in the service network. Optionally, the first application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_Get Response.

其中，第一应用密钥获取响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。The AKMA application key information of the AF carried in the first application key acquisition response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

步骤7061：服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。Step 7061: AAnFProxy in the service network sends the first AKMA application key response to the AF in the service network.

其中，第一AKMA应用密钥响应与第一AKMA应用密钥请求对应；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。Wherein, the first AKMA application key response corresponds to the first AKMA application key request; for the relevant description of the AKMA application key information of the AF, please refer to the foregoing content and will not be described again.

根据步骤7021，服务网络中的AAnFProxy接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。可选的，第一AKMA应用密钥响应可使用AKMA Application Key Response表示。According to step 7021, AAnFProxy in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, the AF in the service network AAnFProxy sends the first AKMA application key response to the AF in the service network. Optionally, the first AKMA Application Key Response can be expressed using AKMA Application Key Response.

步骤708：服务网络中的AF向UE发送应用会话建立响应。Step 708: The AF in the serving network sends an application session establishment response to the UE.

示意性的，应用会话建立响应与应用会话建立请求对应，用于反馈服务网络中的AF的AKMA应用密钥信息，可用Application Session Establishment Response表示。Illustratively, the application session establishment response corresponds to the application session establishment request, and is used to feed back the AKMA application key information of AF in the service network, which can be represented by Application Session Establishment Response.

UE在接收到应用会话建立响应后，可根据AKMA应用密钥响应中携带的AF的AKMA应用密钥信息。其中，第一AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。After receiving the application session establishment response, the UE can use the AKMA application key information of the AF carried in the AKMA application key response. The AKMA application key information of the AF carried in the first AKMA application key response includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and the SUPI.

在一种可选的实现场景下，归属网络中的AAnF中未携带终端的AKMA密钥。In an optional implementation scenario, the AAnF in the home network does not carry the terminal's AKMA key.

可选的，归属网络中的AAnF向服务网络中的AAnFProxy发送错误响应；服务网络中的AAnFProxy向服务网络中的AF发送该错误响应；服务网络中的AF向UE反馈应用会话的拒绝信息，该拒绝信息中包括响应失败原因。基于此，服务网络中的AF通过包含响应失败原因来拒绝建立应用会话。Optionally, AAnF in the home network sends an error response to AAnFProxy in the serving network; AAnFProxy in the serving network sends the error response to AF in the serving network; AF in the serving network feeds back application session rejection information to the UE. The rejection message includes the reason for the response failure. Based on this, the AF in the service network refuses to establish the application session by including the response failure reason.

综上所述，本申请实施例提供了一种密钥管理方法，在服务网络中的AF需要终端标识的情况下，基于服务网络中的AAnFProxy、服务网络中的AF和归属网络中的AAnF之间的交互，通过第一AKMA应用密钥请求和第一AKMA应用密钥响应，能够使得终端获取到对应的AKMA应用密钥信息。其中，该AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。To sum up, the embodiments of this application provide a key management method. When the AF in the service network requires a terminal identification, it is based on the AAnFProxy in the service network, the AF in the service network and the AAnF in the home network. Through the interaction between the first AKMA application key request and the first AKMA application key response, the terminal can obtain the corresponding AKMA application key information. The AKMA application key information includes at least one of the following information: the AKMA application key, the expiration time of the AKMA application key, and SUPI.

二、服务网络中的AF不需要终端标识的情况。2. The AF in the service network does not require terminal identification.

参考图9，图11示出了本申请一个示例性实施例提供的密钥管理方法的流程图。其中，步骤701、702、703、705、706分别可实现为步骤7011、7022、7032、7052、7062，该方法还包括步骤707和步骤708。步骤7011、步骤707和步骤708的相关描述可参考前述内容，不再赘述，剩余步骤如下：Referring to Figure 9, Figure 11 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. Among them, steps 701, 702, 703, 705, and 706 can be implemented as steps 7011, 7022, 7032, 7052, and 7062 respectively. The method also includes step 707 and step 708. For relevant descriptions of step 7011, step 707 and step 708, please refer to the foregoing content and will not be repeated. The remaining steps are as follows:

步骤7022：在UE的服务网络标识符与归属网络标识不一致的情况下，服务网络中的AF向服务网络中的AAnFProxy发送第二AKMA应用密钥请求。Step 7022: When the serving network identifier of the UE is inconsistent with the home network identifier, the AF in the serving network sends a second AKMA application key request to AAnFProxy in the serving network.

示意性的，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Illustratively, the second AKMA application key request is used to indicate that the AF in the serving network does not require a terminal identification.

其中，AKMA应用密钥请求用于向服务网络中的AAnFProxy请求服务网络中的AF的AKMA应用密钥信息。可选的，第二AKMA应用密钥请求可使用AKMA Application Key AnonUser Request表示。The AKMA application key request is used to request the AKMA application key information of the AF in the service network from AAnFProxy in the service network. Optionally, the second AKMA Application Key request can be expressed using AKMA Application Key AnonUser Request.

可选的，第二AKMA应用密钥请求包括A-KID和/或AF_ID。Optionally, the second AKMA application key request includes A-KID and/or AF_ID.

可选的，服务网络中的AAnFProxy是服务网络中单独的NF；或者，服务网络中的AAnFProxy是服务网络中任一NF中的一部分；或者，服务网络中的AAnFProxy是3GPP运营商域内的可信应用功能。Optionally, AAnFProxy in the service network is a separate NF in the service network; or, AAnFProxy in the service network is part of any NF in the service network; or, AAnFProxy in the service network is a trusted NF within the 3GPP operator domain. Application functions.

步骤7032：服务网络中的AAnFProxy向归属网络中的AAnF发送第二应用密钥获取请求。Step 7032: AAnFProxy in the service network sends a second application key acquisition request to AAnF in the home network.

示意性的，第二应用密钥获取请求用于在服务网络中的AF不需要终端标识的情况下，向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息。其中，第二应用密钥获取请求可用Naanf_AKMA_ApplicationKey_AnonUser_Get Request表示。Illustratively, the second application key acquisition request is used to request the AKMA application key information of the AF in the serving network from the AAnF in the home network when the AF in the serving network does not need a terminal identification. Among them, the second application key acquisition request can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Request.

其中，AF的AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间。The AKMA application key information of the AF includes at least one of the following: the AKMA application key of the AF in the service network; and the expiration time of the AKMA application key.

根据步骤7022，服务网络中的AAnFProxy能够确定服务网络中的AF不需要终端标识；服务网络中的AAnFProxy向归属网络中的AAnF发送第二应用密钥获取请求。According to step 7022, AAnFProxy in the service network can determine that the AF in the service network does not require a terminal identification; AAnFProxy in the service network sends a second application key acquisition request to AAnF in the home network.

可选的，第二应用密钥获取请求包括A-KID和/或AF_ID。Optionally, the second application key acquisition request includes A-KID and/or AF_ID.

步骤7052：归属网络中的AAnF向服务网络中的AAnFProxy发送第二应用密钥获取响应。Step 7052: AAnF in the home network sends a second application key acquisition response to AAnFProxy in the service network.

其中，第二应用密钥获取响应与第二应用密钥获取请求对应，用于在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF向服务网络中的AAnFProxy反馈AF的AKMA应用密钥信息；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。The second application key acquisition response corresponds to the second application key acquisition request, and is used for the AAnF in the home network to feed back the AKMA of the AF to the AAnFProxy in the service network when the AF in the service network does not need a terminal identification. Application key information; for the description of AF's AKMA application key information, please refer to the foregoing content and will not be described again.

根据步骤7032，在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第二应用密钥获取请求；根据步骤707和步骤704，在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第二应用密钥获取响应。可选的，第二应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_AnonUser_Get Response表示。According to step 7032, when the AF in the serving network does not require a terminal identification, the AAnF in the home network receives the second application key acquisition request sent by AAnFProxy in the serving network; according to steps 707 and 704, after generating the AKMA After applying the key, AAnF in the home network sends a second application key acquisition response to AAnFProxy in the service network. Optionally, the second application key acquisition response can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Response.

步骤7062：服务网络中的AAnFProxy向服务网络中的AF发送第二AKMA应用密钥响应。Step 7062: AAnFProxy in the service network sends a second AKMA application key response to AF in the service network.

其中，第二AKMA应用密钥响应与第二AKMA应用密钥请求对应；AF的AKMA应用密钥信息的相关描述可参考前述内容，不再赘述。The second AKMA application key response corresponds to the second AKMA application key request; the relevant description of the AKMA application key information of the AF may refer to the foregoing content and will not be described again.

根据步骤7022，服务网络中的AAnFProxy接收服务网络中的AF发送的第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第二AKMA应用密钥响应。可选的，第二AKMA应用密钥响应可使用AKMA Application Key AnonUser Response表示。According to step 7022, AAnFProxy in the service network receives the second AKMA application key request sent by the AF in the service network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification; subsequently, the AF in the service network The AAnFProxy sends a second AKMA application key response to the AF in the serving network. Optionally, the second AKMA Application Key response can be represented by AKMA Application Key AnonUser Response.

