
WO2018120150A1 - Method and apparatus for connection between network entities - Google Patents

Method and apparatus for connection between network entities

Info

Publication number
WO2018120150A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
identifier
security information
communication connection
storage function
Legal status
Ceased
Application number
PCT/CN2016/113796
Other languages
French (fr)
Chinese (zh)
Inventor
马景旺
陈璟
王江胜
李�赫
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present application relates to the field of wireless communications, and in particular, to a method and apparatus for connecting between network functional entities.
  • a network element (NE) architecture is adopted in an evolved packet core (EPC).
  • the typical NEs included in the architecture include a mobility management entity (MME) and a service.
  • current EPC network functions, e.g., mobility management, bearer management, location management, etc.
  • PCRF policy and charging rules function
  • HSS home subscriber server
  • NF network function
  • the NF service provided by the EPC is fixed and distributed among the various NEs. Therefore, if a new NF needs to be introduced to support users' needs, the EPC must redefine and redesign the processing logic and interaction procedures of the NEs. Such a redesign means a long and costly development cycle for the equipment manufacturer, which in turn means that the network operator cannot release the new network service in time.
  • the general NF management method is as follows: the core network part can adopt a service oriented architecture.
  • the NE, for example an MME or S-GW
  • the NEs in the original network architecture are defined as different NF components according to functional category, for example: an authentication and security function (AuF), a session management function (SM NF), a mobility management function (MM NF), a policy control function (PCF), and so on. These functions are implemented by the corresponding NF components, each of which provides services to other NF components or functions through a defined service interface.
  • AuF Authentication and security functions
  • SM NF session management function
  • MM NF mobility management function
  • PCF policy control function
  • after receiving a message of the SM category sent by the user equipment (UE), the MM NF sends the SM message to the SM NF, and the SM NF performs the processing of the session.
  • UE user equipment
  • when establishing communication between NFs, an NF first obtains the network address of the peer NF, then establishes a communication connection with the peer NF, and then sends a message such as a service request to the peer NF for processing.
  • a security problem exists: because of an exception, or because of the NF itself, an NF may send an incorrect service request message to other NFs. For example, according to the business logic, the authentication and security function does not need to send a user's session request message to the packet data session management function.
  • the session request message covers the establishment, update, and deletion of the session; but when an abnormality or an attack occurs at the authentication and security function, a request message for deleting the user's data session connection may be sent to the packet data session management function. After the packet data session management function accepts the service request and performs the corresponding session connection deletion, the affected user terminal can no longer receive or send data, so the service is abnormal. Therefore, communication security between NFs needs to be addressed to avoid unauthorized access between NFs.
  • the embodiments of the present application provide a connection method and device between network function entities to solve the communication security problem between network function entities.
  • the application provides a network function entity connection method, applied to a network function (NF) entity that receives a communication connection request. The method includes: the second NF entity receives a communication connection request from the first NF entity, where the communication connection request includes an identifier of the first NF entity and a security information identifier; the second NF entity obtains the security information corresponding to the security information identifier from the NF storage function entity; and if the security information includes the identifier of the first NF entity, the second NF entity establishes a communication connection with the first NF entity.
  • the NF storage function module pre-stores the identifiers of the respective NF entities. When one NF entity accesses another, for example the second NF entity, the NF storage function entity controls NF connection access by obtaining security information and providing it to the second NF entity, so that the second NF entity can verify the authenticity and security of the identity requesting the connection according to the security information, thereby implementing a secure connection between NFs and avoiding unauthorized access between NFs.
  • the security information includes the identifier of the first NF entity
  • establishing a communication connection with the first NF entity includes: the security information includes at least one NF entity identifier, and if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, the second NF entity establishes a communication connection with the first NF entity.
  • the communication connection request further includes a first challenge random number
  • the second NF entity establishing a communication connection with the first NF entity includes: the second NF entity obtains a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity, and decrypts the first encrypted ciphertext with the first key to generate a second challenge random number; if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, and the first challenge random number is the same as the second challenge random number, the second NF entity establishes a communication connection with the first NF entity.
  • the method further includes: if the second NF entity establishes a communication connection with the first NF entity, the second NF entity generates a third challenge random number, generates a second encrypted ciphertext from the third challenge random number and the first key, and sends the second encrypted ciphertext and the third challenge random number to the first NF entity.
  • the security information further includes an effective time of the security information, and is used to check whether the security information is valid.
  • the present application provides a network function entity connection method, applied to an NF entity that initiates a communication connection request. The method includes: the first NF entity sends the identifier of the first NF entity and the requested NF type information to the NF storage function entity; receives from the NF storage function entity a security information identifier and an identifier of a second NF entity corresponding to the NF type; and sends a communication connection request to the second NF entity, where the communication connection request includes the identifier of the first NF entity and the security information identifier.
  • the method further includes: the first NF entity receives a communication connection response from the second NF entity, the communication connection response indicating whether the second NF entity allows a communication connection to be established with the first NF entity.
  • the method further includes: the first NF entity receives a first key from the NF storage function entity; the first NF entity acquires a first challenge random number, generates a first encrypted ciphertext from the first challenge random number and the first key, and sends the first encrypted ciphertext and the first challenge random number to the second NF entity.
  • the method further includes: if the communication connection response indicates that a communication connection is allowed to be established, the first NF entity receives a second encrypted ciphertext and a third challenge random number from the second NF entity; the first NF entity decrypts the second encrypted ciphertext using the first key to generate a fourth challenge random number, and if the fourth challenge random number is the same as the third challenge random number, establishes a session connection with the second NF entity.
  • the method further includes: the first NF entity receives at least one piece of security information sent from the NF storage function entity, where each piece of security information includes the identifier of the first NF entity and the identifier of an NF entity that satisfies the NF type condition; the first NF entity selects the NF entity of one of the at least one piece of security information as the second NF entity.
  • the present application provides a security information sending method, applied to an NF storage function entity. The method includes: the NF storage function entity receives the identifier of a first NF entity and the requested NF type information from the first NF entity; obtains, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and sends the security information identifier and the identifier of the second NF entity to the first NF entity. Further, the obtaining step includes generating them internally in the NF storage function entity or acquiring them from other entities.
  • the NF storage function entity obtaining the security information identifier and the identifier of the second NF entity corresponding to the NF type includes: the NF storage function entity determines, according to the identifier of the first NF entity and the NF type information, at least one NF entity that satisfies the NF type condition, and generates at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of an NF entity that satisfies the NF type condition.
  • the NF storage function entity receiving the identifier of the first NF entity and the requested NF type information from the first NF entity includes: the NF storage function entity receives the identifier of the first NF entity and the requested NF type information, forwarded by the first NF storage function entity.
  • the NF storage function entity acquires a security information identifier and an identifier of a second NF entity corresponding to the NF type.
  • the first NF storage function entity determines the second NF storage function entity according to the identifier of the deployed PLMN, and sends the identifier of the first NF entity and the requested NF type information to the second NF storage function entity; it receives at least one piece of security information returned from the second NF storage function entity, where the security information includes the identifier of the first NF entity and the identifier of an NF entity that satisfies the NF type condition.
  • the second NF entity is configured to obtain, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type, and to send the security information identifier and the identifier of the second NF entity to the first NF storage function entity.
  • the first NF storage function entity and the first NF entity belong to the first PLMN
  • the second NF storage function entity and the second NF entity belong to the second PLMN.
  • the first NF storage function entity in the first PLMN interacts with the second NF storage function entity in the second PLMN, and the second NF storage function entity in the second PLMN provides the information of the second NF entity and the corresponding security information and keys to the second NF entity, thereby enabling control of communication between NF entities located in different PLMNs and a secure communication connection between the NF entities.
  • the method further includes: the NF storage function entity sends the security information and the identifier of the second NF entity to the second NF entity in either of the following ways: the NF storage function entity actively sends the security information and the identifier of the second NF entity; or the NF storage function entity sends them to the second NF entity after receiving the security information identifier from the second NF entity.
  • the method further includes: the NF storage function entity sends a first key to the first NF entity and the second NF entity, where the first key is used to decrypt the first encrypted ciphertext obtained by the second NF entity from the first NF entity.
  • the method further includes: the NF storage function entity detects whether the first NF entity is allowed to initiate a communication connection request to the second NF entity.
  • the NF storage function entity stores an NF type list of the first NF entity, and the NF storage function entity detecting whether the communication connection request is allowed to be initiated includes: determining whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity; if yes, the communication connection request is allowed to be initiated; otherwise, the communication connection request is not allowed to be sent.
  • the method provided by the present invention controls NF entity discovery through the NF storage function module, and provides the security information and the key information to the peer NF entity discovered by the NF, so that the NF entity can verify the authenticity of the other party's identity according to the security information and the key before establishing a communication connection, thereby achieving secure and reliable inter-NF access and avoiding unauthorized access between NFs.
  • the present application further provides a network function NF entity, configured to receive a communication connection request initiated by a requester, for example applied to a second network function NF entity, including: a transceiver unit, configured to receive a communication connection request from the first network function NF entity, where the communication connection request includes an identifier of the first NF entity and a security information identifier, and further configured to acquire the security information corresponding to the security information identifier from the NF storage function entity; and a processing unit, configured to determine that, if the security information includes the identifier of the first NF entity, the second NF entity establishes a communication connection with the first NF entity.
  • the transceiver unit and the processing unit are also used to implement the method steps of the various implementations of the aforementioned first aspect.
  • the present application further provides another network function NF entity, configured to initiate a communication connection request, for example applied to a first network function NF entity, including a transceiver unit configured to send the identifier of the first NF entity and the requested NF type information to the NF storage function entity; further configured to receive the security information identifier and the identifier of the second NF entity corresponding to the NF type from the NF storage function entity; and further configured to send a communication connection request to the second NF entity, where the communication connection request includes the identifier of the first NF entity and the security information identifier.
  • the NF entity may further comprise a processing unit, the transceiver unit and the processing unit being further for implementing the method steps of the various implementations of the aforementioned second aspect.
  • the application further provides a security information sending apparatus, configured to control NF discovery, for example applied to the NF storage function entity, including: a transceiver unit, configured to receive the identifier of the first NF entity and the requested NF type information from the first NF entity; and a processing unit, configured to acquire, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; the transceiver unit is further configured to send the security information identifier and the identifier of the second NF entity to the first NF entity. Furthermore, the transceiver unit and the processing unit are also used to implement the method steps of the various implementations of the aforementioned third aspect.
  • the present application further provides an NF entity device, including a transceiver and a processor for performing the method steps in the implementations of the first aspect or the fourth aspect.
  • the transceiver may be implemented by a transceiver unit in the NF entity device, or may be implemented by the processor to control the transceiver.
  • the present application further provides an NF entity device, including a transceiver and a processor for performing the method steps in the implementations of the second aspect or the fifth aspect.
  • the transceiver may be implemented by a transceiver unit in the NF entity device, or may be implemented by the processor to control the transceiver.
  • the present application further provides an NF storage function entity device, including a transceiver and a processor for performing the method steps in the implementation manners of the third aspect or the sixth aspect.
  • the transceiver may be implemented by a transceiver unit in the NF storage function module device, or may be implemented by the processor to control the transceiver.
  • the present application further provides an NF entity connection system, including the NF entity device described in the foregoing seventh aspect and the eighth aspect implementation manner, and the NF storage function entity device described in the ninth aspect implementation manner.
  • the present application further provides a computer storage medium, where the computer storage medium can store a program, and when the program is executed, some or all of the steps of the network function entity connection method and the security information sending method provided by the present application can be performed.
  • FIG. 1 is a schematic structural diagram of a network including an EPC network element provided by the present application.
  • FIG. 2 is a schematic structural diagram of a network including NF provided by the present application.
  • FIG. 3 is a schematic flowchart of a method for connecting an NF entity according to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of another NF entity connection method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic flowchart of still another NF entity connection method according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a second NF entity according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a first NF entity according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of an NF storage function entity according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of an NF entity according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of an NF storage function entity according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of another NF storage function entity according to an embodiment of the present disclosure.
  • the method provided by each embodiment of the present application splits N network slices on a common network infrastructure of the core network, and the network slice may also be referred to as a private network, a dedicated network.
  • a service oriented architecture may be adopted in the network slice.
  • the NE, for example an MME or S-GW
  • the NEs in the original network architecture are defined as different NFs according to the type of function, for example authentication and security functions, packet data session management functions, mobility management functions and access control functions, policy control functions, etc., which are implemented by corresponding NF components, each of which provides services to other NF components or functions through a defined service interface.
  • Multiple network slices (sliceA, sliceB, and sliceC) of the same carrier use the same public land mobile network (PLMN) and can be deployed in the carrier's infrastructure through cloud technologies and virtualization technologies.
  • PLMN public land mobile network
  • the operator's technical facilities include the operator's cloud computing and transmission infrastructure.
  • the NF entities in various embodiments of the present application include, but are not limited to, an authentication and security function entity, a packet data session management function entity, a mobility management function entity, an access control function entity, a policy control function entity, etc., and the NF entities are corresponding NF component implementations, each NF component serving other NF components or functions through a defined service interface.
  • the NFs need to interact with each other to complete related network services. For example, the MM NF sends the SM message to the SM NF for processing by the SM NF.
  • an NF should verify whether the communication connection between NFs is permitted and verify the authenticity of the other party's identity, so as to avoid unauthorized access between NFs.
  • for identity verification and secure connection between NFs, the embodiment of the application provides a network function entity connection method and device; the method provided by the present application is described in detail below:
  • the two NF entities are respectively a first NF entity and a second NF entity, where the first NF entity sends a communication connection request to the second NF entity so that it establishes a communication connection with the second NF entity.
  • the NF storage function (English: NF repository function) entity is configured to store the identifiers of the NF entities in the network, and to provide information such as security information and a key to the sender of the communication connection request.
  • the network function entity connection method includes the following steps:
  • Step 301 When the first NF entity needs to access the second NF entity, the first NF entity sends the identifier of the first NF entity and the requested NF type information to the NF storage function entity.
  • the identifier of the first NF entity and the requested NF type information may be sent by using an NF discovery request, where the NF type information is used to indicate that the first NF entity requests the NF type that needs to provide the service.
  • the NF type includes an authentication and security function (AuF), a packet data management function (SM NF), a mobility management function (MM NF), a policy control function (PCF), etc.
  • AuF authentication and security function
  • SM NF packet data management function
  • MM NF mobility management function
  • PCF policy control function
  • the identifier of the NF entity is used to identify an NF entity, for example, may include a PLMN ID, a combination of an NF type and a sequence number, a network address of the NF entity, or any other form of information that can identify the NF entity.
  • Step 302 After receiving the NF discovery request from the first NF entity, the NF storage function entity determines at least one NF entity that satisfies the condition according to the identifier of the first NF entity and the NF type, and generates at least one piece of security information and an identifier of the second NF entity corresponding to the NF type; the security information for each such NF entity carries a corresponding security information identifier.
  • the security information may be a security token or a security evidence.
  • the security information identifier may be a security token ID or a security evidence identifier.
  • the NF storage function entity searches for an NF entity having the requested NF type; for example, for a PCF request, the NF storage function entity searches the pre-stored NF entities for NFs of the PCF type.
  • it may find one NF entity or multiple NF entities with PCF functionality. For example, suppose the first NF entity is a session management function (SMF NF) entity that needs to discover a PCF NF entity; if the NF storage function entity finds that two PCF NF entities meet the requirements, the NF storage function entity generates two pieces of security information.
  • the first security information includes the SMF NF entity identifier and the PCF_1 NF entity identifier.
  • the second security information includes the SMF NF entity identifier and the PCF_2 NF entity identifier; both pieces of security information are sent to the SMF NF entity, the first security information is sent to the PCF_1 NF entity, and the second security information is sent to the PCF_2 NF entity.
  • the security information is used to verify the authenticity of the identity of the first NF entity and the NF entity to be connected, and each security information further includes an identifier of the NF entity to be connected.
  • the security information includes an identifier of the first NF entity and an identifier of the (second) NF entity to be connected. For example, if the NF type of the first NF entity located in a certain PLMN network is the packet data session management function (SM NF), the identifier of the first NF entity may be a combination of a PLMN ID, an NF type, and a sequence number, such as PLMN ID.SMF.001, so that the NF entity is uniquely identified; optionally, the network address of the NF entity may also be used as the identifier of the NF entity.
  • the NF storage function entity also generates an NF discovery response.
  • Step 303 The NF storage function entity sends the identifier of the at least one security information that meets the NF type and the identifier of the second NF entity that is corresponding to the NF type to the first NF entity by using the NF discovery response.
  • the method further includes:
  • the NF storage function entity detects whether the first NF entity is allowed to initiate a communication connection request, or detects whether the NF discovery request allows access. By setting up such a detection mechanism, access between NF entities can be controlled as early as the NF discovery stage, which reduces the load on the accessed NF entity and enhances the security of access between NF entities.
  • the process of the NF storage function entity detecting whether the communication connection request is allowed to be established includes: the NF storage function entity stores a list of NF types accessible by the first NF entity, and the NF storage function entity may determine, according to the service logic, whether the NF type corresponding to the NF entity to be connected is in the NF type list accessible by the first NF entity. If the NF type corresponding to the NF entity to be connected is in the list of NF types accessible by the first NF entity, access is allowed; if it is not in the list, the access connection is denied.
  • Step 304 The first NF entity receives the security information identifier (or security information) sent by the NF storage function entity and the identifier of the second NF entity corresponding to the NF type.
  • the first NF entity receives them through the NF discovery response.
  • the first NF entity selects one of the security information identifiers, takes the NF entity identified by the selected security information as the second NF entity, and establishes a session connection.
  • the NF storage function module can send the security information (some or all of it) satisfying the NF type condition to the first NF entity, so that the first NF entity can select a preferred NF entity as the second NF entity and establish a communication connection with it; this gives the first NF entity multiple options for selecting a good-quality second NF entity, further improving the reliability and security of the communication connection. Of course, the NF storage function module may also select a preferred NF entity as the second NF entity on behalf of the first NF entity, and send the security information of the second NF entity to the first NF entity.
  • Step 305 The first NF entity generates a communication connection request, and sends the identifier of the first NF entity and the security information identifier to the second NF entity by using the communication connection request.
  • the security information identifier uniquely corresponds to one piece of security information.
  • Step 306 The second NF entity receives a communication connection request from the first NF entity, where the communication connection request includes an identifier of the first NF entity and a security information identifier, and sends a verification request carrying the security information identifier to the NF storage function entity.
  • Step 307 The NF storage function entity receives the verification request sent by the second NF entity, and determines the corresponding security information according to the security information identifier of the first NF entity, where the security information includes the identifier of the first NF entity.
  • Step 308 The NF storage function entity sends the security information to the second NF entity by using a verification response.
  • Step 309 The second NF entity acquires security information sent by the NF storage function entity, and determines, according to the security information, whether a communication connection is established with the first NF entity.
• The second NF entity determines whether the identifier of the first NF entity in the security information is the same as the identifier of the first NF entity in the communication connection request, or whether the identifier of the first NF entity obtained by converting the security information is the same as the identifier in the communication connection request. For example, it determines whether the information sent by the NF storage function entity (such as a PLMN ID and an NF identifier like SMF.001), once converted into an IP address, is the same as the IP address carried by the first NF entity. If they are the same, the first NF entity is allowed to access the second NF entity, that is, the second NF entity establishes a communication connection with the first NF entity; if not, access is denied.
  • the communication connection request of step 305 further includes a first challenge random number (English: challenge) and a first encrypted ciphertext (English: encrypted text).
• When the NF storage function entity generates at least one piece of security information, it also generates a first key (English: key) and a valid time for each piece of security information. The first key is used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity, and the valid time of the security information is a set period for checking whether the security information is still valid. If the time at which the second NF entity verifies the identity of the first NF entity is beyond the valid time of the security information, the security information is invalid and the connection access is denied; if it is still valid, access is allowed.
  • the method further includes, in step 308, the NF storage function entity transmitting the first key and the valid time of the security information to the second NF entity.
• That the second NF entity determines, according to the security information, whether to establish a communication connection with the first NF entity further includes: the second NF entity obtains the first key from the NF storage function entity and the first encrypted ciphertext from the first NF entity, and decrypts the first encrypted ciphertext using the first key to generate a second challenge random number.
• If the identifier of the first NF entity in the security information is the same as the identifier in the communication connection request and the first challenge random number is the same as the second challenge random number, the second NF entity establishes a communication connection with the first NF entity; if at least one of them differs, the connection is refused.
• The NF storage function entity further includes the first key in the NF discovery response sent to the first NF entity.
  • the method further includes:
• Step 310 The second NF entity generates a third challenge random number, generates a second encrypted ciphertext using the third challenge random number and the first key, and sends the second encrypted ciphertext and the third challenge random number to the first NF entity.
  • the second encrypted ciphertext and the third challenge random number may or may not be carried in the communication connection response.
  • the second NF entity may further send the second encrypted ciphertext and the third challenge random number by using a data packet.
• Step 311 If the communication connection response indicates that the communication connection is allowed to be established, the first NF entity obtains the second encrypted ciphertext and the third challenge random number sent by the second NF entity in the communication connection response; the first NF entity decrypts the second encrypted ciphertext to generate a fourth challenge random number and determines whether the fourth challenge random number is the same as the third challenge random number. If they are the same, it establishes a session connection with the second NF entity.
• The second key for decrypting the second encrypted ciphertext may be obtained from the NF storage function entity.
• The NF storage function entity sends the first key to the first NF entity in the NF discovery response. If the second key used to decrypt the second encrypted ciphertext is the same as the first key, the generated fourth challenge random number is the same as the third challenge random number. If the second key does not come from the NF storage function entity and differs from the first key, the first NF entity cannot correctly decrypt the second encrypted ciphertext and refuses to establish a connection with the second NF entity.
• In this embodiment, the first NF entity initiates a communication connection request to the second NF entity.
• The NF storage function entity performs NF discovery control and provides the security information corresponding to the security information identifier of the first NF entity to the second NF entity to be connected, so that the second NF entity can verify the authenticity and security of the access requester, that is, the identity of the first NF entity, according to the security information, avoiding unauthorized access between NFs.
• The NF storage function entity stores the identities of the NF entities in the network, generates the security information, and sends a key to both ends of the NF entities requesting the communication connection, providing a basis and credentials for the access connection between the NF entities.
• After the second NF entity verifies the identity of the first NF entity that sent the communication connection request, it sends the second encrypted ciphertext and the third challenge random number to the first NF entity, so that the first NF entity can in turn verify the second NF entity using the key provided by the NF storage function entity, further strengthening the security of the communication between the NF entities.
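The exchange of steps 301 to 311, as an added worked example that is not part of the patent and not Huawei code. It models the three parties in Python: the NF storage function entity keeps the registry, the per-NF list of accessible NF types and the issued security information with its first key and valid time; the first NF entity sends its identifier, the security information identifier, the first challenge random number and that number encrypted under the first key; the second NF entity fetches the security information, checks the valid time and the identifier, decrypts and compares, then answers with the third challenge random number and its ciphertext for the reverse check. The NF identifiers SMF.001 and PCF.001, the 60-second validity period and the HMAC-SHA256 keystream cipher standing in for the unnamed encryption algorithm are assumptions of the example, and the verification request of step 306 is modelled as a direct call on the storage function object.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption; the page names none): XOR with an HMAC-SHA256 keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(16)  # fresh IV, prefixed to the ciphertext
    return iv + _keystream_xor(key, iv, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:16], ciphertext[16:])


@dataclass
class SecurityInfo:
    first_nf_id: str    # identifier of the requesting (first) NF entity
    second_nf_id: str   # identifier of the NF entity to be connected
    key: bytes          # first key, handed to both ends
    valid_until: float  # valid time of the security information


class NFStorageFunction:
    # Stores NF identities, each NF's list of accessible NF types, and issued security information.
    def __init__(self):
        self.registry = {}       # nf_id -> NF type
        self.allowed_types = {}  # nf_id -> set of NF types that NF may access
        self.security_info = {}  # security information identifier -> SecurityInfo

    def register(self, nf_id, nf_type, allowed_types):
        self.registry[nf_id] = nf_type
        self.allowed_types[nf_id] = set(allowed_types)

    def discover(self, first_nf_id, wanted_type, now, lifetime=60.0):
        # Steps 302-303: refuse unless wanted_type is in the requester's NF type list
        if wanted_type not in self.allowed_types.get(first_nf_id, set()):
            return None
        found = []
        for nf_id, nf_type in self.registry.items():
            if nf_type == wanted_type and nf_id != first_nf_id:
                sec_id, key = secrets.token_hex(8), secrets.token_bytes(32)
                self.security_info[sec_id] = SecurityInfo(first_nf_id, nf_id, key, now + lifetime)
                found.append((sec_id, nf_id, key))  # carried in the NF discovery response
        return found

    def verify(self, sec_id):
        # Steps 307-308: answer the second NF entity's verification request
        return self.security_info.get(sec_id)


class NFEntity:
    def __init__(self, nf_id, nrf):
        self.nf_id, self.nrf = nf_id, nrf

    def build_connection_request(self, sec_id, key):
        # Step 305: own identifier, security information identifier, challenge R1 and E_K(R1)
        r1 = secrets.token_bytes(16)
        return {"first_nf_id": self.nf_id, "sec_id": sec_id, "challenge": r1, "ciphertext": encrypt(key, r1)}

    def handle_connection_request(self, req, now):
        # Steps 306-310, run by the second NF entity
        info = self.nrf.verify(req["sec_id"])
        if info is None or now > info.valid_until:  # unknown identifier or expired
            return {"allowed": False}
        if info.first_nf_id != req["first_nf_id"] or info.second_nf_id != self.nf_id:
            return {"allowed": False}  # identifier in the request does not match the security information
        r2 = decrypt(info.key, req["ciphertext"])
        if not hmac.compare_digest(r2, req["challenge"]):  # requester does not hold the first key
            return {"allowed": False}
        r3 = secrets.token_bytes(16)  # third challenge, encrypted for the reverse check in step 311
        return {"allowed": True, "challenge": r3, "ciphertext": encrypt(info.key, r3)}

    def check_connection_response(self, resp, key):
        # Step 311: decrypt with the key from the NF discovery response and compare R4 with R3
        return resp["allowed"] and hmac.compare_digest(decrypt(key, resp["ciphertext"]), resp["challenge"])


def run_exchange(now=1000.0, forged_first_id=None, delay=0.0, wrong_key=False):
    # One full exchange between constructed NFs SMF.001 and PCF.001; the knobs model the failure cases.
    nrf = NFStorageFunction()
    nrf.register("SMF.001", "SMF", allowed_types={"PCF"})
    nrf.register("PCF.001", "PCF", allowed_types=set())
    smf, pcf = NFEntity("SMF.001", nrf), NFEntity("PCF.001", nrf)
    sec_id, _pcf_id, key = nrf.discover("SMF.001", "PCF", now)[0]
    req = smf.build_connection_request(sec_id, key)
    if forged_first_id:  # a request replayed under another NF's identity
        req["first_nf_id"] = forged_first_id
    resp = pcf.handle_connection_request(req, now + delay)
    return smf.check_connection_response(resp, secrets.token_bytes(32) if wrong_key else key)
```

Two points a practitioner should keep in mind when implementing this scheme. The challenge and its ciphertext travel together, so the proof is only that the sender holds the first key; the cipher therefore has to be one for which a known plaintext/ciphertext pair leaks nothing, and an authenticated cipher (or a MAC over the challenge) does the job more directly than the stand-in above. The freshness of the challenge random numbers and the valid time of the security information are what bound replay of a captured request; both sides should reject reused challenges and expired identifiers, as `handle_connection_request` does for the valid time.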
• Embodiment 2 has the same application scenario as the first embodiment and describes the process by which the first NF entity discovers and accesses the second NF entity.
• The difference from the first embodiment is that, after the NF storage function entity detects that the first NF entity is allowed to access the second NF entity, it actively sends at least one piece of security information and a key to the second NF entity. Specifically, as shown in FIG. 4:
• For steps 401 to 404, reference may be made to steps 301 to 304 in the first embodiment; details are not repeated here.
• Step 405 The NF storage function entity actively sends the generated at least one piece of security information to each NF entity that satisfies the NF type condition, where the security information includes the identifier of the first NF entity.
• For example, if the NF storage function entity finds that two PCF NF entities meet the connection requirement, it generates two pieces of security information: the first includes the SMF NF entity identifier and the PCF_1 NF entity identifier, and the second includes the SMF NF entity identifier and the PCF_2 NF entity identifier. The first is sent to the PCF_1 NF entity and the second to the PCF_2 NF entity.
• The first NF entity receives the SMF NF entity identifier, the PCF_1 NF entity identifier and the PCF_2 NF entity identifier sent by the NF storage function entity, selects one of the PCF NF entities as the second NF entity, for example PCF_1, and sends a communication connection request to it.
  • Step 406 The first NF entity sends a communication connection request to the selected second NF entity, where the communication connection request includes a security information identifier and an identifier of the first NF entity.
• The communication connection request further includes the first challenge random number and the first encrypted ciphertext.
  • the execution order of the step 405 and the step 406 is not in a sequential relationship, that is, the second NF entity may first obtain the communication connection request sent by the first NF entity, and then obtain the security information sent by the NF storage function entity. Alternatively, the second NF entity simultaneously acquires the security information and the communication connection request.
• Step 407 The NF entity (the second NF entity) that receives the communication connection request sent by the first NF entity determines, according to the security information and the identifier of the first NF entity, whether to establish a communication connection with the first NF entity.
• Steps 407 to 409 are the same as steps 309 to 311 of the first embodiment and are not described again.
• Because the NF storage function entity sends the security information, the key and so on to the second NF entity directly, the second NF entity does not need to send a separate request to the NF storage function entity to obtain the corresponding security information, which shortens the verification process and improves the efficiency of verification between NFs.
• The connection method between NF entities provided in Embodiment 3 is applied to a system of two or more PLMNs. The system includes a first NF entity, a second NF entity, a first NF storage function entity and a second NF storage function entity, where the first NF entity and the first NF storage function entity are deployed in a first mobile network, configured as a first PLMN or local PLMN, and the second NF entity and the second NF storage function entity are deployed in a second mobile network, configured as a second PLMN or remote PLMN.
  • the process of establishing a communication connection specifically includes the following steps:
• Step 501 The first NF entity sends an NF discovery request to the first NF storage function entity, where the NF discovery request includes the identifier of the first NF entity, the NF type (the type of network function) of the NF entity to be accessed, and information such as the identifier of the PLMN in which that NF entity is deployed.
• Step 502 The first NF storage function entity receives the NF discovery request, determines the second NF storage function entity in the second PLMN according to the PLMN identifier in the NF discovery request, and forwards the NF discovery request to the second NF storage function entity.
• Step 503 The second NF storage function entity receives the NF discovery request, determines at least one NF entity that satisfies the condition according to the identifier of the first NF entity and the NF type, and generates at least one piece of security information, where each piece corresponds to the identifier of one NF entity.
• The second NF storage function entity also checks whether the first NF entity is allowed to access other NF entities; the check is the same as in Embodiment 1 and is not repeated here. If access is allowed, security information and a key are generated for at least one NF entity.
  • Step 504 The second NF storage function entity sends the generated at least one security information and the key to the first NF storage function entity by using the NF discovery response.
• Step 505 The first NF storage function entity receives the NF discovery response sent by the second NF storage function entity and forwards it to the first NF entity, where the NF discovery response includes the security information of at least one NF entity to be connected and may also include the key. Some or all of the security information includes: the identifier of the first NF entity, the identifier of the second NF entity to be connected, and the valid time of the security information.
• Step 506 The first NF entity receives the NF discovery response sent by the first NF storage function entity and selects an NF entity as the second NF entity according to the content of the NF discovery response.
  • the first NF storage function entity determines the second NF storage function entity according to the identifier of the deployed PLMN in the NF discovery request, and sends the NF discovery request to the second NF storage function entity.
  • Step 507 The first NF entity sends a communication connection request to the determined second NF entity, where the communication connection request includes an identifier of the first NF entity, a first challenge random number, and a first encrypted ciphertext encrypted by the key.
  • Step 508 The second NF entity receives the communication connection request sent by the first NF entity, and sends the security information identifier in the communication connection request to the second NF storage function entity.
• Step 509 The second NF storage function entity receives the security information identifier, looks up the corresponding security information and key, and sends them to the second NF entity. Alternatively, after receiving the NF discovery request forwarded by the first NF storage function entity, the second NF storage function entity actively sends the security information and the key to the second NF entity.
• Step 510 The second NF entity receives the communication connection request sent by the first NF entity and the security information and key sent by the second NF storage function entity, determines whether the identifier of the first NF entity in the security information is the same as the identifier of the first NF entity in the communication connection request, and whether the first challenge random number is the same as the second challenge random number generated by decrypting the first encrypted ciphertext. If the identifiers are the same and the challenge random numbers are also the same, it determines that the identity is genuine and establishes a communication connection with the first NF entity.
• Step 511 If the first NF entity is allowed to establish a communication connection, the second NF entity sends a communication connection response to the first NF entity, where the communication connection response includes a third challenge random number and a second encrypted ciphertext.
• Step 512 The first NF entity receives the communication connection response and a second key from the second NF storage function entity, decrypts the second encrypted ciphertext using the second key to generate a fourth challenge random number, and, if the fourth challenge random number is the same as the received third challenge random number, establishes a communication connection with the second NF entity.
• This embodiment provides a connection method and system in which a first NF storage function entity in a first PLMN interacts with a second NF storage function entity in a second PLMN, and the second NF storage function entity provides the information on the second NF entity together with the corresponding security information and key to the second NF entity, thereby controlling communication between NF entities located in different PLMNs and securing the communication connection between them.
  • the embodiment of the present application further provides a second NF entity, a first NF entity, and an NF storage function entity device.
• A schematic structural diagram of an NF entity applied as a second NF entity, which receives a communication connection request from a transmitting end. The entity includes a transceiver unit 601 and a processing unit 602.
• The transceiver unit 601 is configured to receive a communication connection request from the first network function NF entity, where the communication connection request includes the identifier of the first NF entity and a security information identifier, and to obtain from the NF storage function entity the security information corresponding to the security information identifier;
• the processing unit 602 is configured to establish a communication connection with the first NF entity if the security information includes the identifier of the first NF entity.
• The security information includes an identifier of the first NF entity.
• The processing unit 602 is further configured to establish a communication connection with the first NF entity if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request.
• The communication connection request further includes a first challenge random number.
• The transceiver unit 601 is further configured to acquire a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity.
• The processing unit 602 is further configured to decrypt the first encrypted ciphertext using the first key to generate a second challenge random number, and to establish a communication connection with the first NF entity if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request and the first challenge random number is the same as the second challenge random number.
  • the processing unit 602 is further configured to: if a communication connection is established with the first NF entity, generate a third challenge random number, and generate a second using the third challenge random number and the first key Encrypting the ciphertext; the transceiver unit 601 is further configured to send the second encrypted ciphertext and the third challenge random number to the first NF entity.
  • the security information further includes an effective time of the security information, and the effective time of the security information is used to check whether the security information is valid.
• The transceiver unit 601 and the processing unit 602 are further configured to perform some or all of the functions of the first NF entity in steps 301 to 311 in FIG. 3, in steps 401 to 409 in FIG. 4, and in steps 501 to 512 in FIG. 5.
• FIG. 7 is a schematic structural diagram of another NF entity, applied as a first NF entity that initiates a communication connection request to a second NF entity. The entity includes a transceiver unit 701 and a processing unit 702.
• The transceiver unit 701 is configured to send the identifier of the first NF entity and the requested NF type information to the NF storage function entity, and to receive from the NF storage function entity the security information identifier and the identifier of the second NF entity corresponding to the NF type.
  • the transceiver unit 701 is further configured to send a communication connection request to the second NF entity, where the communication connection request includes an identifier of the first NF entity and the security information identifier.
• The transceiver unit 701 is further configured to receive a communication connection response from the second NF entity, where the communication connection response indicates whether the first NF entity is allowed to establish a communication connection with the second NF entity.
• The transceiver unit 701 is further configured to receive a first key from the NF storage function entity and obtain a first challenge random number; the processing unit 702 is configured to generate a first encrypted ciphertext from the first challenge random number and the first key; and the transceiver unit 701 is further configured to send the first encrypted ciphertext and the first challenge random number to the second NF entity.
• The transceiver unit 701 is further configured to receive the second encrypted ciphertext and the third challenge random number from the second NF entity if the communication connection response indicates that the communication connection is allowed to be established; and the processing unit 702 is further configured to decrypt the second encrypted ciphertext using the first key to generate a fourth challenge random number and, if the fourth challenge random number is the same as the third challenge random number, to establish a session connection with the second NF entity.
• The transceiver unit 701 and the processing unit 702 are further configured to perform some or all of the functions of the second NF entity in steps 301 to 311 in FIG. 3, in steps 401 to 409 in FIG. 4, and in steps 501 to 512 in FIG. 5.
• The NF entity in this embodiment can serve as a transmitting end, for example a first NF entity, with the function of initiating a communication connection request, and can also serve as a receiving end, for example a second NF entity, receiving a communication connection request from the sending end and verifying the identity of the sender.
• FIG. 8 is a schematic structural diagram of an NF storage function entity that controls the discovery of NF entities and generates security information and keys.
  • the entity includes: a transceiver unit 801 and a processing unit 802.
  • the transceiver unit 801 is configured to receive the identifier of the first NF entity from the first NF entity and the requested NF type information.
  • the processing unit 802 is configured to obtain, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type.
  • the transceiver unit 801 is further configured to send the security information identifier and the identifier of the second NF entity to the first NF entity.
• The processing unit 802 is further configured to determine, according to the identifier of the first NF entity and the NF type information, at least one NF entity that satisfies the NF type condition, and to generate at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of an NF entity that satisfies the NF type condition.
  • the transceiver unit 801 is further configured to receive the identifier of the first NF entity from the first NF entity forwarded by the first NF storage function entity and the requested NF type information.
• The transceiver unit 801 is further configured to send the security information and the identifier of the second NF entity to the second NF entity, either actively or after receiving the security information identifier from the second NF entity.
• The transceiver unit 801 is further configured to send a first key to the first NF entity and the second NF entity, where the first key is used by the second NF entity to decrypt the first encrypted ciphertext obtained from the first NF entity.
  • the processing unit 802 is further configured to detect whether the first NF entity is allowed to initiate a communication connection request to the second NF entity. Further, the processing unit 802 is further configured to determine whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity, and if yes, allow the communication connection request to be initiated, Otherwise, the communication connection request is not allowed to be sent.
• The transceiver unit 801 and the processing unit 802 are further configured to perform some or all of the functions of the NF storage function entity in steps 301 to 311 in FIG. 3 and in steps 401 to 409 in FIG. 4.
• When the system includes a first NF storage function entity and a second NF storage function entity, the first NF storage function entity and the first NF entity belong to the first mobile network, and the second NF storage function entity and the second NF entity belong to the second mobile network.
• In that case the transceiver unit 801 includes a first transceiver unit 8011 and a second transceiver unit 8012, and the processing unit 802 includes a first processing unit 8021 and a second processing unit 8022; the first transceiver unit 8011 and the first processing unit 8021 are both located in the first NF storage function entity, and the second transceiver unit 8012 and the second processing unit 8022 are both located in the second NF storage function entity.
  • the first transceiver unit 8011 is configured to receive an NF discovery request sent by the first NF entity, where the NF discovery request includes an identifier of the deployed PLMN.
• The first processing unit 8021 is configured to receive the identifier of the deployed PLMN from the first transceiver unit 8011, determine the second NF storage function entity according to that identifier, and send the NF discovery request to the second transceiver unit 8012 through the first transceiver unit 8011;
  • the second transceiver unit 8012 is configured to receive the NF discovery request sent by the first transceiver unit 8011.
  • the second processing unit 8022 is configured to determine, according to the identifier of the first NF entity and the NF type in the NF discovery request, at least one NF entity that satisfies the condition, and generate at least one security information;
  • the second transceiver unit 8012 is further configured to send the at least one security information to the first transceiver unit 8011;
  • the first transceiver unit 8011 is further configured to receive the at least one security information, and send the at least one security information to the first NF entity.
• The first NF storage function entity and the second NF storage function entity are configured to perform some or all of the functions of the NF storage function entity in steps 301 to 311 of FIG. 3 and in steps 401 to 409 of FIG. 4.
• The NF storage function entity controls the discovery of NF entities and provides the security information and the key to the peer NF entity found by NF discovery, so that the NF entities can verify the authenticity of each other's identity according to the security information and the key and establish a secure connection. This enables secure authentication of inter-NF access and avoids unauthorized access to NF entities.
  • the present application further provides a network function NF entity and an NF storage function entity.
  • the NF entity and the NF storage function entity may be software deployed on a general-purpose computing platform or may be separate hardware devices.
  • the NF entity may be an NF entity in any of the foregoing embodiments for implementing the method steps in the foregoing embodiments.
  • the NF entity device includes a transceiver 901, a processor 902, and a memory 903.
  • the transceiver 901 includes at least one communication interface and an I/O interface for implementing data transmission and reception with different NF entities and NF storage function entities.
  • the transceiver 901 can include components such as a receiver, a transmitter, and an antenna.
  • the NF entity may also include more or fewer components, or a combination of certain components, or different component arrangements, which is not limited in this application.
• The processor 902 is the control center of the NF entity and implements the method steps of the foregoing embodiments; it connects the parts of the entire device through various interfaces and lines, and performs the functions of the device and/or processes data by running or executing software programs and/or modules stored in the memory 903 and calling data stored in the memory.
• The processor 902 may be composed of an integrated circuit (IC), for example a single packaged IC, or a plurality of packaged ICs with the same or different functions.
• The processor 902 may include only a central processing unit (CPU), or may be a combination of a CPU, a GPU, a digital signal processor (DSP) and a control chip in the transceiver module (for example, a baseband chip).
  • the CPU may be a single operation core, and may also include a multi-operation core.
• The transceiver modules in the transceiver 901 are generally integrated circuit chips and can be combined selectively, without necessarily including all transceiver modules and corresponding antenna groups.
  • the transceiver module can include only a baseband chip, a radio frequency chip, and a corresponding antenna to provide communication functionality in a cellular communication system.
  • the terminal device can be connected to a cellular network or the internet via a wireless communication connection established by the transceiver module, such as wireless local area network access or WCDMA access.
• A communication module in the transceiver module, such as the baseband module, may be integrated into the processor, typically on an APQ+MDM series platform such as that provided by Qualcomm.
  • the radio frequency circuit is used for receiving and transmitting signals during information transmission and reception or during a call.
• The radio frequency circuit includes well-known circuits for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a codec chipset, a subscriber identity module (SIM) card, memory, etc.
  • the RF circuit can communicate with the network and other devices through wireless communication.
• The wireless communication may use any communication standard or protocol, including but not limited to global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), high speed uplink packet access (HSUPA), long term evolution (LTE), e-mail, short message service (SMS), etc.
  • Processor 902 also performs the processes of FIGS. 3 through 5 relating to the first NF entity and second NF entity processing and/or for the techniques described herein.
  • the processor/controller 902 is configured to support the first NF entity and/or the second NF entity to perform step 301 to step 311 in FIG. 3, step 401 to step 409 in FIG. 4, step 501 to step 512 in FIG. 5, and/or other processes for the techniques described herein.
  • the function to be implemented by the transceiver 901 may be implemented by the transceiver unit 601 or the transceiver unit 701, or may be implemented by the processor 902 controlling the transceiver 901; the function to be implemented by the processor 902 may be implemented by the processing unit 602 or the processing unit 702.
  • FIG. 10 is a schematic structural diagram of an NF storage function entity according to the present application.
  • the NF storage function entity may be the security information generating device in any of the foregoing embodiments for implementing the method steps in the foregoing embodiments.
  • the NF storage function entity may be composed of a transceiver 1001, a processor 1002, a memory 1003, and the like.
  • the transceiver 1001 includes at least one communication interface and an I/O interface.
  • the processor 1002 is the control center of the NF storage function entity; it connects the various parts of the entire device through various interfaces and lines, and performs the various functions of the NF storage function module and/or processes data by running or executing software programs and/or modules stored in the memory and calling data stored in the memory.
  • the processor may be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
  • the processor may further include a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL), or any combination thereof.
  • the processor 1002 also performs other processes in FIG. 3 through FIG. 5 that relate to the NF storage function entity and/or the techniques described herein.
  • the processor/controller 1002 is configured to support the NF storage function entity to perform step 301 to step 311 in FIG. 3, step 401 to step 409 in FIG. 4, step 501 to step 512 in FIG. 5, and/or other processes of the techniques described herein.
  • the memory 1003 may include a volatile memory, such as a random access memory (RAM), and may also include a non-volatile memory, such as a flash memory.
  • a program or code may be stored in the memory, and the processor in the network element may implement the function of the NF storage function module by executing the program or code.
  • the transceiver 1001 can be configured to receive or transmit data, and the transceiver can transmit data to the first NF physical device or other NF physical device under the control of the processor.
  • the transceiver may be used to implement the method steps of receiving the discovery request, sending the discovery response, and receiving the security information identifier and the feedback security information sent by the second NF entity in the foregoing embodiment.
  • the functions to be implemented by the transceiver 1001 may be implemented by the transceiver unit of the NF storage function entity, or by the processor 1002 controlling the transceiver 1001; the functions to be implemented by the processor 1002 may be implemented by the processing unit 802.
  • the present application further provides a computer storage medium, wherein the computer storage medium may store a program, and the program may include some or all of the steps of each embodiment of the connection method between network function entities provided by the application.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
  • the technology in the embodiments of the present application can be implemented by means of software plus a necessary general hardware platform.
  • the technical solution in the embodiments of the present application may be embodied in essence, or in part, in the form of a software product, and the computer software product may be stored in a storage medium such as a ROM/RAM, a diskette or an optical disk, including instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform the methods described in the various embodiments of the present application or portions of the embodiments.

Abstract

Disclosed are a method and device for connection between network entities. The method comprises: a second network function (NF) entity receives a communication connection request from a first network function (NF) entity, the communication connection request comprising an identifier of the first NF entity and a security information identifier; the second NF entity obtains security information corresponding to the security information identifier from an NF storage entity; and if the security information comprises the identifier of the first NF entity, the second NF entity establishes a communication connection with the first NF entity. In the method, the NF storage entity controls the discovery of an NF entity and provides security information to the peer NF entity discovered through NF discovery, so that the NF entity can verify the authenticity of the identity of the opposite party and establish a secure connection; accordingly, secure and reliable access between the NFs is achieved, and unauthorized access between the NFs is avoided.

Description

Connection method and device between network function entities

Technical field

The present application relates to the field of wireless communications, and in particular to a method and apparatus for connecting network function entities.

Background

At present, the evolved packet core (EPC) adopts a network element (NE) architecture. Typical NEs in this architecture include the mobility management entity (MME), the serving gateway (S-GW) and the packet data network gateway (P-GW). The current network functions of the EPC (for example, mobility management, bearer management and location management) are implemented through service features and processing logic fixed in the NEs and through procedure messages exchanged between NEs. For example, a user's access service requires the MME, the S-GW, the P-GW and other NEs in the network, such as the policy and charging rules function (PCRF) and the home subscriber server (HSS) shown in FIG. 1, to cooperate and complete the service through business process logic defined by standards; the characteristics of the network function (NF) services the current EPC can provide are therefore fixed.

As business models expand and technology develops, users' service requirements change with them. Users' services will require more service modes and better service characteristics, such as ultra-low-latency communication and high-reliability communication, which in turn creates demand for new NFs. Because the NF services provided by the EPC are fixed and dispersed across the individual NEs, introducing a new NF to support user demand requires the EPC to redefine and redesign the processing logic and procedure interactions of the NEs. Such a redesign means a long development cycle and high cost for equipment vendors, and for network operators it means that new network services cannot be released in time.

A general NF management approach is as follows: the core network adopts a service oriented architecture, and the NEs of the original network architecture (for example, the MME or the S-GW) are split by functional category into different NF components, for example an authentication and security function (authentication function, AuF), a packet data session management function (session management function, SM NF), a mobility management and access control function (mobility management function, MM NF) and a policy control function (PCF). These functions are implemented by the corresponding NF components, and each NF component provides services to other NF components or functions through a defined service interface.

During execution of a network service, the network functions need to interact to complete the service. For example, after the MM NF receives an SM-category message sent by user equipment (UE), it forwards the SM message to the SM NF, and the SM NF processes the session.

When establishing communication between NFs, an NF first obtains the network address of the peer NF, then establishes a communication connection with the peer NF, and further sends messages such as service requests to the peer NF for processing. One security problem is that, because of an abnormality or because the NF itself has been attacked, it may send incorrect service request messages to other NFs. For example, according to the business logic the authentication and security function does not need to send a user's session request message (covering session establishment, update and deletion) to the packet data session management function; but when the authentication and security function behaves abnormally or is attacked, it may send a request to delete the user's data session connection to the packet data session management function. Once the packet data session management function accepts that service request and performs the corresponding session connection deletion, the affected user terminal can no longer receive or send data, and the service fails. The communication security problem between NFs therefore needs to be solved in order to avoid unauthorized access between NFs.

Summary

Embodiments of the present application provide a connection method and device between network function entities, to solve the communication security problem between network function entities.

In a first aspect, the present application provides a network function entity connection method, applied to a network function (NF) entity that receives a communication connection request. The method includes: a second NF entity receives a communication connection request from a first NF entity, the communication connection request including an identifier of the first NF entity and a security information identifier; the second NF entity obtains, from an NF storage function entity, security information corresponding to the security information identifier; and if the security information contains the identifier of the first NF entity, the second NF entity establishes a communication connection with the first NF entity.

In the method provided by this aspect, the NF storage function module stores the identifiers of the individual NF entities in advance. When one of the NF entities, for example the second NF entity, needs to be accessed, the NF storage function entity controls the NF connection access, obtains security information and provides that security information to the second NF entity, so that the second NF entity can verify the authenticity and security of the identity of the requesting party according to the security information. This achieves a secure connection for access between NFs and avoids unauthorized access between NFs.

With reference to the first aspect, in one implementation, establishing a communication connection with the first NF entity if the security information contains the identifier of the first NF entity includes: the security information includes the identifier of at least one NF entity, and if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, the second NF entity establishes a communication connection with the first NF entity.

With reference to the first aspect, in one implementation, the communication connection request further includes a first challenge random number, and the second NF entity establishing a communication connection with the first NF entity includes: the second NF entity obtains a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity, decrypts the first encrypted ciphertext using the first key to generate a second challenge random number, and, if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request and the first challenge random number is the same as the second challenge random number, establishes a communication connection with the first NF entity.

With reference to the first aspect, in one implementation, the method further includes: if the second NF entity establishes a communication connection with the first NF entity, the second NF entity generates a third challenge random number, generates a second encrypted ciphertext using the third challenge random number and the first key, and sends the second encrypted ciphertext and the third challenge random number to the first NF entity.

With reference to the first aspect, in one implementation, the security information further includes a validity time of the security information, used to check whether the security information is still valid.

In a second aspect, the present application provides a network function entity connection method, applied to an NF entity that initiates a communication connection request. The method includes: a first NF entity sends an identifier of the first NF entity and requested NF type information to an NF storage function entity; receives, from the NF storage function entity, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and sends a communication connection request to the second NF entity, the communication connection request including the identifier of the first NF entity and the security information identifier.

With reference to the second aspect, in one implementation, the method further includes: the first NF entity receives a communication connection response from the second NF entity, the communication connection response indicating whether the second NF entity allows a communication connection to be established with the first NF entity.

With reference to the second aspect, in one implementation, the method further includes: the first NF entity receives a first key from the NF storage function entity; the first NF entity obtains a first challenge random number, generates a first encrypted ciphertext according to the first challenge random number and the first key, and sends the first encrypted ciphertext and the first challenge random number to the second NF entity.

With reference to the second aspect, in one implementation, the method further includes: if the communication connection response indicates that the communication connection is allowed, the first NF entity receives a second encrypted ciphertext and a third challenge random number from the second NF entity; the first NF entity decrypts the second encrypted ciphertext using the first key to generate a fourth challenge random number, and if the fourth challenge random number is the same as the third challenge random number, establishes a session connection with the second NF entity.

With reference to the second aspect, in one implementation, the method further includes: the first NF entity receives at least one piece of security information sent by the NF storage function entity, where each piece of security information includes the identifier of the first NF entity and the identifier of one NF entity satisfying the NF type condition; the first NF entity selects one of the at least one piece of security information as the second NF entity.

In a third aspect, the present application provides a security information sending method, applied to an NF storage function entity. The method includes: the NF storage function entity receives, from a first NF entity, an identifier of the first NF entity and requested NF type information; obtains, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and sends the security information identifier and the identifier of the second NF entity to the first NF entity. Further, the obtaining step includes generating them inside the NF storage function entity, or acquiring them from another entity.

With reference to the third aspect, in one implementation, the NF storage function entity obtaining the security information identifier and the identifier of the second NF entity corresponding to the NF type includes: the NF storage function entity determines, according to the identifier of the first NF entity and the NF type information, at least one NF entity satisfying the NF type condition, and generates at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of one NF entity satisfying the NF type condition.

With reference to the third aspect, in one implementation, the NF storage function entity receiving the identifier of the first NF entity and the requested NF type information from the first NF entity includes: the NF storage function entity receives the identifier of the first NF entity and the requested NF type information, which originate from the first NF entity and are forwarded by a first NF storage function entity.

With reference to the third aspect, in one implementation, if the NF discovery request further includes an identifier of the deployed PLMN, the NF storage function entity obtaining the security information identifier and the identifier of the second NF entity corresponding to the NF type includes: the first NF storage function entity determines the second NF storage function entity according to the identifier of the deployed PLMN, and sends the identifier of the first NF entity and the requested NF type information to the second NF storage function entity; and receives at least one piece of security information returned by the second NF storage function entity, where the security information correspondingly includes the identifier of the first NF entity and the identifier of one NF entity satisfying the NF type condition.

Here the second NF entity is configured to obtain, according to the identifier of the first NF entity and the NF type information, the security information identifier and the identifier of the second NF entity corresponding to the NF type, and to send the security information identifier and the identifier of the second NF entity to the first NF storage function entity. The first NF storage function entity and the first NF entity belong to a first PLMN, and the second NF storage function entity and the second NF entity belong to a second PLMN.

In the method provided by this aspect, the first NF storage function entity in the first PLMN interacts with the second NF storage function entity in the second PLMN, and the second NF storage function entity in the second PLMN provides the second NF entity information, together with the corresponding security information and key, to the second NF entity. This achieves control over communication between NF entities located in different PLMNs, as well as a secure communication connection between the NF entities.

With reference to the third aspect, in one implementation, the method further includes: the NF storage function entity sends the security information and the identifier of the second NF entity to the second NF entity in either of the following ways: the NF storage function entity actively sends the security information and the identifier of the second NF entity; or, after the NF storage function entity receives the security information identifier from the second NF entity, it sends them to the second NF entity.

With reference to the third aspect, in one implementation, after the NF storage function entity receives the security information identifier sent by the second NF entity, the method further includes: the NF storage function entity sends a first key to the first NF entity and the second NF entity, where the first key is used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity.

With reference to the third aspect, in one implementation, after the NF storage function entity receives the identifier of the first NF entity and the requested NF type information from the first NF entity, the method further includes: the NF storage function entity checks whether the first NF entity is allowed to initiate a communication connection request to the second NF entity.

With reference to the third aspect, in one implementation, the NF storage function entity stores an NF type list of the first NF entity, and the NF storage function entity checking whether the communication connection request may be initiated includes: determining whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity; if so, initiating the communication connection request is allowed, otherwise sending the communication connection request is not allowed.

In the method provided by this aspect, the NF storage function module controls NF entity discovery and provides the security information, the key and related information to the peer NF entity found through NF discovery, so that the NF entities can verify the authenticity of each other's identity according to the security information and the key and establish a communication connection. This achieves secure and reliable access between NFs and avoids unauthorized access between NFs.
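The discovery, security-information lookup and challenge exchange summarised in the first, second and third aspects above, as an added example that is not the applicant's code: the NF storage function entity, the first NF entity and the second NF entity are modelled as three in-process Python objects. The NF identifiers (mm-nf-1, sm-nf-1), the NF type list, the 60-second validity time and the HMAC-based stand-in for the cipher the application leaves unspecified are all assumptions of this example.

```python
# Added example, not the applicant's code: the NF storage function entity, the first NF
# entity and the second NF entity of the first to third aspects as three in-process
# objects. Identifiers, the NF type list, the lifetime and the cipher are assumed here.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LIFETIME_S = 60  # assumed validity time of one piece of security information
NONCE_LEN = 32   # length of each challenge random number


def encrypt_challenge(key: bytes, nonce: bytes) -> bytes:
    """iv || (nonce XOR HMAC-SHA256(key, iv)); the application does not name a
    cipher, so HMAC used as a PRF over a fresh IV stands in for it here."""
    iv = secrets.token_bytes(16)
    ks = hmac.new(key, iv, hashlib.sha256).digest()
    return iv + bytes(a ^ b for a, b in zip(nonce, ks))


def decrypt_challenge(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    ks = hmac.new(key, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, ks))


@dataclass
class SecurityInfo:
    requester_id: str  # identifier of the first NF entity
    target_id: str     # identifier of the second NF entity
    key: bytes         # the "first key" handed to both NF entities
    expires_at: float  # validity time of the security information


class NFStorageFunction:
    """Registry of NF entities, per-requester NF type lists, issued security info."""

    def __init__(self, registry, allowed_types):
        self.registry = registry            # NF identifier -> NF type
        self.allowed_types = allowed_types  # requester id -> NF types it may contact
        self.issued = {}                    # security information identifier -> info

    def discover(self, requester_id, nf_type):
        # Third aspect: the requested type must be on the requester's NF type list.
        if nf_type not in self.allowed_types.get(requester_id, set()):
            return None
        targets = [nf for nf, t in self.registry.items() if t == nf_type]
        if not targets:
            return None
        sec_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.issued[sec_id] = SecurityInfo(requester_id, targets[0], key, time.time() + LIFETIME_S)
        return sec_id, targets[0], key

    def fetch(self, sec_id, asking_nf):
        # The security information and key go only to the second NF they name.
        info = self.issued.get(sec_id)
        return info if info and info.target_id == asking_nf else None


class SecondNF:
    def __init__(self, nf_id, storage):
        self.nf_id, self.storage = nf_id, storage

    def handle_request(self, requester_id, sec_id, nonce1, ct1, now):
        """First aspect: returns (accepted, third challenge, second ciphertext)."""
        info = self.storage.fetch(sec_id, self.nf_id)
        if info is None or info.requester_id != requester_id or now > info.expires_at:
            return False, None, None
        # Decrypting ct1 must reproduce the first challenge random number.
        if not hmac.compare_digest(decrypt_challenge(info.key, ct1), nonce1):
            return False, None, None
        nonce3 = secrets.token_bytes(NONCE_LEN)
        return True, nonce3, encrypt_challenge(info.key, nonce3)


class FirstNF:
    def __init__(self, nf_id, storage):
        self.nf_id, self.storage = nf_id, storage

    def connect(self, nf_type, peers, now, bad_key=False):
        """Second aspect: discover, send the request, verify the peer's ciphertext."""
        found = self.storage.discover(self.nf_id, nf_type)
        if found is None:
            return False
        sec_id, target_id, key = found
        send_key = secrets.token_bytes(32) if bad_key else key  # bad_key: wrong key
        nonce1 = secrets.token_bytes(NONCE_LEN)
        ok, nonce3, ct2 = peers[target_id].handle_request(
            self.nf_id, sec_id, nonce1, encrypt_challenge(send_key, nonce1), now)
        return ok and hmac.compare_digest(decrypt_challenge(key, ct2), nonce3)


def run_scenario(mm_may_reach_sm=True, clock_skew_s=0.0, bad_key=False):
    """Constructed deployment: mm-nf-1 (type MM) wants to reach an SM-type NF."""
    storage = NFStorageFunction({"mm-nf-1": "MM", "sm-nf-1": "SM"},
                                {"mm-nf-1": {"SM"} if mm_may_reach_sm else set()})
    second = SecondNF("sm-nf-1", storage)
    return FirstNF("mm-nf-1", storage).connect(
        "SM", {"sm-nf-1": second}, time.time() + clock_skew_s, bad_key)
```

`run_scenario()` succeeds only when the NF type list permits the request, the security information is still within its validity time, and the requester holds the first key issued by the storage function; each of the three failure cases returns False.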

In a fourth aspect, the present application further provides a network function (NF) entity for receiving a communication connection request initiated by a requesting party, for example applied to a second NF entity, including: a transceiver unit, configured to receive a communication connection request from a first NF entity, the communication connection request including an identifier of the first NF entity and a security information identifier, and further configured to obtain, from an NF storage function entity, security information corresponding to the security information identifier; and a processing unit, configured to determine that, if the security information contains the identifier of the first NF entity, the second NF entity establishes a communication connection with the first NF entity. In addition, the transceiver unit and the processing unit are further configured to implement the method steps of the various implementations of the first aspect.

In a fifth aspect, the present application further provides another NF entity for initiating a communication connection request, for example applied to a first NF entity, including a transceiver unit configured to send an identifier of the first NF entity and requested NF type information to an NF storage function entity; further configured to receive, from the NF storage function entity, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and further configured to send a communication connection request to the second NF entity, the communication connection request including the identifier of the first NF entity and the security information identifier. In addition, the NF entity may further include a processing unit, and the transceiver unit and the processing unit are further configured to implement the method steps of the various implementations of the second aspect.

In a sixth aspect, the present application further provides a security information sending apparatus for controlling NF discovery, for example applied to an NF storage function entity, including: a transceiver unit, configured to receive, from a first NF entity, an identifier of the first NF entity and requested NF type information; and a processing unit, configured to obtain, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; the transceiver unit is further configured to send the security information identifier and the identifier of the second NF entity to the first NF entity. In addition, the transceiver unit and the processing unit are further configured to implement the method steps of the various implementations of the third aspect.

In a seventh aspect, the present application further provides an NF entity device, including a transceiver and a processor for performing the method steps of the implementations of the first aspect or the fourth aspect. The transceiver may be implemented by a transceiver unit in the NF entity apparatus, or the processor may control the transceiver to implement it.

In an eighth aspect, the present application further provides an NF entity device, including a transceiver and a processor for performing the method steps of the implementations of the second aspect or the fifth aspect. The transceiver may be implemented by a transceiver unit in the NF entity apparatus, or the processor may control the transceiver to implement it.

第九方面,本申请还提供了一种NF存储功能实体设备,包括用于执行第三方面或第六方面各实现方式中方法步骤的收发器和处理器。其中,所述收发器,可以由所述NF存储功能模块设备中的收发单元实现,或者由所述处理器控制所述收发器实现。In a ninth aspect, the present application further provides an NF storage function entity device, including a transceiver and a processor for performing the method steps in the implementation manners of the third aspect or the sixth aspect. The transceiver may be implemented by a transceiver unit in the NF storage function module device, or may be implemented by the processor to control the transceiver.

第十方面,本申请还提供了一种NF实体连接系统,包括前述第七方面和第八方面实现方式所述的NF实体设备,以及第九方面实现方式所述的NF存储功能实体设备。 In a tenth aspect, the present application further provides an NF entity connection system, including the NF entity device described in the foregoing seventh aspect and the eighth aspect implementation manner, and the NF storage function entity device described in the ninth aspect implementation manner.

第十一方面,本申请还提供一种计算机存储介质,其中,该计算机存储介质可存储有程序,该程序执行时可实现本申请提供一种网络功能实体连接方法、安全信息发送方法的各实现方式中的部分或全部步骤。In an eleventh aspect, the present application further provides a computer storage medium, wherein the computer storage medium can store a program, and when the program is executed, the present application can provide a network function entity connection method and a security information transmission method. Some or all of the steps in the way.

Description of the Drawings

To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below.

FIG. 1 is a schematic diagram of a network structure including EPC network elements according to the present application;

FIG. 2 is a schematic diagram of a network structure including NFs according to the present application;

FIG. 3 is a schematic flowchart of an NF entity connection method according to an embodiment of the present application;

FIG. 4 is a schematic flowchart of another NF entity connection method according to an embodiment of the present application;

FIG. 5 is a schematic flowchart of still another NF entity connection method according to an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a second NF entity according to an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a first NF entity according to an embodiment of the present application;

FIG. 8 is a schematic structural diagram of an NF storage function entity according to an embodiment of the present application;

FIG. 9 is a schematic structural diagram of an NF entity according to an embodiment of the present application;

FIG. 10 is a schematic structural diagram of an NF storage function entity according to an embodiment of the present application;

FIG. 11 is a schematic structural diagram of another NF storage function entity according to an embodiment of the present application.

Detailed Description

The methods provided by the embodiments of the present application are based on virtualization and similar technologies: N network slices are partitioned on a common network infrastructure of the core network. A network slice may also be called a dedicated network, and a dedicated network provides the network services required by one or more particular services.

As shown in FIG. 2, a service oriented architecture may be used within a network slice. The NEs of the original network architecture (for example the MME or S-GW) are defined as different NFs according to functional category, for example: the authentication and security function, the packet data session management function, the mobility management and access control function, the policy control function, and so on. These functions are implemented by corresponding NF components, and each NF component provides services to other NF components or functions through a defined service interface. Multiple network slices (slice A, slice B and slice C) of the same operator use the same public land mobile network (PLMN) and may be deployed on the operator's infrastructure by means of cloud and virtualization technologies; the operator's infrastructure includes its cloud computing and transport infrastructure.

The NF entities in the embodiments of the present application include, but are not limited to, an authentication and security function entity, a packet data session management function entity, a mobility management function entity, an access control function entity, a policy control function entity, and so on. These NF entities are implemented by corresponding NF components, and each NF component provides services to other NF components or functions through a defined service interface.

During execution of a network service, NFs need to interact with each other to complete the service; for example, the MM NF sends an SM message to the SM NF, and the SM NF processes the task. When communication is established between NFs, the NFs should verify whether the communication connection between them is permitted and verify the authenticity of the peer's identity, so as to prevent unauthorized access between NFs. To achieve identity verification and secure connection between NFs, the embodiments of the present application provide a network function entity connection method and device, which are described in detail below:

Embodiment 1

Taking the connection of two network function entities as an example, let the two NF entities be a first NF entity and a second NF entity, where the first NF entity sends a communication connection request to the second NF entity in order to establish a communication connection with it.

This embodiment further includes an NF storage function (NF repository function) entity, which stores the identifiers of the NF entities in the network and provides security information, keys and similar information to the sender of a communication connection request.

Specifically, as shown in FIG. 3, the network function entity connection method includes the following steps:

Step 301: When the first NF entity needs to access the second NF entity, the first NF entity sends the identifier of the first NF entity and the requested NF type information to the NF storage function entity.

The identifier of the first NF entity and the requested NF type information may be sent in an NF discovery request; the NF type information indicates the type of NF from which the first NF entity requests service. Specifically, the NF types include the authentication and security function (authentication function, AuF), the packet data session management function (session management function, SM NF), the mobility management and access control function (mobility management function, MM NF), the policy control function (PCF), and so on.

Specifically, the identifier of an NF entity is used to identify the NF entity; for example, it may be a combination of the PLMN ID, the NF type and a sequence number, the network address of the NF entity, or any other form of information that can identify the NF entity.

Step 302: After receiving the NF discovery request from the first NF entity, the NF storage function entity determines, according to the identifier of the first NF entity and the NF type, at least one NF entity that satisfies the condition, and generates at least one piece of security information and the identifier of the second NF entity corresponding to the NF type; each piece of security information includes the security information identifier of one NF entity.

The security information may be a security token or security evidence; correspondingly, the security information identifier may be a security token ID or a security evidence identifier.

According to the NF type for which service is requested, the NF storage function entity looks up the NF entities having that NF type. For example, if the NF type is the PCF type, the NF storage function entity looks up NF entities of the PCF type among the pre-stored NF entities; it may find a single NF entity, or several NF entities may have the PCF function. For example, suppose the first NF entity is a session management function (SMF NF) entity that needs to discover a PCF NF entity. If the NF storage function entity finds that two PCF NF entities meet the requirement, it generates two pieces of security information: the first includes the SMF NF entity identifier and the PCF_1 NF entity identifier, and the second includes the SMF NF entity identifier and the PCF_2 NF entity identifier. It sends both pieces of security information to the SMF NF entity, sends the first piece to the PCF_1 NF entity, and sends the second piece to the PCF_2 NF entity.

The security information is used to verify the authenticity of the identities of the first NF entity and of the NF entity to be connected, and each piece of security information further includes the identifier of the NF entity to be connected. Specifically, the security information includes the identifier of the first NF entity and the identifier of the (second) NF entity to be connected. For example, if the NF type of a first NF entity located in a certain PLMN is the packet data session management function SM NF, the identifier of the first NF entity may be a combination of the PLMN ID, the NF type and a sequence number, such as PLMN ID.SMF.001, which uniquely identifies that NF entity; optionally, the network address of the NF entity may be used as its identifier instead.

The NF storage function entity also generates an NF discovery response.

Step 303: The NF storage function entity sends, in the NF discovery response, at least one security information identifier satisfying the NF type and the identifier of the second NF entity corresponding to the NF type to the first NF entity.

Optionally, before the NF storage function entity sends the NF discovery response in step 303, the method further includes:

The NF storage function entity checks whether the first NF entity is allowed to initiate a communication connection request, or checks whether the NF discovery request is allowed access. By providing such a check, unnecessary access between NF functional entities can be detected as early as possible, so that access between NF entities is controlled, the load on the accessed NF entity is reduced, and the security of access between NF entities is enhanced.

Specifically, the process by which the NF storage function entity checks whether a communication connection request is allowed includes: the NF storage function entity stores a list of the NF types that the first NF entity may access, and may decide according to business logic, for example by determining whether the NF type of the NF entity to be connected is in the list of NF types that the first NF entity may access. If the NF type of the NF entity to be connected is in that list, access is allowed; if it is not in the list, establishment of the access connection is refused.

Step 304: The first NF entity receives the security information identifier (or security information) and the identifier of the second NF entity corresponding to the NF type sent by the NF storage function entity.

Optionally, these are sent to the first NF entity in the NF discovery response. The first NF entity selects one of the security information identifiers, takes the NF entity corresponding to the selected security information identifier as the second NF entity, and establishes a session connection with it.

By sending some or all of the security information satisfying the NF type condition to the first NF entity, the NF storage function module enables the first NF entity to select a preferable NF entity as the second NF entity and establish a communication connection with it. This gives the first NF entity several options when choosing a good second NF entity, further improving the reliability and security of the communication connection. Alternatively, the NF storage function module may itself select a preferable NF entity as the second NF entity on behalf of the first NF entity and send the security information of that second NF entity to the first NF entity.

Step 305: The first NF entity generates a communication connection request and sends the identifier of the first NF entity and the security information identifier to the second NF entity in the communication connection request. A security information identifier uniquely corresponds to one piece of security information.

Step 306: The second NF entity receives the communication connection request from the first NF entity, which includes the identifier of the first NF entity and the security information identifier, and sends a verification request carrying the security information identifier to the NF storage function entity.

Step 307: The NF storage function entity receives the verification request sent by the second NF entity and determines the corresponding security information according to the security information identifier of the first NF entity, where the security information includes the identifier of the first NF entity.

Step 308: The NF storage function entity sends the security information to the second NF entity in a verification response.

Step 309: The second NF entity obtains the security information sent by the NF storage function entity and determines, according to the security information, whether to establish a communication connection with the first NF entity.

Specifically, this includes: the second NF entity determines whether the identifier of the first NF entity in the security information is the same as the identifier of the first NF entity in the communication connection request, or determines whether the identifier of the first NF entity in the security information, after conversion, is the same as the identifier of the first NF entity in the communication connection request; for example, it determines whether information such as the PLMN ID and SMF.001 sent by the NF storage function entity, once converted into an IP address, matches the IP address sent by the first NF entity. If they are the same, the first NF entity is allowed to access the second NF entity, that is, the second NF entity establishes a communication connection with the first NF entity; if they are not the same, access is refused.

Optionally, to further improve the security of the communication connection, the communication connection request of step 305 further includes a first challenge random number (challenge) and a first encrypted ciphertext (encrypted text).

In step 302, while generating the at least one piece of security information, the NF storage function entity also generates a first key and a valid time for each piece of security information. The first key is used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity, and the valid time of the security information is a set period used to check whether the security information is still valid. If the time at which the second NF entity verifies the identifier of the first NF entity is beyond the valid time of the security information, the security information is invalid and establishment of the connection is refused; if it is within the valid time, access is allowed.

Step 308 further includes: the NF storage function entity sends the first key and the valid time of the security information to the second NF entity.

In step 309, the second NF entity's determination, according to the security information, of whether to establish a communication connection with the first NF entity further includes: the second NF entity obtains the first key from the NF storage function entity and the first encrypted ciphertext from the first NF entity; the second NF entity decrypts the first encrypted ciphertext with the first key to produce a second challenge random number.

It then determines whether the identifier of the first NF entity in the security information is the same as the identifier of the first NF entity in the communication connection request, and whether the first random number and the second random number are also the same. If both are the same, the second NF entity establishes a communication connection with the first NF entity; if at least one of them differs, establishment of the connection is refused.

Optionally, the NF discovery response that the NF storage function entity sends to the first NF entity further includes the first key.

Optionally, after the second NF entity determines that a communication connection with the first NF entity is allowed, the method further includes:

Step 310: The second NF entity generates a third challenge random number, generates a second encrypted ciphertext from the third challenge random number and the first key, and sends the second encrypted ciphertext and the third challenge random number to the first NF entity. Optionally, the communication connection response may or may not carry the second encrypted ciphertext and the third challenge random number. If the communication connection response carries only information indicating to the first NF entity that establishing the communication connection is allowed, the second NF entity may instead send the second encrypted ciphertext and the third challenge random number in a data packet.

Step 311: If the communication connection response indicates that establishing the communication connection is allowed, the first NF entity obtains from the communication connection response the second encrypted ciphertext and the third challenge random number sent by the second NF entity; the first NF entity decrypts the second encrypted ciphertext to produce a fourth challenge random number and determines whether the fourth challenge random number is the same as the third challenge random number. If they are the same, it establishes a session connection with the second NF entity.

The second key used to decrypt the second encrypted ciphertext may be obtained from the NF storage function entity; for example, in step 303 above, the NF storage function entity sends the first key to the first NF entity in the NF discovery response. If the second key used to decrypt the second encrypted ciphertext is the same as the first key, the generated fourth challenge random number is the same as the third challenge random number. If the second key was not obtained from the NF storage function entity, or differs from the first key, the first NF entity cannot decrypt the second encrypted ciphertext, and the first NF entity refuses to establish a connection with the second NF entity.

In the NF entity connection method provided by this embodiment, the first NF entity initiates a communication connection request to the second NF entity, the NF storage function entity controls NF discovery and provides the security information corresponding to the first NF entity's security information identifier to the second NF entity to be connected, so that the second NF entity can use that security information to verify the authenticity and security of the identity of the access requester, the first NF entity, preventing unauthorized access between NFs.

In addition, the NF storage function entity stores the identifiers of the NF entities in the network, generates the security information, and sends the key to both ends of the NF entities requesting the communication connection, providing a basis and credentials for the access connection between NF entities.

Optionally, after the second NF entity verifies that the identity of the first NF entity that sent the communication connection request is secure, it sends the second encrypted ciphertext and the third challenge random number to the first NF entity, so that the first NF entity can verify the security of the second NF entity using the key provided by the NF storage function entity, further enhancing the security of the communication data between NF entities.
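As an added worked example (not the patent's code, nor any project's), the following Python models steps 301 to 311 of Embodiment 1 end to end: the NF storage function entity (NRF) applies the access-list check, issues one security token per matching NF together with the first key, the second NF fetches the security information behind the token ID and applies the identifier, validity-time and challenge checks, and the first NF verifies the third challenge sent back. The class and function names, the token format, the 60-second validity window, the NF identifier values and the XOR-with-HMAC stand-in for the "encrypted text" are all assumptions made for the example.

```python
# Added example (not the patent's code): NRF-mediated NF connection, Embodiment 1.
import hashlib
import hmac
import secrets
import time
from typing import NamedTuple
TOKEN_LIFETIME = 60.0  # assumed validity window of a security token, seconds

class SecurityInfo(NamedTuple):   # security information the NRF keeps per token ID
    token_id: str
    requester_id: str             # identifier of the first NF entity
    target_id: str                # identifier of the candidate second NF entity
    expires_at: float             # valid time of the security information

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stand-in for the patent's "encrypted text" (XOR with an HMAC keystream); use an AEAD in production.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, challenge: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, challenge)

def decrypt(key: bytes, blob: bytes) -> bytes: return _xor_stream(key, blob[:16], blob[16:])

class NFRepository:   # NRF: holds NF identifiers, issues tokens and the first key
    def __init__(self, registry: dict, allowed: dict):
        self.registry = registry   # NF identifier -> NF type
        self.allowed = allowed     # requester NF type -> set of accessible NF types
        self.tokens = {}           # token ID -> (SecurityInfo, first key)
        self.clock = time.time     # replaceable so expiry can be simulated

    def may_access(self, requester_id: str, nf_type: str) -> bool:
        # Access-list check done before any discovery response (text after step 303).
        return nf_type in self.allowed.get(self.registry.get(requester_id), ())

    def discover(self, requester_id: str, nf_type: str):
        """Steps 302-303: access check, then one token per matching NF."""
        if not self.may_access(requester_id, nf_type):
            raise PermissionError(f"{requester_id} may not access {nf_type}")
        key = secrets.token_bytes(32)   # first key, handed to both ends
        offers = []
        for target in [nf for nf, t in self.registry.items() if t == nf_type]:
            info = SecurityInfo(secrets.token_hex(8), requester_id, target,
                                self.clock() + TOKEN_LIFETIME)
            self.tokens[info.token_id] = (info, key)
            offers.append((info.token_id, target))
        return offers, key

class NFEntity:
    def __init__(self, nf_id: str, nrf: NFRepository):
        self.nf_id, self.nrf = nf_id, nrf

    def connect(self, nf_type: str, choice: int = 0):
        """First NF, steps 301-305: discover, choose a target, send a challenge."""
        offers, key = self.nrf.discover(self.nf_id, nf_type)
        token_id, target_id = offers[choice]
        challenge = secrets.token_bytes(16)
        request = {"requester_id": self.nf_id, "token_id": token_id,
                   "challenge": challenge, "ciphertext": encrypt(key, challenge)}
        return request, key, target_id

    def handle_request(self, request: dict) -> dict:
        """Second NF, steps 306-310: fetch the security information, then check."""
        entry = self.nrf.tokens.get(request["token_id"])   # verification request/response
        if entry is None:
            return {"accepted": False, "reason": "unknown security information identifier"}
        info, key = entry
        checks = [
            (info.target_id == self.nf_id, "token issued for another NF"),
            (self.nrf.clock() <= info.expires_at, "security information expired"),
            (info.requester_id == request["requester_id"], "requester identifier mismatch"),
            (decrypt(key, request["ciphertext"]) == request["challenge"], "challenge mismatch"),
        ]
        for passed, reason in checks:
            if not passed:
                return {"accepted": False, "reason": reason}
        challenge3 = secrets.token_bytes(16)   # step 310: prove key possession back
        return {"accepted": True, "challenge": challenge3,
                "ciphertext": encrypt(key, challenge3)}

    @staticmethod
    def verify_response(response: dict, key: bytes) -> bool:
        # First NF, step 311: decrypt the second ciphertext and compare challenges.
        return bool(response["accepted"]) and decrypt(key, response["ciphertext"]) == response["challenge"]

def demo() -> dict:
    """Constructed scenario: one SMF discovering two PCFs in one PLMN."""
    nrf = NFRepository({"PLMN-A.SMF.001": "SMF", "PLMN-A.PCF.001": "PCF",
                        "PLMN-A.PCF.002": "PCF", "PLMN-A.MMF.001": "MMF"},
                       allowed={"SMF": {"PCF"}})
    smf, pcf1 = NFEntity("PLMN-A.SMF.001", nrf), NFEntity("PLMN-A.PCF.001", nrf)
    request, key, target = smf.connect("PCF", choice=0)
    mutual_ok = NFEntity.verify_response(pcf1.handle_request(request), key)
    spoofed = pcf1.handle_request({**request, "requester_id": "PLMN-A.SMF.999"})
    mmf_denied = not nrf.may_access("PLMN-A.MMF.001", "PCF")
    nrf.clock = lambda: time.time() + TOKEN_LIFETIME + 1   # simulate expiry
    expired = pcf1.handle_request(request)
    return {"target": target, "mutual_ok": mutual_ok, "spoofed": spoofed["reason"],
            "mmf_denied": mmf_denied, "expired": expired["reason"]}
```

Two design points follow the text directly: the second NF never trusts the identifier carried in the connection request on its own but compares it with the identifier the NRF returns for the token ID, and because the NRF hands the same first key to both ends, the third challenge lets the first NF confirm that the responder holds the key the NRF issued. The stand-in cipher provides no integrity, so a wrong key simply yields a non-matching challenge, which is the failure path the text describes; a deployment would use an authenticated cipher and would also bind the token to the requester more strongly than a plain identifier string.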

Embodiment 2

This embodiment has the same application scenario as Embodiment 1 and also describes the process by which the first NF entity discovers and accesses the second NF entity. The difference from Embodiment 1 is that, after checking that the first NF entity is allowed to access the second NF entity, the NF storage function entity actively sends at least one piece of security information and the key to the second NF entity. Specifically, as shown in FIG. 4:

For steps 401 to 404, refer to steps 301 to 304 in Embodiment 1; they are not described again here.

Step 405: The NF storage function module actively sends the generated at least one piece of security information to the NF entities satisfying the NF type condition, where the security information includes the identifier of the first NF entity.

Optionally, if the NF storage function entity finds that two PCF NF entities meet the connection requirement, it generates two pieces of security information: the first includes the SMF NF entity identifier and the PCF_1 NF entity identifier, and the second includes the SMF NF entity identifier and the PCF_2 NF entity identifier. It sends the first piece of security information to the PCF_1 NF entity and the second piece to the PCF_2 NF entity.

The first NF entity receives the SMF NF entity identifier, the PCF_1 NF entity identifier and the PCF_2 NF entity identifier sent by the NF storage function entity and selects one of the PCF NF entities as the second NF entity; for example, if it selects the PCF_1 NF entity as the connection target, it sends a communication connection request to the PCF_1 NF entity.

Step 406: The first NF entity sends a communication connection request to the selected second NF entity; the communication connection request includes the security information identifier and the identifier of the first NF entity, and optionally further includes the first challenge random number and the first encrypted ciphertext.

It should be noted that in this embodiment steps 405 and 406 are not ordered relative to each other: the second NF entity may first obtain the communication connection request sent by the first NF entity and then obtain the security information sent by the NF storage function entity, or it may obtain the security information and the communication connection request at the same time.

Step 407: The NF entity (the second NF entity) that received the communication connection request sent by the first NF entity determines, according to the security information and the identifier of the first NF entity, whether to establish a communication connection with the first NF entity.

Specifically, steps 407 to 409 are the same as steps 309 to 311 in Embodiment 1 and are not described again.

In the method provided by this embodiment, the NF storage function module actively sends the security information, the key and similar information to the second NF entity, so the second NF entity does not need to send a separate request to the NF storage function module to obtain the corresponding security information; this shortens the verification procedure and improves the efficiency of verification between NFs.

Embodiment 3

This embodiment provides a connection method between NF entities applied to a system with two or more PLMNs. The system includes a first NF entity, a second NF entity, a first NF storage function entity and a second NF storage function entity, where the first NF entity and the first NF storage function entity are deployed in a first mobile network, taken as the first PLMN or local PLMN, and the second NF entity and the second NF storage function entity are deployed in a second mobile network, taken as the second PLMN or remote PLMN. Specifically, the process of establishing a communication connection includes the following steps:

As shown in FIG. 5, step 501: The first NF entity sends an NF discovery request to the first NF storage function entity; the NF discovery request includes the identifier of the first NF entity, the NF type (the type of network function) of the NF entity to be accessed, the identifier of the PLMN in which that entity is deployed, and similar information.

Step 502: The first NF storage function entity receives the NF discovery request, determines the second NF storage function entity in the second PLMN according to the PLMN identifier in the NF discovery request, and sends the NF discovery request to the second NF storage function entity.

Step 503: The second NF storage function entity receives the NF discovery request, determines, according to the identifier of the first NF entity and the NF type, at least one NF entity that satisfies the condition, and generates at least one piece of security information, where each piece of security information corresponds to the identifier of one NF entity.

Optionally, after receiving the NF discovery request sent by the first NF storage function entity, the second NF storage function entity checks whether the first NF entity is allowed to access other NF entities; the checking process is the same as in Embodiment 1 and is not described again. If access is allowed, it generates the security information and key for at least one NF entity.

Step 504: The second NF storage function entity sends the generated at least one piece of security information and the key to the first NF storage function entity in an NF discovery response.

Step 505: The first NF storage function entity receives the NF discovery response sent by the second NF storage function entity and forwards it to the first NF entity. The NF discovery response includes the security information of at least one NF entity to be connected and may also include the key. Some or all of the security information further includes the identifier of the first NF entity, the identifier of the second NF entity to be connected, the valid time of the security information, and similar information.

Optionally, step 506: The first NF entity receives the NF discovery response sent by the first NF storage function entity and selects one NF entity as the second NF entity according to the content of the NF discovery response.

Specifically, the first NF storage function entity determines the second NF storage function entity according to the identifier of the deployed PLMN in the NF discovery request, and sends the NF discovery request to the second NF storage function entity.

Step 507: the first NF entity sends a communication connection request to the determined second NF entity. The communication connection request includes the identifier of the first NF entity, a first challenge random number, and a first encrypted ciphertext produced with the key.

Step 508: the second NF entity receives the communication connection request sent by the first NF entity and sends the security information identifier carried in the communication connection request to the second NF storage function entity.

Step 509: the second NF storage function entity receives the security information identifier, looks up the corresponding security information, key and related data, and sends them to the second NF entity. Alternatively, the second NF storage function entity sends the security information and key to the second NF entity on its own initiative after receiving the NF discovery request forwarded by the first NF storage function entity.

Step 510: the second NF entity receives the communication connection request sent by the first NF entity and the security information and key sent by the second NF storage function entity. It determines whether the identifier of the first NF entity in the security information is the same as the identifier of the first NF entity in the communication connection request, and whether the first challenge random number is the same as the second challenge random number obtained by decrypting the first encrypted ciphertext. If the identifiers are the same and the challenge random numbers are also the same, the identity is determined to be genuine and a communication connection is established with the first NF entity.

Optionally, step 511: if the first NF entity passes verification and is allowed to establish a communication connection, the second NF entity sends a communication connection response to the first NF entity. The communication connection response includes a third challenge random number and a second encrypted ciphertext.

Step 512: the first NF entity receives the communication connection response and a second key from the second NF storage function entity, decrypts the second encrypted ciphertext with the second key to produce a fourth challenge random number, and, if the fourth challenge random number is the same as the third challenge random number it received, establishes a communication connection with the second NF entity.

This embodiment provides a connection method and system in which the first NF storage function entity in the first PLMN interacts with the second NF storage function entity in the second PLMN, and the second NF storage function entity in the second PLMN provides the second NF entity's information together with the corresponding security information and key to the second NF entity. This achieves control over communication between NF entities located in different PLMNs, and a secure communication connection between those NF entities.

As shown in FIG. 6 to FIG. 8, embodiments of the present application further provide a second NF entity, a first NF entity and an NF storage function entity apparatus.

FIG. 6 is a schematic structural diagram of an NF entity applied as the second NF entity, which receives a communication connection request from a sending end. The entity includes a transceiver unit 601 and a processing unit 602.

The transceiver unit 601 is configured to receive a communication connection request from a first network function (NF) entity, the communication connection request including the identifier of the first NF entity and a security information identifier, and to obtain from the NF storage function entity the security information corresponding to that security information identifier.

The processing unit 602 is configured to establish a communication connection with the first NF entity if the security information contains the identifier of the first NF entity.

Optionally, the security information includes the identifier of the first NF entity, and the processing unit 602 is further configured to establish a communication connection with the first NF entity if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request.

Optionally, the communication connection request further includes a first challenge random number. The transceiver unit 601 is further configured to obtain a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity. The processing unit 602 is further configured to decrypt the first encrypted ciphertext with the first key to produce a second challenge random number, and to establish a communication connection with the first NF entity if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request and the first challenge random number is the same as the second challenge random number.

Optionally, the processing unit 602 is further configured, when a communication connection is to be established with the first NF entity, to generate a third challenge random number and to generate a second encrypted ciphertext from the third challenge random number and the first key; the transceiver unit 601 is further configured to send the second encrypted ciphertext and the third challenge random number to the first NF entity.

The security information further includes the valid time of the security information, which is used to check whether the security information is still valid.

In addition, the transceiver unit 601 and the processor 602 are further configured to perform some or all of the functions of the first NF entity in steps 301 to 311 of FIG. 3, in steps 401 to 409 of FIG. 4, and in steps 501 to 512 of FIG. 5.

FIG. 7 is a schematic structural diagram of another NF entity applied as the first NF entity, which initiates a communication connection request to the second NF entity. The entity includes a transceiver unit 701 and a processing unit 702.

The transceiver unit 701 is configured to send the identifier of the first NF entity and the requested NF type information to the NF storage function entity, and to receive from the NF storage function entity a security information identifier and the identifier of a second NF entity corresponding to the NF type.

The transceiver unit 701 is further configured to send a communication connection request to the second NF entity, the communication connection request including the identifier of the first NF entity and the security information identifier.

Optionally, the transceiver unit 701 is further configured to receive a communication connection response from the second NF entity, the communication connection response indicating whether the second NF entity allows a communication connection to be established with it.

Optionally, the entity further includes a processing unit 702. The transceiver unit 701 is further configured to receive a first key from the NF storage function entity and to obtain a first challenge random number; the processing unit 702 is configured to generate a first encrypted ciphertext from the first challenge random number and the first key; and the transceiver unit 701 is further configured to send the first encrypted ciphertext and the first challenge random number to the second NF entity.

Optionally, the transceiver unit 701 is further configured to receive a second encrypted ciphertext and a third challenge random number from the second NF entity if the communication connection response indicates that a communication connection is allowed; the processing unit 702 is further configured to decrypt the second encrypted ciphertext with the first key to produce a fourth challenge random number, and to establish a session connection with the second NF entity if the fourth challenge random number is the same as the third challenge random number.

In addition, the transceiver unit 701 and the processor 702 are further configured to perform some or all of the functions of the second NF entity in steps 301 to 311 of FIG. 3, in steps 401 to 409 of FIG. 4, and in steps 501 to 512 of FIG. 5.

It should be noted that the NF entity in this embodiment can act both as a sending end, for example the first NF entity, with the function of initiating a communication connection request, and as a receiving end, for example the second NF entity, which receives the communication connection request from the sending end and verifies the sender's identity.

FIG. 8 is a schematic structural diagram of an NF storage function entity, which controls the discovery of NF entities and generates security information and keys.

Specifically, the entity includes a transceiver unit 801 and a processing unit 802.

The transceiver unit 801 is configured to receive, from the first NF entity, the identifier of the first NF entity and the requested NF type information.

The processing unit 802 is configured to obtain, according to the identifier of the first NF entity and the NF type information, a security information identifier and the identifier of a second NF entity corresponding to the NF type.

The transceiver unit 801 is further configured to send the security information identifier and the identifier of the second NF entity to the first NF entity.

Optionally, the processing unit 802 is further configured to determine, according to the identifier of the first NF entity and the NF type information, at least one NF entity that satisfies the NF type condition, and to generate at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of one NF entity that satisfies the NF type condition.

Optionally, the transceiver unit 801 is further configured to receive the identifier of the first NF entity and the requested NF type information, originating from the first NF entity and forwarded by the first NF storage function entity.

Optionally, the transceiver unit 801 is further configured to send the security information and the identifier of the second NF entity to the second NF entity in either of the following ways: sending the security information and the identifier of the second NF entity on its own initiative, or sending them after receiving the security information identifier from the second NF entity.

Optionally, the transceiver unit 801 is further configured to send a first key to the first NF entity and the second NF entity, the first key being used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity.

Optionally, the processing unit 802 is further configured to check whether the first NF entity is allowed to initiate a communication connection request to the second NF entity. Further, the processing unit 802 is configured to determine whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity; if so, the communication connection request is allowed to be initiated, otherwise the communication connection request is not allowed to be sent.

In addition, the transceiver unit 801 and the processor 802 are further configured to perform some or all of the functions of the NF storage function entity in steps 301 to 311 of FIG. 3 and in steps 401 to 409 of FIG. 4.

In a possible implementation, as shown in FIG. 11, a first NF storage function entity and a second NF storage function entity are included; the first NF storage function entity and the first NF entity belong to a first mobile network, and the second NF storage function entity and the second NF entity belong to a second mobile network. The transceiver unit 801 includes a first transceiver unit 8011 and a second transceiver unit 8012, and the processing unit 802 includes a first processing unit 8021 and a second processing unit 8022. The first transceiver unit 8011 and the first processing unit 8021 are located in the first NF storage function entity, and the second transceiver unit 8012 and the second processing unit 8022 are located in the second NF storage function entity.

The first transceiver unit 8011 is configured to receive an NF discovery request sent by the first NF entity, the NF discovery request including the identifier of the deployed PLMN;

the first processing unit 8021 is configured to receive the identifier of the deployed PLMN from the first transceiver unit 8011, determine the second NF storage function entity according to that identifier, and send the NF discovery request to the second transceiver unit 8012 through the first transceiver unit 8011;

the second transceiver unit 8012 is configured to receive the NF discovery request sent by the first transceiver unit 8011;

the second processing unit 8022 is configured to determine, according to the identifier of the first NF entity and the NF type in the NF discovery request, at least one NF entity that satisfies the condition, and to generate at least one piece of security information;

the second transceiver unit 8012 is further configured to send the at least one piece of security information to the first transceiver unit 8011;

the first transceiver unit 8011 is further configured to receive the at least one piece of security information and send it to the first NF entity.

In addition, the first NF storage function entity and the second NF storage function entity are configured to perform some or all of the functions of the NF storage function entity in steps 301 to 311 of FIG. 3 and in steps 401 to 409 of FIG. 4.

In this embodiment, the NF storage function entity controls the discovery of NF entities and provides the security information, key and related information to the peer NF entity found by NF discovery, so that the NF entities can verify the authenticity of each other's identity and establish a secure connection according to that security information and key. This achieves secure verification of inter-NF access and prevents unauthorized access to NF entities.
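The exchange of steps 501 to 512 and its apparatus counterparts (discovery control and issuance in units 801/802, the request in units 701/702, the receiver-side identifier, valid-time and challenge checks in units 601/602), written out as an added Python example; this is not code from the patent or from Huawei. The entity names (AMF-1, SMF-A, UDM-B), the NF type list, the field names of the security information and the HMAC-based stand-in cipher are assumptions, since the patent specifies none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class SecurityInfo:
    """Security information of steps 503-505; field names are constructed here."""
    sec_id: str        # security information identifier
    requester_id: str  # identifier of the first NF entity
    target_id: str     # identifier of the NF entity to be connected
    expires_at: float  # valid time of the security information (epoch seconds)

def encrypt_nonce(key: bytes, nonce: bytes) -> bytes:
    """Stand-in cipher (the patent names none): random IV plus an HMAC-SHA256
    derived one-time keystream; returns IV || (nonce XOR keystream)."""
    iv = os.urandom(16)
    stream = hmac.new(key, iv, hashlib.sha256).digest()[:len(nonce)]
    return iv + bytes(a ^ b for a, b in zip(nonce, stream))

def decrypt_nonce(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    stream = hmac.new(key, iv, hashlib.sha256).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, stream))

class NfStorageFunction:
    """NF storage function entity (units 801/802): controls discovery and issues
    security information plus a key for every NF entity it discovers."""

    def __init__(self, registry: dict, allowed_types: dict):
        self._registry = registry            # nf_id -> NF type
        self._allowed_types = allowed_types  # requester nf_id -> NF type list
        self._issued = {}                    # sec_id -> (SecurityInfo, key)

    def discover(self, requester_id: str, nf_type: str, now: float, lifetime=60.0):
        """Steps 502-505: refuse NF types outside the requester's NF type list,
        otherwise one (security information, key) pair per matching NF entity."""
        if nf_type not in self._allowed_types.get(requester_id, set()):
            return []
        issued = []
        for nf_id, kind in self._registry.items():
            if kind == nf_type:
                key, sec_id = os.urandom(32), os.urandom(8).hex()
                info = SecurityInfo(sec_id, requester_id, nf_id, now + lifetime)
                self._issued[sec_id] = (info, key)
                issued.append((info, key))
        return issued

    def lookup(self, sec_id: str):
        """Step 509: the security information and key for an identifier, or None."""
        return self._issued.get(sec_id)

def connection_request(nf_id: str, info: SecurityInfo, key: bytes) -> dict:
    """Step 507 (units 701/702): own identifier, security information identifier,
    the first challenge nonce in the clear and the same nonce encrypted."""
    nonce1 = os.urandom(16)
    return {"nf_id": nf_id, "sec_id": info.sec_id,
            "nonce": nonce1, "ct": encrypt_nonce(key, nonce1)}

def handle_connection_request(self_id, nrf, req, now):
    """Steps 508-511 (units 601/602): look up the security information, check its
    valid time and identifiers, recover and compare the nonce, then answer with a
    third nonce and its ciphertext. None means the request is refused."""
    found = nrf.lookup(req["sec_id"])
    if found is None:
        return None
    info, key = found
    if now > info.expires_at or info.requester_id != req["nf_id"] \
            or info.target_id != self_id:
        return None
    nonce2 = decrypt_nonce(key, req["ct"])
    if not hmac.compare_digest(nonce2, req["nonce"]):
        return None
    nonce3 = os.urandom(16)
    return {"nf_id": self_id, "nonce": nonce3, "ct": encrypt_nonce(key, nonce3)}

def verify_connection_response(resp: dict, key: bytes) -> bool:
    """Step 512: decrypt the second ciphertext and compare with the third nonce."""
    return hmac.compare_digest(decrypt_nonce(key, resp["ct"]), resp["nonce"])

def run_handshake(target_type="SMF", now=1_700_000_000.0, tamper=None) -> bool:
    """Whole exchange over constructed data; `tamper` injects one failure case
    ("wrong_id", "bad_ct" or "expired"). True when both sides accept."""
    nrf = NfStorageFunction(registry={"SMF-A": "SMF", "UDM-B": "UDM"},
                            allowed_types={"AMF-1": {"SMF"}})
    pairs = nrf.discover("AMF-1", target_type, now)
    if not pairs:
        return False
    info, key = pairs[0]                       # step 506: choose one NF entity
    req = connection_request("AMF-1", info, key)
    if tamper == "wrong_id":
        req["nf_id"] = "AMF-9"
    elif tamper == "bad_ct":
        req["ct"] = bytes(len(req["ct"]))      # ciphertext not made with the key
    check_time = now + (3600.0 if tamper == "expired" else 1.0)
    resp = handle_connection_request(info.target_id, nrf, req, check_time)
    return resp is not None and verify_connection_response(resp, key)
```

The receiver refuses before touching the ciphertext when the valid time has elapsed or the identifiers do not match, and compares nonces in constant time; both are checks the page describes only in words.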

As shown in FIG. 9 and FIG. 10, the present application further provides a network function (NF) entity and an NF storage function entity. The NF entity and the NF storage function entity may be software deployed on a general-purpose computing platform, or separate hardware devices. The NF entity may be the NF entity of any of the foregoing embodiments and is used to implement the method steps of those embodiments.

Referring to FIG. 9, the NF entity device includes a transceiver 901, a processor 902 and a memory 903. The transceiver 901 includes at least one communication interface and an I/O interface for sending data to and receiving data from different NF entities and NF storage function entities. The transceiver 901 may include components such as a receiver, a transmitter and an antenna. The NF entity may also include more or fewer components, combine certain components, or arrange the components differently; this application does not limit this.

The processor 902 is the control center of the NF entity and implements the functions of the method steps in the foregoing embodiments. It connects the parts of the whole device via various interfaces and lines, and performs the various functions of the terminal device and/or processes data by running or executing software programs and/or modules stored in the memory 903 and calling data stored in the memory. The processor 903 may consist of integrated circuits (ICs), for example a single packaged IC, or several packaged ICs with the same or different functions connected together. For example, the processor 903 may include only a central processing unit (CPU), or may be a combination of a GPU, a digital signal processor (DSP) and a control chip (for example a baseband chip) in the transceiver module. In the embodiments of this application the CPU may have a single computing core or multiple computing cores.

In the different embodiments of this application, the transceiver modules in the transceiver 901 generally take the form of integrated circuit chips and can be combined selectively, without necessarily including all transceiver modules and the corresponding antenna groups. For example, the transceiver module may include only a baseband chip, a radio frequency chip and the corresponding antenna, to provide communication in a cellular communication system. Via a wireless communication connection established by the transceiver module, for example wireless local area network access or WCDMA access, the terminal device can be connected to a cellular network or the Internet. In some optional embodiments of this application, a communication module in the transceiver module, for example a baseband module, may be integrated into the processor, a typical example being the APQ+MDM series platforms provided by Qualcomm. The radio frequency circuit is used to receive and send signals while information is being transmitted and received or during a call. Generally, the radio frequency circuit includes well-known circuits for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a codec chipset, a subscriber identity module (SIM) card, memory and so on. In addition, the radio frequency circuit can communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to the global system for mobile communication (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), high speed uplink packet access (HSUPA), long term evolution (LTE), e-mail, short message service (SMS), and so on.

The processor 902 also performs the processes in FIG. 3 to FIG. 5 that involve the first NF entity and the second NF entity, and/or other processes for the techniques described in this application. For example, the processor/controller 902 is configured to support the first NF entity and/or the second NF entity in performing steps 301 to 311 in FIG. 3, steps 401 to 409 in FIG. 4, steps 501 to 512 in FIG. 5, and/or other processes for the techniques described herein.

In the embodiments of this application, the functions of the transceiver 901 may be implemented by the transceiver unit 601 or the transceiver unit 701, or by the processor 902 controlling the transceiver 901; the functions of the processor 902 may be implemented by the processing unit 602 or the processing unit 702.

FIG. 10 is a schematic structural diagram of an NF storage function entity of this application. The NF storage function entity may be the security information generating apparatus of any of the foregoing embodiments and is used to implement the method steps of those embodiments.

The NF storage function entity may consist of a transceiver 1001, a processor 1002, a memory 1003 and the like. The transceiver 1001 includes at least one communication interface and an I/O interface.

The processor 1002 is the control center of the NF storage function entity. It connects the parts of the whole device via various interfaces and lines, and performs the various functions of the NF storage function module and/or processes data by running or executing software programs and/or modules stored in the memory and calling data stored in the memory. The processor may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

The processor 1002 also performs the processes in FIG. 3 to FIG. 5 that involve the NF storage function entity, and/or other processes for the techniques described in this application. For example, the processor/controller 1002 is configured to support the NF storage function entity in performing steps 301 to 311 in FIG. 3, steps 401 to 409 in FIG. 4, steps 501 to 512 in FIG. 5, and/or other processes for the techniques described herein.

The memory 1003 may include volatile memory, for example random access memory (RAM), and may also include non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also include a combination of the above types of memory. The memory may store a program or code, and the processor in the network element implements the functions of the NF storage function module by executing that program or code.

The transceiver 1001 may be used to receive or send data, and may send data to the first NF entity device or other NF entity devices under the control of the processor.

In the embodiments of this application, the transceiver may be used to implement the method steps of the foregoing embodiments for receiving a discovery request, sending a discovery response, receiving the security information identifier sent by the second NF entity, and returning the security information. The functions of the receiver 1001 may be implemented by the transceiver unit of the NF storage function entity, or by the processor 1002 controlling the transceiver 1001; the functions of the processor 1002 may be implemented by the processing unit 802.

具体实现中,本申请还提供一种计算机存储介质,其中,该计算机存储介质可存储有程序,该程序执行时可包括本申请提供的网络功能实体之间的连接方法的各实施例中的部分或全部步骤。所述的存储介质可为磁碟、光盘、只读存储记忆体(read-only memory,ROM)或随机存储记忆体(random access memory,RAM)等。In a specific implementation, the present application further provides a computer storage medium, wherein the computer storage medium may store a program, where the program may include a part of each embodiment of a connection method between network function entities provided by the application. Or all steps. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Those skilled in the art can clearly understand that the techniques in the embodiments of this application may be implemented by software plus a necessary general-purpose hardware platform. Based on such an understanding, the technical solutions in the embodiments of this application, in essence or the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of this application or in certain parts of the embodiments.

For identical or similar parts among the embodiments in this specification, reference may be made to each other. In particular, since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for relevant parts, refer to the description of the method embodiments.

The embodiments of this application described above do not limit the scope of protection of this application.

Claims (32)

1. A network function entity connection method, comprising: a second network function (NF) entity receiving a communication connection request from a first NF entity, the communication connection request including an identifier of the first NF entity and a security information identifier; the second NF entity obtaining, from an NF storage function entity, security information corresponding to the security information identifier; and if the security information contains the identifier of the first NF entity, the second NF entity establishing a communication connection with the first NF entity.

2. The method according to claim 1, wherein if the security information contains the identifier of the first NF entity, establishing a communication connection with the first NF entity comprises: the security information including an identifier of at least one NF entity; and if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, the second NF entity establishing a communication connection with the first NF entity.

3. The method according to claim 2, wherein the communication connection request further includes a first challenge random number, and the second NF entity establishing a communication connection with the first NF entity comprises: the second NF entity obtaining a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity, and decrypting the first encrypted ciphertext using the first key to produce a second challenge random number; and if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, and the first challenge random number is the same as the second challenge random number, establishing a communication connection with the first NF entity.

4. The method according to any one of claims 1 to 3, further comprising: if the second NF entity establishes a communication connection with the first NF entity, the second NF entity generating a third challenge random number, generating a second encrypted ciphertext using the third challenge random number and the first key, and sending the second encrypted ciphertext and the third challenge random number to the first NF entity.

5. A network function entity connection method, comprising: a first NF entity sending an identifier of the first NF entity and requested NF type information to an NF storage function entity; the first NF entity receiving, from the NF storage function entity, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and the first NF entity sending a communication connection request to the second NF entity, the communication connection request including the identifier of the first NF entity and the security information identifier.

6. The method according to claim 5, further comprising: the first NF entity receiving a communication connection response from the second NF entity, the communication connection response indicating whether the second NF entity allows a communication connection to be established with the first NF entity.

7. The method according to claim 5, further comprising: the first NF entity receiving a first key from the NF storage function entity; and the first NF entity obtaining a first challenge random number, generating a first encrypted ciphertext according to the first challenge random number and the first key, and sending the first encrypted ciphertext and the first challenge random number to the second NF entity.

8. The method according to claims 6 and 7, further comprising: if the communication connection response indicates that a communication connection is allowed to be established, the first NF entity receiving a second encrypted ciphertext and a third challenge random number from the second NF entity; and the first NF entity decrypting the second encrypted ciphertext using the first key to produce a fourth challenge random number, and if the fourth challenge random number is the same as the third challenge random number, establishing a session connection with the second NF entity.

9. A security information sending method, comprising: an NF storage function entity receiving, from a first NF entity, an identifier of the first NF entity and requested NF type information; the NF storage function entity obtaining, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and the NF storage function entity sending the security information identifier and the identifier of the second NF entity to the first NF entity.

10. The method according to claim 9, wherein the NF storage function entity obtaining the security information identifier and the identifier of the second NF entity corresponding to the NF type comprises: the NF storage function entity determining, according to the identifier of the first NF entity and the NF type information, at least one NF entity that satisfies the NF type condition, and generating at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of one NF entity that satisfies the NF type condition.

11. The method according to claim 9, wherein the NF storage function entity receiving the identifier of the first NF entity and the requested NF type information from the first NF entity comprises: the NF storage function entity receiving the identifier of the first NF entity and the requested NF type information from the first NF entity as forwarded by a first NF storage function entity.

12. The method according to claim 9, wherein if the NF discovery request further includes an identifier of the deployed PLMN, the NF storage function entity obtaining the security information identifier and the identifier of the second NF entity corresponding to the NF type comprises: the first NF storage function entity determining the second NF storage function entity according to the identifier of the deployed PLMN, and sending the identifier of the first NF entity and the requested NF type information to the second NF storage function entity; and the first NF storage function entity receiving at least one piece of security information returned by the second NF storage function entity, where each piece of security information includes the identifier of the first NF entity and the identifier of one NF entity that satisfies the NF type condition.

13. The method according to any one of claims 9 to 12, further comprising: the NF storage function entity sending the security information and the identifier of the second NF entity to the second NF entity in either of the following manners: the NF storage function entity actively sending the security information and the identifier of the second NF entity; or, after the NF storage function entity receives the security information identifier from the second NF entity, sending them to the second NF entity.

14. The method according to claim 13, wherein after the NF storage function entity receives the security information identifier sent by the second NF entity, the method further comprises: the NF storage function entity sending a first key to the first NF entity and the second NF entity, the first key being used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity.

15. The method according to any one of claims 9 to 14, wherein after the NF storage function entity receives the identifier of the first NF entity and the requested NF type information from the first NF entity, the method further comprises: the NF storage function entity checking whether the first NF entity is allowed to initiate a communication connection request to the second NF entity.

16. The method according to claim 15, wherein the NF storage function entity stores an NF type list of the first NF entity, and the NF storage function entity checking whether initiating the communication connection request is allowed comprises: determining whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity; and if so, allowing the communication connection request to be initiated; otherwise, not allowing the communication connection request to be sent.

17. A network function entity, applied to a second NF entity, comprising: a transceiver unit, configured to receive a communication connection request from a first NF entity, the communication connection request including an identifier of the first NF entity and a security information identifier; the transceiver unit being further configured to obtain, from an NF storage function entity, security information corresponding to the security information identifier; and a processing unit, configured to determine that, if the security information contains the identifier of the first NF entity, a communication connection is established with the first NF entity.

18. The entity according to claim 17, wherein the security information includes an identifier of at least one NF entity, and the processing unit is further configured to determine that, if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request, a communication connection is established with the first NF entity.

19. The entity according to claim 18, wherein the communication connection request further includes a first challenge random number; the transceiver unit is further configured to obtain a first key from the NF storage function entity and a first encrypted ciphertext from the first NF entity; the processing unit is further configured to decrypt the first encrypted ciphertext using the first key to produce a second challenge random number; and the processing unit is further configured to determine that, if at least one identifier in the security information is the same as the identifier of the first NF entity in the communication connection request and the first challenge random number is the same as the second challenge random number, a communication connection is established with the first NF entity.

20. The entity according to any one of claims 17 to 19, wherein the processing unit is further configured to, if a communication connection is established with the first NF entity, generate a third challenge random number and generate a second encrypted ciphertext using the third challenge random number and the first key; and the transceiver unit is further configured to send the second encrypted ciphertext and the third challenge random number to the first NF entity.

21. A network function entity, applied to a first NF entity, comprising: a transceiver unit, configured to send an identifier of the first NF entity and requested NF type information to an NF storage function entity; the transceiver unit being further configured to receive, from the NF storage function entity, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and the transceiver unit being further configured to send a communication connection request to the second NF entity, the communication connection request including the identifier of the first NF entity and the security information identifier.

22. The entity according to claim 21, wherein the transceiver unit is further configured to receive a communication connection response from the second NF entity, the communication connection response indicating whether the second NF entity allows a communication connection to be established with it.

23. The entity according to claim 21, further comprising a processing unit, wherein the transceiver unit is further configured to receive a first key from the NF storage function entity and to obtain a first challenge random number; the processing unit is configured to generate a first encrypted ciphertext according to the first challenge random number and the first key; and the transceiver unit is further configured to send the first encrypted ciphertext and the first challenge random number to the second NF entity.

24. The entity according to claim 21, wherein the transceiver unit is further configured to, if the communication connection response indicates that a communication connection is allowed to be established, receive a second encrypted ciphertext and a third challenge random number from the second NF entity; and the processing unit is further configured to decrypt the second encrypted ciphertext using the first key to produce a fourth challenge random number, and to determine that, if the fourth challenge random number is the same as the third challenge random number, a session connection is established with the second NF entity.

25. A network function storage function entity, comprising: a transceiver unit, configured to receive, from a first NF entity, an identifier of the first NF entity and requested NF type information; a processing unit, configured to obtain, according to the identifier of the first NF entity and the NF type information, a security information identifier and an identifier of a second NF entity corresponding to the NF type; and the transceiver unit being further configured to send the security information identifier and the identifier of the second NF entity to the first NF entity.

26. The entity according to claim 25, wherein the processing unit is further configured to determine, according to the identifier of the first NF entity and the NF type information, at least one NF entity that satisfies the NF type condition, and to generate at least one piece of security information, where the security information includes the identifier of the first NF entity and the identifier of one NF entity that satisfies the NF type condition.

27. The entity according to claim 25, wherein the transceiver unit is further configured to receive the identifier of the first NF entity and the requested NF type information from the first NF entity as forwarded by a first NF storage function entity.

28. The entity according to claim 25, wherein the NF discovery request further includes an identifier of the deployed PLMN; the processing unit is further configured to determine the second NF storage function entity according to the identifier of the deployed PLMN, and to send the identifier of the first NF entity and the requested NF type information to the second NF storage function entity; and the transceiver unit is further configured to receive at least one piece of security information returned by the second NF storage function entity, where each piece of security information includes the identifier of the first NF entity and the identifier of one NF entity that satisfies the NF type condition.

29. The entity according to any one of claims 25 to 28, wherein the transceiver unit is further configured to send the security information and the identifier of the second NF entity to the second NF entity in either of the following manners: actively sending the security information and the identifier of the second NF entity, or sending them after receiving the security information identifier from the second NF entity.

30. The entity according to claim 29, wherein the transceiver unit is further configured to send a first key to the first NF entity and the second NF entity, the first key being used to decrypt the first encrypted ciphertext that the second NF entity obtains from the first NF entity.

31. The entity according to any one of claims 25 to 30, wherein the processing unit is further configured to check whether the first NF entity is allowed to initiate a communication connection request to the second NF entity.

32. The entity according to claim 31, wherein the NF storage function entity stores an NF type list of the first NF entity, and the processing unit is further configured to determine whether the NF type corresponding to the identifier of the second NF entity is in the NF type list of the first NF entity, and if so, allow the communication connection request to be initiated; otherwise, not allow the communication connection request to be sent.
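The claims above describe one three-party exchange: the first NF entity discovers a target through the NF storage function entity, receives a security information identifier and a first key, and then proves possession of that key to the second NF entity with a challenge random number and its ciphertext, after which the second NF entity answers with a challenge of its own. The following simulation is an added example, not code from the patent or from Huawei; it runs all three roles in one process and exercises the three checks the claims put on the defending side: the NF type list at the storage function entity (claims 15 and 16), the identifier membership test against the security information (claim 2), and the challenge comparison (claims 3 and 8). The NF identifiers, the registry, the type lists, the nonce length and the cipher are all constructed for the example; the cipher in particular is an HMAC-SHA256 keystream standing in for whatever symmetric cipher a deployment would use, because the claims only say "encrypt with the first key".

```python
"""Simulation of the NF-to-NF connection flow in the claims of WO2018120150A1.

An NF storage function entity (NRF), a first NF entity (requester) and a
second NF entity (target) run in one process. Registry entries, identifiers,
the NF type lists and the cipher are constructed for this example.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # size of each "challenge random number" (assumption)


# Stand-in cipher: HMAC-SHA256 used as a PRF keystream under a random IV.
# The claims only say "encrypt with the first key"; a deployment would use a
# real cipher such as AES-GCM, which the standard library does not ship.
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    stream = hmac.new(key, iv, hashlib.sha256).digest()[: len(plaintext)]
    return iv + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    stream = hmac.new(key, iv, hashlib.sha256).digest()[: len(body)]
    return bytes(c ^ s for c, s in zip(body, stream))


class NFStorageFunction:
    """NF storage function entity (claims 9-16)."""

    def __init__(self, registry: dict, type_list: dict):
        self.registry = registry    # nf_id -> NF type
        self.type_list = type_list  # requester nf_id -> NF types it may contact
        self.security_info = {}     # sec_id -> [requester_id, target_id]
        self.keys = {}              # sec_id -> first key

    def discover(self, requester_id: str, nf_type: str):
        # Claims 15/16: refuse when the type is not in the requester's list.
        if nf_type not in self.type_list.get(requester_id, set()):
            return None
        targets = [i for i, t in self.registry.items() if t == nf_type]
        if not targets:
            return None
        sec_id = secrets.token_hex(8)
        # Claim 10: security information names the requester and one matching NF.
        self.security_info[sec_id] = [requester_id, targets[0]]
        self.keys[sec_id] = secrets.token_bytes(32)
        # Claims 9 and 14: identifier, target id and first key to the requester.
        return sec_id, targets[0], self.keys[sec_id]

    def fetch(self, sec_id: str):
        # Claims 13/14: the second NF presents the identifier, gets info and key.
        if sec_id not in self.security_info:
            return None
        return self.security_info[sec_id], self.keys[sec_id]


def build_request(nf_id: str, sec_id: str, key: bytes) -> dict:
    """Claims 5 and 7: the first NF's communication connection request."""
    nonce1 = secrets.token_bytes(NONCE_LEN)
    return {"nf_id": nf_id, "sec_id": sec_id, "nonce1": nonce1,
            "ct1": encrypt(key, nonce1)}


def handle_request(self_id: str, nrf: NFStorageFunction, req: dict):
    """Second NF entity (claims 1-4). Returns (allowed, ct2, nonce3)."""
    fetched = nrf.fetch(req["sec_id"])
    if fetched is None:
        return False, None, None
    ids, key = fetched
    # Claim 2: the requester's identifier must be in the security information.
    # Added check: the information must also name this entity as the target.
    if req["nf_id"] not in ids or self_id not in ids:
        return False, None, None
    # Claim 3: decrypt the first ciphertext and compare with the first nonce.
    if not hmac.compare_digest(decrypt(key, req["ct1"]), req["nonce1"]):
        return False, None, None
    # Claim 4: reply with a third challenge random number and its ciphertext.
    nonce3 = secrets.token_bytes(NONCE_LEN)
    return True, encrypt(key, nonce3), nonce3


def establish_session(nrf, requester_id, nf_type, presented_id=None, key_override=None):
    """Whole flow from the first NF's side (claims 5-8); True on success.
    presented_id / key_override model a peer that is not named in the
    security information, or one that does not hold the first key."""
    disc = nrf.discover(requester_id, nf_type)
    if disc is None:
        return False
    sec_id, target_id, key = disc
    key = key_override or key
    req = build_request(presented_id or requester_id, sec_id, key)
    allowed, ct2, nonce3 = handle_request(target_id, nrf, req)
    if not allowed:
        return False
    # Claim 8: decrypt the second ciphertext and compare with the third nonce.
    return hmac.compare_digest(decrypt(key, ct2), nonce3)


def make_demo_nrf():
    """Constructed registry of three NF instances and their type lists."""
    return NFStorageFunction({"amf-1": "AMF", "smf-1": "SMF", "udm-1": "UDM"},
                             {"amf-1": {"SMF", "UDM"}, "smf-1": {"UDM"}})
```

Running `establish_session(make_demo_nrf(), "amf-1", "SMF")` walks the full exchange and returns True; asking for a type outside the requester's list, presenting an identifier that the security information does not name, or encrypting with a key other than the one the storage function issued all return False at the corresponding check. Two details matter for a defender reading the claims: because the challenge random number travels in the clear next to its ciphertext, the ciphertext is effectively a proof of key possession, so the comparison is done with `hmac.compare_digest` rather than `==`; and the security information is checked for the target's own identifier as well as the requester's, an addition to claim 2 that stops information issued for one target from being presented to another.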
PCT/CN2016/113796 2016-12-30 2016-12-30 Method and apparatus for connection between network entities Ceased WO2018120150A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/113796 WO2018120150A1 (en) 2016-12-30 2016-12-30 Method and apparatus for connection between network entities

Publications (1)

Publication Number Publication Date
WO2018120150A1 true WO2018120150A1 (en) 2018-07-05

Family

ID=62706816

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/113796 Ceased WO2018120150A1 (en) 2016-12-30 2016-12-30 Method and apparatus for connection between network entities

Country Status (1)

Country Link
WO (1) WO2018120150A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977378A (en) * 2010-09-30 2011-02-16 中兴通讯股份有限公司 Information transmission method, network side and relay node
CN103441989A (en) * 2013-08-05 2013-12-11 大唐移动通信设备有限公司 Authentication and information processing method and device
WO2015050892A1 (en) * 2013-10-01 2015-04-09 Ruckus Wireless, Inc. Secure network access using credentials
CN104579889A (en) * 2013-10-16 2015-04-29 华为技术有限公司 Method and device for calling NF (network function)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995090A (en) * 2019-12-02 2021-06-18 中国电信股份有限公司 Authentication method, device and system for terminal application and computer readable storage medium
CN112995090B (en) * 2019-12-02 2022-11-08 中国电信股份有限公司 Authentication method, device and system for terminal application and computer readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16925089

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16925089

Country of ref document: EP

Kind code of ref document: A1