Patents by Inventor Haiguang Wang

Haiguang Wang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200162922
    Abstract: A data transmission method, a related device, and a related system. The method includes: receiving, by a first access network device, a data packet (for example, small data) sent by user equipment (for example, an IoT device), where the data packet includes a first cookie and raw data; verifying, by the first access network device, the first cookie, to obtain a verification result; and processing, by the first access network device, the raw data based on the verification result. Implementation of embodiments can reduce load on a network side when a large quantity of user equipments need to perform communication, thereby increasing data transmission efficiency.
    Type: Application
    Filed: January 21, 2020
    Publication date: May 21, 2020
    Inventors: Xin KANG, Haiguang WANG, Zhongding LEI, Fei LIU
  • Publication number: 20200153871
    Abstract: Embodiments of this application provide a network security management method and an apparatus. The method includes: receiving, by a first network device, a session request sent by a terminal device, where the session request is used to request establishment of a first session with a first data network, the session request includes first authentication information for the first session, and the first authentication information includes identifier information of the first data network; obtaining, by the first network device, second authentication information for a second session of the terminal device, where the second authentication information includes identifier information of a second data network to which the second session is connected; and if the identifier information of the first data network is the same as the identifier information of the second data network, authorizing the terminal device to establish the first session with the first data network.
    Type: Application
    Filed: January 17, 2020
    Publication date: May 14, 2020
    Inventors: Zhongding LEI, Lichun LI, Haiguang WANG, Xin KANG
  • Publication number: 20200100105
    Abstract: The disclosure provides a network authentication method, a network device, and a core network device, the network authentication method including: receiving, by a first network device, an access request message sent by a terminal device, where the access request message includes an identity of the terminal device; determining, by the first network device based on the identity of the terminal device, whether to allow authentication on the terminal device; if the first network device does not allow the authentication on the terminal device, sending, by the first network device, the identity of the terminal device to a core network device, so that the core network device performs network authentication based on the identity of the terminal device.
    Type: Application
    Filed: November 27, 2019
    Publication date: March 26, 2020
    Inventors: Haiguang WANG, Xin KANG, Zhongding LEI, Fei LIU
  • Publication number: 20200084028
    Abstract: A key management method/apparatus (user equipment) are described. The key management includes encrypting user identity information based on a first public key. The user equipment sends a first user identity message to a first network device. The first user identity message includes the user identity information, an indication identifier that indicates whether the user identity information is encrypted, and a reference identifier for indexing the first public key. The first network device sends, to a second network device, a third user identity message including the user identity information and the reference identifier that indexes the first public key. Thus, when receiving the third user identity message, the second network device can determine the encrypted user identity information, according to a pre-stored mapping table including the first private key.
    Type: Application
    Filed: November 19, 2019
    Publication date: March 12, 2020
    Inventors: Haiguang WANG, Xin KANG, Zhongding LEI, Fei LIU
  • Patent number: 10581860
    Abstract: A system for managing and distributing a blacklist of User Equipment IDs (UE IDs) in a network. The system comprises a number of groups of networks, each of the groups of networks comprises a blacklist server and a number of authentication servers. The system further comprises a Package Key Generator (PKG). The blacklist server is configured to: store a blacklist containing UE IDs that are not allowed to gain access to the network; transmit the blacklist to the plurality of authentication servers in the same group; receive a message; determine a content in the message is an order to add a new revoked UE ID to the blacklist; update the blacklist to include the new revoked UE ID; and send an update blacklist message to the plurality of authentication servers in the same group.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: March 3, 2020
    Assignee: Huawei International Pte. Ltd.
    Inventors: Lichun Li, Haiguang Wang, Xin Kang
  • Publication number: 20200068397
    Abstract: This application provides a network authentication method, a network device, a terminal device, and a storage medium. In one aspect, in this application, a network device generates a symmetric key by itself, and generates a correct sequence number of a terminal device in real time by using a first sequence number. In other words, in this application, the network device does not need to store the symmetric key and the correct sequence number of the terminal device, but generates the symmetric key and the correct sequence number of the terminal device in real time. Therefore, storage load of an HSS in the prior art can be reduced.
    Type: Application
    Filed: November 4, 2019
    Publication date: February 27, 2020
    Inventors: Xin Kang, Haiguang Wang, Zhongding Lei, Fei Liu
  • Publication number: 20200007324
    Abstract: Embodiments of this application provide a private key generation method and system, and a device. The method includes: receiving, by a terminal device, a first response message sent by a first network device, where the first response message includes at least a first sub-private key, and the first sub-private key is generated based on a first parameter set sent by a second network device; receiving, by the terminal device, a second response message sent by the second network device, where the second response message includes at least a second sub-private key, and the second sub-private key is generated based on a second parameter set sent by the first network device; and synthesizing, by the terminal device, a joint private key based on at least the first sub-private key and the second sub-private key.