综上所述，本申请实施例提供了一种密钥管理方法，在服务网络中的AF不需要终端标识的情况下，基于服务网络中的AAnFProxy、服务网络中的AF和归属网络中的AAnF之间的交互，通过第二AKMA应用密钥请求和第二AKMA应用密钥响应，能够使得终端获取到对应的AKMA应用密钥信息。其中，该 AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。To sum up, the embodiments of this application provide a key management method based on AAnFProxy in the service network, AF in the service network and AAnF in the home network when the AF in the service network does not require a terminal identification. Through the interaction between the second AKMA application key request and the second AKMA application key response, the terminal can obtain the corresponding AKMA application key information. The AKMA application key information includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

应当理解的是，图10和图11是基于图9示出的密钥管理方法的两种不同的实现方式，对于图8示出的密钥管理方法，同样有与之类似的实现方式，不再赘述。It should be understood that Figures 10 and 11 are two different implementations based on the key management method shown in Figure 9. For the key management method shown in Figure 8, there are also similar implementations. Again.

比如，步骤601也可实现为步骤7011，图8示出的密钥管理方法还可以包括步骤708，以使得UE通过应用会话建立请求携带服务网络标识符。For example, step 601 can also be implemented as step 7011, and the key management method shown in Figure 8 can also include step 708, so that the UE carries the service network identifier through the application session establishment request.

又如，步骤602也可实现为步骤7021或7022，步骤604也可实现为步骤7061或7062，使得服务网络中的AF和服务网络中的AAnFProxy能够基于不同的情况实现不同的AKMA应用密钥请求和AKMA应用密钥响应。As another example, step 602 can also be implemented as step 7021 or 7022, and step 604 can also be implemented as step 7061 or 7062, so that AF in the service network and AAnFProxy in the service network can implement different AKMA application key requests based on different situations. and AKMA application key responses.

图12示出了本申请一个示例性实施例提供的密钥管理方法的流程图，应用于漫游场景下，该方法包括如下步骤：Figure 12 shows a flow chart of a key management method provided by an exemplary embodiment of the present application. When applied in a roaming scenario, the method includes the following steps:

示意性的，在服务网络中的AF与UE进行通信之前，需要确定二者之间是否可以使用AKMA服务。在步骤801之前，通过UE与AUSF之间的主鉴权流程，以使得UE和AUSF分别在本地生成相同的K _AUSF、K _AKMA以及A-KID。 Illustratively, before the AF in the service network communicates with the UE, it needs to be determined whether the AKMA service can be used between the two. Before step 801, the main authentication process between the UE and the AUSF is passed, so that the UE and the AUSF locally generate the same K _AUSF , _KAKMA and A-KID respectively.

步骤801：UE向服务网络中的AF发送应用会话建立请求。Step 801: The UE sends an application session establishment request to the AF in the serving network.

示意性的，应用会话建立请求用于触发应用会话的建立请求，应用会话建立请求可用Application Session Establishment Request表示。Illustratively, the application session establishment request is used to trigger the application session establishment request, and the application session establishment request can be represented by Application Session Establishment Request.

其中，应用会话建立请求中携带有A-KID和/或服务网络标识符，A-KID用于指示终端的AKMA密钥的标识符；服务网络标识符用于指示终端的服务网络，用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的AAnFProxy发送密钥管理请求。Among them, the application session establishment request carries A-KID and/or service network identifier. A-KID is used to indicate the identifier of the terminal's AKMA key; the service network identifier is used to indicate the service network of the terminal and is used to trigger When the service network identifier of the terminal is inconsistent with the home network identifier, the AF in the service network sends a key management request to AAnFProxy in the service network.

可选的，TS 33.535中限定了A-KID应采用IETF RFC 7542中条款2.2规定的NAI格式，比如：用户名@安全域。Optional, TS 33.535 stipulates that A-KID should adopt the NAI format specified in clause 2.2 of IETF RFC 7542, such as: username@security domain.

步骤8021：服务网络中的AF向服务网络中的AAnFProxy发送第一AKMA应用密钥请求。Step 8021: The AF in the service network sends the first AKMA application key request to AAnFProxy in the service network.

示意性的，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识，第一AKMA应用密钥请求包括A-KID和/或AF_ID。(If the AF does not have an active context associated with the A-KID,then the AF selects the AAnFProxy in the serving network and sends request to AAnFProxy with the A-KID to request the K _AF.The AF also includes its identity(AF_ID)in the request.The AF sends AKMA Application Key Request if the policy in AF indicates it needs the UE identity.) Illustratively, the first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification, and the first AKMA application key request includes A-KID and/or AF_ID. (If the AF does not have an active context associated with the A-KID,then the AF selects the AAnFProxy in the serving network and sends request to AAnFProxy with the A-KID to request the K _AF .The AF also includes its identity( AF_ID) in the request.The AF sends AKMA Application Key Request if the policy in AF indicates it needs the UE identity.)

步骤8022：服务网络中的AF向服务网络中的AAnFProxy发送第二AKMA应用密钥请求。Step 8022: The AF in the service network sends a second AKMA application key request to AAnFProxy in the service network.

示意性的，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识，第二AKMA应用密钥请求包括A-KID和/或AF_ID。(The AF sends the request via the AKMA Application Key AnonUser Request if the policy in AF indicates the AF does not need the UE identity.)Illustratively, the second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification, and the second AKMA application key request includes A-KID and/or AF_ID. (The AF sends the request via the AKMA Application Key AnonUser Request if the policy in AF indicates the AF does not need the UE identity.)

应当理解的是，步骤8021和步骤8022择一执行，不能同时执行。It should be understood that step 8021 and step 8022 are executed alternatively and cannot be executed at the same time.

步骤8031：服务网络中的AAnFProxy向归属网络中的AAnF发送第一应用密钥获取请求。Step 8031: AAnFProxy in the service network sends a first application key acquisition request to AAnF in the home network.

示意性的，第一应用密钥获取请求用于在服务网络中的AF需要终端标识的情况下，向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息。可选的，第一应用密钥获取请求可使用Naanf_AKMA_ApplicationKey_Get Request表示。(The AAnFProxy sends the request via the Naanf_AKMA_ApplicationKey_Get service operation if it receives AKMA Application Key Request from the AF.)Illustratively, the first application key acquisition request is used to request the AKMA application key information of the AF in the serving network from the AAnF in the home network when the AF in the serving network requires a terminal identification. Optionally, the first application key acquisition request can be represented by Naanf_AKMA_ApplicationKey_Get Request. (The AAnFProxy sends the request via the Naanf_AKMA_ApplicationKey_Get service operation if it receives AKMA Application Key Request from the AF.)

根据步骤8021，服务网络中的AAnFProxy能够确定服务网络中的AF需要终端标识；服务网络中的AAnFProxy向归属网络中的AAnF发送第一应用密钥获取请求，第一应用密钥获取请求包括A-KID和/或AF_ID。According to step 8021, AAnFProxy in the service network can determine that the AF in the service network requires a terminal identification; AAnFProxy in the service network sends a first application key acquisition request to AAnF in the home network, and the first application key acquisition request includes A- KID and/or AF_ID.

步骤8032：服务网络中的AAnFProxy向归属网络中的AAnF发送第二应用密钥获取请求。Step 8032: AAnFProxy in the service network sends a second application key acquisition request to AAnF in the home network.

示意性的，第二应用密钥获取请求用于在服务网络中的AF不需要终端标识的情况下，向归属网络中的AAnF请求服务网络中的AF的AKMA应用密钥信息，第二应用密钥获取请求可用Naanf_AKMA_ApplicationKey_AnonUser_Get Request表示。(The AAnFProxy sends the request via the Naanf_AKMA_ApplicationKey_AnonUser_Get service operation if it receives AKMA Application Key AnonUser Request from the AF.)Illustratively, the second application key acquisition request is used to request the AKMA application key information of the AF in the serving network from the AAnF in the home network when the AF in the serving network does not need a terminal identification. The second application key The key acquisition request can be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Request. (The AAnFProxy sends the request via the Naanf_AKMA_ApplicationKey_AnonUser_Get service operation if it receives AKMA Application Key AnonUser Request from the AF.)

根据步骤8022，服务网络中的AAnFProxy能够确定服务网络中的AF不需要终端标识；服务网络中的AAnFProxy向归属网络中的AAnF发送第二应用密钥获取请求，第二应用密钥获取请求包括A-KID和/或AF_ID。According to step 8022, AAnFProxy in the service network can determine that the AF in the service network does not need a terminal identification; AAnFProxy in the service network sends a second application key acquisition request to AAnF in the home network, and the second application key acquisition request includes A -KID and/or AF_ID.

应当理解的是，步骤8031和步骤8032择一执行，不能同时执行。It should be understood that step 8031 and step 8032 can be executed alternatively and cannot be executed at the same time.

可选的，在执行步骤8031或步骤8032之前，服务网络中的AAnFProxy还需要确定归属网络中的AAnF，本申请实施例提供的密钥管理方法，还包括：Optionally, before executing step 8031 or step 8032, the AAnFProxy in the serving network also needs to determine the AAnF in the home network. The key management method provided by the embodiment of the present application also includes:

服务网络中的AAnFProxy通过服务网络和归属网络中的NRF发现归属网络中的AAnF。AAnFProxy in the service network discovers AAnF in the home network through the NRF in the service network and home network.

