Abstract: Embodiments of a session processing method and a device relating to a data network are provided. The method includes a data-network network element in the data network receiving a data network access request sent by a session management function (SMF) network element of the data network, where the data network access request includes an identifier of user equipment UE and a session address to be used by the UE. The data-network network element sends a response message to the SMF, where the response message instructs the SMF to allow the UE to access the data network, so that the SMF establishes a data packet unit session of the UE. The data-network network element detects, based on the session address or the identifier of the UE, that the data packet unit session of the UE needs to be processed, generates a session processing request, and instructs, by using the session processing request, the SMF to process the data packet unit session of the UE.

Abstract: Provided are a group communication method and related products. In the method, a first user device acquires a group identifier (ID), where the group identifier is used for identifying a group including at least the first user device and a second user device the first user device determines a current destination ID according to the group ID, and transmits to the second user device a packet carrying the current destination ID. With the group communication method and apparatus provided in the present disclosure, the application layer group ID will be converted to the destination L2 ID, thus enabling the end to end group communication.

Abstract: A data transmission method, a related device, and a related system. The method includes: receiving, by a first access network device, a data packet (for example, small data) sent by user equipment (for example, an IoT device), where the data packet includes a first cookie and raw data; verifying, by the first access network device, the first cookie, to obtain a verification result; and processing, by the first access network device, the raw data based on the verification result. Implementation of embodiments can reduce load on a network side when a large quantity of user equipments need to perform communication, thereby increasing data transmission efficiency.

Abstract: Embodiments of this application provide a communication method and a related product. The method includes: After primary authentication between a core network and user equipment succeeds, a network function entity in the core network assists a data network in performing secondary authentication between the data network and the user equipment if the secondary authentication further needs to be performed between the data network and the user equipment; the network function entity obtains an authentication result of the secondary authentication and a restriction condition of the secondary authentication from the data network; and the network function entity stores the authentication result and the restriction condition into the core network.

Abstract: The present disclosure relates to secondary authentication methods and apparatus. In one example method, a core network function entity obtains an identity of a first terminal device, where the identity of the first terminal device is an identity in a first network. The core network function entity sends the identity of the first terminal device to an authentication device in a second network, where the identity of the first terminal device is used to determine an identity used by the second network to perform secondary authentication on a first user, and the identity of the first user is different from the identity of the first terminal device.

Abstract: This application discloses a network authentication method, and a related device and system.

Abstract: A terminal device obtains first slice selection assistance information, where the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of a slice to which the terminal device is allowed to access. The terminal device sends a registration request message to an access network device, where the registration request message includes the first slice selection assistance information.

Abstract: An authentication method, apparatus, and device. The method includes sending, by a core network device, an authentication request message of a user to a data network device, where the authentication request message requests that the data network device perform identity authentication on the user, and receiving, by the core network device, an authentication response message sent by the data network device, where the authentication response message comprises first information, and the first information indicates user identity information of the user.

Abstract: Embodiments of this application provide a private key generation method and system, and a device. The method includes: receiving, by a terminal device, a first response message sent by a first network device, where the first response message includes at least a first sub-private key, and the first sub-private key is generated based on a first parameter set sent by a second network device; receiving, by the terminal device, a second response message sent by the second network device, where the second response message includes at least a second sub-private key, and the second sub-private key is generated based on a second parameter set sent by the first network device; and synthesizing, by the terminal device, a joint private key based on at least the first sub-private key and the second sub-private key.

Abstract: A key management method/apparatus (user equipment) are described. The key management includes encrypting user identity information based on a first public key. The user equipment sends a first user identity message to a first network device. The first user identity message includes the user identity information, an indication identifier that indicates whether the user identity information is encrypted, and a reference identifier for indexing the first public key. The first network device sends, to a second network device, a third user identity message including the user identity information and the reference identifier that indexes the first public key. Thus, when receiving the third user identity message, the second network device can determine the encrypted user identity information, according to a pre-stored mapping table including the first private key.

Abstract: Example communication methods and apparatus are described. One example communication method includes that user equipment (UE) sends an N1 message to a security anchor function (SEAF), where the N1 message carries a Diffie-Hellman (DH) public parameter or a DH public parameter index, the N1 message further carries an encrypted identifier of the UE, and the encrypted identifier is obtained by encrypting a permanent identifier of the UE and a first DH public key. The UE receives an authentication request that carries a random number and that is sent by the SEAF. The UE sends, to the SEAF, an authentication response used to respond to the authentication request, where the authentication response carries an authentication result calculated based on a root key and the random number.