    Type: Application
    Filed: September 9, 2019
    Publication date: January 2, 2020
    Inventors: Xin KANG, Xuwu ZHANG, Yanjiang YANG, Haiguang WANG, Zhongding LEI
  • Publication number: 20190394033
    Abstract: This application discloses a private key generation method and system, and a device. The method includes: sending, by a first network device, a first request to a second network device, where the first request includes a first parameter set; receiving, by the first network device, a first response message returned by the second network device, where the first response message includes a first sub-private key and a second parameter set, the first sub-private key is generated based on the first parameter set, and the first sub-private key is generated for a terminal device; generating, by the first network device, a second sub-private key based on the second parameter set, where the second sub-private key is generated for the terminal device; and synthesizing, by the first network device, the first sub-private key and the second sub-private key into a joint private key according to a synthesis formula.
    Type: Application
    Filed: September 6, 2019
    Publication date: December 26, 2019
    Inventors: Xin KANG, Xuwu ZHANG, Yanjiang YANG, Haiguang WANG, Zhongding LEI
  • Publication number: 20190342082
    Abstract: Embodiments of this application disclose a network key processing system, including user equipment, a security anchor network element, and an access and mobility management network element, where the security anchor network element is configured to: obtain a first key parameter from a slice selection network element, where the first key parameter includes identifier information of N network slices; generate N slice-dedicated keys based on the first key parameter; and send the N slice-dedicated keys to the corresponding N network slices respectively; the access and mobility management network element is configured to: obtain the first key parameter, and send the first key parameter to the user equipment; and the user equipment is configured to: generate the N slice-dedicated keys for the N network slices based on the first key parameter, and access the N network slices based on the generated N slice-dedicated keys.
    Type: Application
    Filed: July 21, 2019
    Publication date: November 7, 2019
    Inventors: Zhongding LEI, Lichun LI, Bo ZHANG, Fei LIU, Haiguang WANG, Xin KANG
  • Publication number: 20190297083
    Abstract: A system for managing and distributing a blacklist of User Equipment IDs (UE IDs) in a network. The system comprises a number of groups of networks, each of the groups of networks comprises a blacklist server and a number of authentication servers. The system further comprises a Package Key Generator (PKG). The blacklist server is configured to: store a blacklist containing UE IDs that are not allowed to gain access to the network; transmit the blacklist to the plurality of authentication servers in the same group; receive a message; determine a content in the message is an order to add a new revoked UE ID to the blacklist; update the blacklist to include the new revoked UE ID; and send an update blacklist message to the plurality of authentication servers in the same group.
    Type: Application
    Filed: April 2, 2019
    Publication date: September 26, 2019
    Inventors: Lichun LI, Haiguang WANG, Xin KANG
  • Publication number: 20190261180
    Abstract: Embodiments provide a network authentication method, and a related device and system. In this method, an access request sent by user equipment is received by a network authentication network element. The received access request includes identification information of the user equipment. It is then verified, by the network authentication network element, whether the identification information is valid. If the identification information is valid, a slice authentication network element corresponding to the user equipment is determined based on the identification information. The identification information can be then sent to the slice authentication network element corresponding to the user equipment. The identification information is used by the slice authentication network element corresponding to the user equipment to generate authentication data for the user equipment and initiate a user authentication request to the user equipment by using the authentication data.
    Type: Application
    Filed: April 30, 2019
    Publication date: August 22, 2019
    Inventors: Zhongding LEI, Haiguang WANG, Xin KANG
  • Publication number: 20190238322
    Abstract: A key distribution method is disclosed. In this method, a key request can be received by a key management system (KMS) from a mobile operator network element (MNO). The key request can carry a public key of UE. At least one PVT and one SSK can be allocated to the UE based on an IBC ID. The at least one PVT and SSK can be encrypted based on the public key to generate ciphertext; and an object can be signed based on a preset digital signature private key (DSPK) to generate a digital signature. The object can include the public key and the ciphertext. Still, a signature validation public key associated with the DSPK can be determined and a key response can be returned to the MNO. The key response can carry the signature validation public key, the public key of the UE, the ciphertext, and the digital signature.
    Type: Application
    Filed: April 12, 2019
    Publication date: August 1, 2019
    Inventors: Haiguang WANG, Yanjiang YANG, Xin KANG, Zhongding LEI
  • Publication number: 20190208417
    Abstract: This application discloses a mobile network authentication method, a terminal device, a server, and a network authentication entity. The method includes: receiving, by a first terminal device, a DH public key and a first ID that are sent by at least one second terminal device; sending a first message to a server, where the first message includes a DH public key of each second terminal device of the at least one second terminal device and a first ID of the second terminal device; receiving a second message sent by the server, where the second message includes a DH public key of the server and a second ID of the second terminal device that is generated by the server; and sending, by the first terminal device, the second ID of the second terminal device and the DH public key of the server to the second terminal device.