其中，以归属网络中的NRF使用hNRF表示，服务网络中的NRF使用vNRF表示为例，服务网络中的AAnFProxy发现归属网络中的AAnF的过程可实现为如下：服务网络中的AAnFProxy通过服务网络标识符确定vNRF；vNRF根据服务网络中的AAnFProxy传送的归属网络标识符，能够确定hNRF；hNRF根据预设策略判断归属网络中的AAnF有权为服务网络中的AAnFProxy及AF服务，随后授权归属网络中的AAnFProxy访问归属网络中的AAnF。Among them, taking the NRF in the home network as hNRF and the NRF in the service network as vNRF as an example, the process of AAnFProxy in the service network discovering the AAnF in the home network can be implemented as follows: AAnFProxy in the service network identifies the service network through determine the vNRF; vNRF can determine hNRF based on the home network identifier transmitted by AAnFProxy in the service network; hNRF determines that the AAnF in the home network has the right to serve AAnFProxy and AF in the service network based on the preset policy, and then authorizes the home network The AAnFProxy accesses the AAnF in the home network.

步骤804：在归属网络中的AAnF存储有终端的AKMA密钥的情况下，归属网络中的AAnF基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥。Step 804: In the case where the AAnF in the home network stores the AKMA key of the terminal, the AAnF in the home network generates the AKMA application key of the AF in the serving network based on the AKMA key of the terminal.

其中，AKMA应用密钥用于指示UE和服务网络中的AF之间的通信密钥，可用K _AF表示。 Among them, the AKMA application key is used to indicate the communication key between the UE and the AF in the serving network, which can be represented by K _AF .

示例性的，AKMA应用密钥的生成可通过如下方式实现：归属网络中的AAnF根据应用密钥获取请求得到A-KID和AF_ID；随后，归属网络中的AAnF可基于AKMA密钥和AF_ID生成AKMA应用密钥。Exemplarily, the AKMA application key can be generated in the following manner: AAnF in the home network obtains A-KID and AF_ID based on the application key acquisition request; subsequently, AAnF in the home network can generate AKMA based on the AKMA key and AF_ID. Application key.

可选的，归属网络中的AAnF可根据A-KID对应的终端的AKMA密钥的存在，来验证UE是否被授权使用AKMA服务。(The AAnF shall verify whether the subscriber is authorized to use AKMA based on the presence of the UE specific K _AKMA key identified by the A-KID.) Optionally, the AAnF in the home network can verify whether the UE is authorized to use the AKMA service based on the existence of the AKMA key of the terminal corresponding to the A-KID. (The AAnF shall verify whether the subscriber is authorized to use AKMA based on the presence of the UE specific K _AKMA key identified by the A-KID.)

可选的，在执行步骤804之前，归属网络中的AAnF还需要执行如下步骤：根据授权信息或策略，确定归属网络中的AAnF是否可以向服务网络中的AF及服务网络中的代理实体提供服务。Optionally, before performing step 804, the AAnF in the home network also needs to perform the following steps: determine whether the AAnF in the home network can provide services to the AF in the service network and the proxy entity in the service network based on the authorization information or policy. .

其中，在归属网络中的AAnF可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，执行步骤804；在归属网络中的AAnF不可以向服务网络中的AF及服务网络中的代理实体提供服务的情况下，归属网络中的AAnF可拒绝执行步骤804，并向服务网络中的AAnFProxy反馈错误响应。(The AAnF in the home network shall check whether the AAnF can provide the service to the AF and AAnFProxy based on the configured local policy or based on the authorization information or policy provided by the NRF using the AF_ID of AF.If it succeeds,the following procedures are executed.Otherwise,the AAnF shall reject the procedure.)Among them, if the AAnF in the home network can provide services to the AF in the service network and the proxy entity in the service network, step 804 is performed; the AAnF in the home network cannot provide services to the AF in the service network and the proxy entity in the service network. In the case where the proxy entity provides services, the AAnF in the home network may refuse to perform step 804 and feed back an error response to the AAnFProxy in the serving network. (The AAnF in the home network shall check whether the AAnF can provide the service to the AF and AAnFProxy based on the configured local policy or based on the authorization information or policy provided by the NRF using the AF_ID of AF. If it succeeds, the The following procedures are executed. Otherwise, the AAnF shall reject the procedure.)

在一种实现场景下，归属网络中的AAnF可能存储有终端的AKMA密钥，也可未存储终端的AKMA密钥。归属网络中的AAnF存储有终端的AKMA密钥的情况下，归属网络中的AAnF基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥(If K _AKMA is present in AAnF,the AAnF shall derive K _AF for the AF.)；在归属网络中的AAnF未存储有终端的AKMA密钥的情况下，归属网络中的AAnF反馈错误响应(If K _AKMA is not present in the AAnF,the AAnF shall continue with step 4 with an error response.)。 In one implementation scenario, the AAnF in the home network may or may not store the AKMA key of the terminal. When the AAnF in the home network stores the AKMA key of the terminal, the AAnF in the home network generates the AKMA application key of the AF in the service network based on the AKMA key of the terminal (If K _AKMA is present in AAnF, the AAnF shall derive K _AF for the AF.); When the AAnF in the home network does not store the AKMA key of the terminal, the AAnF in the home network feeds back an error response (If K _AKMA is not present in the AAnF, the AAnF shall continue with step 4 with an error response.).

步骤8051：归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。Step 8051: AAnF in the home network sends a first application key acquisition response to AAnFProxy in the service network.

其中，第一应用密钥获取响应与第一应用密钥获取请求对应，用于在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF向服务网络中的AAnFProxy反馈AF的AKMA应用密钥信息。(The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AAnFProxy with SUPI,K _AF,the K _AF expiration time,and the SUPI of UE.) Wherein, the first application key acquisition response corresponds to the first application key acquisition request, and is used for the AAnF in the home network to feed back the AF's AKMA application to the AAnFProxy in the service network when the AF in the service network requires the terminal identification. Key information. (The AAnF sends Naanf_AKMA_ApplicationKey_Get response to the AAnFProxy with SUPI,K _AF ,the K _AF expiration time,and the SUPI of UE.)

可选的，第一应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_Get Response表示。可选的，AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥(K _AF)、AKMA应用密钥的过期时间(K _AF expTime)和SUPI。 Optionally, the first application key acquisition response may be represented by Naanf_AKMA_ApplicationKey_Get Response. Optionally, the AKMA application key information of AF includes at least one of the following information: AKMA application key (K _AF ), expiration time of the AKMA application key (K _AF expTime), and SUPI.

根据步骤8031，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第一应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。According to step 8031, when the AF in the service network requires the terminal identification, the AAnF in the home network receives the first application key acquisition request sent by AAnFProxy in the service network; after generating the AKMA application key, the AAnF in the home network The AAnF sends the first application key acquisition response to AAnFProxy in the service network.

步骤8052：归属网络中的AAnF向服务网络中的AAnFProxy发送第二应用密钥获取响应。Step 8052: AAnF in the home network sends a second application key acquisition response to AAnFProxy in the service network.

示意性的，第二应用密钥获取响应与第一应用密钥获取请求对应，用于在服务网络中的AF不需要终端标识的情况下，归属网络中的AAnF向服务网络中的AAnFProxy反馈AF的AKMA应用密钥信息。(The AAnF sends Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AAnFProxy with K _AF and the K _AF expiration time.) Illustratively, the second application key acquisition response corresponds to the first application key acquisition request, and is used for AAnF in the home network to feed back AF to AAnFProxy in the service network when the AF in the service network does not require a terminal identification. AKMA application key information. (The AAnF sends Naanf_AKMA_ApplicationKey_AnonUser_Get response to the AAnFProxy with K _AF and the K _AF expiration time.)

可选的，第一应用密钥获取响应可使用Naanf_AKMA_ApplicationKey_AnonUser_Get Response表示。可选的，AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥(K _AF)和AKMA应用密钥的过期时间(K _AF expTime)。 Optionally, the first application key acquisition response may be represented by Naanf_AKMA_ApplicationKey_AnonUser_Get Response. Optionally, the AKMA application key information of the AF includes at least one of the following information: the AKMA application key (K _AF ) and the expiration time of the AKMA application key (K _AF expTime).

根据步骤8032，在服务网络中的AF需要终端标识的情况下，归属网络中的AAnF接收到服务网络中的AAnFProxy发送的第一应用密钥获取请求；在生成AKMA应用密钥后，归属网络中的AAnF向服务网络中的AAnFProxy发送第一应用密钥获取响应。According to step 8032, when the AF in the service network requires the terminal identification, the AAnF in the home network receives the first application key acquisition request sent by AAnFProxy in the service network; after generating the AKMA application key, the AAnF in the home network The AAnF sends the first application key acquisition response to AAnFProxy in the service network.

应当理解的是，步骤8051和步骤8052择一执行，不能同时执行。It should be understood that step 8051 and step 8052 can be executed alternatively and cannot be executed at the same time.

根据前述内容，步骤8031/8032、804和8051/8052给出了服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成的实现方式。According to the foregoing content, steps 8031/8032, 804 and 8051/8052 provide an implementation manner in which the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network.

