WO2025241968A1 - Method for managing AKMA service and communication apparatus - Google Patents
- Publication number: WO2025241968A1 (PCT/CN2025/094965)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- session
- akma
- application
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04W12/0433—Key management protocols
- H04W12/06—Authentication
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
Definitions
- This application relates to the field of wireless communication technology, and in particular to a management method and communication device for AKMA services.
- AF: application function
- AKMA: authentication and key management for applications
- This application provides a management method and communication device for AKMA services, which are used to achieve proper management of AKMA services.
- a network in which terminal devices cannot use AKMA services can also be referred to as a network that does not allow terminal devices to use AKMA services.
- a network in which terminal devices can use AKMA services can also be referred to as a network that allows terminal devices to use AKMA services.
- embodiments of this application provide a method for managing AKMA services, which can be executed by a first device.
- the "first device" in this application can refer to an AF network element, a component within an AF network element (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the functions of an AF network element.
- the method includes: receiving an AKMA service shutdown notification message, the AKMA service shutdown notification message including information about a first network, the AKMA service shutdown notification message being used to notify the shutdown of AKMA services on the first network; obtaining information about the current network corresponding to a first session of a terminal device, the first session being used to transmit first AKMA services between the terminal device and an application function network element; and determining whether to shut down the first AKMA service based on the AKMA service shutdown notification message and the information about the current network corresponding to the first session.
- the first device can obtain information about networks where the terminal device is not allowed to perform AKMA services, as well as information about the current network corresponding to the session used to carry AKMA services between the terminal device and the application function network element. This allows for accurate determination of whether AKMA services can be performed between the terminal device and the application function network element, and a decision on whether to close the AKMA service. This achieves network-level management of AKMA services, which helps improve user experience. Compared to a scheme that always closes the AKMA service of a terminal device on all networks it is registered with if it is not allowed to perform AKMA services on a certain network, this application can achieve network-level AKMA service closure, minimizing AKMA service interruptions.
- determining whether to close the first AKMA service based on the AKMA service closure notification message and the information of the current network corresponding to the first session includes: closing the first AKMA service if the current network corresponding to the first session is the first network.
- the first AKMA service carried by the first session is transmitted in the first network. Since the terminal device cannot use the AKMA service in the first network, the first AKMA service is turned off, thus achieving the correct management of the AKMA service.
- obtaining the current network information corresponding to the first session of the terminal device includes: receiving a first notification message, the first notification message including information about the first network, and the first notification message indicating that the network corresponding to the first session has changed to the first network.
- One possible implementation further includes: when the current network corresponding to the second session of the terminal device is the second network, not closing the second AKMA service between the terminal device and the application function network element, wherein the second session is used to transmit the second AKMA service, and the second network is different from the first network.
- the current network corresponding to the second session of the terminal device is the second network. Therefore, the second AKMA service carried by the second session is transmitted in the second network. Since the terminal device can use the AKMA service in the second network, the second AKMA service is not closed, thus achieving correct management of the AKMA service.
- determining whether to close the first AKMA service based on the AKMA service closure notification message and the information of the current network corresponding to the first session includes: if the current network corresponding to the first session is a second network, then the first AKMA service is not closed, where the second network is different from the first network.
- the current network corresponding to the first session of the terminal device is the second network. Therefore, the first AKMA service carried by the first session is transmitted in the second network. Since the terminal device can use the AKMA service in the second network, the first AKMA service is not closed, thus achieving correct management of the AKMA service.
- obtaining the current network information corresponding to the first session of the terminal device includes: receiving a second notification message, the second notification message including information about the second network, and the second notification message indicating that the network corresponding to the first session is the second network.
- the method further includes: sending a first subscription request message, the first subscription request message being used to subscribe to network changes corresponding to the first session.
- the first subscription request message includes one or more of the information of the first session, the identifier of the terminal device, or a first event identifier; the first event identifier is used to indicate a network change event.
- the first notification message includes one or more of the information of the first session, the identifier of the terminal device, or a first event identifier; the first event identifier is used to indicate a network change event.
- the AKMA service shutdown notification message also includes information about the second network.
- embodiments of this application provide a management method for AKMA services, which can be executed by a first device.
- the "first device" in this application can refer to an AF network element, a component within an AF network element (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the functions of an AF network element.
- the method includes: receiving an application session establishment request message, the application session establishment request message requesting the establishment of an application session for transmitting a third AKMA service between a terminal device and an application function network element, the application session being carried by the third session on the terminal device; obtaining information about the current network corresponding to the third session; and determining whether to allow the establishment of the application session based on the information about the current network corresponding to the third session.
- the first device determines whether to allow the establishment of the application session based on the information of the current network corresponding to the third session carrying the application session, and on which networks the terminal device can use AKMA services. This realizes network-level management of AKMA services and helps to improve the user experience.
- determining whether to allow the establishment of the application session based on the information of the current network corresponding to the third session includes: if the current network corresponding to the third session is a first network, refusing to establish the application session, wherein the first network is a network in which the terminal device cannot use AKMA services.
- the application session requested by the terminal device is carried on the third session.
- the current network corresponding to the third session is the first network where the terminal device cannot use AKMA services. Therefore, it is determined that the application session is not allowed to be established, and the application session is rejected. This can achieve correct management of AKMA services.
- determining whether to allow the establishment of the application session based on the information of the current network corresponding to the third session includes: allowing the establishment of the application session if the current network corresponding to the third session is a second network, wherein the second network is a network in which the terminal device can use AKMA services.
- If the application session requested by the terminal device is carried on the third session, and the current network corresponding to the third session is a second network in which the terminal device can use AKMA services, then it is determined that the application session can be allowed to be established, and AKMA services are managed correctly.
- obtaining the information of the current network corresponding to the third session includes: sending a second subscription request message, the second subscription request message being used to subscribe to network changes corresponding to the third session; and receiving a third notification message, the third notification message including the information of the current network corresponding to the third session.
- the second subscription request message includes one or more of the information of the third session, the identifier of the terminal device, or a second event identifier; the second event identifier is used to indicate a network change event.
- the third session is the same session as the first or second session in any implementation of the first aspect.
- any implementation of the second aspect can be combined with any implementation of the first aspect; for example, any implementation of the second aspect can be executed after any implementation of the first aspect.
- the third session is different from both the first and second sessions in any implementation of the first aspect.
- any implementation of the second aspect can be implemented alone or in combination with any implementation of the first aspect.
- embodiments of this application provide a management method for AKMA services, which can be executed by a second device.
- the "second device" in this application can refer to an AKMA network element, a component within an AKMA network element (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the AKMA network element functions.
- the method includes: determining that a terminal device cannot use the AKMA service in a first network; sending an AKMA service shutdown notification message to the terminal device, the AKMA service shutdown notification message including information about the first network or roaming policy information, the roaming policy information including information about the networks where the terminal device cannot use the AKMA service, and the information about the networks where the terminal device cannot use the AKMA service including information about the first network.
- terminal devices can obtain information about networks that do not allow AKMA services, which helps terminal devices make accurate decisions on whether to release the corresponding application sessions. This enables network-level management of AKMA services and helps improve user experience.
- embodiments of this application provide a management method for AKMA services, which can be executed by a third device.
- the "third device" in this application can refer to a terminal device, a component within the terminal device (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the terminal device's functions.
- the method includes: sending an application session establishment request message, the application session establishment request message requesting the establishment of an application session for transmitting AKMA services between the terminal device and an application function network element; receiving an application session establishment response message, the application session establishment response message indicating successful establishment of the application session; receiving an AKMA service closure notification message, the AKMA service closure notification message including information about a first network or roaming policy information, the roaming policy information including information about networks where the terminal device cannot use AKMA services, the information about networks where the terminal device cannot use AKMA services including information about the first network; and determining whether to release the application session based on the AKMA service closure notification message and the network information corresponding to the application session.
- the third device can obtain information about networks where the terminal device is not allowed to perform AKMA services, as well as information about the networks corresponding to the application sessions used to carry AKMA services between the terminal device and application function network elements. This allows for accurate determination of whether AKMA services can be performed between the terminal device and the application function network elements, and a decision on whether to release the application session. This achieves network-level management of AKMA services, which helps improve user experience. Compared to a scheme that always disables AKMA services for the terminal device across all networks if it is not allowed to perform AKMA services on a certain network, this application can achieve network-level AKMA service shutdown, minimizing AKMA service interruptions.
- determining whether to release the application session based on the AKMA service shutdown notification message and the network information corresponding to the application session includes: releasing the application session when the network corresponding to the application session is the first network.
- Since the terminal device cannot use the AKMA service on the first network, but the network corresponding to the application session used to transmit the AKMA service is the first network, it is determined that the application session needs to be released, which achieves proper management of the AKMA service.
- determining whether to release the application session based on the AKMA service shutdown notification message and the network information corresponding to the application session includes: if the network corresponding to the application session is a second network, not releasing the application session, wherein the second network is different from the first network and is a network in which the terminal device can use the AKMA service.
- Since the terminal device cannot use the AKMA service on the first network but can use the AKMA service on the second network, and the network corresponding to the application session used to transmit the AKMA service is the second network, it is determined that the application session will not be released, thus enabling correct management of the AKMA service.
- embodiments of this application provide a management method for AKMA services, which can be executed by a first device.
- the "first device" in this application can refer to an AF network element, a component within an AF network element (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the functions of the AF network element.
- the method includes: receiving an application session establishment request message from a terminal device, the application session establishment request message requesting the establishment of an application session for transmitting AKMA services between the terminal device and an application function network element, the application session establishment request message including an AKMA key identifier, the application session being carried on a first session; sending an application key request message to an AKMA anchor function network element, the application key request message including the AKMA key identifier; receiving an application key response message from the AKMA anchor function network element, the application key response message including an application key corresponding to the AKMA key identifier, the application key response message indicating that the terminal device is not allowed to use AKMA services in the first network and/or is allowed to use AKMA services in the second network; obtaining information about the current network corresponding to the first session; and determining whether to allow the application session based on the information about the current network corresponding to the first session and the application key response message.
- the first device receives an application key response message from the AKMA anchor function network element.
- the application key response message includes an application key and also indicates that the terminal device is not allowed to use AKMA services in the first network and/or is allowed to use AKMA services in the second network. This helps the first device to more accurately determine whether to allow the terminal device to request the establishment of an application session, and realizes accurate management of AKMA services between the terminal device and the application function network element.
- obtaining the information of the current network corresponding to the first session includes: obtaining the information of the current network corresponding to the first session based on the application key response message.
- the application key response message triggers the first device to obtain the current network information corresponding to the first session, which allows timely and accurate acquisition of that information.
- obtaining the information of the current network corresponding to the first session includes: sending a subscription request message to the session management function network element, the subscription request message being used to subscribe to the network information corresponding to the first session; and receiving a notification message from the session management function network element, the notification message including the information of the current network corresponding to the first session.
- the subscription request message includes one or more of the information of the first session, the identifier of the terminal device, or an event identifier, wherein the event identifier is used to indicate a network change event.
- determining whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message includes: rejecting the application session if the current network corresponding to the first session is the first network.
- the first device can correctly determine and reject the application session requested by the terminal device, which helps to achieve proper management of AKMA services.
- determining whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message includes: allowing the application session if the current network corresponding to the first session is the second network.
- the first device can correctly determine the application session that the terminal device is allowed to request to establish, which helps to achieve proper management of AKMA services.
- embodiments of this application provide a management method for AKMA services, which can be executed by a second device.
- the "second device" in this application can refer to an AKMA network element, a component within an AKMA network element (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the AKMA network element functions.
- the method includes: receiving an application key request message from an application function network element, the application key request message including an AKMA key identifier; and sending an application key response message to the application function network element, based on whether a terminal device is allowed to use AKMA services in a first network and/or a second network, the application key response message indicating whether the terminal device is allowed to use AKMA services in the first network and/or the second network.
- the second device sends an application key response message to the application function network element.
- the application key response message indicates whether the terminal device is allowed to use AKMA service in the first network and/or the second network. This helps the application function network element to more accurately determine whether to allow the application session requested by the terminal device to be established, and realizes accurate management of AKMA service between the terminal device and the application function network element.
- sending an application key response message to the application function network element based on whether the terminal device is allowed to use AKMA services in the first network and the second network includes: if it is determined that the terminal device is not allowed to use AKMA services in the first network but is allowed to use AKMA services in the second network, sending the application key response message to the application function network element, the application key response message including an application key generated based on the AKMA key corresponding to the AKMA key identifier, and the application key response message also including information about the first network and/or the second network; wherein the information about the first network indicates that the terminal device is not allowed to use AKMA services in the first network, and the information about the second network indicates that the terminal device is allowed to use AKMA services in the second network.
- sending an application key response message to the application function network element based on whether the terminal device is allowed to use the AKMA service in the first network and the second network includes: if it is determined that the terminal device is allowed to use the AKMA service in both the first network and the second network, sending the application key response message to the application function network element, wherein the application key response message is used to indicate that the terminal device is allowed to use the AKMA service in both the first network and the second network.
- the application key response message includes an application key, which is generated based on the AKMA key corresponding to the AKMA key identifier.
- sending an application key response message to the application function network element based on whether the terminal device is allowed to use the AKMA service in the first network and the second network includes: if it is determined that the terminal device is not allowed to use the AKMA service in the first network and the second network, sending the application key response message to the application function network element, wherein the application key response message is used to indicate rejection of the application key request message. Specifically, the application key response message does not include an application key.
- the application key response message further includes information about the first network and information about the second network; wherein the information about the first network indicates that the terminal device is allowed to use the AKMA service in the first network; and the information about the second network indicates that the terminal device is allowed to use the AKMA service in the second network.
- embodiments of this application provide a communication device that has the function of implementing any of the methods described in the first and second aspects and the sixth aspect above.
- This function can be implemented in hardware or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above-described functions.
- embodiments of this application provide a communication device that has the function of implementing any of the methods described in the third and fifth aspects above.
- This function can be implemented in hardware or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above-described functions.
- embodiments of this application provide a communication device that has the function of implementing any of the methods described in the fourth aspect.
- This function can be implemented in hardware or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the described function.
- embodiments of this application provide a communication apparatus, including units or means for performing various steps of any of the implementation methods in the first to sixth aspects described above.
- embodiments of this application provide a communication device, including a processor and an interface circuit.
- the processor is used to communicate with other devices through the interface circuit and to execute any of the implementation methods in the first to sixth aspects described above.
- there may be one or more processors.
- the communication device may further include a memory for storing computer instructions, the memory being coupled to a processor that executes the computer instructions stored in the memory to cause the device to perform any of the implementation methods of the first to sixth aspects described above.
- embodiments of this application also provide a computer program product, which includes a computer program or instructions that, when executed by a communication device, cause any of the implementation methods in the first to sixth aspects to be performed.
- embodiments of this application also provide a computer-readable storage medium storing instructions that, when executed on a communication device, cause any of the implementation methods in the first to sixth aspects described above to be performed.
- this application provides a chip (or chip system) including a processor coupled to a memory storing a computer program; the processor is configured to invoke part or all of the computer program in the memory, such that any implementation of the first to sixth aspects described above is executed.
- this application provides a communication system, including a first device and a second device.
- the first device is used to implement any of the methods described in the first aspect above.
- the second device is used to send an AKMA service shutdown notification message to the first device.
- this application provides a communication system, including a first device for implementing any implementation method of the fifth aspect above and a second device for implementing any implementation method of the sixth aspect above.
- Figure 1 is a schematic diagram of a 5G network architecture based on a service-oriented architecture
- Figure 2 is a schematic diagram of a 5G network architecture based on a point-to-point interface
- Figure 3 is a schematic diagram of the architecture for adding AKMA-related functions in a 5G network
- Figure 4 is a schematic diagram of a method for generating K_AKMA provided in an embodiment of this application.
- Figure 5 is a schematic diagram of a method of using K_AKMA provided in an embodiment of this application.
- Figure 6 is a schematic diagram of the AKMA service shutdown method provided in an embodiment of this application.
- Figure 7 is a schematic diagram of the AKMA service shutdown method provided in an embodiment of this application.
- Figure 8(a) is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 8(b) is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 8(c) is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 9(a) is an example of the relationship between session and network provided in an embodiment of this application.
- Figure 9(b) shows an example of the relationship between session and network provided in an embodiment of this application.
- Figure 9(c) is an example of the relationship between session and network provided in an embodiment of this application.
- Figure 9(d) is an example of the relationship between session and network provided in the embodiments of this application.
- Figure 10 is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 11 is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 12 is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 13 is a flowchart illustrating the AKMA service management method provided in an embodiment of this application.
- Figure 14 is a schematic diagram of a communication device provided in an embodiment of this application.
- Figure 15 is a schematic diagram of a communication device provided in an embodiment of this application.
- the 3GPP standards group developed the Next Generation System architecture, known as the 5th generation (5G) network architecture.
- This architecture not only supports radio access technologies defined by the 3GPP standards group (such as Long Term Evolution (LTE) and 5G Radio Access Network (RAN)) to access the 5G core network (CN), but also supports access to the core network using non-3GPP access technologies through non-3GPP interworking functions (N3IWF) or next-generation packet data gateways (ngPDG).
- Figure 1 is a schematic diagram of a service-based 5G network architecture.
- The 5G network architecture shown in Figure 1 may include access network equipment and core network equipment, as well as terminal devices (user equipment (UE) is taken as the example in the figure) and a data network (DN).
- the core network equipment includes, but is not limited to, some or all of the following network elements: authentication server function (AUSF) network element (not shown in the figure), unified data management (UDM) network element, unified data repository (UDR) network element, network repository function (NRF) network element (not shown in the figure), network exposure function (NEF) network element (not shown in the figure), application function (AF) network element, policy control function (PCF) network element, access and mobility management function (AMF) network element, session management function (SMF) network element, and user plane function (UPF) network element.
- Terminal devices can be UEs, mobile stations, mobile terminal devices, etc. They can be widely used in various scenarios, such as device-to-device (D2D), vehicle-to-everything (V2X) communication, machine-type communication (MTC), Internet of Things (IoT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grids, smart furniture, smart offices, smart wearables, smart transportation, and smart cities.
- Terminal devices can be mobile phones, tablets, computers with wireless transceiver capabilities, wearable devices, vehicles, urban air mobility vehicles (such as drones and helicopters), ships, robots, robotic arms, smart home devices, etc.
- Terminal devices store long-term keys and related functions. When performing two-way authentication with core network elements (such as AMF and AUSF elements), the terminal device uses the long-term key and related functions to verify the authenticity of the network.
- Access network equipment can be either radio access network (RAN) equipment or wired access network equipment.
- RAN equipment includes 3GPP access network equipment, untrusted non-3GPP access network equipment, and trusted non-3GPP access network equipment.
- 3GPP access network equipment includes, but is not limited to: evolved NodeBs (eNodeBs) in LTE, next-generation NodeBs (gNBs) in 5G mobile communication systems, base stations in future mobile communication systems, or modules or units that perform some base station functions, such as central units (CUs) and distributed units (DUs).
- Untrusted non-3GPP access network equipment includes, but is not limited to: untrusted non-3GPP access gateways or N3IWF devices, untrusted wireless local area network (WLAN) access points (APs), switches, and routers.
- Trusted non-3GPP access network equipment includes, but is not limited to: trusted non-3GPP access gateways, trusted WLAN APs, switches, and routers.
- Wired access network equipment includes, but is not limited to: wireline access gateway, fixed telephone network equipment, switches, and routers.
- Access network equipment and terminal equipment can be fixed or mobile. They can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; and they can be deployed in the air on aircraft, balloons, and satellites. The embodiments of this application do not limit the application scenarios of the access network equipment and terminal equipment.
- The AMF network element includes functions such as mobility management and access authentication/authorization. In addition, it is responsible for transmitting user policies between terminal devices and the PCF network element.
- SMF network elements include functions such as performing session management, executing control policies issued by PCF network elements, selecting UPF network elements, or allocating Internet Protocol (IP) addresses to terminal devices.
- UPF network elements include functions such as user plane data forwarding, session/flow-level billing statistics, and bandwidth limiting.
- UDM network elements include functions such as managing subscription data or authorizing user access.
- The UDR includes functions for storing and retrieving data of various types, such as subscription data, policy data, or application data.
- NEF network elements are used to support the exposure of capabilities and events.
- AF network elements convey application-side requests to the network side, such as QoS requirements or user state event subscriptions.
- AF can be a third-party functional entity or an application service deployed by the operator, such as the IP Multimedia Subsystem (IMS) voice call service.
- AF network elements include AF network elements within the core network (i.e., the operator's AF network elements) and third-party AF network elements (such as an enterprise's application server).
- PCF network elements include policy control functions responsible for billing, QoS bandwidth guarantees, mobility management, and terminal device policy decisions at the session and service flow levels.
- PCF network elements include Access and Mobility Management Policy Control Function (AM PCF) network elements and Session Management Policy Control Function (SM PCF) network elements.
- AM PCF network elements are used to formulate AM policies and user policies for terminal devices; AM PCF network elements can also be referred to as policy control network elements providing services to terminal devices (PCF for a UE).
- SM PCF network elements are used to formulate session management policies (SM policies) for sessions; SM PCF network elements can also be referred to as policy control network elements providing services to Protocol Data Unit (PDU) sessions (PCF for a PDU session).
- NRF network elements can be used to provide network element discovery functionality, providing network element information corresponding to the network element type based on requests from other network elements. NRF network elements also provide network element management services, such as network element registration, updates, deregistration, and network element status subscription and push.
- the AUSF network element is responsible for authenticating users to determine whether a user or device is allowed to access the network.
- A DN is a network located outside the operator's network.
- An operator's network can connect to multiple DNs, and various services can be deployed on a DN, providing data and/or voice services to terminal devices.
- a DN might be the private network of a smart factory.
- Sensors installed in the workshop can act as terminal devices, and a control server for these sensors is deployed within the DN.
- the control server provides services to the sensors. Sensors can communicate with the control server, receive instructions from it, and transmit the collected sensor data back to the control server accordingly.
- Another example is a DN serving as an internal office network for a company. Employees' mobile phones or computers can act as terminal devices, accessing information and data resources on the company's internal office network.
- Npcf, Nudr, Nudm, Naf, Namf, and Nsmf are the service interfaces provided by the PCF, UDR, UDM, AF, AMF, and SMF network elements, respectively, used to invoke the corresponding service operations.
- N1, N2, N3, N4, and N6 are interface sequence numbers, and their meanings are as follows:
- N1 The interface between the AMF network element and the terminal device, which can be used to transmit non-access stratum (NAS) signaling (such as QoS rules from the AMF network element) to the terminal device.
- N2 The interface between the AMF network element and the access network equipment, which can be used to transmit radio bearer control information from the core network side to the access network equipment.
- N3 The interface between the access network equipment and the UPF network element, mainly used to transmit uplink and downlink user plane data between the access network equipment and the UPF network element.
- N4 The interface between SMF network elements and UPF network elements. It can be used to transmit information between the control plane and the user plane, including the distribution of forwarding rules, QoS rules, traffic statistics rules, etc. from the control plane to the user plane, as well as the reporting of information from the user plane.
- N6 The interface between the UPF network element and the DN, used to transmit uplink and downlink user data streams between the UPF network element and the DN.
- Figure 2 is a schematic diagram of a 5G network architecture based on point-to-point interfaces. The functions of the network elements are described in Figure 1, and will not be repeated here. The main difference between Figure 2 and Figure 1 is that the interfaces between the control plane network elements in Figure 1 are service-oriented interfaces, while the interfaces between the control plane network elements in Figure 2 are point-to-point interfaces.
- N5 The interface between the AF network element and the PCF network element, which can be used for application service request distribution and network event reporting.
- N7 The interface between PCF network elements and SMF network elements, which can be used to issue PDU session granularity and service data flow granularity control policies.
- N8 The interface between the AMF network element and the UDM network element. It can be used by the AMF network element to obtain access and mobility management related subscription data and authentication data from the UDM network element, as well as by the AMF network element to register terminal device mobility management related information with the UDM network element.
- N9 User plane interface between UPF network elements, used to transmit uplink and downlink user data streams between UPF network elements.
- N10 The interface between SMF network elements and UDM network elements. It can be used for SMF network elements to obtain session management-related subscription data from UDM network elements, and for SMF network elements to register terminal device session-related information with UDM.
- N11 The interface between SMF network elements and AMF network elements. It can be used to transmit PDU session tunnel information between access network devices and UPF network elements, transmit control messages sent to terminal devices, and transmit radio resource control information sent to access network devices.
- N15 The interface between PCF network elements and AMF network elements, which can be used to issue terminal equipment policies and access control related policies.
- N35 The interface between UDM network elements and UDR network elements, which can be used by UDM network elements to obtain user subscription data information from UDR network elements.
- N36 The interface between PCF network elements and UDR network elements, which can be used by PCF network elements to obtain policy-related subscription data and application data from UDR network elements.
- Figure 3 is a schematic diagram of the architecture for adding AKMA-related functions to a 5G network.
- Figure 3 shows the 5G architecture shown in Figure 1 with AKMA-related functions added.
- AKMA-related functions can also be added to the 5G architecture shown in Figure 2, and the principle is similar, so it will not be elaborated further.
- Figure 3 introduces a new AAnF network element.
- The AAnF network element can request the AKMA root key (K_AKMA) from the AUSF network element. The AAnF network element then determines, based on K_AKMA, the application key (K_AF) used by the AF network element and the validity period of K_AF.
- The AF network element obtains K_AF and the validity period of K_AF from the AAnF network element through interaction with the AAnF network element.
- The AF network element can be located inside or outside the 5G core network. If the AF network element is inside the 5G core network, it can interact directly with the PCF network element. If the AF network element is outside the 5G core network, it can interact with the PCF network element via the NEF network element, meaning the NEF network element acts as an intermediate network element between the AF network element and the PCF network element.
- The AUSF network element supports authentication (also known as authorization) for both 3GPP access and non-3GPP access, and can generate K_AKMA for the AAnF network element.
- The AF network element can obtain services from the AAnF network element.
- For example, the AF network element interacts with the AAnF network element to obtain K_AF and the validity period of K_AF.
- Ua* is a reference point between the UE and the AF network element, used for message interaction between the UE and the AF network element, and can support key generation in the AKMA process.
- the aforementioned network element or function can be a network component in a hardware device, a software function running on dedicated hardware, or a virtualized function instantiated on a platform (e.g., a cloud platform).
- the aforementioned network element or function can be implemented by one device, multiple devices working together, or a functional module within a single device; this application embodiment does not specifically limit this.
- this application uses a UE as an example of a terminal device in its embodiments.
- the UE described below can be replaced with any terminal device.
- the AUSF network element, UDM network element, AAnF network element, AF network element, NEF network element, NRF network element, and SMF network element are abbreviated as AUSF, UDM, AAnF, AF, NEF, NRF, and SMF, respectively.
- Figure 4 is a schematic diagram of a method for generating K_AKMA according to an embodiment of this application. The method includes the following steps:
- step 401 during the primary authentication process, AUSF sends an authentication request message to UDM. Accordingly, UDM receives the authentication request message.
- the authentication request message includes a Subscription Permanent Identifier (SUPI) or a Subscription Concealed Identifier (SUCI). This authentication request message is used to request an authentication vector from the UDM, which is used to trigger primary authentication between the core network and the UE.
- The authentication request message can be a Nudm_UEAuthentication_Get Request message.
- The primary authentication process is also called the primary authorization process; this is noted once here and not repeated hereafter.
- step 402 the UDM sends an authentication response message to the AUSF.
- the AUSF then receives this authentication response message.
- the authentication response message includes the authentication vector.
- If the UE supports AKMA services, the authentication response message also contains AKMA indication information.
- UE support for AKMA services means that the UE has AKMA capability and that the UE's services can use AKMA.
- The AKMA indication information is used to trigger the AUSF to generate K_AKMA.
- An AKMA service is a service that provides security protection between the UE and the AF based on a key generated by AKMA; specifically, it can be an application session or application service between the UE and the AF. An AKMA service can be implemented through an application session/connection/link established between the UE and the AF.
- The AKMA service in the embodiments of this application may also be referred to as the AKMA application service; this is noted once here and not repeated in other embodiments.
- The authentication response message may also include a routing identifier (RID), which is used to select the AAnF, i.e., the AAnF can be selected based on the RID.
- The authentication response message can be a Nudm_UEAuthentication_Get Response message.
- Step 403 If the AUSF receives the AKMA indication information from the UDM, then after the primary authentication process completes successfully, the AUSF generates K_AKMA and the AKMA key identifier (A-KID) based on the AUSF root key (K_AUSF).
- The A-KID is used to identify K_AKMA.
- The A-KID is in Network Access Identifier (NAI) format, i.e., username@realm.
- The username portion includes the RID and the AKMA Temporary UE Identifier (A-TID).
- The RID is part of the SUCI and is represented by 1 to 4 decimal digits.
- The A-TID is a temporary identifier generated based on K_AUSF.
- The realm portion includes the home network identifier, which can specifically be the identifier of the home public land mobile network (HPLMN ID).
- The home public land mobile network is also called the home PLMN or the local public land mobile network.
- After the primary authentication process, the UE also generates K_AKMA and the A-KID based on K_AUSF in the same way as the AUSF.
- step 404 the AUSF selects an AAnF and sends a key registration request message to the selected AAnF.
- the AAnF then receives the key registration request message.
- The key registration request message includes the SUPI, the A-KID, and K_AKMA.
- AUSF selects AAnF based on RID.
- the key registration request message can be a Naanf_AKMA_AnchorKey_Register Request message.
- step 405 AAnF sends a key registration response message to AUSF. AUSF then receives this key registration response message.
- the key registration response message can be a Naanf_AKMA_AnchorKey_RegisterResponse message.
- The AAnF only stores the latest information sent by the AUSF.
- If the AUSF sends a new A-KID and a new K_AKMA to the AAnF, the AAnF deletes the old A-KID and the old K_AKMA and saves the new A-KID and the new K_AKMA.
- The UE and the AAnF store the same K_AKMA, which allows the UE and the AAnF to derive further keys from K_AKMA later.
- Figure 5 is a schematic diagram of a method for using K_AKMA provided in an embodiment of this application.
- The AF may be a network element inside the 3GPP core network or a network element outside the 3GPP core network.
- When the AF is outside the 3GPP core network, the following interactions between the AF and the AAnF can be relayed through the NEF.
- Before the method starts, the primary authentication process and the K_AKMA generation process shown in the embodiment of Figure 4 have been completed.
- the UE needs to complete registration and establish a PDU session.
- This PDU session is used to transmit user plane data (e.g., AKMA service) between the UE and the AF.
- The AF can obtain the UE's IP address and UE ID (e.g., GPSI).
- For example, the AF requests the UE's IP address for the current PDU session from the SMF, and the SMF provides the UE's IP address and UE ID (e.g., GPSI) to the AF.
- the method includes the following steps:
- Step 501 The UE sends an Application Session Establishment Request message to the AF.
- the AF receives the Application Session Establishment Request message.
- the application session establishment request message includes A-KID.
- The A-KID is generated by the UE during the K_AKMA generation process, prior to step 501.
- The K_AKMA generation process is described in the embodiment shown in Figure 4.
- Step 502 If there is no A-KID related context on the AF, the AF selects an AAnF and sends an application key request message to the AAnF. Accordingly, the AAnF receives the application key request message.
- the application key request message includes an A-KID and an AF ID.
- the A-KID comes from step 501.
- the AF ID is used to identify the AF.
- The AF ID can be used as an input parameter when calculating K_AF to achieve key isolation between different AFs.
- AF can select AAnF based on RID.
- The application key request message can be a Naanf_AKMA_ApplicationKey_Get Request message or a Naanf_AKMA_ApplicationKey_AnonUser_Get Request message.
- step 503 when AAnF determines that AF requires a Generic Public Subscription Identity (GPSI) based on local rules, AAnF sends a request message to UDM. Accordingly, UDM receives the request message.
- This request message is used to request the UE's GPSI.
- the request message may carry the UE's SUPI to request the GPSI corresponding to that SUPI.
- the request message could be a Nudm_SDM_Get Request message.
- Step 504 optionally, UDM sends a response message to AAnF. AAnF then receives the response message.
- the response message includes the UE's GPSI.
- AAnF stores the GPSI as the UE's AKMA context.
- If the AF does not require the GPSI, steps 503 to 504 need not be executed.
- the response message could be a Nudm_SDM_Get Response message.
- Step 505 optionally, AAnF sends a subscription request message to UDM. Accordingly, UDM receives the subscription request message.
- the subscription request message contains the UE's SUPI or GPSI, and is used to request the UE's roaming status report or roaming status information.
- the subscription request message can be a Nudm_EventExposure_Subscribe Request message.
- Step 506 optionally, UDM sends a subscription response message to AAnF. AAnF then receives the subscription response message.
- the subscription response message contains the UE's roaming status information.
- the roaming status information includes the public land mobile network (PLMN) information registered by the UE.
- the roaming status information also includes indication information indicating whether the PLMN is the home network.
- The PLMN information registered by the UE can be referred to as the information of the first network.
- If the PLMN information registered by the UE includes the identifiers of two PLMNs, these can be referred to as the information of the first network and the information of the second network, respectively.
- When the UE's roaming status changes, the UDM sends a notification message to the AAnF, which carries the changed roaming status information.
- the subscription response message can be a Nudm_EventExposure_Subscribe Response message.
- Step 507 The AAnF obtains K_AKMA based on the A-KID, generates K_AF based on K_AKMA and the AF ID, and determines the validity period of K_AF.
- The AAnF obtained the A-KID and the corresponding K_AKMA during the primary authentication process and the K_AKMA generation process, and stores the A-KID and K_AKMA locally.
- step 508 AAnF sends an application key response message to AF.
- AF receives the application key response message.
- The application key response message includes K_AF and the validity period of K_AF.
- the application key response message can be a Naanf_AKMA_ApplicationKey_Get Response message.
- In some cases, the application key response message carries the SUPI or GPSI; in other cases, it does not.
- step 509 the AF sends an Application Session Establishment Response message to the UE.
- the UE receives the Application Session Establishment Response message.
- In any step after the primary authentication process and the K_AKMA generation process, the UE also generates K_AF and determines the validity period of K_AF in the same way as the AAnF.
- The UE and the AAnF thus determine the same K_AF and K_AF validity period based on K_AKMA, and the AAnF sends K_AF and its validity period to the AF. Subsequently, the UE and the AF can use K_AF to protect the content transmitted between them, which helps improve communication security.
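The key chain of Figures 4 and 5 (K_AUSF to K_AKMA and A-TID, A-KID in NAI form, K_AF per AF ID, and the AAnF keeping only the latest anchored pair), worked through as an added example that is not part of the patent. The KDF follows the HMAC-SHA-256 shape of 3GPP TS 33.220 Annex B; the FC constants, the A-TID encoding, the realm layout and all key material and identifiers are assumptions constructed for this example.

```python
import hashlib
import hmac
import re
import struct
from datetime import datetime, timedelta, timezone

# KDF in the 3GPP TS 33.220 Annex B shape: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).
# The FC values, the A-TID encoding and the realm layout below are assumptions for this example.
FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82
A_TID_HEX_LEN = 32  # A-TID carried as 16 bytes, hex-encoded (assumed)
RID_RE = re.compile(r"[0-9]{1,4}")  # the RID is 1 to 4 decimal digits

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))  # each parameter is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    """Step 403: the UE and the AUSF derive K_AKMA from K_AUSF in the same way."""
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())

def derive_a_tid(k_ausf: bytes, supi: str) -> str:
    """Step 403: the A-TID is a temporary identifier derived from K_AUSF."""
    return kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())[:16].hex()

def build_a_kid(rid: str, a_tid: str, mcc: str, mnc: str) -> str:
    """A-KID in NAI form username@realm: username = RID || A-TID, realm = HPLMN identifier."""
    if not RID_RE.fullmatch(rid):
        raise ValueError("RID must be 1 to 4 decimal digits")
    return f"{rid}{a_tid}@5g-akma.mnc{mnc}.mcc{mcc}.3gppnetwork.org"

def parse_a_kid(a_kid: str) -> tuple:
    """Split an A-KID into (RID, A-TID, realm); the AUSF and the AF select the AAnF by the RID."""
    username, realm = a_kid.split("@", 1)
    rid, a_tid = username[:-A_TID_HEX_LEN], username[-A_TID_HEX_LEN:]
    if not RID_RE.fullmatch(rid) or not re.fullmatch(r"[0-9a-f]{32}", a_tid):
        raise ValueError("malformed A-KID")
    return rid, a_tid, realm

def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    """Step 507 and the UE side: K_AF = KDF(K_AKMA, AF ID), so different AFs get different keys."""
    return kdf(k_akma, FC_K_AF, af_id.encode())

class AAnF:
    """Anchor function: holds (SUPI, A-KID, K_AKMA) and serves application key requests."""

    def __init__(self, k_af_lifetime: timedelta = timedelta(hours=24)):
        self._by_a_kid = {}  # A-KID -> (SUPI, K_AKMA)
        self._a_kid_of_supi = {}  # SUPI -> currently anchored A-KID
        self._lifetime = k_af_lifetime

    def anchor_key_register(self, supi: str, a_kid: str, k_akma: bytes) -> None:
        """Steps 404/405: only the latest A-KID/K_AKMA per SUPI is kept; the old pair is deleted."""
        old = self._a_kid_of_supi.get(supi)
        if old is not None:
            self._by_a_kid.pop(old, None)
        self._by_a_kid[a_kid] = (supi, k_akma)
        self._a_kid_of_supi[supi] = a_kid

    def application_key_get(self, a_kid: str, af_id: str, now: datetime):
        """Steps 507/508: K_AF and its expiry for a known A-KID, None for an unknown one."""
        entry = self._by_a_kid.get(a_kid)
        if entry is None:
            return None
        return derive_k_af(entry[1], af_id), now + self._lifetime

def run_flow() -> dict:
    """Figure 4 followed by Figure 5, with constructed (not real) key material and identifiers."""
    supi, rid, mcc, mnc = "imsi-001010123456789", "12", "001", "01"
    k_ausf = hashlib.sha256(b"constructed K_AUSF for the example").digest()
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    aanf = AAnF()
    # Figure 4: UE and AUSF derive K_AKMA and A-KID; the AUSF registers them with the AAnF.
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid(rid, derive_a_tid(k_ausf, supi), mcc, mnc)
    aanf.anchor_key_register(supi, a_kid, k_akma)
    # Figure 5: the AF forwards the A-KID with its AF ID; the AAnF returns K_AF and its validity.
    af_id = "af1.example.com"
    k_af_aanf, expiry = aanf.application_key_get(a_kid, af_id, now)
    # A new primary authentication (new K_AUSF) replaces the anchored pair; the old A-KID is gone.
    k_ausf2 = hashlib.sha256(b"constructed K_AUSF after re-authentication").digest()
    aanf.anchor_key_register(supi, build_a_kid(rid, derive_a_tid(k_ausf2, supi), mcc, mnc),
                             derive_k_akma(k_ausf2, supi))
    return {
        "a_kid": a_kid,
        "parsed": parse_a_kid(a_kid),
        "k_af_ue": derive_k_af(k_akma, af_id),  # the UE computes K_AF locally
        "k_af_aanf": k_af_aanf,  # the AF received this one from the AAnF
        "k_af_other_af": derive_k_af(k_akma, "af2.example.com"),  # key isolation per AF ID
        "expiry": expiry,
        "old_a_kid_after_rekey": aanf.application_key_get(a_kid, af_id, now),
    }
```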
- AAnF can determine whether AKMA services are allowed based on local configuration and the UE's roaming status information. This will be explained below.
- Figure 6 is a schematic diagram of a method for disabling the AKMA service provided in an embodiment of this application. This embodiment is for a scenario where no re-authentication (or re-authorization) occurs between the UE and the core network. The method includes the following steps:
- Step 601 The UE registers with the first network.
- The first network may be a home public land mobile network (HPLMN).
- Step 602 The UE accesses the AF, the AF obtains K_AF, and the AF provides the AAnF with a Uniform Resource Identifier (URI) for service shutdown.
- This URI is used by the AAnF to locate the AF that needs to shut down the AKMA service.
- For example, this URI could be the IP address of the AF.
- Step 603 AAnF receives a notification message from UDM, which includes the UE's roaming status information. Based on the UE's roaming status information, AAnF detects that the network the UE is registered with has changed.
- the network registered by the UE changes from registering to the first network to registering to the second network, or changes from registering to the first network to registering to both the first and second networks simultaneously.
- the first network can be a network that the UE connects to via 3GPP access or a network that connects via non-3GPP access.
- the second network can be a network connected via 3GPP access or a network connected via non-3GPP access.
- Step 604 AAnF determines that AF provided a URI for service shutdown, and local rules indicate that the UE cannot use AKMA services on the second network.
- Step 605 AAnF sends an AKMA service shutdown notification message to AF.
- AF receives the AKMA service shutdown notification message.
- the AKMA service shutdown notification message carries first information, which is associated with the UE's AKMA service. This AKMA service shutdown notification message is used to instruct the AF to shut down the AKMA service of the UE corresponding to the first information.
- The first information includes one or more of the following:
- the A-KID;
- the UE's second identifier, which is different from its first identifier. For example, the UE's first identifier is the SUPI and its second identifier is the GPSI, or the UE's first identifier is the GPSI and its second identifier is the SUPI. The AAnF stores the correspondence between the UE's first identifier and its second identifier;
- a context identifier, which indicates the context of the connection between the AAnF and the AF. This context ID can be generated by the AAnF.
- the AKMA service shutdown notification message can be a Naanf_AKMA_ServiceDisableNotification message.
- the AF stops or shuts down the AKMA service of the UE corresponding to the first information.
- the following describes the specific implementation method of AF disabling AKMA service of UE.
- Scenario 1 The first information includes the A-KID.
- the AF can pre-store the correspondence between A-KID and UE's AKMA service.
- the AF can use this correspondence to determine the AKMA service of the UE corresponding to A-KID.
- the AF can also pre-store the correspondence between A-KID and application key, as well as the correspondence between application key and UE's AKMA service.
- the AF can determine the application key corresponding to A-KID based on the correspondence between A-KID and application key, and then determine the AKMA service of UE corresponding to application key based on the correspondence between application key and specific AKMA service.
- Scenario 2 The first information includes the UE's second identifier.
- the AF can pre-store the correspondence between the UE's second identifier and the UE's AKMA service.
- the AF can use this correspondence to determine the UE's AKMA service corresponding to the UE's second identifier.
- the AF can also pre-store the correspondence between the UE's second identifier and the A-KID and/or application key, as well as the correspondence between the A-KID and/or application key and the UE's AKMA service.
- the AF can determine the A-KID and/or application key corresponding to the UE's second identifier based on the correspondence between the UE's second identifier and the A-KID and/or application key, and then determine the UE's AKMA service corresponding to the A-KID and/or application key based on the correspondence between the A-KID and/or application key and the UE's AKMA service.
- Scenario 3 The first information includes a context identifier.
- the AF can pre-store the mapping relationship between the context identifier and the UE's AKMA service. The AF can then use this mapping relationship to determine the AKMA service of the UE corresponding to the context identifier.
- the AF can also pre-store the mapping between the context identifier and the A-KID and/or application key, as well as the mapping between the A-KID and/or application key and the UE's AKMA service.
- the AF can determine the A-KID and/or application key corresponding to the context identifier based on the mapping between the context identifier and the A-KID and/or application key, and then determine the UE's AKMA service corresponding to the A-KID and/or application key based on the mapping between the A-KID and/or application key and the UE's AKMA service.
- the AF closes the AKMA service, which can be one or more of the following operations: deleting the connection, link or session related to the AKMA service; deleting the context related to the AKMA service; deleting cached data or signaling related to the AKMA service; or sending a connection, link or session release message to the UE to disconnect the connection, link or session with the UE.
- Step 606 AF sends an AKMA service shutdown response message to AAnF.
- AAnF receives the AKMA service shutdown response message.
- the AKMA service shutdown response message can be a Naanf_AKMA_ServiceDisableNotification response message.
- In this way, when the UE changes its registration from the first network to the second network and the UE cannot use the AKMA service in the second network, the AAnF notifies the AF to shut down the AKMA service of the UE associated with the A-KID.
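The AAnF decision of steps 603 to 605 (roaming status change, local rules, shutdown URI) and the AF-side lookup of Scenarios 1 to 3 followed by the step 606 response, as an added example that is not part of the patent. The message field names, the local-rule table and every identifier are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AkmaContext:
    """AAnF's per-UE AKMA context (GPSI and registered PLMN stored as in steps 504/506)."""
    supi: str
    gpsi: str
    a_kid: str
    registered_plmns: frozenset  # first network, or first and second network under dual registration
    shutdown_uris: dict = field(default_factory=dict)  # AF ID -> URI the AF provided in step 602
    context_ids: dict = field(default_factory=dict)  # AF ID -> context ID generated by the AAnF

class AAnF:
    def __init__(self, akma_allowed_in_plmn: dict):
        self.rules = akma_allowed_in_plmn  # local rules: PLMN ID -> may the UE use AKMA there
        self.contexts = {}  # SUPI -> AkmaContext

    def on_roaming_status_notification(self, supi: str, plmns: set) -> list:
        """Step 603: UDM reports the registered PLMN(s); returns the step 605 notifications to send."""
        ctx = self.contexts[supi]
        new = frozenset(plmns)
        if new == ctx.registered_plmns:
            return []  # registered network unchanged, nothing to do
        ctx.registered_plmns = new
        if all(self.rules.get(p, False) for p in new):
            return []  # step 604: AKMA is allowed in every network the UE is now registered with
        notifications = []
        for af_id, uri in ctx.shutdown_uris.items():  # only AFs that provided a URI are notified
            notifications.append({
                "uri": uri,
                "message": "Naanf_AKMA_ServiceDisableNotification",
                "first_information": {
                    "a_kid": ctx.a_kid,
                    "gpsi": ctx.gpsi,  # the UE's second identifier; the SUPI is not sent to the AF
                    "context_id": ctx.context_ids[af_id],
                },
            })
        return notifications

class AF:
    """Application function holding the correspondences described in Scenarios 1 to 3."""

    def __init__(self, af_id: str, uri: str):
        self.af_id, self.uri = af_id, uri
        self.sessions = {}  # session ID -> {a_kid, gpsi, context_id, k_af}
        self.by_a_kid, self.by_gpsi, self.by_context_id = {}, {}, {}

    def _indexes(self, rec: dict):
        return ((self.by_a_kid, rec["a_kid"]), (self.by_gpsi, rec["gpsi"]),
                (self.by_context_id, rec["context_id"]))

    def establish_session(self, session_id: str, a_kid: str, gpsi: str, context_id: str, k_af: bytes):
        rec = {"a_kid": a_kid, "gpsi": gpsi, "context_id": context_id, "k_af": k_af}
        self.sessions[session_id] = rec
        for index, key in self._indexes(rec):
            index.setdefault(key, set()).add(session_id)

    def on_service_disable_notification(self, first_information: dict) -> dict:
        """Resolve the UE's AKMA sessions from whichever identifiers are present, then shut them down."""
        targets = set()
        for index, key in ((self.by_a_kid, first_information.get("a_kid")),
                           (self.by_gpsi, first_information.get("gpsi")),
                           (self.by_context_id, first_information.get("context_id"))):
            if key is not None:
                targets |= index.get(key, set())
        released = []
        for session_id in sorted(targets):
            rec = self.sessions.pop(session_id)  # deletes the session, its context and cached K_AF
            for index, key in self._indexes(rec):
                index[key].discard(session_id)
            released.append({"to_ue": rec["gpsi"], "session_release": session_id})
        return {"message": "Naanf_AKMA_ServiceDisableNotification response", "released": released}

def run_scenario() -> dict:
    """Figure 6 with constructed identifiers: AKMA allowed in the HPLMN, not in the visited PLMN."""
    hplmn, vplmn = "mcc001-mnc01", "mcc002-mnc02"
    aanf = AAnF({hplmn: True, vplmn: False})
    af = AF("af1.example.com", "https://af1.example.com/akma/disable")
    ctx = AkmaContext("imsi-001010123456789", "msisdn-15551230000",
                      "12" + "ab" * 16 + "@5g-akma.example", frozenset({hplmn}))
    ctx.shutdown_uris[af.af_id] = af.uri  # step 602: the AF handed over its shutdown URI
    ctx.context_ids[af.af_id] = "ctx-7f3a"
    aanf.contexts[ctx.supi] = ctx
    for sid in ("sess-1", "sess-2"):  # two AKMA-protected application sessions at the AF
        af.establish_session(sid, ctx.a_kid, ctx.gpsi, "ctx-7f3a", b"constructed-K_AF")
    unchanged = aanf.on_roaming_status_notification(ctx.supi, {hplmn})
    dual_reg = aanf.on_roaming_status_notification(ctx.supi, {hplmn, vplmn})
    responses = [af.on_service_disable_notification(n["first_information"]) for n in dual_reg]
    return {"unchanged": unchanged, "notifications": dual_reg, "responses": responses,
            "sessions_left": len(af.sessions)}
```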
- Figure 7 is a schematic diagram of another method for disabling the AKMA service provided in an embodiment of this application. This method is for scenarios where the UE's registered network changes and the UE undergoes at least two authentications, i.e., re-authentication (or re-authorization) occurs between the UE and the core network.
- the method includes the following steps:
- Step 701: Primary authentication and K_AKMA generation.
- The specific implementation of step 701 is shown in steps 401 to 405 of the embodiment in Figure 4.
- the UE registers with the first network and completes the registration process on the first network after passing the primary authentication.
- The K_AKMA and A-KID generated by the AUSF are referred to as K_AKMA#1 and A-KID#1.
- Step 702: The UE sends an application session establishment request message to the AF, triggering the AF to obtain from the AAnF the K_AF corresponding to A-KID#1 and the validity period of that K_AF.
- The specific implementation of step 702 is shown in steps 501 to 509 of the embodiment in Figure 5.
- Step 703: The UE and the core network perform primary authentication again, and the AUSF sends a key registration request message to the AAnF.
- the AAnF receives this key registration request message.
- The key registration request message includes the SUPI, A-KID#2, and K_AKMA#2.
- A-KID#2 and K_AKMA#2 are generated by the AUSF, and the UE generates the same A-KID#2 and K_AKMA#2.
- the key registration request message can be a Naanf_AKMA_Key_Register Request message.
- The scenarios in which the UE and the core network perform primary authentication again include any of the following:
- Scenario 1: The UE moves from the first network to the second network (for example, when an N2 handover occurs), so the UE still maintains a single registration.
- Scenario 2: The UE registers to the first network through a first access method (such as 3GPP access) and also registers to the second network through a second access method (such as non-3GPP access), i.e., the UE performs dual registration.
- Step 704: The AAnF sends a key registration response message to the AUSF, and the AUSF receives it.
- The key registration response message can be a Naanf_AKMA_AnchorKey_RegisterResponse message.
- The AAnF only stores the latest information sent by the AUSF. Therefore, when primary authentication occurs again (also called secondary primary authentication, re-authentication, secondary authorization, or re-authorization), after the AUSF sends A-KID#2 and K_AKMA#2 to the AAnF, the AAnF deletes the old A-KID and K_AKMA (A-KID#1 and K_AKMA#1) and stores the new ones (A-KID#2 and K_AKMA#2). Note that the K_AF obtained by the AF in step 702 corresponds to A-KID#1.
- Step 705 UDM sends a notification message to AAnF. AAnF then receives this notification message.
- The notification message carries the UE ID and roaming status information, where the UE ID can be a SUPI or SUCI, etc.
- For example, the roaming status information includes information about the second network, or information about both the first network and the second network.
- The notification message can be a Nudm_EventExposure_Notification message.
- Step 706 AAnF determines that AF provided a URI for service shutdown, and local rules indicate that the UE cannot use AKMA services on the second network.
- Step 707 AAnF sends an AKMA service shutdown notification message to AF.
- AF receives the AKMA service shutdown notification message.
- The AKMA service shutdown notification message carries A-KID#1, which is used to identify the AKMA keys that can no longer be used (e.g., the K_AF corresponding to A-KID#1).
- the AKMA service shutdown notification message can be a Naanf_AKMA_ServiceDisableNotification message.
- Step 708: The AF sends an AKMA service shutdown response message to the AAnF.
- The AAnF receives the AKMA service shutdown response message.
- The AKMA service shutdown response message can be a Naanf_AKMA_ServiceDisableNotification response message.
- Upon receiving the AKMA service shutdown notification message, the AF stops or shuts down the AKMA service of the UE corresponding to A-KID#1.
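The re-authentication flow of Figure 7, together with the context-identifier mapping the AF keeps (steps 605 and 606 above), as an added example in Python. This is not part of the patent and not 3GPP code. The class names, the PLMN strings, the representation of the AAnF local rule as a set of disallowed PLMN IDs, and the HMAC stand-in for the K_AF derivation are assumptions made for illustration; the real derivation uses the 3GPP KDF. The point the model makes concrete is that the AAnF keeps only A-KID#2 after re-authentication but must still notify the AF with A-KID#1, because that is the A-KID under which the AF holds its K_AF.

```python
import hmac
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass
class AfBinding:
    """What the AAnF remembers about an AF that fetched K_AF for a UE:
    the A-KID the AF was served under and the URI it gave for shutdown
    notifications (step 706 checks that such a URI exists)."""
    a_kid: str
    disable_uri: Optional[str]


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    # Placeholder (assumption): HMAC-SHA256 stands in for the 3GPP KDF.
    return hmac.new(k_akma, af_id.encode(), sha256).digest()


class Aanf:
    """AKMA Anchor Function model: keeps only the latest A-KID/K_AKMA per
    SUPI and notifies the AF when the UE lands on a network where the
    local rule says AKMA must not be used."""

    def __init__(self, disallowed_plmns):
        self.disallowed_plmns = set(disallowed_plmns)          # assumed local rule
        self.anchor: Dict[str, Tuple[str, bytes]] = {}           # supi -> (a_kid, k_akma)
        self.af_bindings: Dict[Tuple[str, str], AfBinding] = {}  # (supi, af_id) -> binding

    def key_register(self, supi: str, a_kid: str, k_akma: bytes) -> Optional[str]:
        """Naanf_AKMA_Key_Register (steps 703/704): a re-authentication
        overwrites A-KID#1/K_AKMA#1 with A-KID#2/K_AKMA#2. Returns the
        replaced A-KID, if there was one."""
        old = self.anchor.get(supi)
        self.anchor[supi] = (a_kid, k_akma)
        return old[0] if old else None

    def application_key_get(self, supi, af_id, a_kid, disable_uri=None) -> bytes:
        """Steps 501-509 (simplified): serve K_AF for the A-KID currently
        held, and remember which A-KID this AF is using."""
        cur_a_kid, k_akma = self.anchor.get(supi, (None, b""))
        if cur_a_kid != a_kid:
            raise KeyError("A-KID not current for this SUPI")
        self.af_bindings[(supi, af_id)] = AfBinding(a_kid, disable_uri)
        return derive_k_af(k_akma, af_id)

    def udm_roaming_notification(self, supi: str, serving_plmns) -> List[dict]:
        """Steps 705-707: on Nudm_EventExposure_Notification, if the UE is
        now served by a disallowed network and the AF gave a URI, build the
        Naanf_AKMA_ServiceDisableNotification. It carries the A-KID the AF
        actually holds (A-KID#1), not the newly registered A-KID#2."""
        if not set(serving_plmns) & self.disallowed_plmns:
            return []
        return [{"uri": b.disable_uri, "a_kid": b.a_kid}
                for (s, _af), b in self.af_bindings.items()
                if s == supi and b.disable_uri]


class Af:
    """Application Function model with the mapping of steps 605/606:
    context identifier -> A-KID -> AKMA service."""

    def __init__(self, af_id: str, disable_uri: str):
        self.af_id, self.disable_uri = af_id, disable_uri
        self.by_context: Dict[str, Tuple[str, bytes]] = {}   # ctx -> (a_kid, k_af)
        self.by_a_kid: Dict[str, set] = {}                    # a_kid -> {ctx, ...}

    def open_service(self, aanf: Aanf, supi: str, a_kid: str, ctx: str) -> bytes:
        k_af = aanf.application_key_get(supi, self.af_id, a_kid, self.disable_uri)
        self.by_context[ctx] = (a_kid, k_af)
        self.by_a_kid.setdefault(a_kid, set()).add(ctx)
        return k_af

    def service_disable_notification(self, notice: dict) -> List[str]:
        """Steps 707/708: close every AKMA service bound to the A-KID and
        return the closed context identifiers (the response payload)."""
        closed = sorted(self.by_a_kid.pop(notice["a_kid"], set()))
        for ctx in closed:
            del self.by_context[ctx]          # drop session, context, cached data
        return closed


def run_figure7() -> dict:
    """Drive steps 701-708 with constructed identifiers and report the outcome."""
    aanf = Aanf(disallowed_plmns={"PLMN-2"})                        # assumed rule
    af = Af("af.example", "https://af.example/akma/disable")        # assumed URI
    aanf.key_register("supi-1", "A-KID#1", b"k_akma_1")             # step 701
    af.open_service(aanf, "supi-1", "A-KID#1", "ctx-7")             # step 702
    replaced = aanf.key_register("supi-1", "A-KID#2", b"k_akma_2")  # steps 703/704
    notices = aanf.udm_roaming_notification("supi-1", ["PLMN-1", "PLMN-2"])  # 705-707
    closed = [af.service_disable_notification(n) for n in notices]  # steps 707/708
    return {"replaced": replaced, "stored": aanf.anchor["supi-1"][0],
            "notified": [n["a_kid"] for n in notices], "closed": closed,
            "af_contexts_left": len(af.by_context)}


if __name__ == "__main__":
    print(run_figure7())
```

A practical check this model exposes: once A-KID#2 is registered, an AF that retries `application_key_get` with A-KID#1 is refused, so the AF cannot silently keep the old binding alive; it has to go through the shutdown path and re-establish under the new A-KID.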
- Embodiments of this application provide a management method for AKMA services to achieve proper management of AKMA services, thereby improving user experience. It should be understood that this application is proposed for situations involving re-authentication, but is not limited to re-authentication scenarios; for example, the method of this application can also be used in single-registration scenarios.
- The first device can refer to either the AF (Application Function), a component of the AF (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the AF's functions.
- The second device can refer to either the AAnF (AKMA Anchor Function), a component of the AAnF (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the AAnF's functions.
- The third device can refer to either the UE (User Equipment), a component of the UE (e.g., a communication module, processor, circuit, chip, or chip system), or a logic module or software capable of implementing all or part of the UE's functions.
- AF, AAnF, and UE are used as examples of the first device, second device, and third device, respectively.
- AF, AAnF, and UE appearing anywhere thereafter can be replaced with the first device, second device, and third device, respectively. This will be consistently stated here and will not be repeated elsewhere.
- Figure 8(a) is a flowchart illustrating an AKMA service management method provided in an embodiment of this application.
- At least one session has been established between the UE and the AF, such as a first session and a second session.
- Each of these sessions carries one or more application sessions, i.e., application layer sessions used to transmit AKMA services between the UE and the AF.
- the first session carries application session #1 between the UE and the AF, and application session #1 transmits the first AKMA service between the UE and the AF.
- the first session is used to transmit the first AKMA service, that is, the first session is used to transmit the user plane data of the first AKMA service.
- the second session carries application session #2 between the UE and the AF, and application session #2 transmits the second AKMA service between the UE and the AF.
- the second session is used to transmit the second AKMA service, that is, the second session is used to transmit the user plane data of the second AKMA service.
- The at least one session can be a PDU session or another type of session; this application embodiment does not limit this.
- Each session is transmitted through a network (e.g., a network connected via 3GPP access or a network connected via non-3GPP access).
- For example, in a single registration scenario, the at least one session of the UE is transmitted in the same network.
- In a dual registration scenario, if the UE registers to two networks (e.g., one connected via 3GPP access and the other via non-3GPP access), then different sessions may be transmitted in different networks.
- Different sessions can also be transmitted in the same network; this application does not limit this.
- the method includes the following steps:
- step 801a AAnF sends an AKMA service shutdown notification message to AF.
- AF receives the AKMA service shutdown notification message.
- The AKMA service shutdown notification message includes information about the first network (e.g., PLMN ID#1) and is used to indicate that the AKMA service is shut down on the first network. For example, if the AAnF determines that the UE cannot use the AKMA service on the first network, it sends the AKMA service shutdown notification message to the AF.
- That is, the meaning of the AKMA service shutdown notification message including information about the first network is that the UE cannot use the AKMA service on the first network.
- For example, the UE registers with both a first network and a second network.
- In this case, the meaning of the AKMA service shutdown notification message including information about the first network can be: the UE cannot use the AKMA service on the first network, but the UE can use the AKMA service on the second network.
- Alternatively, the AKMA service shutdown notification message sent by the AAnF to the AF carries information about both the first and second networks (e.g., PLMN ID#1 and PLMN ID#2), or it carries no network information.
- If the AKMA service shutdown notification message carries information about the first and second networks, it explicitly indicates the shutdown of the AKMA service on both the first and second networks.
- If the AKMA service shutdown notification message carries no network information, it implicitly indicates the shutdown of the AKMA service on both the first and second networks.
- Step 802a AF obtains the current network information corresponding to the UE's first session.
- the information of the current network corresponding to the first session can be the PLMN ID, such as PLMN ID#1 or PLMN ID#2, etc.
- step 802a may specifically involve: the AF sending a first subscription request message to the SMF, which is used to subscribe to network changes corresponding to the first session. Then, the SMF may send a notification message to the AF, and the AF determines the current network information corresponding to the first session based on the notification message.
- the first session is used to transmit the first AKMA service between the UE and the AF.
- an application session is established between the UE and the AF, which is used to transmit the first AKMA service between the UE and the AF.
- This application session is carried on the first session, which may be, for example, a PDU session.
- the first AKMA service is part or all of the AKMA service within the application session.
- the first subscription request message may include one or more of the following: information about the first session, the UE's identifier, or a first event identifier.
- the information about the first session may include, for example, the identifier of the first session and/or its IP address.
- the UE's identifier may be SUPI or GPSI, etc.
- the first event identifier is used to indicate network change events; for example, the first event identifier may specifically be a PLMN change event ID.
- Optionally, after obtaining the information of the first session, the AF sends the first subscription request message to the SMF. That is, after obtaining the information of the first session, the AF actively subscribes to the network changes corresponding to the first session from the SMF.
- Alternatively, the application key response message in step 508 also carries an indication message.
- This indication message indicates whether the application key (i.e., K_AF) is applicable to any network.
- After receiving the indication message, the AF sends the first subscription request message to the SMF.
- In this case, step 802a can be performed before step 801a.
- When the AF receives the indication message, it indicates that in the UE dual-registration scenario, the application key can be used in one network registered by the UE but not in the other. That is, the UE can use AKMA services in one network but cannot use AKMA services in the other. Therefore, the AF needs to know which network corresponds to the first session used to transmit AKMA services between the UE and the AF. In order to know which network corresponds to the first session, the AF sends the first subscription request message to the SMF.
- The SMF sends a response message to the AF, which may be referred to as a second notification message.
- This second notification message carries information about a second network, indicating that the network corresponding to the first session is the second network.
- the AF determines that the current network corresponding to the first session is the second network based on this second notification message.
- the second notification message may also include one or more of the following: information about the first session, the UE's identifier, or a first event identifier.
- After sending the second notification message, if the network corresponding to the first session subsequently changes, for example from the second network to the first network, the SMF notifies the AF of the network change. For instance, the SMF sends a first notification message to the AF carrying information about the first network, indicating that the network corresponding to the first session has changed to the first network.
- the first notification message may also include one or more of the following: information about the first session, the UE's identifier, or a first event identifier.
- the AF can obtain information about the current network corresponding to the UE's first session.
- the AF can also determine the current network information corresponding to the first session through other means, such as the UE actively sending the current network information corresponding to the first session to the AF, or the AF requesting the current network information corresponding to the first session from the UE, and so on.
- This application does not limit the method by which the AF obtains the current network information corresponding to the first session.
- This application does not limit the order of steps 801a and 802a.
- Step 803a The AF determines whether to close the first AKMA service based on the AKMA service shutdown notification message and the information of the current network corresponding to the first session.
- This application embodiment is illustrated by taking the current network corresponding to the first session as either the first network or the second network.
- The first network and the second network are different.
- For example, the first network is a network that the UE connects to via 3GPP access and the second network is a network that the UE connects to via a non-3GPP access method; or the first network is a network that the UE connects to via a non-3GPP access method and the second network is a network that the UE connects to via 3GPP access.
- Scenario 1: The UE cannot use the AKMA service on the first network, but can use the AKMA service on the second network.
- When the AKMA service shutdown notification message carries information about the first network, it indicates that the UE cannot use the AKMA service on the first network, but can use the AKMA service on the second network.
- Case 1: The current network corresponding to the first session is the second network. In this case the AF does not disable the first AKMA service. Specifically, the first AKMA service carried by the first session is transmitted in the second network, and the UE can use the AKMA service in the second network, so the AF does not disable the first AKMA service between the UE and the AF. This case is shown in Figure 9(a). Further, if a second session exists and the current network corresponding to the second session is the first network, the AF disables the second AKMA service.
- This second session carries the application session between the UE and the AF that is used to transmit the second AKMA service.
- This case is shown in Figure 9(b).
- That is, the AF does not disable the first AKMA service but disables the second AKMA service.
- Case 2: The current network corresponding to the first session is the first network. In this case the AF disables the first AKMA service. Specifically, the first AKMA service carried by the first session is transmitted in the first network, and since the UE cannot use AKMA services in the first network, the AF disables the first AKMA service between the UE and the AF. This case is shown in Figure 9(c). Furthermore, if a second session exists and the current network corresponding to the second session is the second network, the AF does not disable the second AKMA service.
- This second session carries the application session between the UE and the AF that is used to transmit the second AKMA service.
- This case is shown in Figure 9(d).
- That is, the AF disables the first AKMA service but not the second AKMA service.
- Scenario 2: The UE cannot use AKMA services in either the first network or the second network.
- If the AKMA service shutdown notification message carries information about both the first network and the second network, or if it carries no network information, it indicates that the UE cannot use the AKMA service in either the first network or the second network.
- In this case the AF shuts down the first AKMA service. Specifically, since the UE cannot use the AKMA service in either network, the first AKMA service carried by the first session cannot continue regardless of whether the current network corresponding to the first session is the first network or the second network, so the AF shuts down the first AKMA service. Similarly, if a second session exists, the AF shuts down the second AKMA service regardless of whether the current network corresponding to the second session is the first network or the second network, where the second session is used to transmit the second AKMA service between the UE and the AF.
- Closing an AKMA service (such as the first AKMA service or the second AKMA service) can specifically be one or more of the following operations: deleting the connection, link or session related to the AKMA service; deleting the context related to the AKMA service; deleting cached data or signaling related to the AKMA service; or sending a connection, link or session release message to the UE to disconnect the connection, link or session with the UE.
- the AF can obtain information about networks where the UE is not allowed to conduct AKMA services, as well as information about the current network corresponding to the session used to carry the AKMA service between the UE and the AF. This allows for accurate determination of whether AKMA services can be conducted between the UE and the AF, and a decision on whether to disable the AKMA service. This achieves network-level management of AKMA services, contributing to improved user experience. Compared to a scheme that always disables AKMA services on all networks registered to the UE if it is not allowed to conduct AKMA services on a certain network, this application can achieve network-level AKMA service disabling, minimizing AKMA service interruptions.
- Figure 8(b) is a flowchart illustrating an AKMA service management method provided in an embodiment of this application. The method includes the following steps:
- step 801b the UE sends an application session establishment request message to the AF.
- the AF receives the application session establishment request message.
- The application session establishment request message requests the establishment of an application session for transmitting a third AKMA service between the UE and the AF.
- This application session is carried on the UE's third session.
- The third session is used to transmit the user plane traffic of the third AKMA service.
- For example, the UE has already established a third session (e.g., a PDU session), and then sends this application session establishment request message to the AF to request the establishment of an application session, carried on this third session, for transmitting AKMA services between the UE and the AF.
- Step 802b AF obtains information about the current network corresponding to the third session.
- step 802b may specifically involve the AF sending a second subscription request message to the SMF, which is used to subscribe to network changes corresponding to the third session.
- the SMF can then send a notification message to the AF, which determines the current network information corresponding to the third session based on the notification message.
- the second subscription request message may include one or more of the following: information about the third session, the UE's identifier, or a second event identifier.
- the information about the third session may include, for example, the identifier of the third session and/or its IP address.
- the UE's identifier may be SUPI or GPSI, etc.
- the second event identifier is used to indicate network change events; for example, the second event identifier may specifically be a PLMN change event ID.
- The SMF sends a response message to the AF, which may be referred to as a third notification message.
- This third notification message carries information about the current network corresponding to the third session.
- the AF determines the information about the current network corresponding to the third session based on this third notification message.
- If the network corresponding to the third session subsequently changes, the SMF notifies the AF that the current network corresponding to the third session has changed. For example, the SMF sends another third notification message to the AF, indicating that the current network corresponding to the third session has changed and carrying information about the new network corresponding to the third session.
- the third notification message also includes one or more of the following: information about the third session, the UE's identifier, or a second event identifier.
- the AF can obtain information about the current network corresponding to the UE's third session.
- the AF can also determine the current network information corresponding to the third session in other ways, such as the UE actively sending the current network information corresponding to the third session to the AF, or the AF requesting the current network information corresponding to the third session from the UE, and so on.
- This application does not limit the method by which the AF obtains the current network information corresponding to the third session.
- Step 803b: The AF determines whether to allow the establishment of the application session based on the information of the current network corresponding to the third session.
- Case 1: If the current network corresponding to the third session is the first network, the application session establishment request message is rejected.
- Here the first network is a network where the UE cannot use AKMA services.
- The application session requested by the UE is carried on the third session, and the current network corresponding to the third session is the first network, where the UE cannot use AKMA services. Therefore, the AF determines that the establishment of this application session is not allowed and rejects it, thus enabling correct management of AKMA services.
- Case 2: If the current network corresponding to the third session is the second network, the establishment of the application session is allowed, i.e., the application session establishment request message is accepted.
- Here the second network is a network where the UE can use AKMA services.
- The application session requested by the UE is carried on the third session, and the current network corresponding to this third session is the second network, where the UE can use AKMA services. Therefore, the AF determines that the establishment of the application session is allowed, thus enabling correct management of AKMA services.
- For example, the AF has received an AKMA service shutdown notification message.
- This AKMA service shutdown notification message includes information about the first network but does not include information about the second network.
- This message indicates that the UE cannot use the AKMA service in the first network. Therefore, the AF determines that the UE cannot use the AKMA service in the first network but can use it in the second network.
- the AF can determine, through other methods, that the UE cannot use AKMA services on the first network but can use them on the second network.
- For example, the AMF, SMF, or UDM can send an indication message to the AF indicating the networks the UE is registered to and which of those registered networks allow the UE to use AKMA services.
- the AF determines whether to allow the establishment of the application session based on the information of the current network corresponding to the third session carrying the application session, and on which networks the UE can use AKMA services. This achieves network-level management of AKMA services and helps improve the user experience.
- The embodiment of Figure 8(b) may be executed after the embodiment of Figure 8(a).
- For example, suppose that the third session in the embodiment of Figure 8(b) and the first session in the embodiment of Figure 8(a) are the same session, hereinafter collectively referred to as the first session.
- Case 1: The current network corresponding to the first session is the first network.
- The first network is a network where the UE cannot use AKMA services, so in step 803a the AF shuts down the first AKMA service.
- After step 803a, the UE executes step 801b, that is, the UE sends an application session establishment request message to the AF, requesting the establishment of an application session for transmitting the third AKMA service between the UE and the AF, where the application session is carried on the UE's first session.
- The network information corresponding to the first session obtained by the AF in step 802b is the information of the first network.
- The AF determines that the establishment of the application session is not allowed based on the network information corresponding to the first session (i.e., the information of the first network).
- This is because the first network is a network where the UE cannot use AKMA services, the application session requested by the UE in step 801b is carried on the first session, and the network corresponding to the first session is the first network. Therefore, the AF does not allow the establishment of this application session in step 803b.
- Case 2: The current network corresponding to the first session is the second network.
- The second network is a network where the UE can use AKMA services, so in step 803a the AF does not close the first AKMA service.
- The UE then executes step 801b, that is, the UE sends an application session establishment request message to the AF.
- This application session establishment request message requests the establishment of an application session for transmitting the third AKMA service between the UE and the AF, and this application session is carried on the UE's first session.
- The network information corresponding to the first session obtained by the AF in step 802b is the information of the second network.
- The AF determines that the establishment of the application session is allowed based on the network information corresponding to the first session (i.e., the information of the second network). This is because the second network is a network where the UE can use AKMA services, and the application session requested by the UE in step 801b is carried on the first session, which corresponds to the second network.
- Therefore, in step 803b the AF allows the establishment of the application session. Furthermore, if the third session in the embodiment of Figure 8(b) is the same session as the second session in the embodiment of Figure 8(a), a similar implementation applies, which will not be elaborated further.
- Figure 8(c) is a flowchart illustrating an AKMA service management method provided in an embodiment of this application. The method includes the following steps:
- step 801c the UE sends an application session establishment request message to the AF.
- the AF receives the application session establishment request message.
- the application session establishment request message requests the establishment of an application session for transmitting AKMA services between the UE and the AF.
- step 802c the AF sends an application session establishment response message to the UE.
- the UE receives the application session establishment response message.
- the application session establishment response message indicates that the application session was successfully established.
- After the application session is established, the UE and the AF can perform AKMA services. For example, in a single registration scenario, the AKMA service is transmitted through the registered network; in a dual registration scenario, the AKMA service is transmitted through either the first or the second network.
- Then step 803c is executed.
- step 803c AAnF sends an AKMA service shutdown notification message to the UE.
- the UE receives the AKMA service shutdown notification message.
- the AKMA service shutdown notification message includes information about a first network. This message is used to notify the UE that the AKMA service cannot be used on the first network. Based on this method, the AKMA service shutdown notification message carries information about the networks where the UE is registered and therefore cannot use the AKMA service. For example, if the UE is registered to both a first and a second network, and the UE cannot use the AKMA service on the first network but can use it on the second network, then the AKMA service shutdown notification message includes information about the first network.
- the AKMA service shutdown notification message includes roaming policy information.
- This roaming policy information includes information about networks where the UE cannot use the AKMA service, including information about the first network.
- the AKMA service shutdown notification message carries information about networks where the UE cannot use the AKMA service, not just information about networks where the UE is registered. For example, if the UE is registered to a first network and a second network, and the UE cannot use the AKMA service in either the first or third network, but can use it in the second network, then the AKMA service shutdown notification message carries roaming policy information, including information about the first and third networks.
- Based on this roaming policy information and the information about the networks the UE is registered to (i.e., the first and second networks), the UE determines that it cannot use the AKMA service in the currently registered first network but can use it in the currently registered second network. Since the UE is not currently registered to the third network, the information about the third network can be ignored.
- Step 803c can also be executed before step 802c, for example directly after step 801c; that is, the order of step 803c relative to steps 801c and 802c is not limited.
- Alternatively, the roaming policy information can be configured on the UE.
- In this case, the AKMA service shutdown notification message need not carry information about the first network or the roaming policy information.
- The UE can obtain the roaming policy information locally and determine, based on it, that the UE cannot use the AKMA service in the registered first network but can use the AKMA service in the registered second network.
- Step 804c The UE determines whether to release the application session based on the AKMA service shutdown notification message and the network information corresponding to the application session.
- When the network corresponding to the aforementioned application session is the first network, the UE releases the application session. Since the UE cannot use AKMA services on the first network, and the network corresponding to the application session used to transmit AKMA services is the first network, the UE determines that it needs to release the application session. For example, the UE sends an application session release request to the AF to trigger the application session release procedure.
- When the network corresponding to the application session is the second network, the UE determines not to release the application session. Since the UE cannot use AKMA services on the first network but can use them on the second network, and the network corresponding to the application session used to transmit AKMA services is the second network, the UE determines not to release the application session.
- the UE can obtain information about networks where AKMA services are not permitted, as well as information about the networks corresponding to the application sessions used to carry AKMA services between the UE and the AF. This allows for accurate determination of whether AKMA services can be conducted between the UE and the AF, and a decision on whether to release the application session. This achieves network-level management of AKMA services, contributing to improved user experience. Compared to a scheme that permanently disables AKMA services for a UE across all networks if it is not permitted on a particular network, this application enables network-level AKMA service shutdown, minimizing AKMA service interruptions.
- The embodiments of Figures 8(a) to 8(c) above will be described below with reference to specific examples.
- the embodiment in Figure 10 below is a specific example combining the embodiments of Figure 8(a) and Figure 8(b).
- the embodiment in Figure 11 below is a specific example of the embodiment in Figure 8(c).
- Network #1 and Network #2 in the embodiments of Figures 10 and 11 below are specific examples of the second network and the first network in the aforementioned embodiments, respectively.
- FIG. 10 is a flowchart illustrating an AKMA service management method provided in an embodiment of this application. The method includes the following steps:
- Step 1001 Master authentication process and K_AKMA generation process.
- The specific implementation process of step 1001 is shown in steps 401 to 405 of the embodiment in Figure 4.
- The K_AKMA and A-KID generated by AUSF are referred to as K_AKMA#1 and A-KID#1, respectively.
- Step 1002 Application session establishment process between UE and AF.
- The specific implementation process of step 1002 is shown in steps 501 to 509 of the embodiment in Figure 5.
- The UE and AAnF determine the same K_AF and K_AF validity period based on K_AKMA, and AAnF sends the K_AF and its validity period to the AF. Subsequently, the UE and AF can use the K_AF to protect the content transmitted between them.
- the UE completes registration and establishes a PDU session, which is used to transmit user plane data (e.g., AKMA service) between the UE and the AF.
- the AF can obtain the UE's IP address and UEID (e.g., GPSI).
- the SMF provides the UE's IP address and UEID (e.g., GPSI) to the AF.
- this PDU session will be referred to as the first PDU session.
- the first PDU session is a specific example of the first session in the aforementioned embodiment of Figure 8(a).
- Step 1003 AF sends a subscription request message to SMF.
- SMF receives the subscription request message.
- the subscription request message includes at least one of the following: UE ID, PLMN change event ID, or information from the first PDU session. This subscription request message is used to subscribe to changes in the PLMN identifier corresponding to the first PDU session.
- the UE ID can be SUPI or GPSI, etc.
- the UE ID is used to identify the UE.
- the PLMN change event ID is used to identify that the requested event is a PLMN change event.
- Information from a PDU session can include an IP address, and this information is used to identify the session.
- the subscription request can be an Nsmf_EventExposure message.
- In step 1003, the AF can send the subscription request to the SMF through the interface between the AF and the SMF.
- Alternatively, in step 1003, the AF can send the subscription request to the NEF through the interface between the AF and the NEF, and the NEF then sends the subscription request to the SMF through the interface between the NEF and the SMF; that is, the subscription request is relayed through the NEF.
- step 1003 can occur before step 1002. Specifically, step 1003 is executed after the PDU session is established and before the UE sends the application session establishment request message. Alternatively, step 1003 can occur within step 1002, for example, after the AF receives the application session establishment request message. Or, step 1003 can occur after step 1002, for example, after the AF sends the application session establishment response message to the UE.
- the SMF sends a subscription response message to the AF, which carries the identifier of the PLMN corresponding to the first PDU session.
- this PLMN is referred to as network #1.
- the identifier of the PLMN corresponding to the first PDU session is called the information of network #1.
- Step 1004 The UE and the core network perform primary authentication again, and the AUSF sends a key registration request message to the AAnF.
- the AAnF receives this key registration request message.
- the key registration request message includes SUPI, A-KID#2, and K_AKMA#2.
- A-KID#2 and K_AKMA#2 are generated by AUSF, and the UE also generates the same A-KID#2 and K_AKMA#2.
- the key registration request message can be a Naanf_AKMA_Key_Register Request message.
- the UE registers to network #1 through a first access method (such as 3GPP access) and also registers to network #2 through a second access method (such as non-3GPP access), i.e., the UE performs dual registration.
- Alternatively, the first access method can be non-3GPP access and the second access method can be 3GPP access.
- Step 1005 AAnF sends a key registration response message to AUSF.
- AUSF receives the key registration response message.
- the key registration response message can be a Naanf_AKMA_AnchorKey_RegisterResponse message.
- After AUSF sends A-KID#2 and K_AKMA#2 to AAnF, AAnF saves A-KID#2 and K_AKMA#2.
- Step 1006 UDM sends a notification message to AAnF. AAnF then receives this notification message.
- the notification message carries the UE ID and roaming status information, where the UE ID can be SUPI or SUCI, etc.
- roaming status information includes information about network #1 and network #2.
- Network #1 can be the identifier of a PLMN, and network #2 can be the identifier of another PLMN.
- the notification information could be a Nudm_EventExposure_Notification message.
- Step 1006 is the UDM responding to the AAnF's subscription by sending a notification message to the AAnF. Specifically, in the aforementioned step 1002, the AAnF sends a subscription request message to the UDM for subscribing to the UE's roaming status information, as detailed in step 505 of the aforementioned embodiment in Figure 5.
- Step 1007 AAnF determines that the UE cannot use AKMA services in network #2.
- the AAnF locally pre-configures a list of allowed networks and/or a list of disallowed networks for the UE.
- the list of allowed networks contains networks where the UE is permitted to use AKMA services while roaming; that is, if the UE's roaming network is included in the list of allowed networks, the UE is permitted to use AKMA services on that roaming network.
- the list of disallowed networks contains networks where the UE is not permitted to use AKMA services while roaming; that is, if the UE's roaming network is included in the list of disallowed networks, the UE is not permitted to use AKMA services on that roaming network.
- the AAnF can determine whether the UE can use AKMA services on network #2. For example, if network #2 is included in the list of allowed networks, the AAnF determines that the UE can use AKMA services. Conversely, if network #2 is included in the list of disallowed networks, the AAnF determines that the UE cannot use AKMA services.
- AAnF can first determine whether network #2 is the UE's HPLMN. If network #2 is an HPLMN, then it is determined that the UE can use AKMA services on network #2. If network #2 is not an HPLMN, then AAnF further determines whether the UE can use AKMA services on network #2.
- Step 1008 AAnF sends an AKMA service shutdown notification message to AF.
- AF receives the AKMA service shutdown notification message.
- the AKMA service shutdown notification message carries information or indication information about network #2. This indication information is used to indicate that the UE cannot use AKMA services in the newly registered network (i.e., network #2). This AKMA service shutdown notification message is used to indicate the shutdown of AKMA services between the UE and AF in network #2.
- Alternatively, the AKMA service shutdown notification message carries information about both network #1 and network #2, or it does not carry such information.
- In that case, the AKMA service shutdown notification message is used to indicate the shutdown of AKMA service between the UE and AF in both network #1 and network #2.
- If the AKMA service shutdown notification message carries information about both network #1 and network #2, it explicitly indicates the shutdown of AKMA service between the UE and AF in both network #1 and network #2.
- If the AKMA service shutdown notification message does not carry information about network #1 or network #2, it implicitly indicates the shutdown of AKMA service between the UE and AF in both network #1 and network #2.
- the AKMA service shutdown notification message may also carry first information, which may include one or more of the following:
- the UE's second identifier is different from its first identifier.
- For example, the UE's first identifier is SUPI and its second identifier is GPSI; or the UE's first identifier is GPSI and its second identifier is SUPI.
- the AAnF stores the correspondence between the UE's first identifier and its second identifier.
- Context ID is used to indicate the context of the connection between AAnF and AF. This context ID can be generated by AAnF.
- AAnF also locally stores information about the networks in which the UE is not allowed to use AKMA services. For example, it stores information about network #2, or it stores information about both network #1 and network #2.
- the AKMA service shutdown notification message can be a Naanf_AKMA_ServiceDisableNotification message.
- Step 1009 optionally, the SMF sends a notification message to the AF.
- the AF receives the notification message.
- This notification message includes information about network #2 and is used to notify the AF that the network corresponding to the first PDU session has changed to network #2.
- the notification message in step 1009 is sent in response to the subscription request in step 1003.
- the notification message could be an Nsmf_Event_Exposure_Notification message.
- Step 1010 AF determines whether to disable the UE's AKMA service.
- If step 1008 carries information about network #2 and step 1009 is not executed, this indicates that the UE can perform AKMA services on network #1 but not on network #2, and that the network corresponding to the first PDU session is network #1. The AF therefore determines that the UE can continue to perform AKMA services, so it is not necessary to disable the UE's AKMA services. That is, although the UE cannot use AKMA services on network #2, the UE is actually performing AKMA services on network #1, where it is permitted to do so.
- If step 1008 carries information about network #2 and step 1009 has been executed, this indicates that the UE can perform AKMA services on network #1 but not on network #2, and that the network corresponding to the first PDU session has changed to network #2. The AF therefore determines that the UE cannot continue performing AKMA services and needs to disable the UE's AKMA service. That is, the first PDU session used to transmit AKMA services between the UE and the AF has migrated to network #2, and since the UE cannot use AKMA services on network #2, the UE's AKMA service needs to be disabled.
- If step 1008 carries information about network #1 and network #2, or does not carry information about network #1 or network #2, this indicates that the UE cannot perform AKMA service in either network #1 or network #2. In this case, regardless of whether step 1009 has been executed, the AF shuts down the UE's AKMA service.
- When it is necessary to disable the UE's AKMA service and the first information is carried in step 1008, the AF can identify the UE's AKMA service based on the first information and disable it.
- For the specific implementation of disabling the corresponding AKMA service based on the first information, refer to the relevant description of step 605 in the embodiment of Figure 6, which is not repeated here.
- the above method enables accurate shutdown of the UE's AKMA service, avoiding service interruption caused by erroneous shutdown of the UE's AKMA service and improving user experience.
- steps 1011 to 1014 may be performed after step 1010.
- the solution constituted by steps 1011 to 1014 can be implemented in combination with the solution constituted by steps 1001 to 1013, or they can be implemented as separate embodiments. That is, the solution constituted by steps 1011 to 1014 and the solution constituted by steps 1001 to 1013 may not be executed in the same process and are not coupled to each other.
- Step 1011 The UE sends an application session establishment request message to the AF. Accordingly, the AF receives the application session establishment request message.
- the application session establishment request message includes A-KID#1, A-KID#2, or other A-KIDs, which are used by AF to find the corresponding AKMA key.
- the UE completes the establishment of a second PDU session, which is used to transmit user plane data (e.g., AKMA service) between the UE and the AF.
- the AF can obtain the UE's IP address and UEID (e.g., GPSI).
- the second PDU session here is a specific example of the third session in the aforementioned embodiment of Figure 8(b).
- Step 1012 The AF sends a subscription request message to the SMF.
- the SMF receives the subscription request message.
- the subscription request message includes at least one of the following: UE ID, PLMN change event ID, or information from the second PDU session. This subscription request message is used to subscribe to changes in the PLMN identifier corresponding to the second PDU session.
- the UE ID can be SUPI or GPSI, etc.
- the UE ID is used to identify the UE.
- the PLMN change event ID is used to identify that the requested event is a PLMN change event.
- Information from a PDU session can include an IP address, and this information is used to identify the session.
- the subscription request can be an Nsmf_EventExposure message.
- In step 1012, the AF can send the subscription request to the SMF through the interface between the AF and the SMF.
- Alternatively, the AF can send the subscription request to the NEF through the interface between the AF and the NEF, and the NEF then sends the subscription request to the SMF through the interface between the NEF and the SMF; that is, the subscription request is relayed through the NEF.
- Step 1013 The SMF sends a subscription response message to the AF.
- the AF receives the subscription response message.
- the subscription response message carries information about the network corresponding to the second PDU session.
- This network information can be network #1, network #2, or information from other networks.
- Step 1014 AF determines whether to allow the establishment of an application session.
- When the network corresponding to the second PDU session is network #2, the AF does not allow the establishment of an application session; that is, it rejects the application session establishment request message.
- If step 1008 carries information about network #2 and step 1009 is not executed, this indicates that the UE can perform AKMA services in network #1. Therefore, the AF allows the establishment of an application session; that is, it accepts the application session establishment request message.
- If step 1008 carries information about network #1 and network #2 (or step 1008 does not carry information about network #1 or network #2), the AF does not allow the establishment of an application session; that is, it rejects the application session establishment request message.
- AAnF sends information about the networks that do not allow AKMA services to the AF, enabling the AF to accurately determine which network or networks the UE cannot use for AKMA services. This allows the AF to accurately shut down the AKMA services of the UE in the corresponding networks, rather than shutting down the AKMA services of the UE in all registered networks. This reduces AKMA service interruptions and helps improve the user experience.
- steps 1001-1002, 1004-1006, and 1009 can all be optional steps to achieve the purpose of this invention.
- FIG. 11 is a flowchart illustrating an AKMA service management method provided in an embodiment of this application. The method includes the following steps:
- Steps 1101 to 1102 are the same as steps 1001 to 1002 in the embodiment of Figure 10.
- the UE completes registration and establishes a PDU session, which is used to transmit user plane data (e.g., AKMA service) between the UE and the AF.
- the AF can obtain the UE's IP address and UEID (e.g., GPSI).
- the SMF provides the UE's IP address and UEID (e.g., GPSI) to the AF.
- this PDU session will be referred to as the first PDU session.
- Steps 1103 to 1106 are the same as steps 1004 to 1007 in the embodiment of Figure 10.
- Step 1107 AAnF sends an AKMA service shutdown notification message to the UE.
- the UE receives the AKMA service shutdown notification message.
- AAnF can send the AKMA service shutdown notification message to AMF, and then AMF can forward the AKMA service shutdown notification message to UE.
- AMF can send the AKMA service shutdown notification message to UE in a downlink NAS message (DL NAS message).
- the AKMA service shutdown notification message can be a Naanf_AKMA_ServiceDisableNotification message.
- the AKMA service shutdown notification message carries information about the networks in which the UE is registered and which do not allow the UE to use the AKMA service, or it carries roaming policy information.
- the roaming policy information includes information on networks that the UE is not allowed to use AKMA services. These networks can include both networks the UE has registered with and networks the UE has not registered with.
- For example, the UE is registered to both network #1 and network #2, and the networks that disallow the UE to use AKMA services include network #2 and a third network.
- the AKMA service shutdown notification message carries information about network #2. Based on this message, the UE determines that AKMA services can be used on network #1 but not on network #2.
- the AKMA service shutdown notification message carries roaming policy information, which includes network #2 and a third network. Based on this policy information and the network information the UE is registered with, the UE determines that AKMA services can be used on network #1 but not on network #2.
- the roaming policy information mentioned above can also be pre-configured on the UE, or sent to the UE by AAnF in a step before step 1107. In this case, the roaming policy information does not need to be carried in step 1107.
- The triggering timing for AAnF to execute step 1107 may include, but is not limited to, one or more of the following:
- the roaming strategy information carried in step 1105 includes information about network #1 and network #2.
- The AKMA service shutdown notification message in step 1107 can also be replaced with another message, such as an AKMA service shutdown message, a shutdown message, an instruction message, a notification message or some other message. This application does not limit this.
- Step 1108 The UE determines whether to disable the UE's AKMA service.
- If the UE is registered with both network #1 and network #2, determines from the AKMA service shutdown notification message that AKMA service can be used in network #1 but not in network #2, and the first PDU session corresponds to network #1 (i.e., transmission is through network #1), then it is determined that the UE's AKMA service does not need to be shut down.
- If the UE is registered with both network #1 and network #2, determines from the AKMA service shutdown notification message that AKMA service can be used in network #1 but not in network #2, and the first PDU session corresponds to network #2 (i.e., transmission is through network #2), then it is determined that the UE's AKMA service needs to be shut down. For instance, the UE can initiate an application session release procedure to the AF.
- AAnF sends roaming policy information, or information about the networks among those the UE is registered with that do not allow the UE to use AKMA services. This allows the UE to accurately determine which network or networks it cannot use AKMA services in, and thus to accurately shut down its AKMA services in the corresponding networks, rather than shutting down its AKMA services in all the networks it is registered with. This reduces AKMA service interruptions and helps improve the user experience.
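The decision logic of FIGS. 10 and 11, as an added example in Python rather than code from the application: AAnF's step-1007 check against its local allowed/disallowed lists and the HPLMN, the step-1008 shutdown notification (generalised to carry every registered network where AKMA is not permitted), the AF's step-1010 and step-1014 decisions, and the UE's step-1108 decision, which intersects roaming policy information with the networks it is registered in. The PLMN names, the fail-closed rule for a network on neither list, and the implicit "all registered networks" reading of a message that carries no network information are assumptions.

```python
"""AKMA service management decisions of FIG. 10 (AAnF/AF) and FIG. 11 (UE).

Added example; network names and list contents are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PlmnSet = frozenset[str]


@dataclass(frozen=True)
class AkmaRoamingPolicy:
    """AAnF-local configuration for one UE (step 1007): HPLMN plus the
    list of allowed and/or disallowed roaming networks."""
    hplmn: str
    allowed: PlmnSet = frozenset()
    disallowed: PlmnSet = frozenset()


def aanf_can_use_akma(policy: AkmaRoamingPolicy, plmn: str) -> bool:
    """Step 1007: the HPLMN is always permitted; otherwise consult the lists."""
    if plmn == policy.hplmn:
        return True
    if plmn in policy.disallowed:
        return False
    if plmn in policy.allowed:
        return True
    # Assumption: a roaming network on neither list is treated as not permitted.
    return False


@dataclass(frozen=True)
class ShutdownNotification:
    """AKMA service shutdown notification (step 1008 / step 1107).

    `networks`       PLMN IDs carried in the message; empty means the implicit
                     form "shutdown in all registered networks".
    `roaming_policy` FIG. 11 variant: networks where AKMA is not permitted,
                     possibly including networks the UE is not registered in.
    """
    networks: PlmnSet = frozenset()
    roaming_policy: Optional[PlmnSet] = None


def aanf_build_shutdown_notification(policy: AkmaRoamingPolicy,
                                     registered: PlmnSet) -> Optional[ShutdownNotification]:
    """Step 1008, generalised: carry every registered network in which the UE
    may not use AKMA. Returns None when no shutdown is needed at all."""
    blocked = frozenset(n for n in registered if not aanf_can_use_akma(policy, n))
    if not blocked:
        return None
    return ShutdownNotification(networks=blocked)


def blocked_in_registered(msg: ShutdownNotification, registered: PlmnSet,
                          local_policy: Optional[PlmnSet] = None) -> PlmnSet:
    """Registered networks in which AKMA service must stop, according to `msg`.

    Roaming policy information (from the message or configured locally on the
    UE) may name a "third network" the UE is not registered in; intersecting
    with `registered` ignores it, as step 803c describes.
    """
    if msg.networks:
        return msg.networks & registered
    policy = msg.roaming_policy if msg.roaming_policy is not None else local_policy
    if policy is not None:
        return policy & registered
    return registered  # no network information at all: implicit "all registered"


def af_should_disable(msg: ShutdownNotification, registered: PlmnSet,
                      session_plmn: str, plmn_change: Optional[str] = None) -> bool:
    """Step 1010: disable the UE's AKMA service iff the first PDU session now
    runs in a blocked network. `plmn_change` is the network reported by an
    optional step-1009 notification (None if step 1009 was not executed)."""
    current = plmn_change if plmn_change is not None else session_plmn
    return current in blocked_in_registered(msg, registered)


def af_allow_new_session(msg: ShutdownNotification, registered: PlmnSet,
                         second_session_plmn: str) -> bool:
    """Step 1014: accept the application session establishment request only
    if the second PDU session is carried by a network where AKMA is permitted."""
    return second_session_plmn not in blocked_in_registered(msg, registered)


def ue_should_release(msg: ShutdownNotification, registered: PlmnSet,
                      session_plmn: str, local_policy: Optional[PlmnSet] = None) -> bool:
    """Step 1108 / step 804c: release the application session iff it is carried
    by a registered network where AKMA is not permitted."""
    return session_plmn in blocked_in_registered(msg, registered, local_policy)


if __name__ == "__main__":
    # Constructed scenario: dual-registered UE, AKMA allowed in PLMN-1 only.
    policy = AkmaRoamingPolicy(hplmn="PLMN-H", allowed=frozenset({"PLMN-1"}),
                               disallowed=frozenset({"PLMN-2", "PLMN-3"}))
    registered = frozenset({"PLMN-1", "PLMN-2"})
    msg = aanf_build_shutdown_notification(policy, registered)
    print("step 1008 carries:", sorted(msg.networks))
    print("AF disables, session stays on PLMN-1:", af_should_disable(msg, registered, "PLMN-1"))
    print("AF disables, session moved to PLMN-2:", af_should_disable(msg, registered, "PLMN-1", "PLMN-2"))
```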
- FIG. 12 is a flowchart illustrating an AKMA service management method provided in an embodiment of this application. The method includes the following steps:
- Step 1201 The UE sends an application session establishment request message to the AF.
- the AF receives the application session establishment request message.
- the application session establishment request message requests the establishment of an application session for transmitting AKMA services between the UE and the AF.
- This application session is carried on a first session, which can be a PDU session or other types of sessions.
- the application session establishment request message includes the AKMA key identifier (A-KID).
- the UE registers with both a first network and a second network.
- the first network is a network that the UE connects to via 3GPP access
- the second network is a network that the UE connects to via a non-3GPP access method
- the first network is a network that the UE connects to via a non-3GPP access method
- the second network is a network that the UE connects to via 3GPP access.
- Step 1202 The AF sends an application key request message to AAnF.
- AAnF receives the application key request message.
- the application key request message includes an AKMA key identifier (A-KID), which is used to request the application key corresponding to the A-KID.
- the application key request message can be a Naanf_AKMA_ApplicationKey_Get_Request message or a Naanf_AKMA_ApplicationKey_AnonUser_Getservice message.
- Step 1203 AAnF sends an application key response message to the AF based on whether the UE is allowed to use AKMA services in the first and second networks. Accordingly, the AF receives the application key response message.
- the application key response message includes an application key (K_AF), which is used to protect the AKMA service between the UE and the AF.
- AAnF obtains the AKMA key (K_AKMA) corresponding to the A-KID in the application key request message, and then generates the application key based on the K_AKMA.
- the application key request message also includes an AF ID, so AAnF can generate the application key based on the K_AKMA and the AF ID.
- AAnF generates the validity period of the K_AF at the same time as generating the K_AF, so the application key response message may also include the validity period of the K_AF.
- the application key response message is also used to indicate whether the UE is allowed to use AKMA services in the first network and/or the second network.
- the application key response message may also include information about the first network and/or the second network.
- Allowing the UE to use AKMA services in the first network can be understood as allowing the UE to use the aforementioned application key, AKMA key, or AKMA key identifier corresponding to the AKMA service in the first network, or as meaning the application key is effective in the first network.
- Disallowing the UE to use AKMA services in the first network can also be understood as disallowing the UE to use the aforementioned application key, AKMA key, or AKMA key identifier corresponding to the AKMA service in the first network, or as meaning the application key is not effective in the first network.
- Allowing the UE to use AKMA services in the second network can also be understood as allowing the UE to use the aforementioned application key, AKMA key, or AKMA key identifier corresponding to the AKMA service in the second network, or as meaning the application key is effective in the second network.
- Disallowing the UE to use AKMA services in the second network can also be understood as disallowing the UE to use the aforementioned application key, AKMA key, or AKMA key identifier corresponding to the AKMA service in the second network, or as meaning the application key is not effective in the second network.
- AAnF can determine whether the UE is allowed to use AKMA services in the first network and/or the second network based on local configuration information.
- the local configuration information includes information about the UE's allowed and/or disallowed networks.
- the allowed network information includes information about networks that allow the UE to use AKMA services (e.g., one or more PLMN IDs), and the disallowed network information includes information about networks that disallow the UE to use AKMA services (e.g., one or more PLMN IDs).
- the allowed network information includes information about the second network but not the first network
- AAnF determines that the UE is not allowed to use AKMA services in the first network but is allowed to use AKMA services in the second network.
- If the disallowed network information includes information about the first network but not the second network, AAnF determines that the UE is not allowed to use AKMA services in the first network but is allowed to use AKMA services in the second network.
- AAnF uses a whitelist to instruct the AF whether the UE is allowed to use AKMA services in the first network and/or the second network. For example, if the UE is allowed to use AKMA services in a certain network, the network information is included in the application key response message; if the UE is not allowed to use AKMA services in a certain network, the network information is not included in the application key response message.
- the first implementation method is described in three scenarios.
- Scenario 1 If AAnF determines that the UE is not allowed to use AKMA services on the first network but is allowed to use AKMA services on the second network, it sends an application key response message to the AF.
- This application key response message includes an application key and information about the second network. The information about the second network indicates that the UE is allowed to use AKMA services on the second network.
- the information of the second network includes PLMN ID#2 and/or indication information, which indicates that the UE is permitted to use AKMA services in the second network.
- Scenario 2 If AAnF determines that the UE is permitted to use the AKMA service in both the first and second networks, it sends an application key response message to the AF.
- This message includes an application key, as well as information from both the first and second networks. Specifically, the information from the first network indicates that the UE is permitted to use the AKMA service in the first network, and the information from the second network indicates that the UE is permitted to use the AKMA service in the second network.
- the information of the first network includes PLMN ID #1 and/or indication information #1, which indicates that the UE is allowed to use AKMA services in the first network.
- the information of the second network includes PLMN ID#2 and/or indication information#2, which indicates that the UE is allowed to use AKMA services in the second network.
- Scenario 3 If AAnF determines that the UE is not allowed to use AKMA services on the first network and not allowed to use AKMA services on the second network, it sends an application key response message to the AF. This application key response message does not include the application key, nor does it include information about the first network or the second network. This application key response message is used to indicate a rejection of the application key request.
- AAnF uses a blacklist to instruct the AF whether the UE is allowed to use AKMA services in the first network and/or the second network. For example, if the UE is allowed to use AKMA services in a certain network, the application key response message will not carry information about that network; if the UE is not allowed to use AKMA services in a certain network, the application key response message will carry information about that network.
- the second implementation method is described in three scenarios.
- Scenario 1 If AAnF determines that the UE is not allowed to use AKMA services on the first network but is allowed to use AKMA services on the second network, it sends an application key response message to the AF.
- This application key response message includes an application key and information about the first network. The information about the first network indicates that the UE is not allowed to use AKMA services on the first network.
- the information of the first network includes PLMN ID#1 and/or indication information, which indicates that the UE is not allowed to use AKMA services in the first network.
- Scenario 2 If AAnF determines that the UE is allowed to use AKMA services in both the first network and the second network, it sends an application key response message to the AF.
- This application key response message includes the application key but does not include information about the first network or the second network.
- Since the application key response message does not include information about the first network or the second network, it implicitly indicates that the UE is allowed to use the AKMA service in the first network and in the second network, which can also be understood as allowing the UE to use the AKMA service in every network where the UE is registered.
- Scenario 3 If AAnF determines that the UE is not allowed to use AKMA services on the first network and not allowed to use AKMA services on the second network, it sends an application key response message to the AF.
- This application key response message does not include the application key, nor does it include information about the first network or the second network.
- This application key response message is used to indicate a rejection of the application key request.
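The first (whitelist) and second (blacklist) implementation methods of step 1203, as an added example in Python, not code from the application: AAnF encodes per-network permission into the application key response and the AF decodes it, with scenario 3 (rejection without a key) handled under both methods. The PLMN IDs, the key bytes, the validity period and the `method` selector, which the example assumes AAnF and AF have agreed on in advance, are constructed assumptions.

```python
"""Whitelist / blacklist encoding of per-network AKMA permission in the
application key response (FIG. 12, step 1203). Added example; values constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

PlmnSet = frozenset[str]
WHITELIST = "whitelist"   # first implementation method: carry networks where allowed
BLACKLIST = "blacklist"   # second implementation method: carry networks where not allowed


@dataclass(frozen=True)
class AppKeyResponse:
    """Application key response message as seen by the AF."""
    k_af: Optional[bytes]      # None: request rejected (scenario 3), no key returned
    expiry: Optional[int]      # K_AF validity period in seconds; absent on rejection
    networks: PlmnSet          # network information (PLMN IDs) carried in the message


def aanf_build_response(method: str, k_af: bytes, expiry: int, registered: PlmnSet,
                        is_allowed: Callable[[str], bool]) -> AppKeyResponse:
    """AAnF side. `is_allowed` is AAnF's local allowed/disallowed-network decision
    for one PLMN; `registered` holds the networks the UE is registered in."""
    permitted = frozenset(n for n in registered if is_allowed(n))
    if not permitted:
        # Scenario 3 under both methods: reject, carrying neither key nor network info.
        return AppKeyResponse(None, None, frozenset())
    if method == WHITELIST:
        return AppKeyResponse(k_af, expiry, permitted)
    if method == BLACKLIST:
        # Scenario 2 falls out naturally: nothing blocked, so no network info is carried.
        return AppKeyResponse(k_af, expiry, registered - permitted)
    raise ValueError(f"unknown encoding: {method}")


def af_networks_for_key(method: str, resp: AppKeyResponse, registered: PlmnSet) -> PlmnSet:
    """AF side: the registered networks in which the returned K_AF may be used."""
    if resp.k_af is None:
        return frozenset()  # rejected: the key is usable nowhere
    if method == WHITELIST:
        return resp.networks & registered
    if method == BLACKLIST:
        # Absence of network information implicitly permits every registered network.
        return registered - resp.networks
    raise ValueError(f"unknown encoding: {method}")


def af_can_protect_session(method: str, resp: AppKeyResponse, registered: PlmnSet,
                           session_plmn: str) -> bool:
    """Whether the AF may use K_AF for an application session carried by `session_plmn`."""
    return session_plmn in af_networks_for_key(method, resp, registered)


if __name__ == "__main__":
    # Constructed scenario 1: allowed in PLMN-2 only, UE registered in PLMN-1 and PLMN-2.
    registered = frozenset({"PLMN-1", "PLMN-2"})
    allowed = frozenset({"PLMN-2"})
    key, ttl = b"\x01" * 32, 3600
    for method in (WHITELIST, BLACKLIST):
        resp = aanf_build_response(method, key, ttl, registered, lambda n: n in allowed)
        print(method, "carries", sorted(resp.networks),
              "-> AF may use K_AF in", sorted(af_networks_for_key(method, resp, registered)))
```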
- In the third implementation method, the AAnF uses both a whitelist and a blacklist to indicate to the AF whether the UE is allowed to use the AKMA service in the first network and/or the second network.
- That is, the application key response message includes information about both the first network and the second network: the information about the first network indicates whether the UE is allowed to use the AKMA service in the first network, and the information about the second network indicates whether the UE is allowed to use the AKMA service in the second network.
- The third implementation method is described below in three scenarios.
- When the AAnF determines that the UE is not allowed to use the AKMA service in the first network but is allowed to use the AKMA service in the second network, it sends an application key response message to the AF.
- This application key response message includes an application key, as well as information from both the first and second networks. Specifically, the information from the first network indicates that the UE is not allowed to use the AKMA service on the first network, and the information from the second network indicates that the UE is allowed to use the AKMA service on the second network.
- For example, the information about the first network includes PLMN ID#1 and/or indication information #1, where indication information #1 indicates that the UE is not allowed to use AKMA services in the first network.
- Indication information #1 indicates that the UE is not allowed to use AKMA services in the first network.
- For example, the information about the second network includes PLMN ID#2 and/or indication information #2, where indication information #2 indicates that the UE is allowed to use AKMA services in the second network.
- Indication information #2 indicates that the UE is allowed to use AKMA services in the second network.
- When the AAnF determines that the UE is allowed to use the AKMA service in both the first network and the second network, it sends an application key response message to the AF.
- This message includes an application key, as well as information from both the first and second networks. Specifically, the information from the first network indicates that the UE is permitted to use the AKMA service in the first network, and the information from the second network indicates that the UE is permitted to use the AKMA service in the second network.
- For example, the information about the first network includes PLMN ID#1 and/or indication information #1, where indication information #1 indicates that the UE is allowed to use AKMA services in the first network.
- Indication information #1 indicates that the UE is allowed to use AKMA services in the first network.
- For example, the information about the second network includes PLMN ID#2 and/or indication information #2, where indication information #2 indicates that the UE is allowed to use AKMA services in the second network.
- Indication information #2 indicates that the UE is allowed to use AKMA services in the second network.
- When the AAnF determines that the UE is not allowed to use AKMA services in the first network and is also not allowed to use AKMA services in the second network, it sends an application key response message to the AF.
- This application key response message does not include the application key, nor does it include information about the first network or the second network.
- This application key response message is used to indicate a rejection of the application key request.
- For example, the application key response message can be a Naanf_AKMA_ApplicationKey_Get Response message.
- Step 1204 The AF obtains the information of the current network corresponding to the first session.
- The information of the current network corresponding to the first session can be, for example, a PLMN ID.
- The application session requested by the UE in step 1201 above is carried on this first session.
- Optionally, the AF requests the information of the current network corresponding to the first session from the SMF. For example, the AF sends the SMF a request message requesting the information of the current network corresponding to the first session, and the SMF sends the AF a notification message that includes the information of the current network corresponding to the first session.
- For example, the request message can be a subscription request message used to subscribe to the network information corresponding to the first session.
- In response, the SMF sends the AF a notification message carrying the information of the current network corresponding to the first session, or, whenever the network corresponding to the first session subsequently changes, the SMF sends the AF a notification message carrying the information of the current network corresponding to the first session.
- Optionally, the subscription request message includes one or more of the information of the first session, the UE's identifier, or an event identifier, where the event identifier indicates a network change event.
- This application does not limit how the AF obtains the information of the current network corresponding to the first session.
- For example, the AF can also actively request the information of the current network corresponding to the first session from the UE, or the UE can actively send the information of the current network corresponding to the first session to the AF.
- Optionally, the AF obtains the information of the current network corresponding to the first session based on the application key response message.
- This can also be understood as the AF obtaining the information of the current network corresponding to the first session because the application key response message indicates that the UE is not allowed to use AKMA services in the first network and/or is allowed to use AKMA services in the second network.
- That is, the application key response message triggers the AF to obtain the information of the current network corresponding to the first session.
- For example, this implementation method corresponds to scenario 1 in implementation method one, scenario A in implementation method two, and scenario a in implementation method three described in step 1203 above.
- Alternatively, based on the application key response message, the AF can either obtain the information of the current network corresponding to the first session or choose not to obtain it.
- For example, this implementation method corresponds to scenario 2 in implementation method one, scenario B in implementation method two, and scenario b in implementation method three described in step 1203 above. If the AF does not obtain the information of the current network corresponding to the first session at this point, it can obtain it later when it is needed.
- For example, when the AF subsequently receives an AKMA service shutdown notification message from the AAnF, that message triggers the AF to obtain the information of the current network corresponding to the first session.
- For step 1204, if the application key response message indicates a rejection of the application key request, the AF does not execute step 1204 or the subsequent step 1205.
- For example, this implementation corresponds to scenario 3 in implementation method one, scenario C in implementation method two, and scenario c in implementation method three described in step 1203 above.
- Step 1205 The AF determines whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message.
- If the current network corresponding to the first session is the first network, the AF rejects the application session, that is, the AF rejects the UE's application session establishment request message from step 1201, for example by sending the UE an application session response message indicating that the application session is rejected; if the current network corresponding to the first session is the second network, the AF allows the application session, that is, the AF accepts the UE's application session establishment request message from step 1201, for example by sending the UE an application session response message indicating that the application session is allowed.
- For example, this implementation method corresponds to scenario 1 in implementation method one, scenario A in implementation method two, and scenario a in implementation method three described in step 1203 above.
- When the application key response message indicates that the UE is allowed to use AKMA services in both the first network and the second network, the AF allows the application session. That is, the AF accepts the UE's application session establishment request message from step 1201, for example by sending the UE an application session response message indicating that the application session is allowed. Alternatively, the AF determines directly from the application key response message that the application session is allowed, without obtaining the information of the current network corresponding to the first session. For example, this implementation corresponds to scenario 2 in implementation method one, scenario B in implementation method two, and scenario b in implementation method three described in step 1203 above.
- In the embodiment of Figure 12, the AF receives an application key response message from the AAnF.
- The application key response message includes the application key and also indicates whether the UE is allowed to use AKMA services in the first network and the second network. This enables the AF to determine more accurately whether to allow the UE's request to establish an application session, and thus achieves accurate management of AKMA services between the UE and the AF.
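The AAnF response encodings and the AF's admission decision of steps 1203 to 1205, as an added Python example that is not part of the patent: the three response encodings (blacklist, whitelist, and an explicit entry per registered network) are modelled after the implementation methods described above without asserting which numbered method each corresponds to. The PLMN ID values, the message field layout, the SMF stub and the fail-closed handling of an unknown session network are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample identifiers; the PLMN ID values are assumed, not taken from the patent.
PLMN_1 = "PLMN ID#1"  # first network, e.g. reached over 3GPP access
PLMN_2 = "PLMN ID#2"  # second network, e.g. reached over non-3GPP access


@dataclass
class NetworkInfo:
    """'Information of the first/second network': a PLMN ID plus its indication information."""
    plmn_id: str
    akma_allowed: bool


@dataclass
class AppKeyResponse:
    """Model of the Naanf_AKMA_ApplicationKey_Get Response (field layout assumed)."""
    k_af: Optional[bytes]                         # None: the application key request was rejected
    networks: List[NetworkInfo] = field(default_factory=list)


def aanf_build_response(allowed: Dict[str, bool], k_af: bytes, encoding: str) -> AppKeyResponse:
    """AAnF side (step 1203): choose what to put in the response.

    encoding: "blacklist" - list only networks where the UE may NOT use AKMA
              "whitelist" - list only networks where the UE MAY use AKMA;
                            an empty list implicitly means 'allowed wherever registered'
              "explicit"  - list every registered network with its own indication
    If the UE may use AKMA in neither network the request is rejected: no key, no network info.
    """
    if not any(allowed.values()):
        return AppKeyResponse(k_af=None)
    if encoding == "blacklist":
        nets = [NetworkInfo(p, False) for p, ok in allowed.items() if not ok]
    elif encoding == "whitelist":
        nets = [] if all(allowed.values()) else [NetworkInfo(p, True) for p, ok in allowed.items() if ok]
    elif encoding == "explicit":
        nets = [NetworkInfo(p, ok) for p, ok in allowed.items()]
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    return AppKeyResponse(k_af=k_af, networks=nets)


def af_permissions(resp: AppKeyResponse, registered: Tuple[str, ...]) -> Dict[str, bool]:
    """AF side: recover a per-PLMN permission map from any of the three encodings.

    No network information at all means the UE is allowed in every registered network.
    A registered network that is not listed takes the opposite polarity of the listed ones
    (blacklisted networks imply the rest is allowed; whitelisted ones imply the rest is not).
    """
    listed = {n.plmn_id: n.akma_allowed for n in resp.networks}
    if not listed:
        return {p: True for p in registered}
    unlisted_default = not any(listed.values())
    return {p: listed.get(p, unlisted_default) for p in registered}


def af_decide(resp: AppKeyResponse, registered: Tuple[str, ...],
              current_plmn: Callable[[], Optional[str]]) -> Tuple[str, str]:
    """Steps 1204-1205. current_plmn stands in for the SMF subscription/notification that
    reports which network the first session (PDU session) is currently on; it is only
    invoked when the decision actually depends on that network."""
    if resp.k_af is None:                     # rejected key request: steps 1204 and 1205 are skipped
        return "REJECT", "application key request rejected by AAnF"
    perms = af_permissions(resp, registered)
    if all(perms.values()):                   # allowed everywhere: no SMF query needed
        return "ALLOW", "UE may use AKMA in every registered network"
    net = current_plmn()                      # step 1204
    if net is None or net not in perms:
        # Assumption of this example: fail closed when the session's network is unknown.
        return "REJECT", "current network of the first session is unknown"
    return ("ALLOW" if perms[net] else "REJECT"), f"first session is on {net}"   # step 1205


class SmfStub:
    """Constructed stand-in for the SMF: answers 'which PLMN is session X on?' and counts queries."""

    def __init__(self, session_plmn: Dict[str, str]):
        self.session_plmn = dict(session_plmn)
        self.queries = 0

    def current_network(self, session_id: str) -> Optional[str]:
        self.queries += 1
        return self.session_plmn.get(session_id)


if __name__ == "__main__":
    k_af = b"\x11" * 32   # constructed placeholder key material, not a real K AF
    smf = SmfStub({"pdu-1": PLMN_1})
    for enc in ("blacklist", "whitelist", "explicit"):
        resp = aanf_build_response({PLMN_1: False, PLMN_2: True}, k_af, enc)
        print(enc, af_decide(resp, (PLMN_1, PLMN_2), lambda: smf.current_network("pdu-1")))
```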
- FIG. 13 is a flowchart illustrating a management method for AKMA services provided in an embodiment of this application.
- The embodiment in Figure 13 is a specific example of the embodiment in Figure 12 above.
- The AF can be a network element within the 3GPP core network or a network element outside the 3GPP core network.
- Optionally, the interactions between the AF and the AAnF mentioned below can all be relayed through the NEF.
- Before step 1301, the main authentication process and the K AKMA generation process shown in the embodiment of Figure 4 are completed.
- In addition, the UE needs to complete registration and establish a PDU session.
- This PDU session is used to transmit user plane data (e.g., AKMA services) between the UE and the AF.
- The method includes the following steps:
- Step 1301 The UE sends an application session establishment request message to the AF. Accordingly, the AF receives the application session establishment request message.
- The application session establishment request message requests the establishment of an application session for transmitting AKMA services between the UE and the AF.
- This application session is carried on a first session, which can be a PDU session or another type of session.
- Optionally, the application session establishment request message includes an AKMA key identifier (A-KID).
- The A-KID is generated by the UE during the K AKMA generation process prior to step 1301.
- For the K AKMA generation process, refer to the embodiment shown in Figure 4.
- The UE is registered with both a first network and a second network.
- Optionally, the first network is a network that the UE connects to via 3GPP access and the second network is a network that the UE connects to via non-3GPP access; alternatively, the first network is a network that the UE connects to via non-3GPP access and the second network is a network that the UE connects to via 3GPP access.
- Step 1302 Optionally, if the AF has no context related to the A-KID, the AF selects an AAnF and sends an application key request message to the AAnF. Accordingly, the AAnF receives the application key request message.
- The application key request message includes the A-KID and, optionally, an AF ID.
- The A-KID originates from step 1301.
- The AF ID is used to identify the AF.
- The AF ID can be used as an input parameter when calculating the K AF, to achieve key isolation between different AFs.
- For example, the application key request message can be a Naanf_AKMA_ApplicationKey_Get_Request message or a Naanf_AKMA_ApplicationKey_AnonUser_Getservice message.
- Step 1303 Optionally, when the AAnF determines according to local rules that the AF requires the GPSI, the AAnF sends a request message to the UDM. Accordingly, the UDM receives the request message.
- This request message is used to request the UE's GPSI.
- For example, the request message may carry the UE's SUPI to request the GPSI corresponding to that SUPI.
- For example, the request message can be a Nudm_SDM_Get Request message.
- Step 1304 Optionally, the UDM sends a response message to the AAnF. Accordingly, the AAnF receives the response message.
- The response message includes the UE's GPSI.
- The AAnF stores the GPSI as part of the UE's AKMA context.
- If the AF does not require the GPSI, steps 1303 to 1304 do not need to be executed.
- For example, the response message can be a Nudm_SDM_Get Response message.
- Step 1305 Optionally, the AAnF sends a subscription request message to the UDM. Accordingly, the UDM receives the subscription request message.
- The subscription request message contains the UE's SUPI or GPSI and is used to request the UE's roaming status report or roaming status information.
- For example, the subscription request message can be a Nudm_EventExposure_Subscribe Request message.
- Step 1306 Optionally, the UDM sends a subscription response message to the AAnF. Accordingly, the AAnF receives the subscription response message.
- The subscription response message contains the UE's roaming status information.
- The roaming status information includes the information of the PLMN(s) with which the UE is registered.
- Optionally, the roaming status information also includes indication information indicating whether the PLMN is the home network.
- This application considers a dual-registration scenario, that is, the PLMN information registered by the UE includes the identifiers of two PLMNs, such as PLMN ID#1 and PLMN ID#2.
- When the UE's roaming status subsequently changes, the UDM sends a notification message to the AAnF carrying the changed roaming status information.
- For example, the subscription response message can be a Nudm_EventExposure_Subscribe Response message.
- Step 1307 AAnF obtains the AKMA key (K AKMA ) based on A-KID and generates the application key (K AF ) based on the AKMA key.
- Specifically, the AAnF obtains the AKMA key (K AKMA) corresponding to the A-KID in the application key request message, and then generates the application key based on the K AKMA.
- Optionally, the application key request message also includes an AF ID, in which case the AAnF can generate the application key based on the K AKMA and the AF ID.
- Optionally, the AAnF generates the validity period of the K AF at the same time as the K AF, so the application key response message may also include the validity period of the K AF.
- The AAnF obtains the A-KID and the corresponding K AKMA during the main authentication process and the K AKMA generation process, and stores the correspondence between the A-KID and the K AKMA locally.
- Step 1308 The AAnF sends an application key response message to the AF according to whether the UE is allowed to use AKMA services in the first network and the second network. Accordingly, the AF receives the application key response message.
- Step 1308 is the same as step 1203 in the embodiment of Figure 12. Please refer to the foregoing description for details; it is not repeated here.
- Optionally, the application key response message may also carry the SUPI or GPSI.
- Alternatively, the application key response message does not carry the SUPI or GPSI.
- Step 1309 AF obtains information about the current network corresponding to the first session.
- Step 1309 is the same as step 1204 in the embodiment of Figure 12. Please refer to the foregoing description for details, and it will not be repeated here.
- Step 1310 The AF determines whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message.
- Step 1310 is the same as step 1205 in the embodiment of Figure 12. Please refer to the foregoing description for details, and it will not be repeated here.
- Step 1311 The AF sends an application session establishment response message to the UE.
- Accordingly, the UE receives the application session establishment response message.
- If the AF allows the application session in step 1310, the application session establishment response message indicates that the application session was successfully established.
- If the AF rejects the application session in step 1310, the application session establishment response message indicates that establishment of the application session is refused.
- The UE can generate the K AF in the same way as the AAnF at any step after the main authentication process and the K AKMA generation process.
- Optionally, the UE can also determine the validity period of the K AF.
- In the embodiment of Figure 13, the AF receives an application key response message from the AAnF.
- The application key response message includes the application key and also indicates whether the UE is allowed to use AKMA services in the first network and the second network. This enables the AF to determine more accurately whether to allow the UE's request to establish an application session, and thus achieves accurate management of AKMA services between the UE and the AF.
- The names of the messages above are only illustrative examples.
- The names of the above messages may change; as long as the changed messages have the same or similar functions as the above messages of this application, they also fall within the protection scope of this application.
- To implement the above functions, the AF, AAnF, or UE includes hardware structures and/or software modules corresponding to each function.
- Those skilled in the art should readily recognize that, based on the units and method steps of the various examples described in conjunction with the embodiments disclosed in this application, this application can be implemented in hardware or a combination of hardware and computer software. Whether a function is executed in hardware or by computer software driving hardware depends on the specific application scenario and design constraints of the technical solution.
- Figures 14 and 15 are schematic diagrams of possible communication devices provided in embodiments of this application. These communication devices can be used to implement the functions of AF, AAnF, or UE in the above method embodiments, and thus can also achieve the beneficial effects of the above method embodiments.
- For example, the communication device can be the AF, AAnF, or UE.
- The communication device 1400 shown in Figure 14 includes a processing unit 1410 and a transceiver unit 1420.
- The communication device 1400 is used to implement the functions of the AF, AAnF, or UE in the above method embodiments.
- The transceiver unit 1420 is configured to receive an AKMA service shutdown notification message, the AKMA service shutdown notification message including information of a first network and being used to notify the shutdown of the AKMA service of the first network; the processing unit 1410 is configured to obtain information of the current network corresponding to the first session of the terminal device, the first session being used to transmit the first AKMA service between the terminal device and the application function network element, and to determine whether to shut down the first AKMA service based on the AKMA service shutdown notification message and the information of the current network corresponding to the first session.
- the processing unit 1410 is configured to determine whether to close the first AKMA service based on the AKMA service closure notification message and the information of the current network corresponding to the first session, including: closing the first AKMA service when the current network corresponding to the first session is the first network.
- the processing unit 1410 is configured to obtain the current network information corresponding to the first session of the terminal device, including: receiving a first notification message through the transceiver unit 1420, the first notification message including information of the first network, the first notification message indicating that the network corresponding to the first session has changed to the first network.
- the processing unit 1410 is further configured to, when the current network corresponding to the second session of the terminal device is the second network, not to close the second AKMA service between the terminal device and the application function network element, wherein the second session is used to transmit the second AKMA service and the second network is different from the first network.
- the processing unit 1410 is configured to determine whether to close the first AKMA service based on the AKMA service closure notification message and the information of the current network corresponding to the first session, including: not closing the first AKMA service if the current network corresponding to the first session is a second network, wherein the second network is different from the first network.
- the processing unit 1410 is configured to obtain the current network information corresponding to the first session of the terminal device, including: receiving a second notification message through the transceiver unit 1420, the second notification message including information about the second network, the second notification message indicating that the network corresponding to the first session is the second network.
- the transceiver unit 1420 is further configured to send a first subscription request message, which is used to subscribe to network changes corresponding to the first session.
- the first subscription request message includes one or more of the information of the first session, the identifier of the terminal device, or a first event identifier; the first event identifier is used to indicate a network change event.
- the first notification message includes one or more of the information of the first session, the identifier of the terminal device, or a first event identifier; the first event identifier is used to indicate a network change event.
- the AKMA service shutdown notification message also includes information about the second network.
- the transceiver unit 1420 is used to receive an application session establishment request message, which requests the establishment of an application session for transmitting third AKMA services between the terminal device and the application function network element, and the application session is carried on the third session of the terminal device; the processing unit 1410 is used to obtain the information of the current network corresponding to the third session; and determine whether to allow the establishment of the application session based on the information of the current network corresponding to the third session.
- the processing unit 1410 is configured to determine whether to allow the establishment of the application session based on the information of the current network corresponding to the third session, including: refusing to establish the application session if the current network corresponding to the third session is a first network, wherein the first network is a network in which the terminal device cannot use AKMA services.
- the processing unit 1410 is configured to determine whether to allow the establishment of the application session based on the information of the current network corresponding to the third session, including: allowing the establishment of the application session if the current network corresponding to the third session is a second network, wherein the second network is a network in which the terminal device can use AKMA services.
- the processing unit 1410 is configured to obtain information about the current network corresponding to the third session, including: sending a second subscription request message through the transceiver unit 1420, the second subscription request message being used to subscribe to network changes corresponding to the third session; and receiving a third notification message, the third notification message including information about the current network corresponding to the third session.
- the second subscription request message includes one or more of the information of the third session, the identifier of the terminal device, or a second event identifier; the second event identifier is used to indicate a network change event.
- the transceiver unit 1420 is used to send an application session establishment request message, which requests the establishment of an application session for transmitting AKMA services between the terminal device and the application function network element; receive an application session establishment response message, which indicates that the application session has been successfully established; receive an AKMA service closure notification message, which includes information about a first network or roaming policy information, the roaming policy information including information about networks where the terminal device cannot use AKMA services, and the information about networks where the terminal device cannot use AKMA services including information about the first network; and the processing unit 1410 is used to determine whether to release the application session based on the AKMA service closure notification message and the information about the network corresponding to the application session.
- the processing unit 1410 is configured to determine whether to release the application session based on the AKMA service shutdown notification message and the information of the network corresponding to the application session, including: releasing the application session when the network corresponding to the application session is the first network.
- the processing unit 1410 is configured to determine whether to release the application session based on the AKMA service shutdown notification message and the network information corresponding to the application session, including: not releasing the application session when the network corresponding to the application session is a second network, wherein the second network is different from the first network and is a network in which the terminal device can use the AKMA service.
- the processing unit 1410 is used to determine that the terminal device cannot use AKMA service in the first network; the transceiver unit 1420 is used to send an AKMA service shutdown notification message to the terminal device, the AKMA service shutdown notification message including information of the first network or roaming policy information, the roaming policy information including information of the network where the terminal device cannot use AKMA service, and the information of the network where the terminal device cannot use AKMA service including information of the first network.
- the transceiver unit 1420 is used to receive an application session establishment request message from the terminal device, the application session establishment request message requesting the establishment of an application session for transmitting AKMA services between the terminal device and the application function network element, the application session establishment request message including an AKMA key identifier, the application session being carried on a first session; sending an application key request message to the AKMA anchor function network element, the application key request message including the AKMA key identifier; receiving an application key response message from the AKMA anchor function network element, the application key response message including an application key corresponding to the AKMA key identifier, the application key response message being used to indicate that the terminal device is not allowed to use AKMA services in the first network and/or is allowed to use AKMA services in the second network; the processing unit 1410 is used to obtain information about the current network corresponding to the first session; and determine whether to allow the application session based on the information about the current network corresponding to the first
- the processing unit 1410 is configured to obtain information about the current network corresponding to the first session, including: obtaining information about the current network corresponding to the first session based on the application key response message.
- the processing unit 1410 is configured to obtain information about the current network corresponding to the first session, including: sending a subscription request message to the session management function network element through the transceiver unit 1420, the subscription request message being used to subscribe to the network information corresponding to the first session; and receiving a notification message from the session management function network element, the notification message including information about the current network corresponding to the first session.
- the subscription request message includes one or more of the information of the first session, the identifier of the terminal device, or an event identifier, wherein the event identifier is used to indicate a network change event.
- the processing unit 1410 is configured to determine whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message, including: rejecting the application session if the current network corresponding to the first session is the first network.
- the processing unit 1410 is configured to determine whether to allow the application session based on the information of the current network corresponding to the first session and the application key response message, including: allowing the application session if the current network corresponding to the first session is the second network.
- the transceiver unit 1420 receives an application key request message from the application function network element, the application key request message including an AKMA key identifier; the processing unit 1410 is used to send an application key response message to the application function network element through the transceiver unit 1420 according to whether the terminal device is allowed to use AKMA services in the first network and the second network, the application key response message including an application key, the application key being generated based on the AKMA key corresponding to the AKMA key identifier, the application key response message being used to indicate whether the terminal device is allowed to use AKMA services in the first network and/or the second network.
- the processing unit 1410 is configured to send an application key response message to the application function network element via the transceiver unit 1420, depending on whether the terminal device is allowed to use the AKMA service in the first network and the second network. This includes: sending the application key response message to the application function network element via the transceiver unit 1420 when it is determined that the terminal device is not allowed to use the AKMA service in the first network but is allowed to use the AKMA service in the second network.
- the application key response message further includes information from the first network and/or the second network; wherein the information from the first network indicates that the terminal device is not allowed to use the AKMA service in the first network; and the information from the second network indicates that the terminal device is allowed to use the AKMA service in the second network.
- the processing unit 1410 is configured to send an application key response message to the application function network element via the transceiver unit 1420, depending on whether the terminal device is allowed to use the AKMA service in the first network and the second network. This includes: if it is determined that the terminal device is allowed to use the AKMA service in the first network and the second network, sending the application key response message to the application function network element via the transceiver unit 1420, wherein the application key response message indicates that the terminal device is allowed to use the AKMA service in the first network and the second network.
- the application key response message further includes information about the first network and information about the second network; wherein the information about the first network indicates that the terminal device is allowed to use the AKMA service in the first network; and the information about the second network indicates that the terminal device is allowed to use the AKMA service in the second network.
- More detailed descriptions of the processing unit 1410 and the transceiver unit 1420 can be obtained directly from the relevant descriptions in the above method embodiments, and are not repeated here.
- the communication device 1500 shown in Figure 15 includes a processor 1510 and an interface circuit 1520.
- the processor 1510 and the interface circuit 1520 are coupled to each other.
- the interface circuit 1520 can be a transceiver or an input/output interface.
- the communication device 1500 may also include a memory 1530 for storing instructions executed by the processor 1510, or storing input data required by the processor 1510 to execute instructions, or storing data generated after the processor 1510 executes instructions.
- the processor 1510 is used to implement the function of the processing unit 1410
- the interface circuit 1520 is used to implement the function of the transceiver unit 1420.
- processors in the embodiments of this application may be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof.
- a general-purpose processor may be a microprocessor or any conventional processor.
- the method steps in the embodiments of this application can be implemented in hardware or by a processor executing software instructions.
- the software instructions can consist of corresponding software modules, which can be stored in random access memory, flash memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, registers, hard disks, portable hard disks, CD-ROMs, or any other form of storage medium known in the art.
- An exemplary storage medium is coupled to a processor, enabling the processor to read information from and write information to the storage medium.
- the storage medium can also be a component of the processor.
- the processor and storage medium can reside in an ASIC.
- the ASIC can reside in an AF, ANFO, or UE.
- the processor and storage medium can exist as discrete components in a base station or terminal device.
- implementation can be achieved entirely or partially through software, hardware, firmware, or any combination thereof.
- when implemented using software, it can be implemented entirely or partially in the form of a computer program product.
- the computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are performed entirely or partially.
- the computer can be a general-purpose computer, a special-purpose computer, a computer network, a base station, a user equipment, or other programmable device.
- the computer program or instructions can be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another.
- the computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media.
- the available medium can be a magnetic medium, such as a floppy disk, hard disk, or magnetic tape; it can also be an optical medium, such as a digital video optical disc; or it can be a semiconductor medium, such as a solid-state drive.
- the computer-readable storage medium may be a volatile or non-volatile storage medium, or may include both types of storage media.
- “at least one” means one or more, and “more than one” means two or more.
- “And/or” describes the relationship between related objects, indicating that three relationships can exist.
- a and/or B can represent: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural.
- the character "/" generally indicates an "or" relationship between the preceding and following related objects; in the formulas of this application, the character "/" indicates a "division" relationship between the preceding and following related objects.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present application relates to an AKMA service management method and a communication apparatus. In the method, a first apparatus can learn information about a network on which a terminal device is not allowed to perform an AKMA service, and learn information about the current network corresponding to a session that supports an AKMA service between the terminal device and an application function network element, so as to accurately determine whether the AKMA service can be performed between the terminal device and the application function network element and to decide whether to disable the AKMA service. This achieves network-granularity management of the AKMA service and helps improve the user experience. Compared with a solution in which the terminal device's AKMA service on all registered networks is always disabled as soon as the terminal device is not allowed to perform the AKMA service on some network, the present application can disable the AKMA service on a per-network basis and avoid interruption of the AKMA service as far as possible.
Applications Claiming Priority (2)
| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202410628753.0A | CN121001081A (zh) | 2024-05-20 | 2024-05-20 | 一种akma业务的管理方法及通信装置 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025241968A1 (fr) | 2025-11-27 |
Family
ID=97692007
Family Applications (1)
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| PCT/CN2025/094965 (WO2025241968A1, fr) | Pending | 2024-05-20 | 2025-05-14 | Procédé de gestion de service akma et appareil de communication |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN121001081A (fr) |
| WO (1) | WO2025241968A1 (fr) |
Events
- 2024-05-20: CN CN202410628753.0A, patent CN121001081A (zh), active, Pending
- 2025-05-14: WO PCT/CN2025/094965, patent WO2025241968A1 (fr), active, Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN121001081A (zh) | 2025-11-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11818608B2 (en) | | Third party charging in a wireless network |
| CN108574969B (zh) | | 多接入场景中的连接处理方法和装置 |
| US12363193B2 (en) | | Multimedia priority service |
| WO2020224622A1 (fr) | | Procédé et dispositif de configuration d'informations |
| CN112954768B (zh) | | 通信方法、装置及系统 |
| WO2023213177A1 (fr) | | Procédé et appareil de communication |
| WO2021051420A1 (fr) | | Procédé et appareil de détermination d'un enregistrement de cache dns |
| WO2023231450A1 (fr) | | Procédé de synchronisation temporelle et appareil de communication |
| CN115915196A (zh) | | 一种链路状态检测方法、通信装置及通信系统 |
| CN117082527A (zh) | | 通信方法、通信装置及通信系统 |
| WO2024208017A1 (fr) | | Procédé de communication, appareil de communication et système de communication |
| WO2023213181A1 (fr) | | Procédé et appareil de communication |
| WO2025241968A1 (fr) | | Procédé de gestion de service akma et appareil de communication |
| WO2023216274A1 (fr) | | Procédé et appareil de gestion de clé, dispositif et support de stockage |
| GB2621184A (en) | | Apparatus, method and computer program |
| WO2025237114A1 (fr) | | Procédé de communication, appareil de communication et système de communication |
| CN118338408B (zh) | | 通信方法、通信装置及通信系统 |
| US20250267612A1 (en) | | Communication method, communication apparatus, and communication system |
| WO2023082858A1 (fr) | | Procédé de détermination de politique de gestion de mobilité, appareil de communication et système de communication |
| WO2025161525A1 (fr) | | Procédé de communication et appareil de communication |
| CN118042558A (zh) | | 通信方法、通信装置及通信系统 |
| WO2023246649A1 (fr) | | Procédé de communication, appareil de communication et système de communication |
| WO2025086786A1 (fr) | | Procédé de communication, appareil de communication et système de communication |
| WO2024212793A1 (fr) | | Procédé de communication et appareil de communication |
| WO2025050676A1 (fr) | | Procédé de communication, appareil de communication et système de communication |