    Type: Application
    Filed: March 8, 2019
    Publication date: July 4, 2019
    Inventors: Xin KANG, Haiguang WANG, Yanjiang YANG, Zhongding LEI
  • Publication number: 20190158283
    Abstract: This invention relates to a unified authentication method for a device to authenticate an operator provider network and a service provider network based on Identity-Based Cryptography where each of the device, operator provider network and service provider network has a different private key and a same Global Public Key (GPK) issued by a public key generator, the unified authentication method comprising: the device, generating and transmitting an authentication data package to the operator provider network, in response to receiving the authentication data package, determining a type of authentication based on the Authentication Type; the element of the operator provider network, in response to determining the first type of authentication, generating and transmitting a first Authentication Response Message to the device and transmitting the authentication data package to the element of the service provider network based on the SP_ID.
    Type: Application
    Filed: January 22, 2019
    Publication date: May 23, 2019
    Inventors: Xin KANG, Haiguang WANG, Jie SHI, Guilin WANG, Yanjiang YANG
  • Publication number: 20190159023
    Abstract: This invention relates to a key generation and distribution method. The method comprises receiving a first request from a first requestor, the first requestor comprising an identity of the first requestor; generating a new identity (ID) based on the identity of the first requestor; generating a secret key for the new ID with a predetermined pair of global keys, namely Global Secret Key (GSK), Global Public Key (GPK); transmitting the new ID, secret key and the GPK to the first requestor; receiving a request from a second requestor, the request comprising a plurality of identities; generating a new ID for each of the plurality of identities; generating a secret key based on the IBC key generation algorithm for each of the plurality of new IDs; and transmitting the plurality of new IDs, secret keys corresponding to each of the plurality of IDs and the GPK to the second requestor.
    Type: Application
    Filed: January 25, 2019
    Publication date: May 23, 2019
    Inventors: Haiguang WANG, Jie SHI, Xin KANG
  • Publication number: 20190149990
    Abstract: This invention relates to a User Equipment (UE) for communicating directly with a core network comprising: a first communication device; a second communication device; an authentication management module; a processor; a storage medium; instructions stored on the storage medium and executable by the processor to: perform a first authentication with the core network to obtain a security context; transmit a security context from the authentication management module to at least one of the first and second communication devices; and perform a second authentication for one of the first and second communication devices with the core network using the security context from the authentication management module to establish connection with the core network.
    Type: Application
    Filed: January 11, 2019
    Publication date: May 16, 2019
    Inventors: Haiguang WANG, Lichun LI, Xin KANG, Jie SHI
  • Publication number: 20190141531
    Abstract: Embodiments of the present invention disclose a vertical industry user system, including a service provider device, a terminal, a core network element, and a base station. The core network element is configured to: obtain a distribution instruction; and according to the distribution instruction, configure a core network identification number for the core network element, distribute a provider identification number to the service provider device, and distribute a base station identification number to the base station. The service provider device is configured to receive the provider identification number. The base station is configured to receive the base station identification number. The embodiments of the present invention further provide an identification number distribution method.
    Type: Application
    Filed: December 16, 2018
    Publication date: May 9, 2019
    Inventors: Rong WU, Lu GAN, Haiguang WANG
  • Publication number: 20190141533
    Abstract: Embodiments of the present disclosure disclose a network authentication method, a relay node, and a related system. The system includes user equipment, a relay node, and a cellular network authentication network element. The user equipment is configured to send a first authentication message to the relay node; the relay node is configured to receive first authentication messages, and generate first encrypted information by using an aggregation algorithm based on first encrypted identifiers in the first authentication; the cellular network authentication network element is configured to receive a first aggregation message, and when verifying, by using the first encrypted information, that information in the first aggregation message is correct, send a first response message to the relay node; and the user equipment is configured to generate a session key between the user equipment and the cellular network authentication network element when verifying that information in the first response message is correct.
    Type: Application
    Filed: January 3, 2019
    Publication date: May 9, 2019
    Inventors: Xin Kang, Haiguang Wang, Yanjiang Yang
  • Publication number: 20190141524
    Abstract: A system for transmission data protection includes user equipment (UE) and an access point. The access point sends a broadcast message that carries a public key for encryption. The UE receives and stores the public key for encryption. The UE obtains a global public key or a private key corresponding to the UE, and protects transmission data using the public key for encryption and the global public key or the private key corresponding to the UE.
    Type: Application
    Filed: January 2, 2019
    Publication date: May 9, 2019
    Inventors: Haiguang Wang, Fei Liu, Xin Kang
  • Publication number: 20190068591
    Abstract: The present disclosure relates to example key distribution and authentication methods and devices. In one example method, a second-level key is received by a terminal device from a user management server. The terminal device performs mutual authentication with a network authentication server based on the second-level key, to obtain a communication key for communication between the terminal device and a functional network element.
    Type: Application
    Filed: October 25, 2018
    Publication date: February 28, 2019
    Inventors: Bo ZHANG, Rong WU, Lu GAN, Haiguang WANG