在一种可选的实现场景下，服务网络中的AF的AKMA应用密钥信息还可由服务网络中的AAnFProxy生成。比如，服务网络中的AAnFProxy根据应用密钥获取请求得到A-KID和AF_ID；随后，服务网络中的AAnFProxy可基于AKMA密钥和AF_ID生成AKMA应用密钥。In an optional implementation scenario, the AKMA application key information of AF in the service network can also be generated by AAnFProxy in the service network. For example, AAnFProxy in the service network obtains A-KID and AF_ID based on the application key acquisition request; subsequently, AAnFProxy in the service network can generate an AKMA application key based on the AKMA key and AF_ID.

步骤8061：服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。Step 8061: AAnFProxy in the service network sends the first AKMA application key response to AF in the service network.

其中，第一AKMA应用密钥响应与第一AKMA应用密钥请求对应。The first AKMA application key response corresponds to the first AKMA application key request.

可选的，第一AKMA应用密钥响应可使用AKMA Application Key Response表示；AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI。(The AAnFProxy sends AKMA Application Key Response to AF in the serving network with SUPI,K _AF,the K _AF expiration time,and the SUPI of UE.) Optionally, the first AKMA Application Key Response can be represented by an AKMA Application Key Response; the AKMA Application Key information of the AF includes at least one of the following information: the AKMA Application Key, the expiration time of the AKMA Application Key, and SUPI. (The AAnFProxy sends AKMA Application Key Response to AF in the serving network with SUPI,K _AF ,the K _AF expiration time,and the SUPI of UE.)

根据步骤8021，服务网络中的AAnFProxy接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第一AKMA应用密钥响应。According to step 8021, AAnFProxy in the service network receives the first AKMA application key request sent by the AF in the service network. The first AKMA application key request is used to indicate that the AF in the service network requires a terminal identification; subsequently, the AF in the service network AAnFProxy sends the first AKMA application key response to the AF in the service network.

步骤8062：服务网络中的AAnFProxy向服务网络中的AF发送第二AKMA应用密钥响应。Step 8062: AAnFProxy in the service network sends a second AKMA application key response to AF in the service network.

其中，第二AKMA应用密钥响应与第二AKMA应用密钥请求对应。The second AKMA application key response corresponds to the second AKMA application key request.

可选的，第二AKMA应用密钥响应可使用AKMA Application Key AnonUser Response表示；AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。(The AAnFProxy sends AKMA Application Key AnonUser Response to the AF with K _AF and K _AF expiration time.) Optionally, the second AKMA Application Key response may be represented by an AKMA Application Key AnonUser Response; the AKMA Application Key information of the AF includes at least one of the following information: the AKMA Application Key and the expiration time of the AKMA Application Key. (The AAnFProxy sends AKMA Application Key AnonUser Response to the AF with K _AF and K _AF expiration time.)

根据步骤8022，服务网络中的AAnFProxy接收服务网络中的AF发送的第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识；随后，服务网络中的AAnFProxy向服务网络中的AF发送第二AKMA应用密钥响应。According to step 8022, AAnFProxy in the service network receives the second AKMA application key request sent by the AF in the service network. The second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification; subsequently, the AF in the service network The AAnFProxy sends a second AKMA application key response to the AF in the serving network.

应当理解的是，步骤8061和步骤8062择一执行，不能同时执行。It should be understood that step 8061 and step 8062 can be executed alternatively and cannot be executed at the same time.

步骤807：服务网络中的AF向访问UE发送应用会话建立响应。Step 807: The AF in the serving network sends an application session establishment response to the visiting UE.

UE在接收到应用会话建立响应后，可根据AKMA应用密钥响应中携带的AF的AKMA应用密钥信息，根据接收到的不同的AKMA应用密钥响应，获取到的AF的AKMA应用密钥信息也不同。其中，第一AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间和SUPI；第二AKMA应用密钥响应中携带的AF的AKMA应用密钥信息包括如下信息中的至少一种：AKMA应用密钥、AKMA应用密钥的过期时间。After receiving the application session establishment response, the UE can obtain the AKMA application key information of the AF based on the AKMA application key information of the AF carried in the AKMA application key response and based on the different AKMA application key responses received. Also different. Wherein, the AKMA application key information of AF carried in the first AKMA application key response includes at least one of the following information: AKMA application key, expiration time of the AKMA application key and SUPI; the second AKMA application key response The AKMA application key information of the AF carried in includes at least one of the following information: the AKMA application key and the expiration time of the AKMA application key.

可选的，在UE接收到服务网络中的AF反馈的应用会话的拒绝信息后，UE可重新发送应用会话建立请求，该应用会话建立请求中携带有新的A-KID和/或服务网络标识符。(If the information in step 8061 or 8062 indicates failure of AKMA key request,the AF shall reject the Application Session Establishment by including a failure cause.Afterwards,UE may trigger a new Application Session Establishment request with the latest A-KID to the AKMA AF.)Optionally, after the UE receives the rejection information of the application session fed back by the AF in the service network, the UE can resend the application session establishment request, and the application session establishment request carries the new A-KID and/or service network identification. symbol. (If the information in step 8061 or 8062 indicates failure of AKMA key request, the AF shall reject the Application Session Establishment by including a failure cause. Afterwards, UE may trigger a new Application Session Establishment request with the latest A-KID to the A KMA AF.)

示意性的，参考图12，不同的执行主体具有如下不同的功能。Schematically, referring to Figure 12, different execution entities have the following different functions.

1、UE一侧(UE side)：1. UE side:

终端能够向服务网络中的AF发送服务网络标识符(The UE should be able to send serving network identifier to the AF)。The terminal can send the serving network identifier to the AF in the serving network (The UE should be able to send serving network identifier to the AF).

2、归属网络中的AAnF一侧((AAnF side)：2. AAnF side in the home network ((AAnF side):

归属网络中的AAnF能够从服务网络中的AAnFProxy接收A-KID、AF_ID(AAnF should be able to receive A-KID,AF_ID from the AAnFProxy)。AAnF in the home network can receive A-KID, AF_ID from AAnFProxy in the service network (AAnF should be able to receive A-KID, AF_ID from the AAnFProxy).

归属网络中的AAnF能够将UE的K _AF、K _AF的过期时间和SUPI发送给服务网络中的AAnFProxy(AAnF should be able to send K _AF,K _AF expiration time,and SUPI of the UE to the AAnFProxy)。 AAnF in the home network can send K _AF ,K _AF expiration time, and SUPI of the UE to the AAnFProxy in the serving network (AAnF should be able to send K _AF ,K _AF expiration time, and SUPI of the UE to the AAnFProxy) .

归属网络中的AAnF能够向服务网络中的AAnFProxy发送错误响应(AAnF should be able to send error response to the AAnFProxy)。The AAnF in the home network can send an error response to the AAnFProxy in the service network (AAnF should be able to send error response to the AAnFProxy).

3、服务网络中的AF(AF side)：3. AF (AF side) in the service network:

服务网络中的AF能够从UE接收A-KID(AF should be able to receive A-KID from the UE)。The AF in the service network can receive A-KID from the UE (AF should be able to receive A-KID from the UE).

服务网络中的AF能够通过向服务网络中的服务网络中的AAnFProxy发送A-KID和AF_ID来向UE的归属网络中的AAnF请求K _AF(AF should be able to request K _AF from AAnF in the home network of UE by sending A-KID and AF_ID to AAnFProxy in the serving network)。 The AF in the service network can request K AF from AAnF in the home network of the UE by sending A _{-KID and AF_ID to AAnFProxy in the service network (AF should be able to request K AF} _from AAnF in the home network of UE by sending A-KID and AF_ID to AAnFProxy in the serving network).

服务网络中的AF能够从服务网络中的AAnFProxy中获取UE的K _AF、K _AF的过期时间和SUPI(AF should be able to obtain K _AF,K _AF expiration,and SUPI of the UE from the AAnFProxy)。 The AF in the service network can obtain the K _AF of the UE, the expiration time of K _AF and SUPI from the AAnFProxy in the service network (AF should be able to obtain K _AF ,K _AF expiration, and SUPI of the UE from the AAnFProxy).

服务网络中的AF能够从服务网络中的AAnFProxy获得错误响应(AF should be able to obtain error responsefrom the AAnFProxy)。AF in the service network can obtain error response from the AAnFProxy in the service network (AF should be able to obtain error response from the AAnFProxy).

当服务网络中的AF需要UE的身份信息时，AF应该能够向服务网络中的AAnFProxy发送第一AKMA应用密钥请求(AF should be able to send AKMA ApplicationKey Request to AAnFProxy when the AF needs the identity information of the UE)。When the AF in the service network needs the identity information of the UE, the AF should be able to send the AKMA ApplicationKey Request to AAnFProxy when the AF needs the identity information of the UE).

当服务网络中的AF不需要UE的身份信息时，AF应该能够向服务网络中的AAnFProxy发送第二AKMA应用密钥请求(AF should be able to send AKMA ApplicationKey AnonUser Request to AAnFProxy when the AF does not need the identity information of the UE)。When the AF in the service network does not need the identity information of the UE, the AF should be able to send AKMA ApplicationKey AnonUser Request to AAnFProxy when the AF does not need the identity information of the UE).

