Message processing method and device

Technical field
This application relates to the field of communication technology, and in particular to a message processing method and device.
Background
To protect user privacy, the privacy-relevant part of the Subscription Permanent Identifier (SUPI) of a subscriber in the 3GPP next-generation wireless network (5G) is encrypted. The encrypted part contains the information that the operator uses for internal routing of the Registration Request. As a result, when the operator has several Authentication Server Functions (AUSF) and/or Unified Data Management entities (UDM), the Registration Request cannot be routed to the target AUSF and/or UDM.
Summary of the invention
Embodiments of the present application provide a message processing method and device, so that a Registration Request from a UE can be accurately routed to the target network element.
A message processing method provided by an embodiment of the present application comprises:
a user equipment (UE) determining a Registration Request, the Registration Request carrying a Subscription Concealed Identifier (SUCI), and the SUCI containing network element selection information that does not belong to the Mobile Subscriber Identification Number (MSIN) and is used for selecting a target network element in the Home Public Land Mobile Network (HPLMN);
the UE sending the Registration Request to the network side.
In this way, the UE determines a Registration Request carrying a SUCI, the SUCI containing network element selection information that does not belong to the MSIN and is used for selecting a target network element in the HPLMN, and the UE sends the Registration Request to the network side, so that the network side can use the network element selection information to route the Registration Request from the UE accurately to the target network element.
Optionally, the network element selection information is a network element selection information ciphertext;
if a network element selection information master key is present in the USIM of the UE, the USIM of the UE derives a network element selection information encryption key by means of a key derivation algorithm, using the network element selection information master key and a random value used for deriving the network element selection information encryption key; the UE encrypts the network element selection information with the network element selection information encryption key to obtain the network element selection information ciphertext.
Encrypting the network element selection information further improves the security of the information.
Optionally, the SUCI further includes a network element selection information master key identifier.
Optionally, the network element selection information master key, the network element selection information and the network element selection information master key identifier are stored in the USIM.
Optionally, if no network element selection information master key is present in the USIM of the UE, the network element selection information is not encrypted, and the UE places the network element selection information directly in the SUCI.
Optionally, the UE sends the Registration Request to a Visited Public Land Mobile Network (VPLMN), which forwards it to the HPLMN.
Correspondingly, on the network side, a message processing method provided by an embodiment of the present application comprises:
receiving a Registration Request from a user equipment (UE), obtaining a SUCI from the Registration Request, and obtaining network element selection information from the SUCI, the network element selection information not belonging to the Mobile Subscriber Identification Number (MSIN) and being used for selecting a target network element in the Home Public Land Mobile Network (HPLMN);
performing network element selection or message routing using the network element selection information.
Optionally, the network element selection information is a network element selection information ciphertext;
obtaining the SUCI from the Registration Request and obtaining the network element selection information from the SUCI specifically includes a network element selection information decryption functional entity performing the following operations:
obtaining the network element selection information master key using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, selecting a default master key or using a null decryption scheme, according to the system configuration;
deriving a network element selection information decryption key by means of a key derivation algorithm, using the network element selection information master key and the random value in the SUCI that is used for deriving the network element selection information encryption key;
decrypting the network element selection information ciphertext with the network element selection information decryption key to obtain the network element selection information;
providing the network element selection information to the network element in the HPLMN that needs to perform network element selection or message routing.
Optionally, performing network element selection or message routing using the network element selection information specifically includes:
the network element in the HPLMN that needs to perform network element selection or message routing forwarding the Registration Request to the target network element according to the network element selection information.
Optionally, the network element in the HPLMN that needs to perform network element selection or message routing also attaches the obtained network element selection information to the message forwarded to the target network element.
On the UE side, a message processing device provided by an embodiment of the present application comprises:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and, according to the obtained program, executing:
determining a Registration Request, the Registration Request carrying a Subscription Concealed Identifier (SUCI), and the SUCI containing network element selection information that does not belong to the Mobile Subscriber Identification Number (MSIN) and is used for selecting a target network element in the Home Public Land Mobile Network (HPLMN);
sending the Registration Request to the network side.
Optionally, the device further includes a Universal Subscriber Identity Module (USIM); the network element selection information is a network element selection information ciphertext;
if a network element selection information master key is present in the USIM, the USIM derives a network element selection information encryption key by means of a key derivation algorithm, using the network element selection information master key and a random value used for deriving the network element selection information encryption key;
the processor encrypts the network element selection information with the network element selection information encryption key to obtain the network element selection information ciphertext.
Optionally, the SUCI further includes a network element selection information master key identifier.
Optionally, the network element selection information master key, the network element selection information and the network element selection information master key identifier are stored in the USIM.
Optionally, if no network element selection information master key is present in the USIM, the processor does not encrypt the network element selection information and places it directly in the SUCI.
Optionally, the processor sends the Registration Request through a transceiver to a Visited Public Land Mobile Network (VPLMN), which forwards it to the HPLMN.
Correspondingly, on the network side, a message processing device provided by an embodiment of the present application comprises:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and, according to the obtained program, executing:
receiving a Registration Request from a user equipment (UE), obtaining a SUCI from the Registration Request, and obtaining network element selection information from the SUCI, the network element selection information not belonging to the Mobile Subscriber Identification Number (MSIN) and being used for selecting a target network element in the Home Public Land Mobile Network (HPLMN);
performing network element selection or message routing using the network element selection information.
Optionally, the network element selection information is a network element selection information ciphertext;
obtaining the SUCI from the Registration Request and obtaining the network element selection information from the SUCI specifically includes a network element selection information decryption functional entity performing the following operations:
obtaining the network element selection information master key using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, selecting a default master key or using a null decryption scheme, according to the system configuration;
deriving a network element selection information decryption key by means of a key derivation algorithm, using the network element selection information master key and the random value in the SUCI that is used for deriving the network element selection information encryption key;
decrypting the network element selection information ciphertext with the network element selection information decryption key to obtain the network element selection information;
providing the network element selection information to the network element in the HPLMN that needs to perform network element selection or message routing.
Optionally, the device is the network element in the HPLMN that needs to perform network element selection or message routing; performing network element selection or message routing using the network element selection information specifically includes:
forwarding the Registration Request to the target network element according to the network element selection information.
Optionally, the processor is further configured to attach the obtained network element selection information to the message forwarded to the target network element.
On the UE side, another message processing device provided by an embodiment of the present application comprises:
a determination unit for determining a Registration Request, the Registration Request carrying a Subscription Concealed Identifier (SUCI), and the SUCI containing network element selection information that does not belong to the Mobile Subscriber Identification Number (MSIN) and is used for selecting a target network element in the Home Public Land Mobile Network (HPLMN);
a sending unit for sending the Registration Request to the network side.
On the network side, another message processing device provided by an embodiment of the present application comprises:
a first unit for receiving a Registration Request from a user equipment (UE), obtaining a SUCI from the Registration Request, and obtaining network element selection information from the SUCI, the network element selection information not belonging to the MSIN and being used for selecting a target network element in the HPLMN;
a second unit for performing network element selection or message routing using the network element selection information.
A Universal Subscriber Identity Module (USIM) provided by an embodiment of the present application comprises:
a memory for storing program instructions and for storing network element selection information;
a processor for calling the program instructions stored in the memory and, according to the obtained program, executing:
if the memory also stores a network element selection information master key, deriving a network element selection information encryption key by means of a key derivation algorithm, using the network element selection information master key and a random value used for deriving the network element selection information encryption key.
Optionally, the memory also stores the network element selection information master key and a network element selection information master key identifier.
Another embodiment of the present application provides a computing device comprising a memory and a processor, wherein the memory is used for storing program instructions, and the processor is used for calling the program instructions stored in the memory and executing any of the above methods according to the obtained program.
Another embodiment of the present application provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used for causing a computer to execute any of the above methods.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the authentication functional entities and the authentication process of a 5G system according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the privacy protection of network element selection information in the initial registration procedure of a 5G communication system according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the basic flow in the scenario of embodiment one according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the basic flow in the scenario of embodiment two according to an embodiment of the present application;
Fig. 5 is a schematic flow diagram of a message processing method on the UE side according to an embodiment of the present application;
Fig. 6 is a schematic flow diagram of a message processing method on the network side according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a message processing device on the UE side according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a message processing device on the network side according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another message processing device on the UE side according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another message processing device on the network side according to an embodiment of the present application.
Detailed description
Embodiments of the present application provide a message processing method and device, so that a Registration Request from a UE can be accurately routed to the target network element.
In the 5G system, the subscription identifier of a user is protected by a SUPI protection scheme. SUPI protection schemes fall into two classes:
Null scheme (null-scheme): the null scheme does not encrypt the SUPI; the output generated by the null scheme is identical to its input.
Public key protection scheme (public key protection scheme): the content of the SUPI that needs to be encrypted is encrypted with a public key.
A SUPI consists of three parts:
Mobile Country Code (MCC): uniquely identifies the country to which the mobile subscriber belongs.
Mobile Network Code (MNC): uniquely identifies the Home PLMN of the mobile subscriber, that is, the mobile network operator.
Mobile Subscriber Identification Number (MSIN): identifies the mobile subscriber within the PLMN.
When the SUPI is protected with the public key protection scheme, the MSIN in the SUPI, which is the part related to the user identity, is encrypted, thereby protecting user privacy.
In the 5G system, a SUPI may only be transmitted after protection by a protection scheme; that is, a SUPI always passes through either the null scheme or the public key protection scheme. The SUPI processed by the protection scheme is stored in a data structure called the Subscription Concealed Identifier (SUCI). A SUCI includes the following information:
Protection scheme identifier (protection scheme identifier): identifies which protection scheme protects the SUCI, for example the null scheme or a public key protection scheme.
Public key identifier (public key identifier): defined by the home network operator, identifies which public key the SUCI was encrypted with. The field is empty when the null scheme is used.
Home network identifier (home network identifier): Mobile Country Code (MCC) + Mobile Network Code (MNC). In a roaming scenario, the VPLMN (Visited PLMN; PLMN: Public Land Mobile Network) uses the MCC and MNC to route the Registration Request to the HPLMN (Home PLMN).
Protection scheme output (protection scheme-output): the result generated by the protection scheme, that is, the output produced by the null scheme or by the public key protection scheme.
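As an added illustration (not code from the application), the following Python builds and parses a SUCI with the four fields listed above and shows the routing consequence analysed in the following paragraphs: the VPLMN can always reach the HPLMN from MCC+MNC, whereas an HPLMN that in 4G picked its HSS from a routing prefix inside the MSIN has nothing to select on once the MSIN is concealed. The byte layout, the XOR placeholder standing in for the public key scheme, and the SUPI, PLMN and prefix values are constructed assumptions, not the 3GPP encoding.

```python
import struct

NULL_SCHEME, PUBLIC_KEY_SCHEME = 0, 1


def split_supi(supi, mnc_len=2):
    """SUPI in IMSI form -> (MCC, MNC, MSIN). The MNC has 2 or 3 digits and its
    length is a property of the PLMN, so it is passed in rather than guessed."""
    return supi[:3], supi[3:3 + mnc_len], supi[3 + mnc_len:]


def build_suci(supi, scheme_id, public_key_id=None, encrypt=None, mnc_len=2):
    """Apply the protection scheme: only the MSIN is concealed, MCC and MNC stay in clear."""
    mcc, mnc, msin = split_supi(supi, mnc_len)
    if scheme_id == NULL_SCHEME:
        output, public_key_id = msin.encode(), None  # null scheme: output == input, no key
    else:
        output = encrypt(msin.encode())  # public key scheme: MSIN replaced by its ciphertext
    return {"scheme_id": scheme_id, "public_key_id": public_key_id,
            "home_network_id": (mcc, mnc), "scheme_output": output}


def encode_suci(suci):
    """Illustrative wire form (assumed, not the 3GPP encoding):
    scheme(1) | key id(1, 0 = absent) | MCC(3) | MNC length(1) | MNC | output length(2) | output."""
    mcc, mnc = suci["home_network_id"]
    return (bytes([suci["scheme_id"], suci["public_key_id"] or 0]) + mcc.encode()
            + bytes([len(mnc)]) + mnc.encode()
            + struct.pack(">H", len(suci["scheme_output"])) + suci["scheme_output"])


def decode_suci(data):
    if len(data) < 8:
        raise ValueError("SUCI too short")
    scheme_id, key_id = data[0], data[1]
    mnc_len = data[5]
    pos = 6 + mnc_len
    if len(data) < pos + 2:
        raise ValueError("truncated SUCI header")
    mcc, mnc = data[2:5].decode(), data[6:pos].decode()
    (out_len,) = struct.unpack(">H", data[pos:pos + 2])
    output = data[pos + 2:pos + 2 + out_len]
    if len(output) != out_len:
        raise ValueError("truncated protection scheme output")
    return {"scheme_id": scheme_id, "public_key_id": key_id or None,
            "home_network_id": (mcc, mnc), "scheme_output": output}


def vplmn_route(suci, plmn_table):
    """VPLMN step: MCC+MNC are never encrypted, so the HPLMN is always reachable."""
    return plmn_table[suci["home_network_id"]]


def hplmn_route_by_msin(suci, msin_prefix_table):
    """HPLMN step, 4G style: choose the HSS/UDM from a routing prefix inside the MSIN.
    Possible only while the MSIN is readable, i.e. under the null scheme."""
    if suci["scheme_id"] != NULL_SCHEME:
        return None  # MSIN concealed: nothing left for NRF/AUSF to select a target on
    return msin_prefix_table.get(suci["scheme_output"].decode()[:2])


if __name__ == "__main__":
    supi = "460001234567890"  # constructed: MCC 460, MNC 00, MSIN 1234567890
    plmns = {("460", "00"): "hplmn.example"}
    prefixes = {"12": "hss-a.hplmn.example", "34": "hss-b.hplmn.example"}
    placeholder_pk_encrypt = lambda m: bytes(b ^ 0x5A for b in m)  # stands in for ECIES
    for suci in (build_suci(supi, NULL_SCHEME),
                 build_suci(supi, PUBLIC_KEY_SCHEME, 3, placeholder_pk_encrypt)):
        assert decode_suci(encode_suci(suci)) == suci
        print(suci["scheme_id"], vplmn_route(suci, plmns), hplmn_route_by_msin(suci, prefixes))
```

Under the null scheme both routing steps succeed; under the public key scheme only the VPLMN step does, which is exactly the gap the network element selection information introduced below is meant to fill.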
Referring to Fig. 1, in the 5G authentication system the UE and the Security Anchor Function (SEAF) are located in the VPLMN, while the Authentication Server Function (AUSF), Unified Data Management (UDM), Authentication Credential Repository and Processing Function (ARPF) and Subscription Identifier De-concealing Function (SIDF) are located in the HPLMN. In the 4G network, when the HPLMN contains several HSSs, the HPLMN uses routing information contained in the MSIN to route the Registration Request to the target Home Subscriber Server (HSS). In the 5G network, because the function responsible for decrypting the SUCI is located in the UDM, an HPLMN that contains several AUSFs or UDMs may be unable to route the Registration Request of a user whose SUPI is encrypted with a public key to the target AUSF or UDM. The detailed analysis is as follows:
SUPI encryption uses asymmetric encryption. Asymmetric encryption requires the decrypting side to use the private key corresponding to the public key that encrypted the information. Asymmetric encryption allows each UDM to generate an unlimited number of public/private key pairs and to manage its private keys separately. Private key management may be HPLMN-based or UDM-based. When private key management is HPLMN-based, one UDM may hold all private keys and decrypt SUCIs centrally; in that case the SUCI does not need to contain routing information. When private key management is UDM-based, that is, a UDM cannot hold the private keys of other UDMs, a centralised SUCI decryption scheme cannot be used. For UDM-based private key management, the SUCI therefore has to provide additional routing information so that the message containing the encrypted SUPI can be routed to the target UDM.
It follows from the above that, in the current specification, the only information in the SUPI or SUCI usable for discovering the AUSF or UDM is the MNC and/or MCC. To protect user privacy the MSIN contained in the SUPI is encrypted, and the SIDF responsible for decryption is located in the UDM. Consequently, when the encryption keys are managed per UDM (a UDM does not provide its decryption key to other UDMs), the information formerly used for routing within the HPLMN cannot be obtained by the NRF or the AUSF, and the target UDM cannot be selected.
Moreover, the current 5G security TS (3GPP TS 33.501 V15.0.0) contains no technical solution for network element selection or routing within the HPLMN, and provides no privacy protection for the routing information.
Based on the above analysis, additional routing information should be provided in the SUCI for routing the initial authentication message within the HPLMN, and the necessary privacy protection mechanism should be provided for that routing information.
Basic principle:
Network element selection information for use by the HPLMN is added to the SUCI. The network element selection information can be understood and used only by the HPLMN, which avoids privacy leakage: for example, a UDM set up to authenticate a special user group would otherwise, through the network element selection information, expose the identity of sensitive users or of special Internet of Things applications. User privacy is thereby adequately protected.
The network element selection information used exclusively by the HPLMN for selecting a Network Function is stored in the USIM, for example network element selection information for selecting the AUSF or UDM.
A symmetric key provided by the operator for encrypting the network element selection information is provisioned in the USIM. A symmetric key is used because encryption and decryption are fast and therefore do not create an information processing bottleneck.
If the user uses an encrypted SUPI in the Registration Request, the HPLMN first has to decrypt the encrypted network element selection information contained in the SUCI of the Registration Request, and then performs the subsequent message routing using the decrypted network element selection information.
Description of terms and entity functions:
The privacy protection method for network element selection information in the initial registration procedure of a 5G communication system described in the embodiments of the present application is shown in Fig. 2.
Network Element Selection Information (NESI): information that certain network elements in the HPLMN participating in the authentication process can use to select the target network element for message delivery. For example, the Network Repository Function (NRF) can use this information to discover the target AUSF or UDM.
NESI ciphertext (NESI Cipher text): the network element selection information encrypted with the NESI encryption key.
NESI master key (NESI Master Key): a higher-level key used for generating the NESI encryption key.
NESI master key identifier (NESI Master Key Identifier): uniquely identifies a NESI master key within the HPLMN.
NESI encryption key (NESI Encryption Key): the encryption key actually used for encrypting the network element selection information; it is derived from the NESI master key.
NESI encryption key derivation function (NESI Encryption Key Derivation Function): located in the Universal Subscriber Identity Module (USIM); responsible for deriving the NESI encryption key from the NESI master key.
NESI encryption function (NESI Encryption Function): a function of the user equipment (UE); responsible for generating the NESI ciphertext with the NESI encryption key.
NESI decryption function (NESI Decryption Function, NESIDF): located in the HPLMN Core Network (CN); responsible for decrypting the NESI ciphertext to obtain the NESI plaintext.
Basic process:
Basic premise: the operator writes the following into the USIM: the network element selection information, the NESI master key and the NESI master key identifier. The NESI master key and the NESI master key identifier are optional. When the NESI master key is empty, the NESI master key identifier should also be empty; the NESI encryption scheme is then the null encryption scheme, that is, no encryption operation is performed. When the NESI master key is not empty but the NESI master key identifier is empty, a default key is used (the preset key can be set according to actual needs).
When the UE needs to protect the SUPI with a non-null scheme during Initial Registration, the technical solution provided by the embodiments of the present application performs the following operations to protect user privacy in the network element selection process:
The network element selection information, the NESI master key and the NESI master key identifier may be stored in the USIM in advance.
The UE requests the USIM to provide the NESI encryption key, the NESI master key identifier and the network element selection information. The UE also has to provide the USIM with the random value (nonce) used for deriving the NESI encryption key. This random value is a part of the SUCI, for example the MSIN ciphertext.
The USIM derives the NESI encryption key by means of a key derivation algorithm, using the NESI master key, the nonce provided by the UE and possibly other parameters (these parameters can be chosen according to actual needs, are not limited in the embodiments of the present application, and may also be omitted; the specific algorithm can likewise be chosen according to actual requirements and is not limited). The USIM then provides the NESI encryption key, the NESI master key identifier (optional) and the network element selection information to the UE. The NESI master key identifier is optional content.
If there is no NESI master key in the USIM, the system by default processes the network element selection information with the null encryption scheme. In that case the USIM returns only the network element selection information.
The UE (specifically the NESI encryption function module) encrypts the network element selection information with the NESI encryption key to obtain the NESI ciphertext.
If the system uses the null encryption scheme, the UE does not encrypt the network element selection information and uses it directly in the SUCI.
The UE (specifically the SUCI generation function module) adds the NESI ciphertext and the NESI master key identifier (optional) to the SUCI. If the USIM did not provide a NESI master key identifier, the SUCI does not contain this information.
The UE (specifically the Registration Request function module) includes the SUCI in the Registration Request and sends it to the visited network (VPLMN). The VPLMN forwards the Registration Request to the home network (HPLMN). The Registration Request may be, for example, an Initial Registration Request, but is not limited to it.
When a network element in the HPLMN needs to perform network element selection or message routing using the network element selection information provided by the SUCI, it has to call the NESI decryption function to decrypt the NESI ciphertext contained in the SUCI. The network element has to provide the NESI decryption function with:
the SUCI, or
the NESI ciphertext, the nonce and/or the NESI master key identifier (if the SUCI contains it).
The NESI decryption function has to perform the following operations:
1. Obtain the corresponding NESI master key using the NESI master key identifier in the SUCI. If the SUCI does not carry the key identifier, then, according to the system configuration, select the default master key or use the null decryption scheme, that is, take the NESI ciphertext directly as the network element selection information.
2. Derive the NESI decryption key by means of the key derivation algorithm, using the NESI master key, the value in the SUCI serving as the nonce (for example the MSIN ciphertext) and other possible parameters.
3. Decrypt the NESI ciphertext with the NESI decryption key to obtain the network element selection information.
4. Provide the network element selection information to the requesting network element in the HPLMN (the network element that needs to perform network element selection or message routing).
The network element in the HPLMN that needs to perform network element selection or message routing forwards the Registration Request message to the target network element according to the network element selection information, and optionally attaches the obtained network element selection information to the forwarded message, so that subsequent network elements can use it directly for further network element selection and routing.
Embodiment one:
In the HPLMN, the network element AUSF directly requests the NESI decryption function (NESIDF) to decrypt the NESI ciphertext in the SUCI. The AUSF parses the network element selection information and obtains the target UDM. The detailed process is shown in Fig. 3 and comprises:
Step 1: The UE sends an Initial Registration Request, containing the SUCI, to the network. The request is routed to the SEAF of the VPLMN.
Step 2: The SEAF sends the Initial Registration Request (carrying the SUCI) to the AUSF in the HPLMN.
Step 3: The AUSF sends the SUCI from the UE's Initial Registration Request to the NESIDF in a NESI decryption request, asking the NESIDF to decrypt the NESI ciphertext in the SUCI.
Step 4: The NESIDF obtains the corresponding key using the NESI master key identifier carried in the SUCI; performs key derivation using the value in the SUCI serving as the nonce and other parameters to obtain the NESI decryption key; decrypts the NESI ciphertext with the NESI decryption key to obtain the network element selection information; and returns the network element selection information to the AUSF in a NESI decryption response.
Step 5: The AUSF parses the network element selection information, obtains the address of the target UDM, and sends the UE's Initial Registration Request (carrying the SUCI) to the target UDM.
Embodiment two:
The network element AUSF in the HPLMN requests the NRF to provide the address of the target UDM. The NRF calls the NESIDF to obtain the network element selection information in plaintext. The NRF parses the network element selection information, obtains the address of the target UDM, and supplies it to the AUSF. The detailed process is shown in Fig. 4 and comprises:
Step 11, the UE sends an initial registration request, which contains the SUCI, to the network. The request is routed to the SEAF of the VPLMN.
Step 12, the SEAF sends the initial registration request (containing the SUCI) to the AUSF in the HPLMN.
Step 13, the AUSF sends the SUCI to the NRF in a network element selection request, asking the latter to provide the address of the target UDM.
Step 14, after receiving the network element selection request, the NRF obtains from the SUCI carried in the request the network element selection information master key identifier, the value in the SUCI that serves as the nonce, and the network element selection information ciphertext, then sends this information (the ciphertext) to the NESIDF in a network element selection information decryption request, asking the latter to decrypt the network element selection ciphertext in the SUCI.
Step 15, the NESIDF obtains the corresponding key using the network element selection information master key identifier; performs key export using the nonce and other parameters, obtaining the network element selection information decryption key; decrypts the network element selection information ciphertext with that decryption key, obtaining the network element selection information; and then returns the network element selection information (plaintext) to the NRF in a network element selection information decryption response.
Step 16, the NRF receives the network element selection information decryption response, obtains and parses the network element selection information from it, obtains the address of the target UDM (the target network element), and then returns the address of the target UDM to the AUSF.
Step 17, the AUSF sends the initial registration request (containing the SUCI) to the target UDM (e.g. UDM1).
In summary, referring to Fig. 5, a message processing method provided by the embodiments of the present application comprises:
S101, a user equipment (UE) determines a registration request, where the registration request carries a subscription concealed identifier (SUCI), and the SUCI contains network element selection information that does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
S102, the UE sends the registration request to the network side.
In this way, the UE determines a registration request carrying a SUCI, the SUCI contains network element selection information that does not belong to the MSIN and is used for selecting a target network element in the HPLMN, and the UE sends the registration request to the network side, so that the network side can use the network element selection information to accurately route the registration request from the UE to the target network element.
Optionally, the network element selection information is network element selection information ciphertext;
If the USIM in the UE holds a network element selection information master key, the USIM in the UE uses the network element selection information master key and a random value for exporting the network element selection information encryption key, and exports the network element selection information encryption key with a key export algorithm; the UE encrypts the network element selection information with the network element selection information encryption key to obtain the network element selection information ciphertext.
Encrypting the network element selection information further improves the security of the information.
Optionally, the SUCI further includes a network element selection information master key identifier.
Optionally, the network element selection information master key, the network element selection information and the network element selection information master key identifier are stored in the USIM.
Optionally, if the USIM in the UE holds no network element selection information master key, the UE does not encrypt the network element selection information and places the network element selection information directly in the SUCI.
Optionally, the UE sends the registration request to a visited public land mobile network (VPLMN), and the VPLMN forwards it to the HPLMN.
Correspondingly, on the network side, referring to Fig. 6, a message processing method provided by the embodiments of the present application comprises:
S201, receiving a registration request from a user equipment (UE), obtaining a SUCI from the registration request, and obtaining network element selection information from the SUCI; the network element selection information does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
S202, performing network element selection or message routing using the network element selection information.
Optionally, the network element selection information is network element selection information ciphertext;
Obtaining the SUCI from the registration request and obtaining the network element selection information from the SUCI specifically comprises the following operations, performed by a network element selection information decryption function entity:
obtaining the network element selection information master key using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, selecting a default master key or using a null decryption scheme, according to the system configuration;
exporting the network element selection information decryption key with a key export algorithm, using the network element selection information master key and the random value in the SUCI that was used for exporting the network element selection information encryption key;
decrypting the network element selection information ciphertext with the network element selection information decryption key to obtain the network element selection information;
supplying the network element selection information to the network element in the HPLMN that needs to perform network element selection or message routing.
Optionally, performing network element selection or message routing using the network element selection information specifically comprises:
the network element in the HPLMN that needs to perform network element selection or message routing forwarding the registration request to the target network element according to the network element selection information.
Optionally, the network element in the HPLMN that needs to perform network element selection or message routing also attaches the obtained network element selection information to the message forwarded to the target network element.
On the UE side, referring to Fig. 7, a message processing apparatus provided by the embodiments of the present application comprises:
a memory 620 for storing program instructions;
a processor 600 for calling the program instructions stored in the memory and, according to the obtained program, executing:
determining a registration request, where the registration request carries a subscription concealed identifier (SUCI), and the SUCI contains network element selection information that does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
sending the registration request to the network side.
Optionally, the apparatus further includes a universal subscriber identity module (USIM) (not shown in Fig. 7; see Fig. 2); the network element selection information is network element selection information ciphertext;
if the USIM holds a network element selection information master key, the USIM uses the network element selection information master key and a random value for exporting the network element selection information encryption key, and exports the network element selection information encryption key with a key export algorithm;
the processor encrypts the network element selection information with the network element selection information encryption key to obtain the network element selection information ciphertext.
Optionally, the SUCI further includes a network element selection information master key identifier.
Optionally, the network element selection information master key, the network element selection information and the network element selection information master key identifier are stored in the USIM.
Optionally, if the USIM holds no network element selection information master key, the processor does not encrypt the network element selection information and places the network element selection information directly in the SUCI.
Optionally, the processor sends the registration request through a transceiver to a visited public land mobile network (VPLMN), and the VPLMN forwards it to the HPLMN.
a transceiver 610 for sending and receiving data under the control of the processor 600.
In Fig. 7, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 600 and memory represented by the memory 620. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and therefore not described further herein. A bus interface provides the interface. The transceiver 610 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. For different user equipment, a user interface 630 may also be an interface for externally or internally connecting required equipment, the connected equipment including but not limited to a keypad, a display, a loudspeaker, a microphone, a joystick, etc.
The processor 600 is responsible for managing the bus architecture and general processing, and the memory 620 may store data used by the processor 600 when performing operations.
Optionally, the processor 600 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or a complex programmable logic device (CPLD).
Correspondingly, on the network side, referring to Fig. 8, a message processing apparatus provided by the embodiments of the present application comprises:
a memory 520 for storing program instructions;
a processor 500 for calling the program instructions stored in the memory and, according to the obtained program, executing:
receiving a registration request from a user equipment (UE), obtaining a SUCI from the registration request, and obtaining network element selection information from the SUCI; the network element selection information does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
performing network element selection or message routing using the network element selection information.
Optionally, the network element selection information is network element selection information ciphertext;
obtaining the SUCI from the registration request and obtaining the network element selection information from the SUCI specifically comprises the following operations, performed by a network element selection information decryption function entity:
obtaining the network element selection information master key using the network element selection information master key identifier in the SUCI; if the SUCI does not carry the network element selection information master key identifier, selecting a default master key or using a null decryption scheme, according to the system configuration;
exporting the network element selection information decryption key with a key export algorithm, using the network element selection information master key and the random value in the SUCI that was used for exporting the network element selection information encryption key;
decrypting the network element selection information ciphertext with the network element selection information decryption key to obtain the network element selection information;
supplying the network element selection information to the network element in the HPLMN that needs to perform network element selection or message routing.
Optionally, the apparatus is the network element in the HPLMN that needs to perform network element selection or message routing; performing network element selection or message routing using the network element selection information specifically comprises:
forwarding the registration request to the target network element according to the network element selection information.
Optionally, the processor is further configured to attach the obtained network element selection information to the message forwarded to the target network element.
a transceiver 510 for sending and receiving data under the control of the processor 500.
In Fig. 8, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 500 and memory represented by the memory 520. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and therefore not described further herein. A bus interface provides the interface. The transceiver 510 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 500 when performing operations.
The processor 500 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or a complex programmable logic device (CPLD).
On the UE side, referring to Fig. 9, another message processing apparatus provided by the embodiments of the present application comprises:
a determination unit 303 for determining a registration request, where the registration request carries a subscription concealed identifier (SUCI), and the SUCI contains network element selection information that does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
a transmission unit 304 for sending the registration request to the network side.
On the network side, referring to Fig. 10, another message processing apparatus provided by the embodiments of the present application comprises:
a first unit 301 for receiving a registration request from a user equipment (UE), obtaining a SUCI from the registration request, and obtaining network element selection information from the SUCI; the network element selection information does not belong to the mobile subscriber identification number (MSIN) and is used for selecting a target network element in the home public land mobile network (HPLMN);
a second unit 302 for performing network element selection or message routing using the network element selection information.
A universal subscriber identity module (USIM) provided by the embodiments of the present application comprises:
a memory for storing program instructions and for storing network element selection information;
a processor for calling the program instructions stored in the memory and, according to the obtained program, executing:
if the memory also stores a network element selection information master key, exporting the network element selection information encryption key with a key export algorithm, using the network element selection information master key and a random value for exporting the network element selection information encryption key.
Optionally, the memory also stores the network element selection information master key and the network element selection information master key identifier.
The embodiments of the present application provide a computing device, which may specifically be a desktop computer, a portable computer, a smart phone, a tablet computer, a personal digital assistant (PDA), etc. The computing device may include a central processing unit (CPU), a memory, input/output devices, etc.; the input devices may include a keyboard, a mouse, a touch screen, etc., and the output devices may include a display device such as a liquid crystal display (LCD), a cathode ray tube (CRT), etc.
The memory may include read-only memory (ROM) and random access memory (RAM), and provides the processor with the program instructions and data stored in the memory. In the embodiments of the present application, the memory may be used to store the program of any of the methods provided by the embodiments of the present application.
The processor calls the program instructions stored in the memory and is configured to execute any of the methods provided by the embodiments of the present application according to the obtained program instructions.
The embodiments of the present application provide a computer storage medium for storing the computer program instructions used by the above apparatuses provided by the embodiments of the present application, which contain the programs for executing any of the above methods provided by the embodiments of the present application.
The computer storage medium may be any usable medium or data storage device accessible to a computer, including but not limited to magnetic storage (such as floppy disks, hard disks, magnetic tape, magneto-optical disks (MO), etc.), optical storage (such as CD, DVD, BD, HVD, etc.) and semiconductor memory (such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state disks (SSD)), etc.
The methods provided by the embodiments of the present application may be applied to a terminal device and may also be applied to a network device.
The terminal device is also referred to as user equipment (UE), mobile station (MS), mobile terminal, etc. Optionally, the terminal may have the capability of communicating with one or more core networks through a radio access network (RAN); for example, the terminal may be a mobile phone (or a "cellular" phone) or a computer with mobile properties; for example, the terminal may be a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile device.
The network device may be a core network device, an access network device, etc., for example a base station (e.g. an access point), which refers to a device in the access network that communicates with wireless terminals over the air interface through one or more sectors. The base station may be used to convert received air frames into IP packets and vice versa, acting as a router between the wireless terminal and the rest of the access network, where the rest of the access network may include an Internet Protocol (IP) network. The base station may also coordinate attribute management of the air interface. For example, the base station may be a base transceiver station (BTS) in GSM or CDMA, a NodeB in WCDMA, an evolved Node B (NodeB, eNB or e-NodeB) in LTE, or a gNB in a 5G system. The embodiments of the present application impose no limitation on this.
The above method flow may be implemented by a software program, which may be stored in a storage medium; when the stored software program is called, the above method steps are executed.
In conclusion in the embodiment of the present application, in SUCI containing be not belonging to MSIN for the selection target net in HPLMNThe network element selection information ciphertext of member and possible key relevant to the ciphertext indicate information.The network element selects information pairVPLMN is meaningless.Network element selection information may be protected by the security mechanism based on key, to avoid message in transmission processMiddle eavesdropped and cause leakage of private information.Only HPLMN could be decrypted the encryption information.
In the side UE, network element selects information, and network element selects information master key, and network element selection information master key mark should be stored inIn USIM.Network element selects information master key, and network element selection information master key is identified as option.
Network element selection information encryption key export executes in USIM, and USIM is using network element selection information master key to coming fromIt can be used as random value (nonce) and other possible input parameters execution key export operations in SUCI, and obtain network elementSelect information encryption key.
Information and network element selection information master key are selected when being stored with network element in USIM, but not stored network element selects information masterKey identification, then not including in SUCI has network element selection information master key mark.HPLMN default uses default master key at this timeCarry out key export and decryption.
When be stored in USIM network element selection information, but it is not stored have network element selection information master key and network element selection informationMaster key mark, then UE default is encrypted using null-encryption scheme, namely does not execute key export and cryptographic operation, directly willThe network element selection information stored in USIM is added in SUCI, and not including in SUCI has network element selection information master key to identify.
Need the network element for carrying out network element selection or routing using the network element selection information provided by SUCI that should call in HPLMNNetwork element selection information decryption function is decrypted or parses to the network element selection information ciphertext for including in SUCI, and needs to network elementIt selects information decryption function to provide network element and selects information ciphertext, network element selects information master key mark, in SUCInonce.Wherein network element selection information master key is identified as optional project.
Network element selects information decryption function to obtain corresponding network element using network element selection information master key mark and selects informationMaster key.If network element selection information master key is identified as sky, default using default master key, or used according to system configurationEmpty decryption scheme.Network element selects information decryption function to select information master key using network element, the value in SUCI as nonce, andOther possible parameters select information decryption key using key exported algorithm export network element.
Network element selects information decryption function to select information ciphertext using network element selection information decryption key decryption network element, obtainsNetwork element selects information.
The network element for needing to carry out network element selection or message routing in HPLMN selects information by login request message according to network elementIt is transmitted to target network element, and selectively the network element selection information of acquisition is attached in the message of forwarding, so as to subsequent network elementSubsequent network element selection directly can be carried out using network element selection information to route with message.
That is, the embodiment of the present application provide in HPLMN to needed in registration process network element selection orThe technical solution of routing iinformation progress secret protection.
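The following is an added example, written for this page and not code from the application, that puts the mechanism just summarized (and the UE-side method, the network-side decryption function and the AUSF routing step of embodiment one described above) into running form. The application names no concrete algorithms or message formats, so everything below is assumed: the key export is an HMAC-SHA256 derivation over the master key and the nonce, the encryption is a counter-mode keystream from HMAC-SHA256 with a truncated HMAC tag (encrypt-then-MAC), the SUCI is a dict with hypothetical field names (`nesi`, `nesi_ct`, `nesi_nonce`, `nesi_mk_id`), and all key material, the MSIN and the UDM directory are constructed values. The three cases of the application are covered: master key with identifier, master key without identifier (the HPLMN falls back to its default master key), and no master key (null encryption, selection information placed in the SUCI in the clear).

```python
# Added example, not the application's code. All key material, the SUCI field
# names, the KDF and the cipher construction are assumptions made here.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, hypothetical key material shared by the USIM and the HPLMN.
MASTER_KEYS = {"mk-2019-01": hashlib.sha256(b"constructed master key 1").digest()}
DEFAULT_MASTER_KEY = hashlib.sha256(b"constructed default master key").digest()
TAG_LEN = 16

def export_keys(master_key: bytes, nonce: bytes, other: bytes = b"NESI") -> Tuple[bytes, bytes]:
    """Key export (assumed HMAC-SHA256 KDF, the application names none):
    master key + nonce + other parameters -> (encryption key, integrity key)."""
    k_enc = hmac.new(master_key, other + b"|enc|" + nonce, hashlib.sha256).digest()
    k_mac = hmac.new(master_key, other + b"|mac|" + nonce, hashlib.sha256).digest()
    return k_enc, k_mac

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (assumed construction).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_nesi(master_key: bytes, nonce: bytes, nesi: bytes) -> bytes:
    """UE side: encrypt-then-MAC of the selection information; returns ct || tag."""
    k_enc, k_mac = export_keys(master_key, nonce)
    ct = bytes(a ^ b for a, b in zip(nesi, _keystream(k_enc, nonce, len(nesi))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag

def decrypt_nesi(master_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """HPLMN side: verify the tag first, then strip the keystream."""
    k_enc, k_mac = export_keys(master_key, nonce)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("network element selection information: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

@dataclass
class USIM:
    msin: str                              # constructed, not a real subscriber
    nesi: bytes                            # selection information, plaintext
    master_key: Optional[bytes] = None     # optional, per the application
    master_key_id: Optional[str] = None    # optional, per the application

def build_suci(usim: USIM, nonce: Optional[bytes] = None) -> dict:
    """UE side, the three cases of the application. Only the MSIN and the
    selection-information fields are modelled; the PLMN part is omitted."""
    suci = {"msin": usim.msin}
    if usim.master_key is None:
        suci["nesi"] = usim.nesi           # null-encryption scheme, no key id
        return suci
    nonce = nonce or secrets.token_bytes(16)
    suci["nesi_ct"] = encrypt_nesi(usim.master_key, nonce, usim.nesi)
    suci["nesi_nonce"] = nonce             # the random value used for key export
    if usim.master_key_id is not None:
        suci["nesi_mk_id"] = usim.master_key_id
    return suci

class NESIDF:
    """Network element selection information decryption function in the HPLMN.
    no_id_policy models the system configuration: "default" selects the default
    master key when the SUCI carries no key id, "null" expects plaintext."""
    def __init__(self, master_keys: dict, default_key: bytes, no_id_policy: str = "default"):
        self.master_keys, self.default_key, self.no_id_policy = master_keys, default_key, no_id_policy

    def decrypt(self, suci: dict) -> bytes:
        if "nesi" in suci:
            return suci["nesi"]            # null-encryption scheme: nothing to decrypt
        mk_id = suci.get("nesi_mk_id")
        if mk_id is not None:
            master_key = self.master_keys[mk_id]   # KeyError: unknown key id
        elif self.no_id_policy == "default":
            master_key = self.default_key
        else:
            raise ValueError("ciphertext without key id, but null decryption is configured")
        return decrypt_nesi(master_key, suci["nesi_nonce"], suci["nesi_ct"])

# Constructed directory: selection information -> address of the target UDM.
UDM_DIRECTORY = {b"udm-group:1": "udm1.hplmn.example", b"udm-group:2": "udm2.hplmn.example"}

def ausf_route(suci: dict, nesidf: NESIDF) -> str:
    """Embodiment one: the AUSF has the NESIDF decrypt the SUCI, parses the
    selection information and returns the target UDM to forward the request to."""
    nesi = nesidf.decrypt(suci)
    if nesi not in UDM_DIRECTORY:
        raise ValueError("unknown network element selection information %r" % nesi)
    return UDM_DIRECTORY[nesi]
```

Two points the code makes explicit that the prose leaves implicit: the VPLMN (the SEAF that forwards the request) sees only `nesi_ct` and the nonce, never the selection information, so it gains nothing routable from it; and because the SUCI without a key identifier looks the same in the "default master key" and the "null encryption" cases, the HPLMN must resolve that ambiguity from its own configuration, which is what `no_id_policy` stands in for. The integrity tag is an addition of this example (the application only speaks of encryption); without it a modified ciphertext would decrypt to garbage and be rejected only by the directory lookup.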
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various modifications and variations to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.