Abstract: A key generation method includes a user plane network function and a terminal device obtain key update information sent by each other. The user plane network function updates, by using the obtained key update information, a sub-key derived from a permanent key, to obtain a new protection key. The terminal device updates, by using the obtained key update information, a sub-key derived from the permanent key, to obtain a new protection key. The terminal device and the user plane network function perform, by using the new protection key, security protection on user plane data transmitted between the terminal device and the user plane network function.

Abstract: This application discloses a mobile network authentication method, a terminal device, a server, and a network authentication entity. The method includes: receiving, by a first terminal device, a DH public key and a first ID that are sent by at least one second terminal device; sending a first message to a server, where the first message includes a DH public key of each second terminal device of the at least one second terminal device and a first ID of the second terminal device; receiving a second message sent by the server, where the second message includes a DH public key of the server and a second ID of the second terminal device that is generated by the server; and sending, by the first terminal device, the second ID of the second terminal device and the DH public key of the server to the second terminal device.

Abstract: Embodiments of this application provide a pseudonym credential configuration method and apparatus. The method includes: receiving an identifier of a terminal device and information about N to-be-requested pseudonym credentials from the terminal device, sending N second request messages to a pseudonym credential generation server, and storing a tag of each second request message in association with the identifier of the terminal device in the registration server, so that the registration server can obtain, based on the tag, the identifier that is of the terminal device and that is associated with the tag; and generating N pseudonym credentials. The pseudonym credential generated in this application may enable a behavior investigation server to learn of a real identity of the terminal device.

Abstract: This application discloses a network authentication method, and a related device and system.

Abstract: A key distribution method is disclosed. In this method, a key request can be received by a key management system (KMS) from a mobile operator network element (MNO). The key request can carry a public key of UE. At least one PVT and one SSK can be allocated to the US based on an IBC ID. The at least one PVT and SSK can be encrypted based on the public key to generate ciphertext; and an object can be signed based on a preset digital signature private key (DSPK) to generate a digital signature. The object can include the public key and the ciphertext. Still, a signature validation public key associated with the DSPK can be determined and a key response can be returned to the MNO. The key response can carry the signature validation public key, the public key of the UE, the ciphertext, and the digital signature.

Abstract: This application discloses a private key generation method and system, and a device. The method includes: sending, by a first network device, a first request to a second network device, where the first request includes a first parameter set; receiving, by the first network device, a first response message returned by the second network device, where the first response message includes a first sub-private key and a second parameter set, the first sub-private key is generated based on the first parameter set, and the first sub-private key is generated for a terminal device; generating, by the first network device, a second sub-private key based on the second parameter set, where the second sub-private key is generated for the terminal device; and synthesizing, by the first network device, the first sub-private key and the second sub-private key into a joint private key according to a synthesis formula.

Abstract: This application provides a network slice allocation method, device, and system, including a terminal device, a first core network device, a second core network device, and a third core network device. The terminal device encrypts NSSAI and an ID of the terminal device to obtain encrypted information, and sends a slice access request message to the first core network device. The first core network device sends the encrypted information to the second core network device. The second core network device decrypts the encrypted information to obtain the NSSAI and the ID of the terminal device, generates an authentication vector, and sends the NSSAI and the authentication vector to the first core network device.

Abstract: Embodiments provide a network authentication method, and a related device and system. In this method, an access request sent by user equipment is received by a network authentication network element. The received access request includes identification information of the user equipment. It is then verified, by the network authentication network element, whether the identification information is valid. If the identification information is valid, a slice authentication network element corresponding to the user equipment is determined based on the identification information. The identification information can be then sent to the slice authentication network element corresponding to the user equipment. The identification information is used by the slice authentication network element corresponding to the user equipment to generate authentication data for the user equipment and initiate a user authentication request to the user equipment by using the authentication data.

Abstract: This application provides a network authentication method, a network device, a terminal device, and a storage medium. In one aspect, in this application, a network device generates a symmetric key by itself, and generates a correct sequence number of a terminal device in real time by using a first sequence number. In other words, in this application, the network device does not need to store the symmetric key and the correct sequence number of the terminal device, but generates the symmetric key and the correct sequence number of the terminal device in real time. Therefore, storage load of an HSS in the prior art can be reduced.