4、服务网络中的AAnFProxy一侧(AAnFProxy side)：4. AAnFProxy side in the service network:

服务网络中的AAnFProxy功能可以实现为服务网络中单独的网络功能，或者是服务网络中任何NF的一部分，或者是3GPP运营商域内的可信应用功能(AAnfProxy functionality may be implemented as a separate network function in the serving network,or be part of any NF in the serving network,or as a trusted AF)。The AAnFProxy functionality in the service network may be implemented as a separate network function in the service network, or as part of any NF in the service network, or as a trusted application function within the 3GPP operator domain (AAnfProxy functionality may be implemented as a separate network function in the serving network, or be part of any NF in the serving network, or as a trusted AF).

服务网络中的AAnFProxy能够从服务网络中的AF接收A-KID和AF_ID(AAnFProxy should be able to receive A-KID and AF_ID from the AF)。AAnFProxy in the service network can receive A-KID and AF_ID from the AF in the service network (AAnFProxy should be able to receive A-KID and AF_ID from the AF).

服务网络中的AAnFProxy能够通过服务网络和归属网络中的NRF发现UE归属网络中的AAnF(AAnFProxy should be able to discover AAnF in the home network of UE via NRFs in the serving network and home network)。AAnFProxy in the serving network can discover AAnF in the UE's home network through NRFs in the serving network and home network (AAnFProxy should be able to discover AAnF in the home network of UE via NRFs in the serving network and home network).

服务网络中的AAnFProxy能够通过向UE归属网络中的AAnF发送A-KID和AF_ID来请求AF的K _AF和K _AF的过期时间(AAnFProxy should be able to request K _AF and K _AF expiration time for AF by send A-KID and AF_ID to the AAnF in the home network of UE)。 AAnFProxy in the serving network can request K _{AF and K AF expiration time for AF by sending A-KID and AF_ID to AAnF in the UE home network (AAnFProxy should be able to request K AF and K AF} _expiration _time _for AF by send A-KID and AF_ID to the AAnF in the home network of UE).

服务网络中的AAnFProxy能够从UE归属网络中的AAnF获取K _AF、K _AF过期时间和SUPI(AAnFProxy should be able to obtain K _AF,K _AF expiration time,and SUPI from AAnF in the home network of UE)。 AAnFProxy in the service network can obtain K _AF , K _AF expiration time, and SUPI from AAnF in the home network of UE (AAnFProxy should be able to obtain K _AF ,K _AF expiration time, and SUPI from AAnF in the home network of UE).

服务网络中的AAnFProxy能够从UE的归属网络中的AAnF获得错误响应(AAnFProxy should be able to obtain error response from AAnF in the home network of UE)。AAnFProxy in the service network can obtain error response from AAnF in the UE's home network (AAnFProxy should be able to obtain error response from AAnF in the home network of UE).

服务网络中的AAnFProxy能够在UE的归属网络中向AAnF请求Naanf_AKMA_ApplicationKey_AnonUser_Get服务(AAnFProxy should be able to request Naanf_AKMA_ApplicationKey_AnonUser_Get service from AAnF in the home network of UE)。AAnFProxy in the service network can request the Naanf_AKMA_ApplicationKey_AnonUser_Get service from AAnF in the home network of the UE (AAnFProxy should be able to request Naanf_AKMA_ApplicationKey_AnonUser_Get service from AAnF in the home network of UE).

服务网络中的AAnFProxy能够在UE的归属网络中向AAnF请求Naanf_AKMA_ApplicationKey_Get服务(AAnFProxy should be able to request Naanf_AKMA_ApplicationKey_Get service from AAnF in the home network of UE)。AAnFProxy in the service network can request the Naanf_AKMA_ApplicationKey_Get service from AAnF in the home network of the UE (AAnFProxy should be able to request Naanf_AKMA_ApplicationKey_Get service from AAnF in the home network of UE).

服务网络中的AAnFProxy能够将UE的K _AF、K _AF过期和SUPI发送给服务网络中的AF(AAnFProxy should be able to send K _AF,K _AF expiration,and SUPI of the UE to the AF)。 AAnFProxy in the service network can send K _AF , K _AF expiration, and SUPI of the UE to the AF (AAnFProxy should be able to send K _AF ,K _AF expiration, and SUPI of the UE to the AF).

服务网络中的AAnFProxy能够向服务网络中的AF发送错误响应(AAnFProxy should be able to send error responseto the AF)。AAnFProxy in the service network can send error responses to the AF in the service network (AAnFProxy should be able to send error response to the AF).

综上所述，本申请实施例提供了一种密钥管理方法，基于服务网络中的AAnFProxy、服务网络中的AF和归属网络中的AAnF之间的交互，能够实现AKMA应用密钥请求和AKMA应用密钥响应，以使得终端能够获取到服务网络中的AF的AKMA应用密钥信息。To sum up, the embodiments of this application provide a key management method that can realize AKMA application key request and AKMA based on the interaction between AAnFProxy in the service network, AF in the service network and AAnF in the home network. The application key response enables the terminal to obtain the AKMA application key information of the AF in the service network.

以下为本申请的装置实施例，对于装置实施例中未详细描述的细节，可以结合参考上述方法实施例中相应的记载，本文不再赘述。The following are device embodiments of the present application. For details that are not described in detail in the device embodiments, reference may be made to the corresponding records in the above method embodiments and will not be described again here.

图13示出了本申请一个示例性实施例提供的密钥管理装置的示意图，该装置包括：Figure 13 shows a schematic diagram of a key management device provided by an exemplary embodiment of the present application. The device includes:

接收模块1310，用于接收服务网络中的AF发送的AKMA应用密钥请求；The receiving module 1310 is used to receive the AKMA application key request sent by the AF in the service network;

发送模块1320，用于向服务网络中的AF反馈AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The sending module 1320 is configured to feed back an AKMA application key response to the AF in the service network, where the AKMA application key response includes the AKMA application key information of the AF in the service network.

可选的，服务网络中的AF的AKMA应用密钥信息由归属网络中的AAnF生成，发送模块1320，还用于向归属网络中的AAnF发送应用密钥获取请求；接收模块1310，还用于接收归属网络中的AAnF反馈的应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。Optionally, the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network. The sending module 1320 is also used to send an application key acquisition request to the AAnF in the home network; the receiving module 1310 is also used to Receive an application key acquisition response fed back by the AAnF in the home network. The application key acquisition response includes the AKMA application key information of the AF in the serving network.

可选的，AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间；SUPI。Optionally, the AKMA application key information includes at least one of the following: the AKMA application key of the AF in the service network; the expiration time of the AKMA application key; SUPI.

可选的，发送模块1320，用于在服务网络中的AF需要终端标识的情况下，向归属网络中的AAnF发送第一应用密钥获取请求。Optionally, the sending module 1320 is configured to send a first application key acquisition request to the AAnF in the home network when the AF in the serving network requires a terminal identity.

可选的，第一应用密钥获取请求包括如下中的至少一种：AKMA密钥标识符，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符；AF标识符，AF标识符是用于指示服务网络中的AF的标识符。Optionally, the first application key acquisition request includes at least one of the following: AKMA key identifier, which is an identifier used to indicate the AKMA key of the terminal; AF identifier, which is an AF identifier. is an identifier used to indicate the AF in the service network.

可选的，接收模块1310，用于接收服务网络中的AF发送的第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识。Optionally, the receiving module 1310 is configured to receive a first AKMA application key request sent by the AF in the service network, where the first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity.

可选的，AKMA应用密钥信息包括如下中的至少一种：服务网络中的AF的AKMA应用密钥；AKMA应用密钥的过期时间。Optionally, the AKMA application key information includes at least one of the following: the AKMA application key of the AF in the service network; and the expiration time of the AKMA application key.

可选的，发送模块1320，用于在服务网络中的AF不需要终端标识的情况下，向归属网络中的AAnF发送第二应用密钥获取请求。Optionally, the sending module 1320 is configured to send a second application key acquisition request to the AAnF in the home network when the AF in the serving network does not require a terminal identification.

可选的，第二应用密钥获取请求包括如下中的至少一种：AKMA密钥标识符，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符；AF标识符， AF标识符是用于指示服务网络中的AF的标识符。Optionally, the second application key acquisition request includes at least one of the following: AKMA key identifier, which is an identifier used to indicate the AKMA key of the terminal; AF identifier, AF identifier is an identifier used to indicate the AF in the service network.

可选的，接收模块1310，用于接收服务网络中的AF发送的第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Optionally, the receiving module 1310 is configured to receive a second AKMA application key request sent by the AF in the service network, where the second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identification.

可选的，AKMA密钥标识符由服务网络中的AF从终端处获取。Optionally, the AKMA key identifier is obtained from the terminal by the AF in the service network.

可选的，接收模块1310，还用于接收归属网络中的AAnF反馈的错误响应，错误响应是在归属网络中的AAnF中未存储有终端的AKMA密钥的情况下发送的；发送模块1320，还用于向服务网络中的AF发送错误响应。Optionally, the receiving module 1310 is also used to receive an error response fed back by the AAnF in the home network. The error response is sent when the AKMA key of the terminal is not stored in the AAnF in the home network; the sending module 1320, Also used to send error responses to AF in the service network.

可选的，该装置还包括发现模块1330，用于通过服务网络和归属网络中的NRF发现归属网络中的AAnF。Optionally, the device also includes a discovery module 1330, configured to discover the AAnF in the home network through the NRF in the serving network and the home network.

