METHOD AND APPARATUS FOR PROCESSING NON-ACCESS STRATUM CONTEXT

20230232357 · 2023-07-20

    Abstract

    A method for processing a non-access stratum (NAS) context is as follows: A terminal device sends a registration request message to a first public land mobile network (PLMN). The terminal device receives a registration accept message from the first PLMN. When the terminal device deregisters from the first PLMN over a first access network, the terminal device stores, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first NAS security context established by the terminal device with the first PLMN. Embodiments of this application are used in the processing of the non-access stratum context.

    Claims

    1. A method for processing a non-access stratum (NAS) context, comprising: sending, by a terminal device, a first registration request message to a first public land mobile network (PLMN); receiving, by the terminal device, a registration accept message from the first PLMN; and in response to the terminal device deregistering from the first PLMN over a first access network, storing, by the terminal device, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first NAS security context established by the terminal device with the first PLMN.

    2. The method according to claim 1, further comprising: determining, by the terminal device based on the first PLMN identifier, the first NAS security context established by the terminal device with the first PLMN; protecting, by the terminal device, a second registration request message with the first NAS security context; and sending, by the terminal device over the first access network, to the first PLMN the second registration request message protected by using the first NAS security context.

    3. The method according to claim 1, wherein the storing, by the terminal device, in the storage medium of the terminal device, the first PLMN identifier of the first PLMN and the first NAS security context established by the terminal device with the first PLMN comprises: in response to storage of a registration management parameter being supported by a universal subscriber identity module (USIM) of the terminal device, storing, by the terminal device, the first NAS security context and the first PLMN identifier on the USIM; or in response to storage of the registration management parameter not being supported by the USIM, storing, by the terminal device, the first NAS security context and the first PLMN identifier in a non-volatile storage medium of the terminal device.

    4. The method according to claim 1, further comprising: setting, by the terminal device, the first NAS security context to valid.

    5. The method according to claim 1, wherein the storing, by the terminal device in the storage medium of the terminal device, the first PLMN identifier of the first PLMN and the first NAS security context established by the terminal device with the first PLMN comprises: in response to a second NAS security context established by the terminal device with the first PLMN not being stored on the storage medium of the terminal device, storing, by the terminal device, the first NAS security context and the first PLMN identifier in the storage medium of the terminal device; or in response to the first PLMN identifier and the second NAS security context established by the terminal device with the first PLMN being stored on the storage medium of the terminal device, replacing, by the terminal device, the second NAS security context with the first NAS security context.

    6. The method according to claim 1, wherein the storing, by the terminal device in the storage medium of the terminal device, the first PLMN identifier of the first PLMN and the first NAS security context established by the terminal device with the first PLMN comprises: in response to a second NAS security context that corresponds to the first access network not being stored by the storage medium of the terminal device, storing, by the terminal device, the first NAS security context and the first PLMN identifier in the storage medium of the terminal device; or in response to the second NAS security context that corresponds to the first access network being stored by the storage medium of the terminal device, replacing, by the terminal device, the second NAS security context that corresponds to the first access network with the first NAS security context; and storing the first PLMN identifier.

    7. The method according to claim 1, further comprising: before the storing, by the terminal device in the storage medium of the terminal device, the first PLMN identifier of the first PLMN and the first NAS security context established by the terminal device with the first PLMN, deregistering, by the terminal device, from the first PLMN over all access networks.

    8. The method according to claim 1, further comprising: storing, by the terminal device, an identifier of the first access network in the storage medium of the terminal device.

    9. The method according to claim 1, further comprising: before the terminal device deregisters from the first PLMN over the first access network, receiving, by the terminal device, a first globally unique temporary identity (GUTI) allocated by the first PLMN, wherein the first GUTI is usable to identify the terminal device, and the first GUTI includes the first PLMN identifier; and in response to a second GUTI being stored by the storage medium of the terminal device, deleting, by the terminal device, the second GUTI; and storing the first GUTI; or replacing the second GUTI with the first GUTI; or in response to the second GUTI not being stored by the storage medium of the terminal device, storing, by the terminal device, the first GUTI, wherein the second GUTI is sent to the terminal device before the first PLMN allocates the first GUTI, and the second GUTI includes the first PLMN identifier.

    10. The method according to claim 1, further comprising: in response to the sending, by the terminal device, the first registration request message to the first PLMN, receiving, by the terminal device from the first PLMN, a second PLMN identifier of a second PLMN equivalent to the first PLMN; and storing, by the terminal device, the second PLMN identifier in the storage medium of the terminal device.

    11. The method according to claim 10, further comprising: in response to the terminal device deregistering from the first PLMN over the first access network, obtaining, by the terminal device based on the second PLMN identifier, a third GUTI allocated by the second PLMN; including, by the terminal device, the third GUTI in a third registration request message; and sending, by the terminal device, the third registration request message to the first PLMN.

    12. A method for processing a non-access stratum (NAS) context, comprising: obtaining, by a terminal device based on a first PLMN identifier of the first PLMN from a storage medium of the terminal device, a first NAS security context established by the terminal device with the first PLMN; protecting, by the terminal device, a registration request message by using the first NAS security context; and sending, by the terminal device to a first public land mobile network (PLMN) over a first access network, the registration request message protected by using the first NAS security context.

    13. The method according to claim 12, wherein the obtaining, by the terminal device based on the first PLMN identifier from the storage medium of the terminal device, the first NAS security context established by the terminal device with the first PLMN comprises: in response to storage of a registration management parameter being supported by a universal subscriber identity module (USIM) of the terminal device, reading, by the terminal device, the first NAS security context from the USIM based on the first PLMN identifier; or in response to storage of the registration management parameter not being supported by the USIM, reading, by the terminal device, the first NAS security context from a non-volatile storage medium of the terminal device based on the first PLMN identifier of the first PLMN.

    14. The method according to claim 12, wherein the obtaining, by the terminal device based on the first PLMN identifier of the first PLMN from the storage medium of the terminal device, the first NAS security context established by the terminal device with the first PLMN comprises: obtaining, by the terminal device based on the first PLMN identifier and an identifier of the first access network, the first NAS security context that corresponds to the first access network and that is established by the terminal device with the first PLMN from the storage medium of the terminal device.

    15. The method according to claim 12, further comprising: before the terminal device sends the registration request message to the first PLMN, obtaining, by the terminal device based on the first PLMN identifier from the storage medium of the terminal device, a first GUTI allocated by the first PLMN; and including, by the terminal device, the first GUTI in the registration request message.

    16. An apparatus, comprising: at least one processor, and at least one memory coupled to the at least one processor and storing computer instructions, that in response to the computer instructions being performed by the at least one processor, cause the apparatus to: send a first registration request message to a first public land mobile network (PLMN); receive a registration accept message from the first PLMN; and in response to a terminal device deregistering from the first PLMN over a first access network, store, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first non-access stratum (NAS) security context established by the terminal device with the first PLMN.

    17. The apparatus according to claim 16, wherein the computer instructions further cause the apparatus to: determine, based on the first PLMN identifier, a first NAS security context established by the terminal device with the first PLMN; protect a second registration request message by using the first NAS security context; and send, to the first PLMN over the first access network, the second registration request message protected by using the first NAS security context.

    18. The apparatus according to claim 16, wherein the computer instructions further cause the apparatus to: in response to storage of a registration management parameter being supported by a universal subscriber identity module (USIM) of the terminal device, store a first NAS security context and the first PLMN identifier on the USIM; or in response to storage of the registration management parameter not being supported by the USIM, store the first NAS security context and the first PLMN identifier in a non-volatile storage medium of the terminal device.

    19. An apparatus, comprising: at least one processor, and at least one memory coupled to the at least one processor and storing computer instructions, that in response to the computer instructions being performed by the at least one processor, cause the apparatus to: obtain, based on a first public land mobile network (PLMN) identifier of a first PLMN from a storage medium of a terminal device, a first non-access stratum (NAS) security context established by the terminal device with the first PLMN; protect a registration request message by using the first NAS security context; and send, to the first PLMN over a first access network, the registration request message protected by using the first NAS security context.

    20. The apparatus according to claim 19, wherein the computer instructions further cause the apparatus to: in response to storage of a registration management parameter being supported by a universal subscriber identity module (USIM) of the terminal device, read the first NAS security context from the USIM based on the first PLMN identifier; or in response to storage of the registration management parameter not being supported by the USIM, read the first NAS security context from a non-volatile storage medium of the terminal device based on the identifier of the first PLMN.

    Description

    BRIEF DESCRIPTION OF DRAWINGS

    [0069] FIG. 1 is a schematic diagram of a scenario in which a terminal device registers over different access networks according to some embodiments;

    [0070] FIG. 2 is a schematic diagram of a network architecture according to some embodiments;

    [0071] FIG. 3 is a schematic flowchart of a method for processing a non-access stratum context according to some embodiments;

    [0072] FIG. 4 is a schematic flowchart of a method for processing a non-access stratum context according to some embodiments;

    [0073] FIG. 5 is a schematic flowchart of a method for processing a non-access stratum context according to some embodiments;

    [0074] FIG. 6 is a schematic diagram of a structure of a terminal device according to some embodiments; and

    [0075] FIG. 7 is a schematic diagram of a structure of a terminal device according to some embodiments.

    DESCRIPTION OF EMBODIMENTS

    [0076] For ease of understanding, some concepts related to the embodiments are described for reference by using examples. Details are shown as follows.

    [0077] 3GPP access network: includes a next generation radio access network (NG-RAN), where the NG-RAN includes a next generation NodeB (gNB) and a next generation evolved NodeB (ng-eNB).

    [0078] Non-3GPP access network: for example, a wireless local area network (WLAN) access network is a non-3GPP access network. Non-3GPP access networks include untrusted non-3GPP access networks, trusted non-3GPP access networks, and wireline access networks.

    [0079] Storage and Processing of a Security Context in a Scenario in which a Terminal Device Registers Over Different Access Networks

    [0080] There are two scenarios in which the terminal device registers over different access networks.

    [0081] Scenario 1 of registration over different access networks: A terminal device registers to a same PLMN over a 3GPP access network and a non-3GPP access network, and a same access and mobility management node (for example, an access and mobility management function (AMF)) of the PLMN serves the terminal device. The terminal device establishes a non-3GPP NAS connection and a 3GPP NAS connection with the PLMN (in some embodiments, the PLMN is represented by its access and mobility management node). As shown in (a) in FIG. 1, a terminal device registers to a PLMN over a 3GPP access network, and a 3GPP NAS connection is established between the terminal device and the PLMN. The terminal device registers to the PLMN over a non-3GPP access network, and a non-3GPP NAS connection is established between the terminal device and the PLMN.

    [0082] Scenario 2 of registration over different access networks: A terminal device registers to two different PLMNs respectively over a 3GPP access network and a non-3GPP access network, and the terminal device establishes a NAS connection with each of the two PLMNs (or two access and mobility management nodes). As shown in (b) in FIG. 1, a terminal device registers to a PLMN-A over a 3GPP access network, and a 3GPP NAS connection is established between the terminal device and the PLMN-A. The terminal device registers to a PLMN-B over a non-3GPP access network, and a non-3GPP NAS connection is established between the terminal device and the PLMN-B.

    [0083] In Scenario 1 of registration over different access networks, a NAS security context established by the terminal device with the PLMN includes:

    [0084] a key Kamf and a key identifier ngKSI of the key Kamf, where the key Kamf is used to generate a NAS cipher key and a NAS integrity key, the NAS cipher key is used to cipher a NAS message, and the NAS integrity key is used to protect integrity of the NAS message;

    [0085] selected NAS cipher and integrity algorithms (or algorithm identifiers); and

    [0086] an identifier of the 3GPP NAS connection and NAS counts that are of the 3GPP NAS connection and that include an uplink NAS count and a downlink NAS count, and/or an identifier of the non-3GPP NAS connection and NAS counts that are of the non-3GPP NAS connection and that include an uplink NAS count and a downlink NAS count.

    [0087] In some embodiments, the 3GPP NAS connection and the non-3GPP NAS connection use the same key Kamf, the same key identifier ngKSI of the key Kamf, and the same selected NAS cipher and integrity algorithms (or algorithm identifiers), but use different NAS connection identifiers and NAS counts. The 3GPP NAS connection uses the identifier of the 3GPP NAS connection and the NAS counts of the 3GPP NAS connection; and the non-3GPP NAS connection uses the identifier of the non-3GPP NAS connection and the NAS counts of the non-3GPP NAS connection.
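    As an added example that is not part of the patent text, the following Python code builds the Scenario 1 context of [0083]-[0087]: it derives K_NASenc and K_NASint from Kamf with the 3GPP KDF structure (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 with FC = 0x69, the 128 least significant bits used as the key) and then protects the same uplink NAS message on the 3GPP and the non-3GPP NAS connection. The NAS connection identifiers (0x01 for 3GPP access, 0x02 for non-3GPP access) and the COUNT || BEARER || DIRECTION framing follow TS 33.501; the integrity function itself is an HMAC stand-in for NIA1/2/3 (an assumption, since those algorithms are not in the standard library), and the Kamf value and the message bytes are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

# Constants from TS 33.501 Annex A.8 (algorithm key derivation) and clause 6.4.3
# (NAS connection identifiers). Everything else in this block is a constructed example.
FC_ALGORITHM_KEY = 0x69
N_NAS_ENC_ALG = 0x01          # algorithm type distinguisher for K_NASenc
N_NAS_INT_ALG = 0x02          # algorithm type distinguisher for K_NASint
NAS_CONN_ID_3GPP = 0x01       # NAS connection identifier, 3GPP access
NAS_CONN_ID_NON_3GPP = 0x02   # NAS connection identifier, non-3GPP access
UPLINK, DOWNLINK = 0, 1


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... as in TS 33.220 Annex B.2 (each Li is a 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(Key, S) with a 256-bit output."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def derive_nas_keys(kamf: bytes, enc_alg_id: int, int_alg_id: int) -> tuple[bytes, bytes]:
    """K_NASenc and K_NASint from Kamf: FC=0x69, P0=type distinguisher, P1=algorithm identity;
    the 128 least significant bits of the 256-bit output form the 128-bit algorithm key."""
    k_nas_enc = kdf(kamf, FC_ALGORITHM_KEY, bytes([N_NAS_ENC_ALG]), bytes([enc_alg_id]))[16:]
    k_nas_int = kdf(kamf, FC_ALGORITHM_KEY, bytes([N_NAS_INT_ALG]), bytes([int_alg_id]))[16:]
    return k_nas_enc, k_nas_int


def nas_mac(k_nas_int: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for NIA1/2/3 (assumption: the real algorithms are SNOW 3G / AES-CMAC / ZUC based).
    The framing is the standard one: COUNT(32) || BEARER(5) || DIRECTION(1) || 0^26 || MESSAGE,
    where BEARER carries the NAS connection identifier; the output is cut to the 32-bit NAS-MAC."""
    header = count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2), 0, 0, 0])
    return hmac.new(k_nas_int, header + message, hashlib.sha256).digest()[:4]


class NasConnection:
    """One NAS connection: it shares Kamf, ngKSI and the algorithms with the peer connection but
    owns its NAS connection identifier and its uplink/downlink NAS COUNTs, as in [0086]-[0087]."""

    def __init__(self, conn_id: int, k_nas_int: bytes) -> None:
        self.conn_id = conn_id
        self.k_nas_int = k_nas_int
        self.ul_count = 0
        self.dl_count = 0

    def protect_uplink(self, message: bytes) -> tuple[int, bytes]:
        """Return (NAS COUNT used, NAS-MAC) and advance the uplink COUNT of this connection only."""
        count = self.ul_count
        self.ul_count += 1
        return count, nas_mac(self.k_nas_int, count, self.conn_id, UPLINK, message)


def build_scenario1_context(kamf: bytes, ngksi: int, enc_alg_id: int, int_alg_id: int) -> dict:
    """Scenario 1 context: one Kamf / ngKSI / algorithm set, two NAS connections with separate COUNTs."""
    k_nas_enc, k_nas_int = derive_nas_keys(kamf, enc_alg_id, int_alg_id)
    return {
        "ngksi": ngksi,
        "k_nas_enc": k_nas_enc,
        "k_nas_int": k_nas_int,
        "3gpp": NasConnection(NAS_CONN_ID_3GPP, k_nas_int),
        "non-3gpp": NasConnection(NAS_CONN_ID_NON_3GPP, k_nas_int),
    }


def demo() -> tuple[bytes, bytes]:
    """Protect the same message on both connections: the MACs differ because the connection
    identifier (BEARER) differs, even though Kamf, the derived keys and the COUNT are equal."""
    kamf = bytes(range(32))                       # constructed Kamf, not a real key
    ctx = build_scenario1_context(kamf, ngksi=1, enc_alg_id=2, int_alg_id=2)  # NEA2 / NIA2 identities
    rr = b"\x7e\x00\x41"                          # constructed stub of a Registration Request header
    _, mac_3gpp = ctx["3gpp"].protect_uplink(rr)
    _, mac_n3gpp = ctx["non-3gpp"].protect_uplink(rr)
    return mac_3gpp, mac_n3gpp


if __name__ == "__main__":
    a, b = demo()
    print("3GPP NAS-MAC    ", a.hex())
    print("non-3GPP NAS-MAC", b.hex())
```

    The point the code makes is the one in [0087]: a replayed or cross-connection message fails verification not because the keys differ but because the receiver binds the MAC to its own connection identifier and its own COUNT, so the two connections must keep their COUNTs separately even when they share Kamf.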

    [0088] In Scenario 2 of registration over different access networks, the terminal device respectively establishes NAS security contexts with the two PLMNs (for example, the PLMN-A and the PLMN-B shown in (b) in FIG. 1), namely, a 3GPP NAS security context (including a key Kamf and a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), an identifier of the 3GPP NAS connection and NAS counts of the 3GPP NAS connection) and a non-3GPP NAS security context (including the key Kamf, the key identifier ngKSI of the key Kamf, the selected NAS cipher and integrity algorithms (or algorithm identifiers), an identifier of the non-3GPP NAS connection and NAS counts of the non-3GPP NAS connection).

    [0089] In response to a terminal device deregistering from a PLMN, both the terminal device and the PLMN need to store the current NAS security context of the terminal device. (The current NAS security context is the most recently activated NAS security context.)

    [0090] A specification on NAS security context storage on the terminal device is as follows.

    [0091] In response to the universal subscriber identity module (USIM) of the terminal device supporting storage of a registration management parameter, the terminal device stores the current NAS security context on the USIM, marks the NAS security context stored on the USIM as valid, and does not store any NAS security context in the non-volatile memory of the mobile equipment (ME). Both the USIM and the ME are parts of the terminal device.

    [0092] In response to the USIM not supporting storage of a registration management parameter, the NAS security context is stored in the non-volatile memory of the ME, and the NAS security context stored in the non-volatile memory is marked as valid.

    [0093] Allocation of a 5th Generation Globally Unique Temporary UE Identity (5G-GUTI)

    [0094] In response to a terminal device registering to a PLMN over an access network, an access and mobility management node of the PLMN can allocate a GUTI to the terminal device to identify the terminal device. The access and mobility management node of the PLMN and the terminal device store the GUTI. The GUTI includes a PLMN identifier (ID) used to identify the PLMN. The PLMN identifier included in the GUTI indicates that the GUTI was allocated by that PLMN. The GUTI is further used by the network side to obtain a context of the terminal device. The context of the terminal device includes a NAS security context.

    [0095] For a PLMN, the terminal device needs to store the latest GUTI allocated by the PLMN. For example, in response to the terminal device first accessing the PLMN over an access network 1, the PLMN can allocate a GUTI, for example, a GUTI-A1, to the terminal device. In response to the terminal device accessing the same PLMN over an access network 2, the PLMN can allocate a GUTI, for example, a GUTI-A2, to the terminal device. In this case, both the terminal device and the access and mobility management node of the PLMN need to store and use the newly allocated GUTI, namely, the GUTI-A2.

    [0096] In response to the terminal device registering to a plurality of PLMNs, the terminal device needs to store the latest GUTI allocated by each PLMN. For example, in response to the terminal device first accessing a PLMN-A over an access network 1, the PLMN-A can allocate a GUTI, for example, a GUTI-A1, to the terminal device. In response to the terminal device accessing a PLMN-B over an access network 2, the PLMN-B can allocate a GUTI, for example, a GUTI-B1, to the terminal device. In this case, the terminal device needs to store both the GUTI-A1 and the GUTI-B1.

    [0097] A specification for storing the GUTI on the terminal device is as follows.

    [0098] In response to a USIM in the terminal device supporting storage of a registration management parameter, the GUTI is stored on the USIM.

    [0099] In response to a USIM in the terminal device not supporting storage of a registration management parameter, the GUTI is stored in a non-volatile memory of a mobile equipment.

    [0100] An implementation in which the terminal device stores the GUTI in the USIM or the non-volatile memory of the ME is as follows: After receiving the GUTI allocated by the PLMN, the terminal device stores the GUTI; or the terminal device stores the GUTI in response to deregistering from the PLMN.

    [0101] In response to the terminal device intending to register to the PLMN, the terminal device sends a registration request message to the PLMN and includes a GUTI in the registration request message. The terminal device selects the GUTI to include as follows:

    [0102] In response to a GUTI stored in the USIM or the non-volatile memory of the ME of the terminal device having been allocated by the PLMN to which the terminal device intends to register, the terminal device selects that GUTI; otherwise, in response to none of the stored GUTIs having been allocated by the PLMN to which the terminal device intends to register, the terminal device selects a GUTI allocated by another PLMN.

    [0103] In response to a GUTI stored in the USIM or the non-volatile memory of the ME of the terminal device having been allocated by an equivalent PLMN of the PLMN to which the terminal device intends to register, the terminal device selects that GUTI to include in the registration request message; otherwise, in response to none of the stored GUTIs having been allocated by any equivalent PLMN of that PLMN, the terminal device selects a GUTI allocated by another PLMN.

    [0104] Implementation of Processing and Storing a NAS Security Context and a GUTI of a Terminal Device

    [0105] In response to a USIM of the terminal device supporting storage of a registration management parameter:

    [0106] An EF_5GS3GPPNSC file on the USIM is used to store a 3GPP NAS security context, including a key Kamf and the key identifier ngKSI of the key Kamf, the NAS count of the 3GPP NAS connection, a selected NAS integrity algorithm identifier, and a selected NAS cipher algorithm identifier.

    [0107] An EF_5GSN3GPPNSC file on the USIM is used to store a non-3GPP NAS security context, including the key Kamf and the key identifier ngKSI of the key Kamf, the NAS count of the non-3GPP NAS connection, the selected NAS integrity algorithm identifier, and the selected NAS cipher algorithm identifier.

    [0108] In response to the terminal device registering to the same PLMN over two access networks, the keys Kamf, the key identifiers ngKSI, the selected NAS integrity algorithm identifiers, and the selected NAS cipher algorithm identifiers in the two files (EF_5GS3GPPNSC and EF_5GSN3GPPNSC) are the same, but the NAS counts in the two files are different. In response to the terminal device registering to different PLMNs over the two access networks, the keys Kamf, the key identifiers ngKSI, the NAS counts, the selected NAS integrity algorithm identifiers, and the selected NAS cipher algorithm identifiers in the two files can differ.

    [0109] In response to the USIM of the terminal device supporting the storage of the registration management parameter:

    [0110] An EF_5GS3GPPLOCI file (used to store location information of the 3GPP NAS connection) on the USIM of the terminal device stores the GUTI received on the 3GPP NAS connection.

    [0111] An EF_5GSN3GPPLOCI file (used to store location information of the non-3GPP NAS connection) on the USIM of the terminal device stores the GUTI received on the non-3GPP NAS connection.

    [0112] However, based on the foregoing descriptions, in response to the terminal device registering to the PLMN, the following technical problems occur.

    [0113] Technical problem 1: NAS security contexts stored on a terminal device side and a network side do not match.

    [0114] For example, in the following scenarios:

    [0115] Step 11: A terminal device registers to a PLMN-A over an access network 1 and an access network 2. An access and mobility management node AMF 1 of the PLMN-A serves the terminal device.

    [0116] Step 12: The terminal device deregisters from the PLMN-A over the access network 2.

    [0117] Step 13: The terminal device registers to a PLMN-B over the access network 2, and then the terminal device deregisters from the PLMN-B over the access network 2.

    [0118] Step 14: The terminal device registers to the PLMN-A over the access network 2.

    [0119] In step 14, the terminal device sends a registration request (RR) message to the AMF 1 in the PLMN-A over the access network 2. The registration request message carries a GUTI and is protected by using a NAS security context. However, the AMF 1 fails to verify the registration request message because the NAS security contexts stored in the terminal device and in the AMF 1 are different: the terminal device stores the NAS security context established when it registered to the PLMN-B over the access network 2, while the PLMN-A stores the NAS security context established when the terminal device registered to the PLMN-A over the access network 2.

    [0120] In the following descriptions, an example in which an access network 2 is a non-3GPP access network and an access network 1 is a 3GPP access network is used for description.

    [0121] Step 21: A terminal device registers to a PLMN-A over the access network 1 (for example, the 3GPP access network) and the access network 2 (for example, the non-3GPP access network), and then the terminal device deregisters from the PLMN-A over the access network 2.

    [0122] After the terminal device registers to the PLMN-A over both the access network 1 and the access network 2, the PLMN-A (or an access and mobility management node of the PLMN-A) and the terminal device establish a NAS security context. On the terminal device, the NAS security context is stored in a memory. In response to the terminal device deregistering from the PLMN-A over the non-3GPP access network:

    [0123] In response to a USIM of the terminal device supporting storage of a registration management parameter, the terminal device stores the non-3GPP NAS security context in the EF_5GSN3GPPNSC file on the USIM.

    [0124] In response to the USIM not supporting storage of a registration management parameter, the terminal device stores the non-3GPP NAS security context in the non-volatile memory of the ME.

    [0125] The PLMN-A (that is, the access and mobility management node of the PLMN-A) stores NAS security contexts including a 3GPP NAS security context and the non-3GPP NAS security context.

    [0126] Step 22: The terminal device registers to a PLMN-B over the non-3GPP access network, and then the terminal device deregisters from the PLMN-B over the non-3GPP access network.

    [0127] After the terminal device registers to the PLMN-B over the non-3GPP access network, the terminal device and the PLMN-B establish a non-3GPP NAS security context.

    [0128] Then, in response to the terminal device deregistering from the PLMN-B over the non-3GPP access network:

    [0129] In response to the USIM of the terminal device supporting the storage of the registration management parameter, the terminal device stores the non-3GPP NAS security context of the PLMN-B in the EF_5GSN3GPPNSC file on the USIM. In this case, the non-3GPP NAS security context of the PLMN-A stored in the EF_5GSN3GPPNSC file is overwritten or deleted.

    [0130] In response to the USIM of the terminal device not supporting the storage of the registration management parameter, the terminal device stores the non-3GPP NAS security context of the PLMN-B in the non-volatile memory of the ME. In this case, the non-3GPP NAS security context of the PLMN-A stored in the non-volatile memory of the ME is likewise overwritten or deleted.

    [0131] Step 23: The terminal device registers to the PLMN-A over the non-3GPP access network.

    [0132] In this case, the terminal device sends a registration request message to the PLMN-A over the non-3GPP access network. Before sending the registration request message, the terminal device reads, based on the non-3GPP access network, the non-3GPP NAS security context stored in the EF_5GSN3GPPNSC file on the USIM or in the non-volatile memory of the ME; this is the NAS security context established between the terminal device and the PLMN-B. The terminal device protects the registration request message by using the non-3GPP NAS security context of the PLMN-B.

    [0133] However, after receiving the registration request message of the terminal device over the non-3GPP access network, the PLMN-A (or the access and mobility management node of the PLMN-A) verifies the RR by using the NAS security context stored in step 21 (namely, the NAS security context established by the terminal device with the PLMN-A). The terminal device protects the registration request message with the non-3GPP NAS security context it shares with the PLMN-B, while the PLMN-A verifies it with the non-3GPP NAS security context it shares with the terminal device. As a result, the PLMN-A (or the access and mobility management node of the PLMN-A) fails to verify the RR message and initiates primary authentication. The primary authentication causes additional signaling overhead, which has a great impact on some internet of things (IoT) devices. In addition, after performing the primary authentication, the PLMN-A generates a new key Kamf. The PLMN-A further needs to activate the new key Kamf on the 3GPP NAS connection, and to generate and activate, based on the new key Kamf, a new key for protecting user data. This affects service continuity.

    [0134] For another example, there is another scenario in which the PLMN-A fails to verify the RR message sent by the terminal device. For example, the terminal device first registers to the PLMN-A over the access network 1, and then deregisters from the PLMN-A. The terminal device then registers to the PLMN-B over the access network 1, and then deregisters from the PLMN-B. In this case, a storage medium of the terminal device stores a NAS security context of registering to the PLMN-B over the access network 1. In response to the terminal device re-registering to the PLMN-A over the access network 1, the PLMN-A initiates the primary authentication. This is because the PLMN-A still stores a NAS security context established in response to the terminal device registering to the PLMN-A over the access network 1.

    [0135] In the foregoing scenarios, the PLMN-A fails to verify the registration request message of the terminal device because the NAS security context stored on the terminal device is inconsistent with the NAS security context stored on the PLMN. This is because, when the terminal device side stores NAS security contexts, they are stored separately for the 3GPP access network and the non-3GPP access network and do not include PLMN information.

    [0136] Technical problem 2: A network side is unable to obtain a context of a terminal device.

    [0137] In the following scenario, a 3GPP access network is used as an example.

    [0138] Step 31: A terminal device registers to a PLMN-A over the 3GPP access network. The PLMN-A allocates a GUTI, for example, denoted as a GUTI-1, to the terminal device. Then, the terminal device deregisters from the PLMN-A over the 3GPP access network.

    [0139] The terminal device stores the GUTI-1 in a USIM (namely, an EF_5GS3GPPLOCI file) or a non-volatile memory of an ME.

    [0140] Step 32: The terminal device registers to a PLMN-B over the 3GPP access network. The PLMN-B allocates a GUTI, for example, denoted as a GUTI-2, to the terminal device. Then, the terminal device deregisters from the PLMN-B over the 3GPP access network.

    [0141] The terminal device stores the GUTI-2 in the USIM (namely, the EF_5GS3GPPLOCI file) or the non-volatile memory of the ME. In this case, the GUTI-1 allocated by the PLMN-A to the terminal device is already overwritten by the GUTI-2, or the GUTI-1 is deleted, and the GUTI-2 is stored.

    [0142] Step 33: The terminal device registers to the PLMN-A over the 3GPP access network.

    [0143] In this case, a GUTI obtained by the terminal device from the USIM (namely, the EF_5GS3GPPLOCI file) or the non-volatile memory of the ME is the GUTI-2. The terminal device sends a registration request message carrying the GUTI-2 to the PLMN-A over the 3GPP access network. After receiving the registration request message, the PLMN-A (or an access and mobility management function of the PLMN-A) obtains a context of the terminal device based on the GUTI carried in the registration request message. However, the GUTI-2 in the registration request message is allocated by the PLMN-B, and the PLMN-A does not recognize the GUTI-2. As a result, the PLMN-A is unable to obtain the context of the terminal device. Therefore, the PLMN-A initiates primary authentication, and then re-establishes the context of the terminal device. This increases signaling overheads, and affects a speed at which the terminal device uses a service. The impact is especially great for some IoT devices.

    [0144] In some embodiments, the main reason the PLMN-A is unable to obtain the context of the terminal device is that, on the terminal device side, a GUTI is stored independently for each access network. In some scenarios, the GUTI is lost.

    [0145] The following scenario is used as an example.

    [0146] Step 41: A terminal device registers to a PLMN-A over the 3GPP access network. The PLMN-A allocates a GUTI denoted as a GUTI-1 to the terminal device. The terminal device deregisters from the PLMN-A over the 3GPP access network.

    [0147] In this case, the terminal device stores the GUTI-1 in a USIM (an EF_5GS3GPPLOCI file) or a non-volatile memory of an ME.

    [0148] Step 42: The terminal device registers to the PLMN-A over a non-3GPP access network. The PLMN-A allocates a GUTI denoted as a GUTI-2 to the terminal device. The terminal device deregisters from the PLMN-A over the non-3GPP access network.

    [0149] In this case, the terminal device stores the GUTI-2 in the USIM (an EF_5GSN3GPPLOCI file) or the non-volatile memory of the ME. The GUTI-2 is the latest GUTI allocated by the PLMN-A to the terminal device. In this case, the GUTI-2 is stored in the PLMN-A (or an access and mobility management device of the PLMN-A), and the GUTI-1 is deleted.

    [0150] Step 43: The terminal device registers to the PLMN-A over the 3GPP access network.

    [0151] During the registration, in response to the terminal device obtaining a GUTI from the USIM, both the EF_5GS3GPPLOCI file and the EF_5GSN3GPPLOCI file store a GUTI allocated by the PLMN-A to the terminal device. However, the terminal device is unable to determine which file stores the newly allocated GUTI. In response to the terminal device selecting the GUTI-1, a registration request message sent by the terminal device to the PLMN-A carries the GUTI-1, but the PLMN-A stores the GUTI-2. The PLMN-A is unable to determine a context of the terminal device based on the GUTI-1. As a result, the PLMN-A initiates primary authentication and establishes the context of the terminal device. Such impact is similar to the impact described in the foregoing scenario. The primary authentication causes additional signaling overheads, and the additional signaling overheads have a large impact on some IoT devices. In addition, after performing the primary authentication, the PLMN-A generates a new key Kamf. The PLMN-A further needs to activate the new key Kamf on a 3GPP NAS connection, and further needs to generate and activate, based on the new key Kamf, a new key for protecting user data. This affects service continuity.

    [0152] Technical problem 3: A terminal device is unable to select a GUTI allocated by an equivalent PLMN, and a network side is unable to obtain a context of the terminal device from the equivalent network.

    [0153] In response to a terminal device intending to register to a PLMN, the terminal device sends a registration request message to the PLMN, and the terminal device includes a GUTI in the registration request message. An implementation in which the terminal device obtains the GUTI is as follows.

    [0154] In response to a GUTI stored in a USIM or a non-volatile memory of an ME of the terminal device being allocated by the PLMN to which the terminal device intends to register, the terminal device selects the GUTI; otherwise, in response to the stored GUTIs not being allocated by the PLMN, the following step is performed.

    [0155] In response to a GUTI stored in the USIM or the non-volatile memory of the ME being allocated by an equivalent PLMN of the PLMN to which the terminal device intends to register, the terminal device selects the GUTI; otherwise, in response to the stored GUTIs not being allocated by any equivalent PLMN of the PLMN, the following step is performed.

    [0156] The terminal device selects a GUTI allocated by another PLMN.

    [0157] In response to the GUTI selected by the terminal device being the GUTI allocated by the equivalent PLMN, after the PLMN receives a registration request message including the GUTI, the PLMN obtains a context of the terminal device from the equivalent PLMN based on the GUTI.

    [0158] However, in response to the terminal device deregistering from the PLMN, the terminal device does not store information about the equivalent PLMN. Therefore, whether a GUTI is allocated by the equivalent PLMN cannot be determined. As a result, the terminal device is unable to select the GUTI allocated by the equivalent PLMN, and the network side is unable to obtain the context of the terminal device from the equivalent PLMN. The network side performs primary authentication and establishes the context of the terminal device. The impact is similar to that described above. Additional signaling overheads are added. The additional signaling overheads have a great impact on some IoT devices, and service continuity is affected during the primary authentication. Details are described above.

    [0159] In response to the USIM or the non-volatile memory of the ME storing GUTIs allocated by a plurality of equivalent PLMNs, an existing standard does not limit how the terminal device selects a GUTI.

    [0160] In response to the terminal device selecting the GUTI allocated by another PLMN, and in response to the USIM or the non-volatile memory of the ME storing a plurality of GUTIs allocated by the PLMN, the existing standard does not limit how the terminal device selects a GUTI.

    [0161] For the foregoing problems, some embodiments provide a method for processing a non-access stratum context. The method is applied to a process in which a terminal device registers to a PLMN and a process in which the terminal device deregisters from the PLMN. According to the method, a problem that a context (including a GUTI and a NAS security context) of the terminal device stored by the terminal device is inconsistent with a context of the terminal device stored on a network side is resolved, and additional primary authentication between the network side and the terminal device side is avoided, so that additional signaling overheads are avoided. The method also resolves a problem of selecting a GUTI by the terminal device.

    [0162] As shown in FIG. 2, a network architecture in some embodiments includes a terminal device 21, an access network 22, and a core network 23. The access network 22 includes, for example, the 3GPP access network and the non-3GPP access network. The core network 23 includes a PLMN, and the PLMN includes an AMF.

    [0163] The terminal device 21 in some embodiments is a user-side entity, such as UE, configured to receive or transmit a signal. The terminal device is also referred to as a terminal (Terminal), UE, a mobile station (mobile station, MS), a mobile terminal (mobile terminal, MT), or the like. The terminal device is a mobile phone (mobile phone), a tablet computer (Pad), a computer having a wireless transceiver function, a virtual reality (virtual reality, VR) terminal device, an augmented reality (augmented reality, AR) terminal device, a wireless terminal in industrial control (industrial control), a wireless terminal in self-driving (self-driving), a wireless terminal in a remote surgery (remote medical surgery), a wireless terminal in a smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in a smart city (smart city), a wireless terminal in a smart home (smart home), or the like. A technology and a device form that are used by the terminal device are not limited in the embodiments.

    [0164] Based on the foregoing network architecture, for the foregoing technical problem 1, a solution provided in some embodiments is as follows: In response to the terminal device deregistering from the PLMN, a PLMN identifier and a NAS security context established by the terminal device with the PLMN are stored in a storage medium of the terminal device. In this way, in response to the terminal device registering to the PLMN next time, the terminal device determines the NAS security context of the PLMN and the terminal device based on the PLMN identifier, and protects, by using the NAS security context of the PLMN and the terminal device, a registration request message sent to the PLMN. In this way, the terminal device obtains, based on the stored PLMN identifier, the NAS security context established by the PLMN and the terminal device, so that the NAS security context used in response to the terminal device sending the registration request message is consistent with a NAS security context stored in the PLMN. This avoids additional signaling overheads caused by primary authentication performed by the PLMN in response to the NAS security context stored in the PLMN being inconsistent with the NAS security context stored in the terminal device, and reduces the impact on an IoT device. This also avoids the need, after primary authentication performed by the PLMN, to generate a new key and to activate a new key for protecting user data, and therefore the impact on service continuity is reduced.
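The mismatch described in [0133]-[0135] and the PLMN-keyed storage of [0164] can be checked in a small simulation. The following Python is an added example written for this page, not code from the application or from any 3GPP implementation: the AMF class, the subscriber identifier, the PLMN identifiers and the message body are constructed, Kamf is a random key rather than a derived one, and HMAC-SHA256 truncated to 32 bits stands in for the NAS integrity algorithm. It runs the sequence of [0134] (PLMN-A, then PLMN-B, then PLMN-A again over the same access network) once with a store that keeps one context per access type without a PLMN identifier, and once with a store keyed by PLMN identifier and access type.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


@dataclass
class NasSecurityContext:
    """Subset of the NAS security context named in the text: Kamf, ngKSI and the
    per-access-type NAS count. Kamf is a constructed random key, not a real derivation."""
    kamf: bytes
    ngksi: int
    access_type: str        # "3gpp" or "non-3gpp"
    ul_nas_count: int = 0


def nas_mac(ctx: NasSecurityContext, message: bytes) -> bytes:
    """Stand-in for NAS integrity protection: HMAC-SHA256 truncated to 32 bits,
    keyed with a key derived from Kamf and covering the uplink NAS count."""
    k_nas_int = hashlib.sha256(b"K_NASint|" + ctx.kamf).digest()
    data = ctx.ul_nas_count.to_bytes(4, "big") + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


class Amf:
    """Network side of one PLMN: keeps the context established with each UE, keyed by
    subscriber and access type, and runs primary authentication when a request fails."""

    def __init__(self, plmn_id: str):
        self.plmn_id = plmn_id
        self.ue_contexts = {}       # (supi, access_type) -> NasSecurityContext
        self.primary_auth_runs = 0

    def primary_authentication(self, supi: str, access_type: str) -> NasSecurityContext:
        self.primary_auth_runs += 1
        ctx = NasSecurityContext(kamf=os.urandom(32),
                                 ngksi=self.primary_auth_runs % 7,
                                 access_type=access_type)
        self.ue_contexts[(supi, access_type)] = ctx
        return replace(ctx)  # the UE ends up with its own copy of the same context

    def verify_registration_request(self, supi, access_type, message, mac) -> bool:
        ctx = self.ue_contexts.get((supi, access_type))
        if ctx is None or not hmac.compare_digest(nas_mac(ctx, message), mac):
            self.primary_authentication(supi, access_type)   # [0133]: verification fails
            return False
        return True


class LegacyUeStore:
    """Pre-solution behaviour ([0135]): one context per access type, no PLMN identifier."""
    def __init__(self):
        self.by_access = {}

    def save(self, plmn_id, ctx):
        self.by_access[ctx.access_type] = replace(ctx)   # overwrites any other PLMN's context

    def load(self, plmn_id, access_type):
        return self.by_access.get(access_type)


class PlmnKeyedUeStore:
    """[0164]: the PLMN identifier is stored with the context, so the UE can pick the
    context that belongs to the PLMN it is registering to."""
    def __init__(self):
        self.by_plmn_access = {}

    def save(self, plmn_id, ctx):
        self.by_plmn_access[(plmn_id, ctx.access_type)] = replace(ctx)

    def load(self, plmn_id, access_type):
        return self.by_plmn_access.get((plmn_id, access_type))


def run_scenario(store_cls):
    """Sequence of [0134] over one access type: register to PLMN-A, deregister,
    register to PLMN-B, deregister, re-register to PLMN-A.
    Returns (RR verified by PLMN-A?, number of primary authentications PLMN-A ran)."""
    supi = "imsi-001010000000001"                 # constructed subscriber identifier
    plmn_a, plmn_b = Amf("00101"), Amf("00102")   # constructed PLMN identifiers
    store = store_cls()

    ctx = plmn_a.primary_authentication(supi, "3gpp")   # registration to A
    store.save(plmn_a.plmn_id, ctx)                      # deregistration from A
    ctx = plmn_b.primary_authentication(supi, "3gpp")   # registration to B
    store.save(plmn_b.plmn_id, ctx)                      # deregistration from B

    rr = b"REGISTRATION REQUEST"                          # constructed message body
    ue_ctx = store.load(plmn_a.plmn_id, "3gpp")          # what the UE believes is A's context
    verified = plmn_a.verify_registration_request(supi, "3gpp", rr, nas_mac(ue_ctx, rr))
    return verified, plmn_a.primary_auth_runs


if __name__ == "__main__":
    print("legacy store:", run_scenario(LegacyUeStore))         # (False, 2)
    print("PLMN-keyed store:", run_scenario(PlmnKeyedUeStore))  # (True, 1)
```

With the legacy store, the context established with PLMN-B overwrites PLMN-A's, the MAC the terminal computes does not match the one PLMN-A computes from the context it still holds, and PLMN-A runs a second primary authentication; with the PLMN-keyed store the terminal retrieves PLMN-A's own context and the request verifies on the first attempt.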

    [0165] Based on the foregoing network architecture, for the foregoing technical problem 2, a solution provided in some embodiments is as follows: In response to the terminal device deregistering from the PLMN, a storage medium stores a GUTI allocated by the PLMN to the terminal device. In this case, in response to the storage medium already storing a GUTI allocated by the PLMN, the terminal device deletes or updates the previously stored GUTI and stores the GUTI allocated this time. In this way, the terminal device side stores the GUTI newly allocated by the PLMN this time. Because the PLMN side also stores the latest GUTI allocated to the terminal device, in response to the terminal device registering to the PLMN again, a GUTI in a registration request message sent by the terminal device is identified by the PLMN. This avoids additional signaling overheads caused by inconsistency between the GUTI in the registration request message sent by the terminal device and the GUTI stored in the PLMN, and reduces the impact on an IoT device. This also avoids the need, after primary authentication performed by the PLMN, to generate a new key and to activate a new key for protecting user data, and therefore the impact on service continuity is reduced.

    [0166] Based on the foregoing network architecture, for the foregoing technical problem 3, a solution provided in some embodiments is as follows: In response to registering to the PLMN, the terminal device receives an identifier that is of an equivalent PLMN and that is allocated by the PLMN. In response to the terminal device deregistering from the PLMN, the terminal device stores the equivalent PLMN identifier of the equivalent PLMN of the PLMN in a storage medium. In this way, in response to the terminal device determining that a GUTI stored in the storage medium is not allocated by the PLMN, and determining, based on the equivalent PLMN identifier, that the GUTI is allocated by the equivalent PLMN of the PLMN, the terminal device includes the GUTI in a registration request message in response to the terminal device registering to the PLMN again. The GUTI includes the equivalent PLMN identifier. In this way, in response to receiving the registration request message, the PLMN obtains a context of the terminal device from the equivalent PLMN based on the GUTI. This avoids the situation in a conventional technology in which the terminal device is unable to select the GUTI allocated by the equivalent PLMN because the terminal device does not store the equivalent PLMN identifier of the equivalent PLMN, and therefore avoids the problem that a network side is unable to obtain the context of the terminal device from the equivalent network. For the technical problem 3, this solution of some embodiments further provides a GUTI selection method. In response to the terminal device storing a plurality of GUTIs allocated by the PLMN or an equivalent PLMN or another PLMN, the terminal device selects a recently allocated GUTI, or the terminal device selects a GUTI based on an access network used for registration.
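The GUTI handling of [0165] and [0166], together with the selection order of [0154]-[0156], as an added example that is not code from the application: PLMN identifiers, AMF identifiers and TMSI values are constructed strings; an allocation counter stands in for "most recently allocated"; replacing a stored GUTI only when both the allocating PLMN and the access type match is an assumption of this example, made so that the multi-GUTI case at the end of [0166] still arises; and PLMN equivalence is taken to be symmetric. Of the two selection options named at the end of [0166], the example implements "most recently allocated", which is the choice that resolves the step 41 to step 43 scenario of [0146]-[0151].

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Guti:
    """5G-GUTI reduced to the fields the selection rules look at. The PLMN part is what
    [0166] relies on; amf_id and tmsi are opaque constructed strings."""
    plmn_id: str
    amf_id: str
    tmsi: str
    access_type: str   # "3gpp" or "non-3gpp"
    seq: int           # allocation order; stands in for "most recently allocated"


class UeGutiStore:
    def __init__(self):
        self.gutis = []        # stored GUTIs, each carrying the PLMN that allocated it
        self.equivalent = {}   # plmn_id -> equivalent PLMN ids received from that PLMN
        self._seq = 0

    def allocate(self, plmn_id, amf_id, tmsi, access_type, equivalent_plmns=()):
        """Registration accept: the PLMN allocates a GUTI and sends its equivalent PLMN list,
        which the UE keeps so it is still available after deregistration ([0166])."""
        self._seq += 1
        self.equivalent[plmn_id] = frozenset(equivalent_plmns)
        return Guti(plmn_id, amf_id, tmsi, access_type, self._seq)

    def on_deregistration(self, guti):
        """[0165]: a GUTI already stored for the same PLMN (and, by assumption of this
        example, the same access type) is deleted and the newly allocated one is stored."""
        self.gutis = [g for g in self.gutis
                      if not (g.plmn_id == guti.plmn_id and g.access_type == guti.access_type)]
        self.gutis.append(guti)

    def is_equivalent(self, a, b):
        # symmetric by assumption: either side may have listed the other
        return b in self.equivalent.get(a, ()) or a in self.equivalent.get(b, ())

    def select_guti(self, target_plmn):
        """[0154]-[0156] with the [0166] refinement: a GUTI of the target PLMN first, then
        one of an equivalent PLMN (decided from the stored equivalent PLMN identifiers),
        then one of any other PLMN; within a group the most recently allocated GUTI wins."""
        for group in (
            [g for g in self.gutis if g.plmn_id == target_plmn],
            [g for g in self.gutis if self.is_equivalent(g.plmn_id, target_plmn)],
            list(self.gutis),
        ):
            if group:
                return max(group, key=lambda g: g.seq)
        return None


def scenario():
    """Steps 41-43 of the text plus a later PLMN-B registration and an equivalent-PLMN
    case. Returns the TMSIs selected for three target PLMNs."""
    ue = UeGutiStore()
    g1 = ue.allocate("00101", "amf-a", "tmsi-1", "3gpp", equivalent_plmns=["00103"])
    ue.on_deregistration(g1)            # step 41: GUTI-1 from PLMN-A over 3GPP
    g2 = ue.allocate("00101", "amf-a", "tmsi-2", "non-3gpp", equivalent_plmns=["00103"])
    ue.on_deregistration(g2)            # step 42: GUTI-2 from PLMN-A over non-3GPP
    g3 = ue.allocate("00102", "amf-b", "tmsi-3", "3gpp")
    ue.on_deregistration(g3)            # a later visit to PLMN-B
    return (
        ue.select_guti("00101").tmsi,   # step 43: most recent GUTI of PLMN-A -> tmsi-2
        ue.select_guti("00103").tmsi,   # equivalent of PLMN-A -> PLMN-A's GUTI, tmsi-2
        ue.select_guti("00199").tmsi,   # unrelated PLMN -> most recent of any, tmsi-3
    )


if __name__ == "__main__":
    print(scenario())   # ('tmsi-2', 'tmsi-2', 'tmsi-3')
```

For the target "00103" the store holds no GUTI of that PLMN, but the equivalent PLMN list saved while registered to "00101" tells the UE that PLMN-A's GUTI is usable, which is exactly the information [0158] says a terminal without the stored identifier lacks.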

    [0167] The following first describes the solution of the foregoing technical problem 1.

    [0168] Some embodiments provide a method for processing a non-access stratum context. As shown in FIG. 3, the method includes the following steps.

    [0169] 301: A terminal device sends a first registration request message to a first PLMN over a first access network. The first PLMN sends a registration accept message to the terminal device.

    [0170] The first access network is a 3GPP access network or a non-3GPP access network.

    [0171] 302: In response to the terminal device deregistering from the first PLMN over the first access network, the terminal device stores, in a storage medium of the terminal device, a first PLMN identifier of the first PLMN and a first NAS security context established by the terminal device with the first PLMN.

    [0172] In some embodiments, a NAS security context includes a key Kamf, a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), and a security parameter related to a 3GPP NAS connection. Alternatively, the first NAS security context includes a key Kamf, a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), and a security parameter related to a 3GPP NAS connection. Alternatively, the first NAS security context includes a key Kamf, a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), a security parameter related to a 3GPP NAS connection, and a security parameter related to a non-3GPP NAS connection. The key Kamf is used to generate a NAS cipher key and a NAS integrity key. The NAS cipher key is used to encrypt a NAS message, and the NAS integrity key is used to protect integrity of the NAS message. The security parameter related to the 3GPP NAS connection includes an identifier of the 3GPP NAS connection and a NAS count of the 3GPP NAS connection. The security parameter related to the non-3GPP NAS connection includes an identifier of the non-3GPP NAS connection and a NAS count of the non-3GPP NAS connection. A NAS count includes an uplink NAS count and a downlink NAS count. A NAS security context that corresponds to the 3GPP access network includes a key Kamf, a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), and a security parameter related to a 3GPP NAS connection. A NAS security context that corresponds to the non-3GPP access network includes a key Kamf, a key identifier ngKSI of the key Kamf, selected NAS cipher and integrity algorithms (or algorithm identifiers), and a security parameter related to a non-3GPP NAS connection. The first NAS security context is a NAS security context established by the terminal device with the first PLMN or a NAS security context that is established by the terminal device with the first PLMN and that corresponds to the first access network.

    [0173] In some embodiments, a connection identifier is the identifier of the 3GPP NAS connection or the identifier of the non-3GPP NAS connection.

    [0174] In some embodiments, the 3GPP NAS security context includes the key Kamf, the key identifier ngKSI of the key Kamf, the selected NAS cipher and integrity algorithms (or algorithm identifiers), and the security parameter related to the 3GPP NAS connection.

    [0175] In some embodiments, the non-3GPP NAS security context includes the key Kamf, the key identifier ngKSI of the key Kamf, the selected NAS cipher and integrity algorithms (or algorithm identifiers), and the security parameter related to the non-3GPP NAS connection.

    [0176] In some embodiments, the storage medium of the terminal device is a USIM of the terminal device, a non-volatile memory of the mobile equipment (ME), or a non-volatile memory of the terminal device.

    [0177] In some embodiments, the terminal device deregistering from the first PLMN over the first access network is understood as "in response to a registration state of the terminal device on the first access network changing from a registered state to a deregistered state", "after a registration state of the terminal device on the first access network changes from a registered state to a deregistered state", "in response to the terminal device receiving a deregistration accept message", "after the terminal device receives a deregistration accept message", "in response to the terminal device sending a deregistration request message", or "after the terminal device sends a deregistration request message".

    [0178] In some embodiments, in response to the USIM of the terminal device supporting storage of a registration management parameter, the terminal device stores the first NAS security context and the first PLMN identifier on the USIM, where the first PLMN identifier corresponds to the first NAS security context.

    [0179] In response to the USIM not supporting storage of a registration management parameter, the terminal device stores the first NAS security context and the first PLMN identifier in a non-volatile storage medium of the terminal device, where the first PLMN identifier corresponds to the first NAS security context.

    [0180] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier in the storage medium of the terminal device, and sets the first NAS security context to valid.

    [0181] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier in the following manners.

    [0182] Manner 1

    [0183] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier based on a PLMN. Therefore, the terminal device stores the first NAS security context and the first PLMN identifier in a file used to store a NAS security context of the first PLMN. Optionally, the terminal device further stores an identifier of the first access network in the file used to store the NAS security context of the first PLMN.

    [0184] That the terminal device stores the first NAS security context and the first PLMN identifier in the file used to store the NAS security context of the first PLMN includes:

    [0185] In response to the storage medium of the terminal device not storing a NAS security context established by the terminal device with the first PLMN, or not storing a NAS security context that is established by the terminal device with the first PLMN and that corresponds to the first access network, the terminal device stores the first NAS security context and the first PLMN identifier in the storage medium of the terminal device.

    [0186] In response to the storage medium of the terminal device already storing a NAS security context of the terminal device with the first PLMN, or already storing a NAS security context that is established by the terminal device with the first PLMN and that corresponds to the first access network, the terminal device replaces the stored NAS security context of the terminal device with the first PLMN, or the stored NAS security context that is established by the terminal device with the first PLMN and that corresponds to the first access network, with the first NAS security context, and stores the first PLMN identifier. In other words, in response to the storage medium of the terminal device already storing the NAS security context that corresponds to the first access network of the first PLMN, the terminal device replaces the stored NAS security context with the first NAS security context, and optionally stores the first PLMN identifier.

    [0187] In this manner, in the storage medium of the terminal device, each PLMN corresponds to a file used to store a NAS security context of the PLMN, and the NAS security context includes a 3GPP NAS security context and a non-3GPP NAS security context.

    [0188] For example, before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context of the first PLMN not storing a NAS security context or a NAS security context that corresponds to the first access network, the terminal device stores the first NAS security context and the first PLMN identifier in the file.

    [0189] Before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context of the first PLMN already storing a NAS security context or a NAS security context that corresponds to the first access network, or in response to the NAS security context stored in the file, or the stored NAS security context that corresponds to the first access network, being set to invalid, the terminal device replaces the NAS security context stored in the file with the first NAS security context, or replaces the stored NAS security context that corresponds to the first access network with the first NAS security context. Optionally, the terminal device stores the first PLMN identifier.

    [0190] In this way, in response to the first access network being a 3GPP access network, the storage medium of the terminal device includes a file used to store the NAS security context of the first PLMN, and the file used to store the NAS security context of the first PLMN includes a first NAS security context that is established by the terminal device with the first PLMN and that corresponds to the 3GPP access network, and the first PLMN identifier of the first PLMN. In response to the first access network being a non-3GPP access network, a file used to store the NAS security context of the first PLMN includes a first NAS security context that is established by the terminal device with the first PLMN and that corresponds to the non-3GPP access network, and the first PLMN identifier of the first PLMN.

    [0191] In some embodiments, the terminal device further stores a connection identifier of the first access network in the file used to store the NAS security context of the first PLMN. For example, a connection identifier of the 3GPP access network or the non-3GPP access network is stored.

    [0192] Manner 2

    [0193] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier based on a type of an access network. Therefore, the terminal device stores the first NAS security context and the first PLMN identifier in a file that is in the storage medium of the terminal device and that is used to store a NAS security context of the first access network.

    [0194] In response to the storage medium of the terminal device not storing a NAS security context that corresponds to the first access network, the terminal device stores the first NAS security context and the first PLMN identifier in the storage medium of the terminal device.

    [0195] In response to the storage medium of the terminal device already storing a NAS security context that corresponds to the first access network, the terminal device replaces the stored NAS security context that corresponds to the first access network with the first NAS security context, and stores the first PLMN identifier.

    [0196] In other words, the first NAS security context is written to the file used to store the NAS security context of the first access network, and the first PLMN identifier is then stored together with it.

    [0197] In addition, in this manner, in response to the type of the access network including a 3GPP access network and a non-3GPP access network, there are two files in the storage medium of the terminal device used to store NAS security contexts. One file is used to store a NAS security context that corresponds to the 3GPP access network, and the other file is used to store a NAS security context that corresponds to the non-3GPP access network.

    [0198] For example, before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context of the first access network not storing a NAS security context of the first PLMN and the terminal device, the terminal device stores the first NAS security context and the first PLMN identifier in the file.

    [0199] For example, in response to the first access network being the 3GPP access network, in response to the file used to store the NAS security context that corresponds to the 3GPP access network not storing the NAS security context of the first PLMN and the terminal device, the terminal device stores the first NAS security context and the first PLMN identifier in the file used to store the NAS security context of the 3GPP access network. For another example, in response to the first access network being the non-3GPP access network, in response to the file used to store the security context that corresponds to the non-3GPP access network not storing the NAS security context of the first PLMN and the terminal device, the terminal device stores the first NAS security context and the first PLMN identifier in the file used to store the NAS security context of the non-3GPP access network.

    [0200] Before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context of the first access network already storing a NAS security context of the first PLMN and the terminal device and the first PLMN identifier, or in response to the file already storing such a NAS security context and the first PLMN identifier but with the NAS security context and the first PLMN identifier set to invalid, the terminal device replaces the stored NAS security context of the first PLMN and the terminal device with the first NAS security context, and optionally stores the first PLMN identifier.

    [0201] In this manner, the file used to store the NAS security context that corresponds to the first access network stores a plurality of PLMN identifiers and NAS security contexts of the terminal device and a plurality of PLMNs. For example, the file used to store the NAS security context of the 3GPP access network stores a plurality of 3GPP NAS security contexts of a plurality of PLMNs and the terminal device at the same time, or the file used to store the NAS security context of the non-3GPP access network stores a plurality of non-3GPP NAS security contexts of a plurality of PLMNs and the terminal device at the same time. For another example, before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context that corresponds to the first access network not including a NAS security context and a PLMN identifier, the terminal device stores the first NAS security context and the first PLMN identifier in the file.

    [0202] Before the first NAS security context and the first PLMN identifier are stored, in response to the file used to store the NAS security context that corresponds to the first access network already storing a NAS security context and a PLMN identifier, or in response to the file used to store the NAS security context that corresponds to the first access network already storing a NAS security context and a PLMN identifier but the NAS security context and the PLMN identifier are set to invalid, the terminal device replaces the stored NAS security context with the first NAS security context, and replaces the stored PLMN identifier with the first PLMN identifier.

    [0203] The stored NAS security context herein is understood as a NAS security context established by the terminal device with the first PLMN or another PLMN over the first access network.

    [0204] For example, in response to the first access network being the 3GPP access network, in response to the file used to store the NAS security context of the 3GPP access network already storing a NAS security context and a PLMN identifier, the terminal device replaces the stored NAS security context in the file used to store the NAS security context of the 3GPP access network with the first NAS security context, and replaces the stored PLMN identifier with the first PLMN identifier.

    [0205] For example, in response to the first access network being the non-3GPP access network, in response to the file used to store the NAS security context of the non-3GPP access network already storing a NAS security context and a PLMN identifier, the terminal device replaces the stored NAS security context in the file used to store the NAS security context of the non-3GPP access network with the first NAS security context, and replaces the stored PLMN identifier with the first PLMN identifier.

    [0206] In this case, one NAS security context and one PLMN identifier are stored in a file that corresponds to one access network, that is used to store a NAS security context that corresponds to the access network, and that is in the storage medium of the terminal device. For example, in some embodiments, the file used to store the NAS security context of the first access network stores one PLMN identifier and a corresponding NAS security context. For example, the file used to store the NAS security context of the 3GPP access network stores one 3GPP NAS security context of one PLMN, or the file used to store the NAS security context of the non-3GPP access network stores one non-3GPP NAS security context of one PLMN.

    [0207] Manner 3

    [0208] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier based on a PLMN and a type of an access network. Therefore, the terminal device stores the first NAS security context and the first PLMN identifier in a file used to store a NAS security context that is of the first PLMN and the terminal device and that corresponds to the first access network.

    [0209] In this manner, in response to the type of the access network accessed by the terminal device including a 3GPP access network and a non-3GPP access network, in the storage medium of the terminal device, each PLMN corresponds to two files used to store NAS security contexts of the PLMN and the terminal device. One file is used to store a NAS security context that is of the PLMN and the terminal device and that corresponds to the 3GPP access network and an identifier of the PLMN, and the other file is used to store a NAS security context that is of the PLMN and the terminal device and that corresponds to the non-3GPP access network and an identifier of the PLMN.

    [0210] In the foregoing plurality of manners, before the first NAS security context and the first PLMN identifier are stored in the storage medium of the terminal device, the method further includes: The terminal device deregisters from the first PLMN over access networks. For example, after the terminal device deregisters from the first PLMN over the first access network, in response to the terminal device further registering to the first PLMN over a second access network, the terminal device stores, in the storage medium of the terminal device, the first PLMN identifier of the first PLMN and the first NAS security context established by the terminal device with the first PLMN after the terminal device also deregisters from the first PLMN over the second access network. In this way, a process in which a terminal device stores a NAS security context and a PLMN identifier to a storage medium is simplified.

    [0211] In some embodiments, the terminal device stores the first NAS security context and the first PLMN identifier after the terminal device deregisters over access networks (for example, a 3GPP access network and a non-3GPP access network) (that is, NAS connections of the terminal device in the first PLMN are in a deregistered state). For example, after the terminal device deregisters from the first PLMN over the 3GPP access network, in response to the terminal device being still registered with the first PLMN over another access network (for example, the non-3GPP access network) (that is, the terminal device is still in a registered state in the first PLMN on the non-3GPP access network), the terminal device stores the current first NAS security context and the first PLMN identifier after the terminal device deregisters from the another access network (for example, the non-3GPP access network).

    [0212] In some embodiments, the method further includes the following step.

    [0213] The terminal device further stores first time information. The first time information is a moment at which the terminal device last uses the first NAS security context, a moment at which the terminal device deregisters from the first PLMN over the first access network, a moment at which the terminal device stores the first NAS security context, or a validity period of the first NAS security context.

    [0214] In this way, the terminal device determines, based on the first time information, that the first NAS security context is invalid, and deletes the first NAS security context stored in the storage medium of the terminal device or sets the first NAS security context to invalid. The invalid first NAS security context is replaced with a NAS security context to be stored subsequently. In this way, storage space of the storage medium of the terminal device is saved.

    [0215] In addition, in response to the terminal device deleting the first NAS security context stored in the storage medium of the terminal device or setting the first NAS security context to invalid based on the first time information, the terminal device deletes the first PLMN identifier in the storage medium of the terminal device or sets the first PLMN identifier to invalid.

    [0216] In response to the terminal device needing to register to the first PLMN over the first access network again, the method further includes the following steps.

    [0217] 303: Before the terminal device sends a second registration request message to the first PLMN, the terminal device obtains the first NAS security context of the first PLMN and the terminal device based on the first PLMN identifier of the first PLMN, and protects, by using the first NAS security context, the second registration request message sent to the first PLMN.

    [0218] The terminal device obtains the NAS security context of the first PLMN and the terminal device from the storage medium of the terminal device based on the first PLMN identifier. In some embodiments, in response to the USIM of the terminal device supporting the storage of the registration management parameter, the terminal device reads the first NAS security context from the USIM based on the first PLMN identifier. In response to the USIM not supporting the storage of the registration management parameter, the terminal device reads the first NAS security context from the non-volatile storage medium of the terminal device based on the identifier of the first PLMN.

    [0219] That the terminal device obtains the first NAS security context of the first PLMN and the terminal device based on the first PLMN identifier includes the following embodiments.

    [0220] In some embodiments, the terminal device reads a NAS security context and a PLMN identifier that corresponds to the first access network and that are stored in the storage medium of the terminal device. In response to the read NAS security context that corresponds to the first access network being the NAS security context established by the terminal device with the first PLMN (that is, the read PLMN identifier is the first PLMN identifier), the terminal device obtains the NAS security context that corresponds to the first access network to protect the second registration request message.

    [0221] In other words, the terminal device obtains the first NAS security context by comparing the first PLMN identifier with a storage identifier in the file used to store the NAS security context of the first access network.

    [0222] For example, in response to the first access network being the 3GPP access network, the terminal device reads a NAS security context and a PLMN identifier that are in the file used to store the NAS security context of the 3GPP access network. In response to the PLMN identifier being the same as the first PLMN identifier, the terminal device obtains the NAS security context, and protects the registration request message by using the NAS security context. In response to the first access network being the non-3GPP access network, the terminal device reads a NAS security context and a PLMN identifier that are in the file used to store the NAS security context of the non-3GPP access network. In response to the PLMN identifier being the same as the first PLMN identifier, the terminal device obtains the NAS security context, and protects the registration request message by using the NAS security context.

    [0223] In some other embodiments, the terminal device reads a PLMN identifier and a NAS security context of the terminal device and the PLMN that are stored in the storage medium of the terminal device. In response to the PLMN identifier being the same as the first PLMN identifier, the terminal device obtains the stored NAS security context to protect the second registration request message.

    [0224] For example, the terminal device reads a file that is in the storage medium and that is used to store a NAS security context of a PLMN and the terminal device. In response to a PLMN identifier in the file being the same as the first PLMN identifier, the terminal device obtains the stored NAS security context, and protects the second registration request message by using the stored NAS security context.

    [0225] In some other embodiments, the terminal device reads a PLMN identifier, a connection identifier, and a NAS security context that are stored in the storage medium. In response to the stored PLMN identifier being the same as the first PLMN identifier, and the stored connection identifier being the same as the connection identifier that corresponds to the first access network, the terminal device obtains the stored NAS security context, and protects the second registration request message by using the stored NAS security context.

    [0226] For example, the terminal device reads a file that is in the storage medium and that is used to store a NAS security context of a PLMN and the terminal device. In response to a PLMN identifier in the file being the same as the first PLMN identifier, and a connection identifier in the file being the same as the connection identifier that corresponds to the first access network, the terminal device obtains the stored NAS security context, and protects the second registration request message by using the NAS security context.

    [0227] In some other embodiments, in response to the storage medium of the terminal device not including a NAS security context of the terminal device with the first PLMN, the terminal device obtains a recently stored NAS security context based on a stored NAS security context and stored time information, and protects the second registration request message by using the NAS security context. The time information is a moment at which the terminal device last uses the stored NAS security context, a moment at which the terminal device stores the stored NAS security context, or a validity period of the stored NAS security context.

    [0228] In some embodiments, the method further includes: The terminal device obtains a first GUTI on the storage medium of the terminal device, and includes the first GUTI in the second registration request message. The first GUTI includes the first PLMN identifier.

    [0229] 304: The terminal device sends, to the first PLMN over the first access network, the second registration request message protected by using the first NAS security context.

    [0230] The following uses a process in which the terminal device registers to the first PLMN again after deregistering from the first PLMN as an example for description.

    [0231] For example, in the following scenarios:

    [0232] An example in which an access network 1 is a 3GPP access network is used for description. An access network 2 is a non-3GPP access network.

    [0233] Step 51: A terminal device registers to a PLMN-A over the access network 1 (the 3GPP access network) and the access network 2 (the non-3GPP access network), and then the terminal device deregisters from the PLMN-A over the access network 2.

    [0234] After the terminal device registers to the PLMN-A over both the access network 1 and the access network 2, the PLMN-A (or an access and mobility management node of the PLMN-A) and the terminal device establish a NAS security context.

    [0235] In response to the terminal device deregistering from the PLMN-A over the non-3GPP access network:

    [0236] In response to a NAS security context and a PLMN identifier being stored based on an access type, the terminal device stores a PLMN-A identifier and a NAS security context established by the terminal device with the PLMN-A in a file used to store a NAS security context that corresponds to the non-3GPP access network, or the terminal device stores a PLMN-A identifier and a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network in a file used to store a NAS security context that corresponds to the non-3GPP access network.

    [0237] Alternatively, in response to a storage medium of the terminal device storing a NAS security context and a PLMN identifier based on a PLMN type, the terminal device stores a NAS security context that is established by the terminal device with the PLMN-A over the non-3GPP access network and a PLMN-A identifier, or stores a PLMN-A identifier and a NAS security context that is established by the terminal device with the PLMN-A over the non-3GPP access network and that corresponds to the non-3GPP access network, in a file used to store a NAS security context of the PLMN-A and the terminal device. The terminal device further stores a connection identifier that corresponds to the non-3GPP access network in the file used to store the NAS security context of the PLMN-A and the terminal device.

    [0238] Alternatively, in response to a NAS security context and a PLMN identifier being stored based on a PLMN type and an access type, in a storage medium of the terminal device, a file that is used to store a NAS security context that is of the terminal device and the PLMN-A and that corresponds to the non-3GPP access network stores a PLMN-A identifier and a NAS security context established by the terminal device with the PLMN-A.

    [0239] In some embodiments, in response to the terminal device deregistering from the PLMN-A over the non-3GPP access network:

    [0240] In response to a USIM of the terminal device supporting storage of a registration management parameter, the terminal device stores the NAS security context that corresponds to the non-3GPP access network and the PLMN-A identifier in the USIM. In response to the USIM not supporting storage of a registration management parameter, the terminal device stores the NAS security context that corresponds to the non-3GPP access network and the PLMN-A identifier in a non-volatile storage medium of the mobile equipment (ME). The storage manner is based on the PLMN type, the access type, or the PLMN type and the access type.

    [0241] For the PLMN-A, the PLMN-A (namely, the access and mobility management node of the PLMN-A) stores a 3GPP NAS security context established by the terminal device with the PLMN-A over the 3GPP access network and a non-3GPP NAS security context established by the terminal device with the PLMN-A over the non-3GPP access network.

    [0242] Step 52: The terminal device registers to a PLMN-B over the non-3GPP access network, and then the terminal device deregisters from the PLMN-B over the non-3GPP access network.

    [0243] After the terminal device registers to the PLMN-B over the non-3GPP access network, the terminal device and the PLMN-B establish a non-3GPP NAS security context.

    [0244] Then, in response to the terminal device deregistering from the PLMN-B over the non-3GPP access network:

    [0245] In response to the USIM of the terminal device supporting the storage of the registration management parameter, the terminal device stores, in the USIM, the NAS security context that is established by the terminal device with the PLMN-B and that corresponds to the non-3GPP access network and a PLMN-B identifier. In response to the USIM of the terminal device not supporting the storage of the registration management parameter, the terminal device stores, in a non-volatile memory of the ME, the NAS security context that is established by the terminal device with the PLMN-B and that corresponds to the non-3GPP access network and a PLMN-B identifier.

    [0246] Step 53: The terminal device registers to the PLMN-A over the non-3GPP access network.

    [0247] In response to the terminal device registering to the PLMN-A again over the non-3GPP access network, the terminal device performs one of the following operations.

    [0248] Operation 1: In response to the USIM or the non-volatile storage medium of the terminal device storing the NAS security context that corresponds to the non-3GPP access network and the PLMN-A identifier, the terminal device obtains, based on the PLMN-A identifier, a security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network. The terminal device protects a second registration request message by using the NAS security context that corresponds to the non-3GPP access network.

    [0249] Operation 2: In response to a volatile storage medium of the terminal device including a common NAS security context established by the terminal device with the PLMN-A, and the non-volatile storage medium of the terminal device or the USIM including a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, the terminal device obtains, based on the PLMN-A identifier, the NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network in the non-volatile storage medium of the terminal device or the USIM, and protects a second registration request message by using the NAS security context that corresponds to the non-3GPP access network.

    [0250] Operation 3: In response to a volatile storage medium of the terminal device including a common NAS security context established by the terminal device with the PLMN-A, the non-volatile storage medium of the terminal device or the USIM including a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, and the NAS security context that corresponds to the non-3GPP access network being valid, the terminal device obtains, based on the PLMN-A identifier, the NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network in the non-volatile storage medium of the terminal device or the USIM, and protects a second registration request message by using the NAS security context that corresponds to the non-3GPP access network.

    [0251] Operation 4: In response to a volatile storage medium of the terminal device including a common NAS security context established by the terminal device with the PLMN-A, the non-volatile storage medium of the terminal device or the USIM including a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, but the NAS security context that corresponds to the non-3GPP access network being invalid, the terminal device obtains the common NAS security context in the volatile storage medium of the terminal device based on the PLMN-A identifier, and protects a second registration request message by using the common NAS security context, with an uplink NAS count and a downlink NAS count whose values are 0.

    [0252] Operation 5: In response to a volatile storage medium of the terminal device including a common NAS security context established by the terminal device with the PLMN-A, but the non-volatile storage medium of the terminal device or the USIM not including a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, the terminal device obtains the common NAS security context in the volatile storage medium of the terminal device based on the PLMN-A identifier, and protects a second registration request message by using the common NAS security context, with an uplink NAS count and a downlink NAS count whose values are 0.

    [0253] Operation 6: In response to a volatile storage medium of the terminal device not having a NAS security context established by the terminal device with the PLMN-A, but the non-volatile storage medium of the terminal device or the USIM including a NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, and the NAS security context that corresponds to the non-3GPP access network being valid, the terminal device obtains, based on the PLMN-A identifier, the NAS security context that corresponds to the non-3GPP access network, and protects a second registration request message by using the NAS security context that corresponds to the non-3GPP access network.

    [0254] In some embodiments, a common NAS security context established by the terminal device with a PLMN includes one or more of the following: a key Kamf, a key identifier ngKSI, selected NAS cipher and integrity algorithms (or algorithm identifiers), a NAS cipher key, and a NAS integrity key. For example, the common NAS security context established by the terminal device with the PLMN includes the key identifier ngKSI, the selected NAS cipher and integrity algorithms (or algorithm identifiers), the NAS cipher key, and the NAS integrity key. For another example, the common NAS security context established by the terminal device with the PLMN includes the key Kamf, the key identifier ngKSI, and the selected NAS cipher and integrity algorithms (or algorithm identifiers).

    [0255] Because the PLMN-A stores the NAS security context that is established by the terminal device with the PLMN-A and that corresponds to the non-3GPP access network, after the terminal device protects the registration request message by using the non-3GPP NAS security context that corresponds to the PLMN-A identifier, the PLMN-A processes the registration request message based on a non-3GPP NAS security context stored in the PLMN-A. This avoids that the PLMN-A performs primary authentication due to inconsistency between the NAS security context stored in the PLMN-A and the NAS security context stored in the terminal device, and therefore, additional signaling overheads are avoided.
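    The selection rule of Operations 1 to 6, together with the time-based invalidation of [0213] to [0215], as an added model (not code from the application): a store keyed by PLMN identifier and access type, a validity period as first time information, and a fallback to the common context with NAS counts reset to 0. The class and function names, the HMAC stand-in for the NAS integrity algorithm, and all key and count values are assumptions made here.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import hashlib
import hmac

THREE_GPP = "3gpp"
NON_3GPP = "non-3gpp"


@dataclass
class NasSecurityContext:
    """Fields named in [0254]; the values used below are constructed samples, not real keys."""
    plmn_id: str
    ngksi: int
    k_amf: bytes
    ciphering_alg: str
    integrity_alg: str
    ul_nas_count: int = 0
    dl_nas_count: int = 0


@dataclass
class StoredEntry:
    ctx: NasSecurityContext
    stored_at: float         # first time information: moment the context was stored
    validity_seconds: float  # first time information: validity period of the context
    valid: bool = True


class TerminalContextStore:
    """Holds one context per (PLMN identifier, access type), as in Manner 3 ([0208])."""

    def __init__(self) -> None:
        self.non_volatile: Dict[Tuple[str, str], StoredEntry] = {}  # USIM or ME non-volatile memory
        self.volatile: Dict[str, NasSecurityContext] = {}           # common context per PLMN, in RAM

    def store_on_deregistration(self, ctx: NasSecurityContext, access_type: str,
                                now: float, validity_seconds: float) -> None:
        # Whatever was held for this PLMN and access type is replaced ([0202]).
        self.non_volatile[(ctx.plmn_id, access_type)] = StoredEntry(ctx, now, validity_seconds)

    def expire(self, now: float) -> None:
        # [0214]-[0215]: once the validity period has elapsed the stored context is marked
        # invalid so that a context stored later can replace it.
        for entry in self.non_volatile.values():
            if now - entry.stored_at > entry.validity_seconds:
                entry.valid = False

    def select_for_registration(self, plmn_id: str, access_type: str,
                                now: float) -> Tuple[Optional[NasSecurityContext], str]:
        """Returns (context used to protect the registration request, where it came from)."""
        self.expire(now)
        entry = self.non_volatile.get((plmn_id, access_type))
        common = self.volatile.get(plmn_id)
        if entry is not None and entry.valid:
            # Operations 1, 2, 3 and 6: a valid stored context for this access type wins,
            # and its NAS counts continue from the stored values.
            return entry.ctx, "stored"
        if common is not None:
            # Operations 4 and 5: no usable stored context, so the common context in volatile
            # memory is used with the uplink and downlink NAS counts reset to 0.
            return replace(common, ul_nas_count=0, dl_nas_count=0), "common"
        # Nothing usable on the terminal: the network will have to run primary authentication.
        return None, "none"


def protect_registration_request(ctx: NasSecurityContext, payload: bytes) -> bytes:
    """Integrity-protects a message under ctx. HMAC-SHA256 over the uplink NAS count and the
    payload is a stand-in for the NAS integrity algorithm, not the real NIA computation."""
    mac_input = ctx.ul_nas_count.to_bytes(4, "big") + payload
    nas_mac = hmac.new(ctx.k_amf, mac_input, hashlib.sha256).digest()[:4]
    return nas_mac + mac_input


def run_scenario() -> Dict[str, str]:
    """Steps 51 to 53 with constructed contexts; returns the source each lookup used."""
    store = TerminalContextStore()
    ctx_a = NasSecurityContext("PLMN-A", ngksi=3, k_amf=b"\x11" * 32, ciphering_alg="NEA2",
                               integrity_alg="NIA2", ul_nas_count=7, dl_nas_count=5)
    ctx_b = NasSecurityContext("PLMN-B", ngksi=1, k_amf=b"\x22" * 32, ciphering_alg="NEA2",
                               integrity_alg="NIA2")
    store.store_on_deregistration(ctx_a, NON_3GPP, now=100.0, validity_seconds=3600.0)  # Step 51
    store.store_on_deregistration(ctx_b, NON_3GPP, now=200.0, validity_seconds=3600.0)  # Step 52
    store.volatile["PLMN-A"] = replace(ctx_a, ul_nas_count=9)  # common context still in RAM
    result = {}
    result["step53"] = store.select_for_registration("PLMN-A", NON_3GPP, now=300.0)[1]
    result["expired"] = store.select_for_registration("PLMN-A", NON_3GPP, now=3800.0)[1]
    result["other_access"] = store.select_for_registration("PLMN-A", THREE_GPP, now=300.0)[1]
    result["unknown_plmn"] = store.select_for_registration("PLMN-C", NON_3GPP, now=300.0)[1]
    return result


if __name__ == "__main__":
    print(run_scenario())
```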

    [0256] For another example, in a non-multi-registration scenario, the terminal device first registers to the PLMN-A over the access network 1, and then deregisters from the PLMN-A. In this case, the terminal device stores a NAS security context that is established in response to the terminal device registering to the PLMN-A and a PLMN-A identifier. The PLMN-A stores the NAS security context established in response to the terminal device registering to the PLMN-A over the access network 1.

    [0257] Then, the terminal device registers to the PLMN-B over the access network 1, and then deregisters from the PLMN-B. In this case, a storage medium of the terminal device stores a NAS security context established in response to the terminal device registering to the PLMN-B over the access network 1 and a PLMN-B identifier. The PLMN-B stores the NAS security context established in response to the terminal device registering to the PLMN-B over the access network 1.

    [0258] In response to the terminal device re-registering to the PLMN-A over the access network 1, the terminal device obtains, based on the PLMN-A identifier, the NAS security context that is stored in the terminal device and that is established by the terminal device with the PLMN-A, and the PLMN-A still stores the NAS security context that is established in response to the terminal device registering to the PLMN-A over the access network 1. In this way, after the terminal device protects a registration request message by using the NAS security context that corresponds to the PLMN-A identifier, the PLMN-A processes the registration request message based on the NAS security context stored in the PLMN-A. This avoids that the PLMN-A performs primary authentication due to inconsistency between the NAS security context stored in the PLMN-A and the NAS security context stored in the terminal device, and therefore, additional signaling overheads are avoided.

    [0259] The following further describes the solution of the foregoing technical problem 2.

    [0260] Some embodiments provide a method for processing a non-access stratum context. As shown in FIG. 4, the method includes the following steps.

    [0261] 401: A terminal device sends a first registration request message to a first PLMN over a first access network, and the terminal device receives a first GUTI allocated by the first PLMN, where the first GUTI is used to identify the terminal device, and the first GUTI includes a first PLMN identifier.

    [0262] 402: In response to the terminal device deregistering from the first PLMN over the first access network, the terminal device stores the first GUTI in a storage medium of the terminal device.

    [0263] In this case, in response to a USIM of the terminal device supporting storage of a registration management parameter, the terminal device stores the first GUTI in the USIM, or in response to the USIM not supporting storage of a registration management parameter, the terminal device stores the first GUTI in a non-volatile memory.

    [0264] In some embodiments, in response to the terminal device storing the first GUTI in the storage medium of the terminal device, in response to the storage medium of the terminal device already storing a second GUTI, the terminal device deletes the second GUTI and stores the first GUTI, or replaces the second GUTI with the first GUTI.

    [0265] In some embodiments, the second GUTI is sent by the first PLMN to the terminal device before the first PLMN allocates the first GUTI. In other words, in response to the terminal device already storing, in the storage medium, the second GUTI allocated by the first PLMN, the terminal device deletes the second GUTI, or the terminal device replaces the second GUTI with the first GUTI.

    [0266] For example, in response to the first access network being a 3GPP access network, the first GUTI is stored in a file used to store location information or a GUTI of the 3GPP access network. In addition, in response to the second GUTI already existing in a file used to store location information or a GUTI of a non-3GPP access network, and the second GUTI also being allocated by the first PLMN, the terminal device deletes the second GUTI, and/or replaces the second GUTI with the first GUTI.

    [0267] For example, in response to the first access network being a non-3GPP access network, the first GUTI is stored in a file used to store location information or a GUTI of the non-3GPP access network. In addition, in response to the second GUTI already existing in a file used to store location information or a GUTI of a 3GPP access network, and the second GUTI also being allocated by the first PLMN, the terminal device deletes the second GUTI, and/or replaces the second GUTI with the first GUTI.

    [0268] In some embodiments, in response to the terminal device storing the first GUTI in the storage medium of the terminal device, in response to the storage medium of the terminal device not storing a second GUTI (that is, the storage medium of the terminal device does not store a GUTI allocated by the first PLMN), the terminal device stores the first GUTI. The second GUTI is sent by the first PLMN to the terminal device before the first GUTI.

    [0269] For example, in response to the first access network being a 3GPP access network, and the storage medium of the terminal device not storing the second GUTI, which the first PLMN would have allocated to the terminal device in response to the terminal device registering to the first PLMN over a non-3GPP access network, the terminal device stores the first GUTI in the storage medium.

    [0270] In some embodiments, the terminal device stores the first GUTI in the storage medium of the terminal device in the following manner.

    [0271] The terminal device determines an earliest GUTI stored in the storage medium of the terminal device, and the terminal device deletes the stored earliest GUTI, and/or stores the first GUTI in a file used to store the earliest GUTI. The stored earliest GUTI is an invalid GUTI. Therefore, the terminal device replaces the stored earliest GUTI with the newly allocated first GUTI.

    [0272] In some embodiments, the terminal device stores the first GUTI after the terminal device receives the first GUTI sent by the first PLMN, or after the terminal device deregisters from the first PLMN over the first access network (that is, after the terminal device is in a deregistered state on a NAS connection that is between the terminal device and the first PLMN and that is established over the first access network).

    [0273] Alternatively, in some embodiments, in response to the terminal device deregistering from the first PLMN over access networks, the terminal device determines to store the first GUTI in the storage medium of the terminal device.

    [0274] In some embodiments, the method further includes: The terminal device further stores second time information in the storage medium of the terminal device, where the second time information is a moment at which the first PLMN allocates the first GUTI or a moment at which the terminal device stores the first GUTI.

    [0275] The second time information is used by the terminal device in response to registering to the first PLMN. The terminal device selects, based on the second time information, a GUTI newly allocated by the first PLMN, a GUTI that is allocated by the first PLMN and that is recently used by the terminal device or the first PLMN, or a GUTI that is allocated by the first PLMN and that is recently stored by the terminal device, and includes the selected GUTI in a registration request message sent by the terminal device to the first PLMN. In this way, the GUTI selected based on the second time information is consistent with a GUTI stored in the first PLMN in response to the terminal device registering to the first PLMN again.

    [0276] In response to the terminal device re-registering to the first PLMN after deregistering from the first PLMN, the method further includes the following step.

    [0277] 403: Optionally, in response to registering to the first PLMN again, the terminal device obtains the first GUTI on the storage medium of the terminal device, and sends a second registration request message to the first PLMN, where the second registration request message carries the first GUTI.

    [0278] For example, in response to the terminal device registering to the first PLMN over the first access network (for example, the 3GPP access network or the non-3GPP access network), the terminal device sends the second registration request message to the first PLMN. Before sending the second registration request message, the terminal device first obtains the first GUTI allocated by the first PLMN to the terminal device and a NAS security context that is stored by the terminal device and that is established with the first PLMN over the first access network, includes the first GUTI in the second registration request message, and protects the second registration request message by using the NAS security context.

    [0279] In some embodiments, before the terminal device sends the second registration request message, a manner of obtaining the first GUTI is as follows: The terminal device reads GUTIs stored in the storage medium, selects a GUTI allocated by the first PLMN, and includes the GUTI in the second registration request message. The GUTI allocated by the first PLMN is the first GUTI.

    [0280] In response to the storage medium of the terminal device storing multiple GUTIs allocated by the first PLMN, the terminal device selects, based on time information that corresponds to each GUTI, a GUTI recently allocated by the first PLMN. Alternatively, the terminal device selects a GUTI based on a type of an access network. The meaning of the time information herein is similar to that of the second time information.

    [0281] For example, in response to the storage medium of the terminal device storing multiple GUTIs allocated by the first PLMN, the terminal device selects, from the multiple GUTIs, a GUTI that corresponds to the first access network, and includes the GUTI that corresponds to the first access network in the second registration request message. In this case, the determined GUTI that corresponds to the first access network is understood as the selected first GUTI. For example, in response to the first access network being the 3GPP access network, the terminal device selects a GUTI stored in the file used to store the location information or the GUTI of the 3GPP access network as the first GUTI. In response to the first access network being the non-3GPP access network, the terminal device selects a GUTI stored in the file used to store the location information or the GUTI of the non-3GPP access network as the first GUTI.

    [0282] For another example, in response to the storage medium of the terminal device storing multiple GUTIs allocated by the first PLMN, the terminal device determines, based on the time information that corresponds to each GUTI, the GUTI recently allocated by the first PLMN or a GUTI that is recently stored in the terminal device and that is allocated by the first PLMN. The terminal device includes the most recently stored GUTI or the recently allocated GUTI in the second registration request message, where the most recently stored GUTI or the recently allocated GUTI is the first GUTI.

    [0283] In some embodiments, before the terminal device sends the second registration request message, a further manner in which the terminal device selects the first GUTI is as follows.

    [0284] The terminal device sequentially reads, from the storage medium, multiple files that store GUTIs. In response to a read GUTI being allocated by the first PLMN, that is, the read GUTI includes the first PLMN identifier of the first PLMN, the terminal device stops reading the file of the GUTI, and includes the GUTI in the second registration request message.

    [0285] The following describes a scenario by using an example in which the first access network is the 3GPP access network. An implementation in this scenario includes the following steps.

    [0286] Step 61: A terminal device registers to a PLMN-A over a 3GPP access network. The PLMN-A allocates a GUTI denoted as a GUTI-1 to the terminal device. Then, the terminal device deregisters from the PLMN-A over the 3GPP access network.

    [0287] The terminal device stores the GUTI-1 in a USIM or a non-volatile memory, and stores a PLMN-A identifier.

    [0288] Step 62: The terminal device registers to a PLMN-B over the 3GPP access network. The PLMN-B allocates a GUTI denoted as a GUTI-2 to the terminal device. Then, the terminal device deregisters from the PLMN-B over the 3GPP access network.

    [0289] The terminal device stores the GUTI-2 in the USIM or the non-volatile memory, and stores a PLMN-B identifier. In this case, because the GUTI-1 and the GUTI-2 are allocated by different PLMNs, the GUTI-1 that is allocated by the PLMN-A to the terminal device and the PLMN-A identifier remain stored for the 3GPP access network, and the terminal device additionally stores the GUTI-2 for the 3GPP access network. In other words, when a GUTI is stored in some embodiments, because a PLMN identifier is also stored, not only the type of the access network but also the PLMN is considered. When the GUTI that the terminal device currently intends to store and a stored GUTI were not allocated by the same PLMN, then even though both were allocated when the terminal device registered to the respective PLMNs over the same access network type, the GUTI allocated by the later PLMN still needs to be stored, and the GUTI previously stored in the file of the same access network type must not be overwritten.

    [0290] Step 63: The terminal device registers to the PLMN-A over the 3GPP access network. In this case, in step 63, after the terminal device deregisters from the PLMN-A over the 3GPP access network in step 61, the terminal device re-registers to the PLMN-A over the 3GPP access network.

    [0291] In this case, the terminal device obtains, from the USIM or the non-volatile memory, a GUTI allocated by the PLMN-A to the terminal device over the 3GPP access network, where the GUTI is the GUTI-1. In this way, when the terminal device sends a registration request message to the PLMN-A over the 3GPP access network, the GUTI-1 is included. After receiving the registration request message, the PLMN-A (or an access and mobility management node of the PLMN-A) obtains a context of the terminal device based on the GUTI-1 carried in the registration request message. Because the GUTI-1 in the registration request message is allocated by the PLMN-A, the PLMN-A identifies the GUTI-1, and the PLMN-A obtains, based on the GUTI-1, the NAS security context that was established when the terminal device registered to the PLMN-A over the 3GPP access network. This avoids the additional signaling overheads that would be caused by the PLMN-A initiating primary authentication because it is unable to identify the GUTI sent by the terminal device, and therefore the terminal device starts using a service more quickly. Further, impact on some IoT devices is reduced.

    [0292] The following scenario is also used as an example.

    [0293] Step 71: A terminal device registers to a PLMN-A over a 3GPP access network. The PLMN-A allocates a GUTI denoted as a GUTI-1 to the terminal device. The terminal device deregisters from the PLMN-A over the 3GPP access network.

    [0294] In this case, the terminal device stores the GUTI-1 in a USIM or a non-volatile memory. The GUTI-1 allocated by the PLMN-A is stored in a file of the 3GPP access network. In this case, an assumption is made that the file of the 3GPP access network does not store another GUTI allocated by the PLMN-A before.

    [0295] Step 72: The terminal device registers to the PLMN-A over a non-3GPP access network. The PLMN-A allocates a GUTI denoted as a GUTI-2 to the terminal device. The terminal device deregisters from the PLMN-A over the non-3GPP access network.

    [0296] In this case, the terminal device stores the GUTI-2 in the USIM or non-volatile memory. Different from a conventional technology, the terminal device deletes the GUTI-1 stored in the file of the 3GPP access network, and stores the GUTI-2 in a file of the non-3GPP access network. Alternatively, the terminal device deletes the GUTI-1 stored in the file of the 3GPP access network, and stores the GUTI-2 in the file of the 3GPP access network. In this case, the terminal device stores the GUTI-2 newly allocated by the PLMN-A, and at the same time, the PLMN-A side also replaces the GUTI-1 with the GUTI-2.

    [0297] Alternatively, when time information of the GUTI is stored, both the GUTI-1 and the GUTI-2 are stored in a file. Because both the GUTI-1 and the GUTI-2 are allocated by the PLMN-A, the terminal device selects, based on the time information, the GUTI-2 most recently allocated by the PLMN-A.

    [0298] Step 73: The terminal device registers to the PLMN-A over the 3GPP access network.

    [0299] During the registration, when the terminal device obtains a GUTI from the USIM, the file of the non-3GPP access network or the file of the 3GPP access network stores the newly allocated GUTI-2, or the terminal device selects the newly allocated GUTI-2 based on the time information. When the registration request message sent by the terminal device to the PLMN-A carries the GUTI-2, because the PLMN-A also stores the GUTI-2, the PLMN-A determines a context of the terminal device based on the GUTI-2. Therefore, this avoids primary authentication caused by the PLMN-A being unable to identify the GUTI sent by the terminal device; additional signaling overheads are avoided, impact on some IoT devices is reduced, and impact on service continuity is further reduced.
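    The two scenarios above (steps 61 to 63 and steps 71 to 73) reduce to a small set of storage and selection rules. The following Python model is an added example written for this page, not code from the patent: the record layout, the counter that stands in for the time information, and the function and policy names are assumptions. It keeps a stored GUTI of a different PLMN intact (step 62), replaces a PLMN's own earlier GUTI when that PLMN allocates a new one over any access network (step 72), optionally retains both when time information is kept ([0297]), and on re-registration selects either the most recently stored GUTI of the target PLMN ([0282]) or the one allocated over the access network in use ([0281]).

```python
"""Terminal-side GUTI store as described in steps 61-63 and 71-73.

Added example for this page; not code from the patent. The record layout,
the monotonic counter standing in for the time information and all names
are assumptions; the rules are the ones the scenarios state.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GutiRecord:
    guti: str         # the GUTI value; constructed labels such as "GUTI-1" below
    plmn_id: str      # identifier of the allocating PLMN, stored alongside the GUTI
    access: str       # "3gpp" or "non-3gpp": access network the GUTI was allocated over
    stored_at: int    # stand-in for the time information (counter, not a real clock)


class GutiStore:
    """Models the USIM files / non-volatile memory holding GUTIs and PLMN identifiers."""

    def __init__(self) -> None:
        self.records: List[GutiRecord] = []
        self._clock = 0

    def store(self, guti: str, plmn_id: str, access: str, keep_history: bool = False) -> None:
        """Store a freshly allocated GUTI after deregistration from plmn_id."""
        self._clock += 1
        if not keep_history:
            # Same PLMN: its earlier GUTI is stale, the network replaced it too (step 72).
            # Entries that belong to other PLMNs are never overwritten (step 62).
            self.records = [r for r in self.records if r.plmn_id != plmn_id]
        self.records.append(GutiRecord(guti, plmn_id, access, self._clock))

    def select(self, plmn_id: str, access: str, policy: str = "recent") -> Optional[str]:
        """Pick the GUTI to carry in the registration request to plmn_id.

        policy="recent": most recently stored GUTI of that PLMN ([0282]).
        policy="access": GUTI of that PLMN allocated over `access` ([0281]),
        falling back to the most recent one when none matches.
        """
        cands = [r for r in self.records if r.plmn_id == plmn_id]
        if not cands:
            return None  # nothing from this PLMN; the caller falls back (see [0315])
        if policy == "access":
            same = [r for r in cands if r.access == access]
            cands = same or cands
        return max(cands, key=lambda r: r.stored_at).guti


def scenario_61_to_63() -> Optional[str]:
    """Two PLMNs over 3GPP access: PLMN-A's GUTI survives PLMN-B's and is reused."""
    s = GutiStore()
    s.store("GUTI-1", "PLMN-A", "3gpp")     # step 61
    s.store("GUTI-2", "PLMN-B", "3gpp")     # step 62: must not overwrite GUTI-1
    return s.select("PLMN-A", "3gpp")       # step 63: the PLMN-A GUTI, i.e. GUTI-1


def scenario_71_to_73(keep_history: bool, policy: str = "recent") -> Optional[str]:
    """One PLMN over two access types: the newer GUTI-2 is the one PLMN-A still knows."""
    s = GutiStore()
    s.store("GUTI-1", "PLMN-A", "3gpp")                       # step 71
    s.store("GUTI-2", "PLMN-A", "non-3gpp", keep_history)     # step 72
    return s.select("PLMN-A", "3gpp", policy)                 # step 73


if __name__ == "__main__":
    print(scenario_61_to_63(), scenario_71_to_73(False), scenario_71_to_73(True))
```

    The `keep_history` branch shows why [0297] ties retention of both GUTIs to the time information: if GUTI-1 and GUTI-2 are both kept and the terminal selected by access network type instead, step 73 over 3GPP access would return the stale GUTI-1, which the PLMN-A has already replaced, and primary authentication would follow.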

    [0300] The following further describes the solution of the foregoing technical problem 3.

    [0301] Some embodiments provide a method for processing a non-access stratum context. As shown in FIG. 5, the method includes the following steps.

    [0302] 501: After a terminal device sends a first registration request message to a first public land mobile network PLMN over a first access network, the terminal device receives, from the first PLMN, a second PLMN identifier of a second PLMN equivalent to the first PLMN.

    [0303] 502: The terminal device stores the second PLMN identifier in a storage medium.

    [0304] In response to the received second PLMN identifier of the equivalent PLMN (namely, the second PLMN) being stored:

    [0305] In response to a USIM of the terminal device supporting storage of the equivalent PLMN, the terminal device stores the second PLMN identifier on the USIM. In response to the USIM not supporting storage of the equivalent PLMN, the terminal device stores the second PLMN identifier in a non-volatile memory.

    [0306] 503: The terminal device deregisters from the first PLMN.

    [0307] The deregistration process is initiated by the terminal device, or is initiated by the first PLMN.

    [0308] In response to the terminal device needing to initiate registration with a third PLMN after step 503, the terminal device sends a registration request message to the third PLMN, where the registration request message includes a first GUTI. Before sending the registration request message, the terminal device obtains the first GUTI from the storage medium of the terminal device. The third PLMN is the first PLMN in step 501, or is a different PLMN.

    [0309] 504: The terminal device obtains the first GUTI stored in the storage medium of the terminal device.

    [0310] In some embodiments, the terminal device obtains, from the storage medium, a fourth PLMN identifier of a PLMN (namely, a fourth PLMN) equivalent to the third PLMN, and obtains, from the storage medium based on the fourth PLMN identifier, a GUTI allocated by the fourth PLMN, that is, a GUTI including the fourth PLMN identifier. The GUTI is the first GUTI. Possibly, in response to the storage medium of the terminal device having multiple GUTIs allocated by the PLMN equivalent to the third PLMN:

    [0311] the terminal device randomly selects a GUTI allocated by the PLMN equivalent to the third PLMN, where the GUTI is the first GUTI;

    [0312] the terminal device selects a GUTI recently allocated by the PLMN equivalent to the third PLMN or a GUTI that is recently stored in the terminal device and recently allocated by the PLMN equivalent to the third PLMN, where the GUTI is the first GUTI, and meaning of time information herein is similar to the meaning of the second time information in some embodiments; or

    [0313] the terminal device selects, based on an access network accessing the third PLMN, a GUTI that is allocated by the PLMN equivalent to the third PLMN over the access network, where the GUTI is the first GUTI.

    [0314] In this way, the terminal device identifies, based on an equivalent PLMN identifier, that a GUTI is allocated by an equivalent PLMN. In response to a GUTI including an identifier of an equivalent PLMN of a PLMN to which the terminal device intends to be registered, the terminal device selects the GUTI, where the selected GUTI includes the identifier of the equivalent PLMN. In response to the PLMN to which the terminal device intends to be registered receiving the GUTI, the terminal device obtains a NAS security context of the terminal device from the equivalent PLMN based on the identifier of the equivalent PLMN in the GUTI. This avoids additional signaling overheads caused by primary authentication performed by a PLMN because the terminal device is unable to determine whether a GUTI is allocated by an equivalent PLMN and is unable to select a GUTI allocated by the equivalent PLMN in a conventional technology.

    [0315] In some embodiments, in response to the storage medium of the terminal device not having a GUTI allocated by the third PLMN or a GUTI allocated by the PLMN equivalent to the third PLMN, the terminal device selects a GUTI allocated by another PLMN (a PLMN other than the third PLMN and the PLMN equivalent to the third PLMN). Possibly, in response to the storage medium of the terminal device including a plurality of GUTIs allocated by other PLMNs:

    [0316] the terminal device selects any GUTI allocated by the other PLMN, where the GUTI is the first GUTI;

    [0317] the terminal device selects, based on the access network accessing the third PLMN, a GUTI that is allocated by the other PLMN over the access network, where the GUTI is the first GUTI;

    [0318] the terminal device selects a GUTI recently allocated by the other PLMN; or

    [0319] the terminal device generates a subscription concealed identifier (Subscription Concealed Identifier, SUCI), and the SUCI is used as the first GUTI. The SUCI is a temporary identifier used to hide a subscription permanent identifier (subscription permanent identifier, SUPI). The SUCI conceals the SUPI by encryption, so that the SUPI is not transmitted in the clear over the air interface. In this way, in response to receiving the SUCI, the first PLMN obtains the SUPI based on the SUCI, to identify the terminal device based on the SUPI and find the NAS security context that corresponds to the terminal device.

    [0320] In the foregoing descriptions, that the terminal device selects the GUTI recently allocated by the other PLMN, or that the terminal device selects the GUTI recently allocated by the PLMN equivalent to the third PLMN, means selecting the most recently allocated GUTI based on time information. The time information herein is a moment at which a PLMN allocates a GUTI or a moment at which the terminal device stores a GUTI. Alternatively, the terminal device selects the GUTI recently allocated by the PLMN equivalent to the third PLMN based on a tag. The tag indicates a GUTI recently allocated by a PLMN or a GUTI recently stored in the terminal device. In this manner, in response to the terminal device storing the first GUTI, the terminal device adds a tag to the first GUTI, to indicate that the first GUTI is a GUTI recently allocated by a PLMN or a GUTI recently stored in the terminal device.

    [0321] In some embodiments, the terminal device reads the GUTIs that are stored in the storage medium and that were allocated over the 3GPP access network and over the non-3GPP access network. In response to the two GUTIs being the same, the terminal device selects the stored GUTI that was allocated over the access network accessing the third PLMN, where the GUTI is the first GUTI.

    [0322] In some embodiments, after the terminal device obtains the first GUTI according to the foregoing descriptions, in response to the first GUTI being allocated by using the access network accessing the third PLMN, the terminal device protects the registration request message by using a NAS security context that corresponds to the first GUTI. Otherwise, the terminal device protects the registration request message by using a NAS count whose value is 0.

    [0323] 505: The terminal device sends a fourth registration request message to the third PLMN, where the fourth registration request message includes the first GUTI.

    [0324] 506: The third PLMN obtains the NAS security context of the terminal device based on the received first GUTI, and processes, based on the NAS security context, the fourth registration request message sent by the terminal device.
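    Steps 501 to 506, together with the selection variants in [0310] to [0322], describe a decision procedure on the terminal side. The Python below is an added example written for this page, not the patent's code; the record layout, the function names, the `Choice` result and the placeholder `make_suci` stand-in (a real SUCI is the SUPI encrypted with the home network's public key, which this example does not implement) are assumptions. It first looks for a GUTI of the target PLMN or of a PLMN stored as equivalent to it (step 502), preferring one allocated over the access network in use and then the most recently stored; failing that, a GUTI of some other PLMN with the same preference ([0315] to [0318]); failing that, a SUCI ([0319]). The protection decision follows [0322]: the stored NAS security context only when the chosen GUTI was allocated over the access network now in use, otherwise NAS COUNT 0.

```python
"""Identifier and protection choice for a registration request to a target PLMN,
following step 504 and the variants in [0310] to [0322].

Added example for this page; not code from the patent. Names, the record
layout, the Choice result and the make_suci stand-in are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class StoredGuti:
    guti: str
    plmn_id: str     # allocating PLMN; a GUTI carries this identifier
    access: str      # "3gpp" or "non-3gpp"
    stored_at: int   # stand-in for the time information


@dataclass
class Choice:
    identifier: str      # GUTI or SUCI placed in the registration request
    kind: str            # "guti" or "suci"
    protection: str      # "stored-context", "nas-count-0" or "none"


def equivalent_plmns(target: str, eplmn: Dict[str, Set[str]]) -> Set[str]:
    """PLMNs recorded (step 502) as equivalent to target, in either direction."""
    out = set(eplmn.get(target, set()))
    out |= {p for p, eq in eplmn.items() if target in eq}
    return out


def _pick(cands: List[StoredGuti], access: str) -> Optional[StoredGuti]:
    """Prefer a GUTI allocated over `access` ([0313]/[0317]), then the most recent ([0312]/[0318])."""
    if not cands:
        return None
    same = [c for c in cands if c.access == access]
    return max(same or cands, key=lambda c: c.stored_at)


def make_suci() -> str:
    # Stand-in only (assumption): a real SUCI conceals the SUPI by encryption.
    return "SUCI-<constructed placeholder>"


def select_identifier(store: Iterable[StoredGuti], target: str,
                      eplmn: Dict[str, Set[str]], access: str) -> Choice:
    records = list(store)
    allowed = {target} | equivalent_plmns(target, eplmn)
    chosen = _pick([g for g in records if g.plmn_id in allowed], access)
    if chosen is None:
        # No GUTI from the target or an equivalent PLMN: fall back to any other PLMN ([0315]).
        chosen = _pick([g for g in records if g.plmn_id not in allowed], access)
    if chosen is None:
        # Nothing stored: identify with a SUCI. No stored NAS context applies
        # (the page does not state the protection for this case; "none" is an assumption).
        return Choice(make_suci(), "suci", "none")
    if chosen.access == access:
        return Choice(chosen.guti, "guti", "stored-context")   # [0322], first branch
    return Choice(chosen.guti, "guti", "nas-count-0")          # [0322], "otherwise"


# Constructed sample data: two stored GUTIs and one equivalent-PLMN announcement.
SAMPLE_STORE = [
    StoredGuti("GUTI-A1", "PLMN-A", "3gpp", 1),
    StoredGuti("GUTI-B1", "PLMN-B", "non-3gpp", 2),
]
SAMPLE_EPLMN = {"PLMN-A": {"PLMN-C"}}   # PLMN-A announced PLMN-C as equivalent (step 502)


def demo() -> Dict[str, Choice]:
    return {
        "PLMN-C over 3gpp": select_identifier(SAMPLE_STORE, "PLMN-C", SAMPLE_EPLMN, "3gpp"),
        "PLMN-C over non-3gpp": select_identifier(SAMPLE_STORE, "PLMN-C", SAMPLE_EPLMN, "non-3gpp"),
        "PLMN-D over non-3gpp": select_identifier(SAMPLE_STORE, "PLMN-D", SAMPLE_EPLMN, "non-3gpp"),
        "empty store": select_identifier([], "PLMN-A", SAMPLE_EPLMN, "3gpp"),
    }


if __name__ == "__main__":
    for case, choice in demo().items():
        print(f"{case}: {choice}")
```

    The first sample case is the one the section is about: the terminal has never registered to PLMN-C, but because PLMN-A announced PLMN-C as equivalent and the stored GUTI-A1 carries the PLMN-A identifier, the terminal sends GUTI-A1 and PLMN-C can fetch the context from PLMN-A instead of running primary authentication.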

    [0325] In some embodiments, in response to the terminal device performing the deregistration, the terminal device stores the equivalent PLMN identifier of the equivalent PLMN, and the terminal device determines whether a GUTI is allocated by the equivalent PLMN. Therefore, the terminal device selects the GUTI allocated by the equivalent PLMN, and the network side further obtains the context of the terminal device from the equivalent network. In this way, a primary authentication process that is performed because the network side is unable to obtain the context of the terminal device is avoided, and additional signaling overheads are avoided.

    [0326] In some embodiments, to implement the foregoing functions, the terminal device includes a corresponding hardware and/or software module for performing each function. In combination with example algorithm steps described in some embodiments disclosed, some embodiments are implemented by hardware or a combination of hardware and computer software. Whether a function is performed by hardware or hardware driven by computer software depends on a particular application and a design constraint of the technical solutions. A person skilled in the art is able to use different methods to implement the described functions for each particular application with reference to embodiments, and such an implementation shall not be considered to go beyond the scope of the embodiments.

    [0327] In some embodiments, the terminal device is divided into functional modules based on the foregoing method examples, for example, each functional module is obtained through division based on each corresponding function, or two or more functions are integrated into one processing module. The integrated module is implemented in a form of hardware. In some embodiments, division into the modules is an example, and is logical function division. During implementation, another division manner is used.

    [0328] In response to each functional module being obtained through division based on each corresponding function, FIG. 6 is a possible schematic composition diagram of a terminal device 60 in the foregoing embodiments. As shown in FIG. 6, the terminal device 60 includes a sending unit 601, a receiving unit 602, a storage unit 603, and a processing unit 604.

    [0329] The sending unit 601 is configured to support the terminal device 60 in performing step 301, step 304, step 401, step 501, step 505, and the like, and/or another process of the technology described in some embodiments.

    [0330] The receiving unit 602 is configured to support the terminal device 60 in performing the foregoing step 502 and the like, and/or another process of the technology described in some embodiments.

    [0331] The storage unit 603 is configured to support the terminal device 60 in performing step 302, step 402, step 502, and the like, and/or another process of the technology described in some embodiments.

    [0332] The processing unit 604 is configured to support the terminal device 60 in performing step 303, step 403, step 503, step 504, step 506, and the like, and/or another process of the technology described in some embodiments.

    [0333] In some embodiments, for the related content of the steps in the foregoing method embodiments, refer to the function descriptions of the corresponding functional modules. Details are not described herein again.

    [0334] The terminal device 60 provided in some embodiments is configured to perform the foregoing method for processing a non-access stratum context, and therefore achieves a same effect as the foregoing implementation method.

    [0335] In response to an integrated unit being used, the terminal device 60 includes a processing module, a storage module, and a communication module. The processing module is configured to control and manage an action of the terminal device 60, for example, is configured to support the terminal device 60 in performing the steps performed by the processing unit 604. The storage module is configured to support the terminal device 60 in storing program code, data, and the like, and is further configured to support the terminal device 60 in performing an action of the storage unit 603. The communication module is configured to support communication between the terminal device 60 and another device, and includes the sending unit 601 and the receiving unit 602. For example, the communication module is configured to support communication with a PLMN.

    [0336] The processing module is a processor or a controller. The processing module implements or executes the various example logical blocks, modules, and circuits described with reference to content disclosed in some embodiments. The processor alternatively is a combination for implementing a computing function, for example, a combination including one or more microprocessors or a combination of a digital signal processor (digital signal processing, DSP) and a microprocessor. The storage module is a memory. The communication module is a device, for example, a radio frequency circuit, a Bluetooth chip, or a Wi-Fi chip, that interacts with another electronic device.

    [0337] In an embodiment, in response to the processing module being a processor, the storage module being a memory, and the communication module being a transceiver, the terminal device in some embodiments is an electronic device 70 having a structure shown in FIG. 7.

    [0338] Some embodiments further provide an electronic device, including one or more processors and one or more memories. The one or more memories are coupled to the one or more processors. The one or more memories are configured to store computer program code, and the computer program code includes computer instructions. In response to the one or more processors executing the computer instructions, the electronic device is enabled to perform the foregoing related method steps to implement the method for processing a non-access stratum context in the foregoing embodiments.

    [0339] Some embodiments further provide a computer storage medium. The computer storage medium stores computer instructions. In response to the computer instructions being run on an electronic device, the electronic device is enabled to perform the foregoing related method steps to implement the method for processing a non-access stratum context in the foregoing embodiments.

    [0340] Some embodiments further provide a computer program product. In response to the computer program product being run on a computer, the computer is enabled to perform the foregoing related steps to implement the method for processing a non-access stratum context performed by the electronic device in the foregoing embodiments.

    [0341] In addition, some embodiments further provide an apparatus. The apparatus is a chip, a component, or a module. The apparatus includes a processor and a memory that are connected to each other. The memory is configured to store computer-executable instructions. In response to the apparatus running, the processor executes the computer-executable instructions stored in the memory, so that the chip performs the method for processing a non-access stratum context performed by the electronic device in the foregoing method embodiments.

    [0342] The electronic device, the computer storage medium, the computer program product, or the chip provided in some embodiments is configured to perform the corresponding method provided above. Therefore, for the beneficial effects that are achieved, refer to the beneficial effects of the corresponding method provided above. Details are not described herein again.

    [0343] Some embodiments provide a system. The system includes devices such as the terminal device and the AMF in the PLMN, and is configured to implement the foregoing method for processing a non-access stratum context.

    [0344] Based on the foregoing descriptions of the implementations, a person skilled in the art is able to understand that for the purpose of convenient and brief description, division into the foregoing functional modules is used as an example for illustration. During application, the foregoing functions are allocated to different functional modules for implementation based on a condition, that is, an inner structure of an apparatus is divided into different functional modules to implement all or a part of the functions described above.

    [0345] In the embodiments, the disclosed apparatus and method are implemented in another manner. For example, the described apparatus embodiment is an example. For example, division into the modules or units is logical function division. There is another division manner during implementation. For example, a plurality of units or components are combined or integrated into another apparatus, or some features are ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections are implemented through some interfaces. The indirect couplings or communication connections between the apparatuses or units are implemented in electronic, mechanical, or another form.

    [0346] The units described as separate components may or may not be physically separate, and components displayed as units are one or more physical units, that is, located in one place or distributed over a plurality of different places. A part or all of the units are selected based on conditions to achieve the objectives of the solutions of embodiments.

    [0347] In addition, functional units in some embodiments are integrated into one processing unit, each of the units exists alone physically, or two or more units are integrated into one unit. The integrated unit is implemented in a form of hardware, or is implemented in a form of a software functional unit.

    [0348] In response to the integrated unit being implemented in the form of the software functional unit and sold or used as an independent product, the integrated unit is stored in a readable storage medium. Based on such an understanding, the technical solutions in some embodiments, or the part contributing to the conventional technology, or all or a part of the technical solutions are implemented in the form of a software product. The software product is stored in a storage medium and includes several instructions for instructing a device (which is a single-chip microcomputer, a chip, or the like) or a processor (processor) to perform all or a part of the steps of the methods described in some embodiments. The foregoing storage medium includes any medium that stores program code, for example, a USB flash drive, a removable hard disk, a read-only memory (read-only memory, ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disc.

    [0349] The foregoing descriptions are implementations of the embodiments, but are not intended to limit the protection scope of the embodiments. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in the embodiments shall fall within the protection scope of the embodiments. Therefore, the protection scope of the embodiments shall be subject to the protection scope of the claims.