可选的，服务网络中的代理实体是服务网络中单独的NF；或者，服务网络中的代理实体是服务网络中任一NF的一部分；或者，服务网络中的代理实体是可信应用功能。Optionally, the proxy entity in the service network is a separate NF in the service network; or the proxy entity in the service network is part of any NF in the service network; or the proxy entity in the service network is a trusted application function.

图14示出了本申请一个示例性实施例提供的密钥管理装置的示意图，该装置包括：Figure 14 shows a schematic diagram of a key management device provided by an exemplary embodiment of the present application. The device includes:

接收模块1410，用于接收服务网络中的代理实体发送的应用密钥获取请求；The receiving module 1410 is used to receive the application key acquisition request sent by the proxy entity in the service network;

生成模块1420，用于在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥；The generation module 1420 is configured to generate the AKMA application key of the AF in the service network based on the AKMA key of the terminal when the AKMA key of the terminal is stored in the AAnF in the home network;

发送模块1430，用于向服务网络中的代理实体反馈应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。The sending module 1430 is configured to feed back an application key acquisition response to the proxy entity in the service network, where the application key acquisition response includes the AKMA application key information of the AF in the service network.

可选的，AKMA应用密钥信息包括如下中的至少一种：AKMA应用密钥；AKMA应用密钥的过期时间；SUPI。Optionally, the AKMA application key information includes at least one of the following: AKMA application key; expiration time of the AKMA application key; SUPI.

可选的，接收模块1410，用于接收服务网络中的代理实体发送的第一应用密钥获取请求，第一应用密钥获取请求用于指示服务网络中的AF需要终端标识。Optionally, the receiving module 1410 is configured to receive a first application key acquisition request sent by the proxy entity in the service network, where the first application key acquisition request is used to indicate that the AF in the service network requires a terminal identity.

可选的，AKMA应用密钥信息包括如下中的至少一种：AKMA应用密钥；AKMA应用密钥的过期时间。Optionally, the AKMA application key information includes at least one of the following: AKMA application key; expiration time of the AKMA application key.

可选的，接收模块1410，用于接收服务网络中的代理实体发送的第二应用密钥获取请求，第二应用密钥获取请求用于指示服务网络中的AF不需要终端标识。Optionally, the receiving module 1410 is configured to receive a second application key acquisition request sent by the proxy entity in the service network. The second application key acquisition request is used to indicate that the AF in the service network does not require a terminal identification.

可选的，发送模块1430，还用于在归属网络中的AAnF中未存储有终端的AKMA密钥的情况下，向服务网络中的代理实体反馈错误响应。Optionally, the sending module 1430 is also configured to feed back an error response to the proxy entity in the serving network when the AKMA key of the terminal is not stored in the AAnF in the home network.

可选的，生成模块1420，还用于根据授权信息或策略，确定归属网络中的AAnF是否向服务网络中的AF及服务网络中的代理实体提供服务；在归属网络中的AAnF中存储有终端的AKMA密钥且归属网络中的AAnF向服务网络中的AF及服务网络中的代理实体提供服务的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥。Optionally, the generation module 1420 is also used to determine whether the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network according to the authorization information or policy; the AAnF in the home network stores terminals AKMA key and the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network, the AKMA application key of the AF in the service network is generated based on the AKMA key of the terminal.

图15示出了本申请一个示例性实施例提供的密钥管理装置的示意图，该装置包括：Figure 15 shows a schematic diagram of a key management device provided by an exemplary embodiment of the present application. The device includes:

接收模块1510，用于接收终端发送的服务网络标识符和AKMA密钥标识符；The receiving module 1510 is used to receive the service network identifier and the AKMA key identifier sent by the terminal;

发送模块1520，用于在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求；The sending module 1520 is configured to send an AKMA application key request to the proxy entity in the serving network when the terminal's serving network identifier is inconsistent with the home network identifier;

接收模块1510，还用于接收服务网络中的代理实体反馈的AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The receiving module 1510 is also configured to receive an AKMA application key response fed back by the proxy entity in the service network. The AKMA application key response includes the AKMA application key information of the AF in the service network.

可选的，发送模块1520，用于向服务网络中的代理实体发送第一AKMA应用密钥请求，第一AKMA应用密钥请求用于指示服务网络中的AF需要终端标识。Optionally, the sending module 1520 is configured to send a first AKMA application key request to the proxy entity in the service network, where the first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity.

可选的，第一AKMA应用密钥请求包括如下中的至少一种：AKMA密钥标识符，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符；AF标识符，AF标识符是用于指示服务网络中的AF的标识符。Optionally, the first AKMA application key request includes at least one of the following: AKMA key identifier, the AKMA key identifier is an identifier used to indicate the AKMA key of the terminal; AF identifier, AF identifier is an identifier used to indicate the AF in the service network.

可选的，发送模块1520，用于向服务网络中的代理实体发送第二AKMA应用密钥请求，第二AKMA应用密钥请求用于指示服务网络中的AF不需要终端标识。Optionally, the sending module 1520 is configured to send a second AKMA application key request to the proxy entity in the service network, where the second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identity.

可选的，第二AKMA应用密钥请求包括如下中的至少一种：AKMA密钥标识符，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符；AF标识符， AF标识符是用于指示服务网络中的AF的标识符。Optionally, the second AKMA application key request includes at least one of the following: AKMA key identifier, which is an identifier used to indicate the AKMA key of the terminal; AF identifier, AF identifier is an identifier used to indicate the AF in the service network.

可选的，接收模块1510，还用于接收服务网络中的代理实体反馈的错误响应，错误响应是归属网络中的AAnF在未存储有终端的AKMA密钥的情况下发送给服务网络中的代理实体的。Optionally, the receiving module 1510 is also used to receive an error response fed back by the proxy entity in the service network. The error response is sent by the AAnF in the home network to the proxy in the service network without storing the AKMA key of the terminal. Entity.

可选的，接收模块1510，用于接收终端发送的应用会话建立请求，应用会话建立请求携带有服务网络标识符和AKMA密钥标识符；发送模块1520，还用于向终端反馈应用会话建立响应。Optionally, the receiving module 1510 is configured to receive an application session establishment request sent by the terminal. The application session establishment request carries the service network identifier and the AKMA key identifier; the sending module 1520 is also configured to feed back the application session establishment response to the terminal. .

可选的，应用会话建立请求包括AKMA密钥标识符，AKMA密钥标识符携带有服务网络标识符；或者，应用会话建立请求包括AKMA密钥标识符和服务网络标识符；其中，AKMA密钥标识符是用于指示终端的AKMA密钥的标识符。Optionally, the application session establishment request includes the AKMA key identifier, and the AKMA key identifier carries the service network identifier; or, the application session establishment request includes the AKMA key identifier and the service network identifier; where, the AKMA key The identifier is an identifier used to indicate the AKMA key of the terminal.

可选的，发送模块1520，还用于在接收到服务网络中的代理实体反馈的错误响应的情况下，向终端反馈应用会话的拒绝信息，拒绝信息中包括响应失败原因。Optionally, the sending module 1520 is also configured to feed back rejection information of the application session to the terminal when receiving an error response fed back by the proxy entity in the service network. The rejection information includes the reason for the response failure.

可选的，AKMA密钥标识符采用NAI格式。Optionally, the AKMA key identifier is in NAI format.

图16示出了本申请一个示例性实施例提供的密钥管理装置的示意图，该装置包括：Figure 16 shows a schematic diagram of a key management device provided by an exemplary embodiment of the present application. The device includes:

发送模块1610，用于向服务网络中的应用功能AF发送服务网络标识符和AKMA密钥标识符，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。The sending module 1610 is used to send the service network identifier and the AKMA key identifier to the application function AF in the service network. The service network identifier is used to trigger the service network identifier of the AF in the service network to be inconsistent with the home network identifier of the terminal. In this case, send an AKMA application key request to the proxy entity in the service network.

可选的，发送模块1610，用于向服务网络中的AF发送应用会话建立请求，应用会话建立请求携带有服务网络标识符和AKMA密钥标识符；该装置还包括接收模块1620，用于接收服务网络中的AF反馈的应用会话建立响应。Optionally, the sending module 1610 is used to send an application session establishment request to the AF in the service network. The application session establishment request carries the service network identifier and the AKMA key identifier; the device also includes a receiving module 1620, used to receive Application session establishment response fed back by AF in the service network.

图17示出了本申请一个示例性实施例提供的通信设备(终端或网络设备)的结构示意图，该通信设备包括：处理器1701、接收器1702、发射器1703、存储器1704和总线1705。Figure 17 shows a schematic structural diagram of a communication device (terminal or network device) provided by an exemplary embodiment of the present application. The communication device includes: a processor 1701, a receiver 1702, a transmitter 1703, a memory 1704 and a bus 1705.

处理器1701包括一个或者一个以上处理核心，处理器1701通过运行软件程序以及模块，从而执行各种功能应用以及信息处理。The processor 1701 includes one or more processing cores. The processor 1701 executes various functional applications and information processing by running software programs and modules.

接收器1702和发射器1703可以实现为一个通信组件，该通信组件可以是一块通信芯片。The receiver 1702 and the transmitter 1703 can be implemented as a communication component, and the communication component can be a communication chip.

存储器1704通过总线1705与处理器1701相连。Memory 1704 is connected to processor 1701 through bus 1705.

存储器1704可用于存储至少一个指令，处理器1701用于执行该至少一个指令，以实现上述方法实施例中由终端执行的密钥管理方法的各个步骤。The memory 1704 may be used to store at least one instruction, and the processor 1701 is used to execute the at least one instruction to implement each step of the key management method executed by the terminal in the above method embodiment.

此外，存储器1704可以由任何类型的易失性或非易失性存储设备或者它们的组合实现，易失性或非易失性存储设备包括但不限于：磁盘或光盘，电可擦除可编程只读存储器(Electrically-Erasable Programmable Read Only Memory，EEPROM)，可擦除可编程只读存储器(Erasable Programmable Read Only Memory，EPROM)，静态随时存取存储器(Static Random Access Memory，SRAM)，只读存储器(Read-Only Memory，ROM)，磁存储器，快闪存储器，可编程只读存储器(Programmable Read-Only Memory，PROM)。Additionally, memory 1704 may be implemented by any type of volatile or non-volatile storage device, or combination thereof, including but not limited to: magnetic or optical disks, electrically erasable programmable Read-only memory (Electrically-Erasable Programmable Read Only Memory, EEPROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), static random access memory (Static Random Access Memory, SRAM), read-only memory (Read-Only Memory, ROM), magnetic memory, flash memory, programmable read-only memory (Programmable Read-Only Memory, PROM).

图18示出了本申请一个示例性实施例提供的网元设备的结构示意图，该网元设备包括：处理器1801、存储器1802和通信组件1803。Figure 18 shows a schematic structural diagram of a network element device provided by an exemplary embodiment of the present application. The network element device includes: a processor 1801, a memory 1802, and a communication component 1803.

处理器1801与存储器1802相连，存储器1802与通信组件1803相连。The processor 1801 is connected to the memory 1802, and the memory 1802 is connected to the communication component 1803.

存储器1802可用于存储至少一个指令和计算机程序，处理器1801用于执行该至少一个指令和计算机程序，以实现上述方法实施例中由核心网网元执行的密钥管理方法的处理步骤。其中，处理步骤是指除接收步骤和发送步骤之外的其他步骤。The memory 1802 can be used to store at least one instruction and computer program, and the processor 1801 is used to execute the at least one instruction and computer program to implement the processing steps of the key management method performed by the core network element in the above method embodiment. Among them, the processing steps refer to other steps except the receiving step and the sending step.

通信组件1803用于实现上述方法实施例中由核心网网元执行的密钥管理方法的接收步骤和发送步骤。The communication component 1803 is used to implement the receiving steps and sending steps of the key management method executed by the core network element in the above method embodiment.

本申请实施例还提供了一种代理实体，代理实体包括通信组件；通信组件，用于接收服务网络中的AF发送的AKMA应用密钥请求；向服务网络中的AF反馈AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The embodiment of the present application also provides a proxy entity. The proxy entity includes a communication component; the communication component is used to receive the AKMA application key request sent by the AF in the service network; and feed back the AKMA application key response to the AF in the service network. The AKMA application key response includes the AKMA application key information of the AF in the serving network.

本申请实施例还提供了一种AAnF，AAnF包括通信组件和处理器；通信组件，用于接收服务网络中的代理实体发送的应用密钥获取请求；处理器，用于在归属网络中的AAnF中存储有终端的AKMA密钥的情况下，基于终端的AKMA密钥生成服务网络中的AF的AKMA应用密钥；通信组件，还用于向服务网络中的代理实体反馈应用密钥获取响应，应用密钥获取响应包括服务网络中的AF的AKMA应用密钥信息。The embodiment of the present application also provides an AAnF. The AAnF includes a communication component and a processor; the communication component is used to receive an application key acquisition request sent by the proxy entity in the service network; and the processor is used for the AAnF in the home network. When the AKMA key of the terminal is stored in the terminal, the AKMA application key of the AF in the service network is generated based on the AKMA key of the terminal; the communication component is also used to feed back the application key acquisition response to the proxy entity in the service network. The application key acquisition response includes the AKMA application key information of the AF in the service network.

本申请实施例还提供了一种AF，AF包括通信组件；通信组件，用于接收终端发送的服务网络标识符和AKMA密钥标识符；在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求；接收服务网络中的代理实体反馈的AKMA应用密钥响应，AKMA应用密钥响应包括服务网络中的AF的AKMA应用密钥信息。The embodiment of the present application also provides an AF. The AF includes a communication component; a communication component for receiving the service network identifier and the AKMA key identifier sent by the terminal; in the case where the service network identifier of the terminal is inconsistent with the home network identifier Next, send an AKMA application key request to the proxy entity in the service network; receive an AKMA application key response fed back by the proxy entity in the service network, where the AKMA application key response includes the AKMA application key information of the AF in the service network.

本申请实施例还提供了一种终端，终端包括收发器；收发器，用于：向服务网络中的AF发送服务网络标识符和AKMA密钥标识符，服务网络标识符用于触发服务网络中的AF在终端的服务网络标识符与归属网络标识不一致的情况下，向服务网络中的代理实体发送AKMA应用密钥请求。The embodiment of the present application also provides a terminal. The terminal includes a transceiver; the transceiver is configured to: send a service network identifier and an AKMA key identifier to the AF in the service network, and the service network identifier is used to trigger the When the terminal's serving network identifier is inconsistent with the home network identifier, the AF sends an AKMA application key request to the proxy entity in the serving network.

本申请实施例还提供了一种计算机可读存储介质，存储介质中存储有计算机程序，计算机程序用于被处理器执行，以实现如上所述的密钥管理方法。Embodiments of the present application also provide a computer-readable storage medium. A computer program is stored in the storage medium, and the computer program is used to be executed by a processor to implement the key management method as described above.

本申请实施例还提供了一种芯片，芯片包括可编程逻辑电路和/或程序指令，当芯片运行时，用于实现如上所述的密钥管理方法。An embodiment of the present application also provides a chip. The chip includes programmable logic circuits and/or program instructions, and is used to implement the key management method as described above when the chip is running.

本申请实施例还提供了一种计算机程序产品或计算机程序，计算机程序产品或计算机程序包括计算机指令，计算机指令存储在计算机可读存储介质中，处理器从计算机可读存储介质读取并执行计算机指令，以实现如上所述的密钥管理方法。Embodiments of the present application also provide a computer program product or computer program. The computer program product or computer program includes computer instructions. The computer instructions are stored in a computer-readable storage medium. The processor reads and executes the computer program from the computer-readable storage medium. Instructions to implement the key management method as described above.

以上所述仅为本申请的可选实施例，并不用以限制本申请，凡在本申请的精神和原则之内，所作的任何修改、等同替换、改进等，均应包含在本申请的保护范围之内。The above are only optional embodiments of the present application and are not intended to limit the present application. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present application shall be included in the protection of the present application. within the range.

Claims

A key management method, characterized in that the method is applied in a roaming scenario, the method is executed by an agent entity in a service network, and the method includes:

Receive the application authentication and key management AKMA application key request sent by the application function AF in the service network;

Feed back an AKMA application key response to the AF in the service network, where the AKMA application key response includes the AKMA application key information of the AF in the service network.

The method according to claim 1, characterized in that:

The AKMA application key information of the AF in the service network is generated by the proxy entity in the service network;

Alternatively, the AKMA application key information of the AF in the serving network is generated by the AKMA anchor function network element AAnF in the home network.

The method according to claim 2, characterized in that the AKMA application key information of the AF in the serving network is generated by the AAnF in the home network, and the method further includes:

Send an application key acquisition request to the AAnF in the home network;

Receive an application key acquisition response fed back by the AAnF in the home network, where the application key acquisition response includes AKMA application key information of the AF in the serving network.

The method according to claim 3, characterized in that the AKMA application key information includes at least one of the following:

The AKMA application key of the AF in the service network;

The expiration time of the AKMA application key;

The terminal's subscription permanent identifier SUPI.

The method according to claim 4, characterized in that sending an application key acquisition request to the AAnF in the home network includes:

When the AF in the serving network requires a terminal identification, a first application key acquisition request is sent to the AAnF in the home network.

The method according to claim 5, wherein the first application key acquisition request includes at least one of the following:

AKMA key identifier, the AKMA key identifier is an identifier used to indicate the AKMA key of the terminal;

AF identifier, the AF identifier is an identifier used to indicate the AF in the service network.

The method according to claim 5, characterized in that receiving the AKMA application key request sent by the AF in the service network includes:

Receive a first AKMA application key request sent by the AF in the service network, where the first AKMA application key request is used to indicate that the AF in the service network needs the terminal identity.

The AKMA application key of the AF in the service network;

The expiration time of the AKMA application key.

The method according to claim 8, characterized in that sending an application key acquisition request to the AAnF in the home network includes:

When the AF in the serving network does not need the terminal identification, a second application key acquisition request is sent to the AAnF in the home network.

The method according to claim 9, characterized in that the second application key acquisition request includes at least one of the following:

The method according to claim 9, characterized in that receiving the AKMA application key request sent by the AF in the service network includes:

Receive a second AKMA application key request sent by the AF in the service network, where the second AKMA application key request is used to indicate that the AF in the service network does not need the terminal identity.

The method according to claim 6 or 10, characterized in that,

The AKMA key identifier is obtained from the terminal by the AF in the service network.

The method according to any one of claims 1 to 12, characterized in that the method further includes:

Receive an error response fed back by the AAnF in the home network, where the error response is sent when the AKMA key of the terminal is not stored in the AAnF in the home network;

Send the error response to the AF in the service network.

The AAnF in the home network is discovered through the network storage function NRF in the serving network and the home network.

The method according to any one of claims 1 to 12, characterized in that,

The proxy entity in the service network is an independent network function NF in the service network;

Alternatively, the proxy entity in the service network is part of any NF in the service network;

Alternatively, the proxy entity in the service network is a trusted application function within the 3GPP operator domain.

A key management method, characterized in that the method is applied in a roaming scenario and is executed by the anchor function network element AAnF of the application authentication and key management AKMA in the home network. The method includes:

Receive the application key acquisition request sent by the proxy entity in the service network;

When the AKMA key of the terminal is stored in the AAnF in the home network, generate the AKMA application key of the application function AF in the service network based on the AKMA key of the terminal;

Feed back an application key acquisition response to the proxy entity in the service network, where the application key acquisition response includes application authentication and key management AKMA application key information of the AF in the service network.

The method according to claim 16, characterized in that the AKMA application key information includes at least one of the following:

The AKMA application key;

The expiration time of the AKMA application key;

The subscription permanent identifier SUPI of the terminal.

The method according to claim 17, characterized in that receiving an application key acquisition request sent by a proxy entity in the service network includes:

Receive a first application key acquisition request sent by the proxy entity in the service network, where the first application key acquisition request is used to indicate that the AF in the service network requires a terminal identity.

The method according to claim 18, characterized in that the first application key acquisition request includes at least one of the following:

The AKMA application key;

The expiration time of the AKMA application key.

The method according to claim 20, characterized in that receiving an application key acquisition request sent by a proxy entity in the service network includes:

Receive a second application key acquisition request sent by the proxy entity in the service network, where the second application key acquisition request is used to indicate that the AF in the service network does not require a terminal identification.

The method according to claim 21, characterized in that the second application key acquisition request includes at least one of the following:

The method according to any one of claims 16 to 22, characterized in that the method further includes:

If the AKMA key of the terminal is not stored in the AAnF in the home network, an error response is fed back to the proxy entity in the serving network.

Determine whether the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network according to the authorization information or policy;

In the case where the AKMA key of the terminal is stored in the AAnF in the home network, generating the AKMA application key of the application function AF in the service network based on the AKMA key of the terminal includes:

In the case that the AAnF in the home network stores the AKMA key of the terminal and the AAnF in the home network provides services to the AF in the service network and the proxy entity in the service network, based on the terminal The AKMA key generates the AKMA application key of the AF in the service network.

The method according to claim 24, characterized in that:

The authorization information or policy is provided by a local policy or a network storage function NRF in the home network.

A key management method, characterized in that the method is applied in a roaming scenario and is executed by the application function AF in the service network. The method includes:

Receive the service network identifier and application authentication and key management AKMA key identifier sent by the terminal;

When the service network identifier of the terminal is inconsistent with the home network identifier, send an AKMA application key request to the proxy entity in the service network;

Receive an AKMA application key response fed back by the proxy entity in the service network, where the AKMA application key response includes AKMA application key information of the AF in the service network.

The method according to claim 26, characterized in that:

The method according to claim 26 or 27, characterized in that the AKMA application key information includes at least one of the following:

The AKMA application key of the AF in the service network;

The expiration time of the AKMA application key;

The terminal's subscription permanent identifier SUPI.

The method according to claim 28, characterized in that sending an AKMA application key request to the proxy entity in the service network includes:

Send a first AKMA application key request to the proxy entity in the service network, where the first AKMA application key request is used to indicate that the AF in the service network requires a terminal identity.

The method of claim 29, wherein the first AKMA application key request includes at least one of the following:

The AKMA application key of the AF in the service network;

The expiration time of the AKMA application key.

The method according to claim 31, characterized in that sending an AKMA application key request to the proxy entity in the service network includes:

Send a second AKMA application key request to the proxy entity in the service network, where the second AKMA application key request is used to indicate that the AF in the service network does not require a terminal identity.

The method of claim 32, wherein the second AKMA application key request includes at least one of the following:

The method according to any one of claims 26 to 33, characterized in that the method further includes:

Receive an error response fed back by the proxy entity in the service network. The error response is a situation where the anchor function network element AAnF of the AKMA for application authentication and key management in the home network does not store the AKMA key of the terminal. sent to the proxy entity in the service network.

The method according to any one of claims 26 to 33, characterized in that the service network identifier and AKMA key identifier sent by the receiving terminal include:

Receive an application session establishment request sent by the terminal, where the application session establishment request carries the service network identifier and the AKMA key identifier;

The method also includes:

Feed back an application session establishment response to the terminal.

The method according to claim 35, characterized in that:

The application session establishment request includes the AKMA key identifier, and the AKMA key identifier carries the service network identifier;

Alternatively, the application session establishment request includes the AKMA key identifier and the service network identifier;

Wherein, the AKMA key identifier is an identifier used to indicate the AKMA key of the terminal.

The method of claim 35, further comprising:

When an error response fed back by the proxy entity in the service network is received, rejection information of the application session is fed back to the terminal, where the rejection information includes the reason for the response failure.

The method according to claim 35, characterized in that:

The AKMA key identifier is in NAI format.

A key management method, characterized in that the method is applied in a roaming scenario, the method is executed by a terminal, and the method includes:

Send the service network identifier and the application authentication and key management AKMA key identifier to the application function AF in the service network, where the service network identifier is used to trigger the service network identifier of the AF in the service network on the terminal If the identifier is inconsistent with the home network identifier, send an AKMA application key request to the proxy entity in the serving network.

The method according to claim 39, characterized in that sending the service network identifier and the AKMA key identifier to the application function AF in the service network includes:

Send an application session establishment request to the AF in the service network, where the application session establishment request carries the service network identifier and the AKMA key identifier;

The method also includes:

Receive an application session establishment response from the AF feedback in the service network.

The method according to claim 40, characterized in that:

The application session establishment request includes the key identifier, and the AKMA key identifier carries the service network identifier;

A key management device, characterized in that the device includes:

A receiving module configured to receive an application authentication and key management AKMA application key request sent by the application function AF in the service network;

A sending module configured to feed back an AKMA application key response to the AF in the service network, where the AKMA application key response includes the AKMA application key information of the AF in the service network.

A key management device, characterized in that the device includes:

The receiving module is used to receive the application key acquisition request sent by the proxy entity in the service network;

A generation module configured to generate an AKMA application key for the application function AF in the service network based on the AKMA key of the terminal when the AKMA key of the terminal is stored in the AAnF in the home network;

A sending module configured to feed back an application key acquisition response to the proxy entity in the service network, where the application key acquisition response includes application authentication and key management AKMA application key information of the AF in the service network.

A key management device, characterized in that the device includes:

The receiving module is used to receive the service network identifier and the application authentication and key management AKMA key identifier sent by the terminal;

A sending module configured to send an AKMA application key request to the proxy entity in the service network when the service network identifier of the terminal is inconsistent with the home network identifier;

The receiving module is also configured to receive an AKMA application key response fed back by the proxy entity in the service network, where the AKMA application key response includes the AKMA application key information of the AF in the service network.

A key management device, characterized in that the device includes:

A sending module, configured to send a service network identifier and an application authentication and key management AKMA key identifier to the application function AF in the service network, where the service network identifier is used to trigger the AF in the service network to When the service network identifier of the terminal is inconsistent with the home network identifier, an AKMA application key request is sent to the proxy entity in the service network.

A proxy entity, characterized in that the proxy entity includes a communication component;

The communication component is configured to receive an application authentication and key management AKMA application key request sent by the application function AF in the service network;

An anchor function network element AAnF that applies authentication and key management AKMA, characterized in that the AAnF includes a communication component and a processor;

The communication component is used to receive an application key acquisition request sent by the proxy entity in the service network;

The processor is configured to generate an AKMA application key for the application function AF in the service network based on the AKMA key of the terminal when the AKMA key of the terminal is stored in the AAnF in the home network;

The communication component is also configured to feed back an application key acquisition response to the proxy entity in the service network. The application key acquisition response includes the application authentication and key management AKMA application key of the AF in the service network. information.

An application function AF, characterized in that the AF includes a communication component;

The communication component is used to receive the service network identifier and the application authentication and key management AKMA key identifier sent by the terminal;

A terminal, characterized in that the terminal includes a transceiver;

The transceiver is configured to: send a service network identifier and an application authentication and key management AKMA key identifier to an application function AF in the service network, where the service network identifier is used to trigger the AF in the service network When the service network identifier of the terminal is inconsistent with the home network identifier, an AKMA application key request is sent to the proxy entity in the service network.

A computer-readable storage medium, characterized in that a computer program is stored in the storage medium, and the computer program is used to be executed by a processor to implement the key as claimed in any one of claims 1 to 41 management methods.

A chip, characterized in that the chip includes programmable logic circuits and/or program instructions, which are used to implement the key management method according to any one of claims 1 to 41 when the chip is run.

A computer program product, characterized in that the computer program product includes computer instructions, the computer instructions are stored in a computer-readable storage medium, and a processor reads and executes the computer instructions from the computer-readable storage medium , to implement the key management method as described in any one of claims 1 to 41.