CN114731289A - User identification verification method and related equipment - Google Patents


Info

Publication number: CN114731289A
Authority: CN (China)
Prior art keywords: network element, verification, user, application function, certificate
Legal status: Pending
Application number: CN202080080556.XA
Other languages: Chinese (zh)
Inventors: 杨明月, 王远, 周润泽
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN114731289A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
              • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication

Abstract

The embodiments of this application provide a user identifier verification method and related devices for use in the field of communication technology. The method comprises the following steps: a first network element receives a user identifier from an application function network element; the first network element obtains a first credential from a second network element according to the user identifier, the first credential being used to verify the user account; the first network element obtains the identifiers of one or more terminal devices, which are used to determine a target terminal; the first network element receives a second credential from the target terminal, the second credential being an authentication credential received by the target terminal; and the first network element performs user verification according to the first credential and the second credential. The third-party application can decide on the user login according to the verification result provided by the core network, so that the user identifier cannot be used to log in to the third-party application without verification, and the security of the user account is ensured.

Description

User identification verification method and related equipment
Technical Field
The embodiments of this application relate to the field of communication technology, and in particular to a user identifier verification method and related devices.
Background
In the current network architecture, an internet service provider provides a payment service to a user based on the Subscriber Identity Module (SIM) card of a terminal. For example, a user may subscribe to the payment service through the SIM card; when the user initiates a service request, the service server first needs to obtain and recognise the identifier of the SIM card, then determines the payment service corresponding to that SIM card identifier, and provides the payment service to the terminal to which the SIM card belongs. Because the payment service subscribed by the user is bound to the SIM card, the coupling is strong, which limits the flexibility of migrating user services: for example, when different users use the same terminal, the terminal can only satisfy each user's requirements if the SIM cards carrying the services subscribed by the different users are swapped repeatedly. Meanwhile, with the advent of the fifth generation mobile communication technology (5G), each user will have multiple SIM cards and multiple terminals, which causes the services defined per terminal to be independent and discontinuous.
In the prior art, a 3GPP user account is established for each user on the core network side of the Third Generation Partnership Project (3GPP), and the user can subscribe to a payment service through that user account. When the user sends a service request, an arbitrary SIM card can be bound to the user account, and the service server can then provide all services corresponding to the user account to the current SIM card; that is, through the 3GPP user account the user can obtain the corresponding services using any SIM card on any terminal. In addition, the operator may open the user account identifier to external third parties, so that the user may register or log in to a third-party application using the user account identifier.
At present, there is no method for guaranteeing the security of a user account when the user account identifier is used to register or log in to a third-party application.
Disclosure of Invention
The embodiments of this application provide a user identifier verification method and related devices, which are used to guarantee the security of a user account when the user account identifier is used to register or log in to a third-party application.
A first aspect of the embodiments of this application provides a method for verifying a user identifier:
user accounts are established on the core network side, different user accounts are distinguished by different user identifiers, each user account can be bound to multiple terminal devices, and a user can log in to a third-party application using the user identifier. In the login process, when a first network element receives the user identifier sent by an application function network element, the first network element obtains a first credential from a second network element, the first credential being the verification credential of the user account corresponding to the user identifier. The first network element then obtains the identifiers of one or more terminal devices and determines a target terminal according to those identifiers; the first network element obtains a second credential from the target terminal, the second credential being the authentication credential entered by the user; and the first network element then performs user verification according to the first credential and the second credential.
When the user identifier of the core network side is used to log in to the third-party application, the core network side verifies the second credential entered by the user against the preset first credential, so that the user identifier cannot be used to log in to the third-party application without verification, and the security of the user account is ensured.
Based on the first aspect of the embodiments of the present application, an embodiment of the present application further provides a first implementation manner of the first aspect:
the first network element may compare the obtained first credential with the second credential; if the first credential is the same as the second credential, the verification passes and the first network element sends the application function network element a first indication that user verification succeeded; if the first credential and the second credential differ, the verification fails and the first network element sends the application function network element a second indication that user verification failed.
The first network element determines the validity of the user identity by comparing the first credential with the second credential; when the two are the same, the first network element determines that the user has passed verification and sends the verification result to the application function network element, which can then provide the corresponding service according to the verification result, ensuring the security of the user account.
Based on the first aspect of the embodiment of the present application to the first implementation manner of the first aspect, an embodiment of the present application further provides a second implementation manner of the first aspect:
the first network element needs to determine a specific terminal device from which to obtain the second credential entered by the user, that is, the user performs user verification through a terminal device. The first network element may determine the target terminal by receiving an identifier of the terminal device sent by the application function network element and determining the target terminal directly from that identifier; alternatively, the identifier of the terminal device may be obtained from a third network element, which stores a mapping between the user identifier and the identifiers of one or more terminal devices corresponding to it, that is, the third network element stores the list of terminal devices bound to each user account.
Since the user's services are subscribed through the user account on the core network, the user can perform user verification on any terminal device. When the application function network element supplies the identifier of a terminal device to the first network element, the first network element determines the target terminal for verification according to that identifier; if the application function network element does not supply a terminal device identifier, the first network element obtains the terminal devices bound to the user account from the third network element and determines the target terminal from them. A user can change terminal devices by unbinding or binding, and can therefore log in to the user account on any terminal device to complete the migration of services.
Based on the first aspect of the embodiment of the present application to the second implementation manner of the first aspect, the embodiment of the present application further provides a third implementation manner of the first aspect:
when the first network element performs user verification according to the first credential and the second credential, it may adopt multiple verification strategies, i.e. different verification modes, verification algorithms and so on. The first network element can therefore not only provide the result of user verification to the application function network element but also evaluate the reliability of that result, i.e. send an evaluation report to the application function network element; the evaluation report assesses the credibility of the verification result and evaluates the verification process in terms of the verification mode, the verification algorithm and other aspects.
The first network element sends not only the verification result but also a reliability analysis of that result to the application function network element, so that the application function network element can further assess the validity of the user identity and provide service according to both the verification result and the evaluation report, making the user account more secure.
Based on the first aspect of the embodiments of the present application to the second implementation manner of the first aspect, an embodiment of the present application further provides a fourth implementation manner of the first aspect:
the first network element may analyse the reliability of the verification result itself, or may send an evaluation request to a fourth network element, which performs the analysis and generates the evaluation report. The evaluation report can comprehensively analyse the verification result and can evaluate the verification mode, the verification algorithm and other information; the fourth network element then sends the evaluation report to the first network element, which forwards it to the application function network element.
Having the fourth network element generate the evaluation report reduces the load on the first network element and provides a new way of implementing the generation of the evaluation report.
Based on the first aspect of the embodiments of the present application to the fourth implementation manner of the first aspect, an embodiment of the present application further provides a fifth implementation manner of the first aspect:
when the application function network element notifies the core network to perform user verification, it may also instruct the core network to perform verification at different levels; for example, when a financial third-party application needs to be logged in to, the application function network element may instruct the core network to use a high-level verification mode, that is, a verification mode with higher security. The application function network element sends a verification level to the first network element; the first network element formulates a verification policy according to the verification level, where the policy may include a verification mode, a verification algorithm and so on; the first network element then selects, according to the verification policy, the first credential corresponding to the user identifier and determines the type of first credential the user must be verified against; a second credential is obtained according to that first credential; the first credential and the second credential are compared according to the verification policy; and finally the verification result is obtained.
By formulating the verification policy according to the verification level sent by the application function network element, the first network element can provide an individualised verification mode for each verification, so that core network resources are used more reasonably and waste of core network resources is avoided.
A second aspect of an embodiment of the present application provides a method for verifying a user identifier:
when a user logs in to a third-party application through a user account of the core network, the application function network element sends a user identifier to the first network element; the user identifier instructs the first network element to perform identity verification on the user account corresponding to the user identifier, and the user account can be bound to multiple terminal devices. After the core network has verified the user account, the application function network element receives the verification result sent by the first network element and then provides the corresponding service according to the verification result.
When a user logs in to a third-party application using a user account, the user account is verified not by a third-party server but by the core network, which provides a new verification mode for user accounts.
Based on the second aspect of the embodiments of the present application, the embodiments of the present application further provide a first implementation manner of the second aspect:
the application function network element sends the identifiers of one or more terminals to the first network element; the first network element determines a target terminal according to the terminal identifiers, obtains the identity verification credential at the target terminal, performs user verification, and feeds the verification result back to the application function network element, which provides services according to the verification result.
Because the first network element determines the target terminal according to the terminal device identifier sent by the application function network element, the core network can perform user verification on any terminal device, and the services of a user account can be conveniently migrated between different terminals.
Based on the second aspect of the embodiments of the present application to the first implementation manner of the second aspect, the embodiments of the present application further provide a second implementation manner of the second aspect:
the application function network element may further receive an evaluation report sent by the first network element, where the evaluation report is an evaluation of the core network on the verification mode and is used to indicate the reliability of the verification result, and the application function network element may provide a service according to the verification result and the evaluation report.
The application function network element receives not only the verification result sent by the first network element but also the first network element's reliability analysis of that result, so that it can further assess the validity of the user identity and provide service according to both the verification result and the evaluation report, making the user account more secure.
Based on the second aspect of the embodiments of the present application to the second implementation manner of the second aspect, the embodiments of the present application further provide a third implementation manner of the second aspect:
the application function network element may further send a verification level to the first network element, instructing the first network element to determine the verification policy according to that level; for example, a simple verification algorithm is selected when the verification level is low, and a highly reliable verification mode and a verification algorithm with a high security level are selected when the verification level is high, so that the core network can provide an individualised verification mode for each user verification and the utilisation of network resources is improved.
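The flow of the first and second aspects above (user identifier from the application function, first credential from the second network element, target terminal from the application function or the third network element's binding list, second credential from the terminal, level-dependent verification policy, and an evaluation report produced by a fourth network element) as a runnable simulation. This is an added example, not code from the patent or from Huawei; the credential types, verification levels, reliability scores, identifiers and the requirement that an AF-named terminal must also appear in the binding list are constructed assumptions.

```python
"""Simulated user identifier verification between the network elements named above.
Added example, not the patent's or Huawei's code; roles follow the text, values are constructed."""
import hashlib
import hmac
import secrets

# Verification level sent by the application function (AF) -> verification policy:
# the type of first credential to check, the comparison algorithm, and the base
# reliability (0-100, constructed) that goes into the evaluation report.
POLICIES = {
    "low":  {"credential_type": "pin",      "algorithm": "sha256", "reliability": 50},
    "high": {"credential_type": "password", "algorithm": "pbkdf2", "reliability": 90},
}

def derive(algorithm, salt, credential):
    """Derived form of a credential under the policy's algorithm (stored and compared)."""
    if algorithm == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)
    return hashlib.sha256(salt + credential.encode()).digest()

class SecondNE:
    """Second network element: stores the first (verification) credential per account."""
    def __init__(self):
        self._store = {}  # (user_id, credential_type) -> (algorithm, salt, derived)
    def enrol(self, user_id, credential_type, algorithm, credential):
        salt = secrets.token_bytes(16)
        self._store[(user_id, credential_type)] = (algorithm, salt, derive(algorithm, salt, credential))
    def first_credential(self, user_id, credential_type):
        return self._store.get((user_id, credential_type))

class ThirdNE:
    """Third network element: mapping user identifier -> identifiers of bound terminals."""
    def __init__(self, bindings):
        self._bindings = bindings
    def terminals_for(self, user_id):
        return set(self._bindings.get(user_id, ()))

class Terminal:
    """Target terminal; `entered` stands in for what the user types on it (constructed)."""
    def __init__(self, entered):
        self.entered = entered
    def second_credential(self, credential_type):
        return self.entered.get(credential_type)

class FourthNE:
    """Fourth network element: generates the evaluation report on result reliability."""
    @staticmethod
    def evaluate(policy, matched, terminal_named_by_af):
        score = policy["reliability"] if matched else 0
        if matched and terminal_named_by_af:
            score -= 10  # assumed penalty: target named by the AF, not taken from the binding list
        return {"credential_type": policy["credential_type"],
                "algorithm": policy["algorithm"], "reliability": score}

class FirstNE:
    """First network element: performs the user verification on behalf of the AF."""
    def __init__(self, second, third, fourth, terminals):
        self.second, self.third, self.fourth, self.terminals = second, third, fourth, terminals

    def verify(self, user_id, level, terminal_ids=None):
        policy = POLICIES[level]
        record = self.second.first_credential(user_id, policy["credential_type"])
        bound = self.third.terminals_for(user_id)
        # AF-supplied identifiers take precedence, otherwise the binding list is used; in
        # both cases the target must be bound to the account (added check, not in the text).
        candidates = set(terminal_ids) if terminal_ids else bound
        target = next((t for t in sorted(candidates) if t in bound and t in self.terminals), None)
        named = terminal_ids is not None
        if record is None or target is None:
            return {"indication": "failure", "target_terminal": target,
                    "report": self.fourth.evaluate(policy, False, named)}
        algorithm, salt, expected = record
        entered = self.terminals[target].second_credential(policy["credential_type"])
        # Constant-time comparison of the derived second credential with the first credential.
        matched = entered is not None and hmac.compare_digest(expected, derive(algorithm, salt, entered))
        return {"indication": "success" if matched else "failure", "target_terminal": target,
                "report": self.fourth.evaluate(policy, matched, named)}

class ApplicationFunction:
    """Application function network element of the third-party application."""
    THRESHOLDS = {"low": 40, "high": 80}  # minimum reliability the AF accepts per level (constructed)
    def login(self, first_ne, user_id, level, terminal_ids=None):
        result = first_ne.verify(user_id, level, terminal_ids)
        ok = (result["indication"] == "success"
              and result["report"]["reliability"] >= self.THRESHOLDS[level])
        return ok, result

def build_demo():
    """Constructed deployment: one account, two bound terminals and one unbound terminal."""
    second = SecondNE()
    second.enrol("user-1", "pin", "sha256", "4321")
    second.enrol("user-1", "password", "pbkdf2", "correct horse battery")
    third = ThirdNE({"user-1": ["term-A", "term-B"]})
    terminals = {
        "term-A": Terminal({"pin": "4321", "password": "correct horse battery"}),
        "term-B": Terminal({"pin": "0000"}),  # wrong PIN entered, no password available
        "term-X": Terminal({"pin": "4321"}),  # correct PIN but not bound to user-1
    }
    return FirstNE(second, third, FourthNE(), terminals), ApplicationFunction()
```

`build_demo()` returns the first network element and the application function; `af.login(first_ne, "user-1", "high", ["term-X"])` fails because term-X is not in the binding list even though the PIN entered there is correct.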
A third aspect of an embodiment of the present application provides a network element device, including:
a receiving module, configured to receive a user identifier from an application function network element, where the user identifier is used to indicate a user account, and the user account is associated with identifiers of one or more terminal devices;
an obtaining module, configured to obtain a first credential from a second network element according to the user identifier, where the first credential is used to verify the user account;
the obtaining module is further configured to obtain identifiers of the one or more terminal devices, where the identifiers of the terminal devices are used to determine a target terminal;
the receiving module is further configured to receive a second credential from the target terminal, where the second credential is an authentication credential received by the target terminal;
and a verification module, configured to perform user verification according to the first credential and the second credential.
Based on the third aspect of the embodiments of the present application, the embodiments of the present application further provide a first implementation manner of the third aspect:
the verification module is specifically configured to send a first indication to the application function network element if the first credential is the same as the second credential, where the first indication is used to indicate that user verification succeeded; and, if the first credential and the second credential differ, to send a second indication to the application function network element, where the second indication is used to indicate that user verification failed.
Based on the third aspect of the embodiments of the present application to the first implementation manner of the third aspect, the embodiments of the present application further provide a second implementation manner of the third aspect:
the obtaining module is specifically configured to receive the terminal identifier from the application function network element; or acquiring the identifiers of the one or more terminal devices corresponding to the user identifier from the third network element, where the third network element stores a mapping relationship between the user identifier and the identifiers of the one or more terminal devices.
Based on the third aspect of the embodiments of the present application to the second implementation manner of the third aspect, the embodiments of the present application further provide a third implementation manner of the third aspect:
the network element equipment also comprises a sending module;
the sending module is configured to send an evaluation report to the application function network element, where the evaluation report is used to indicate a reliability of a verification result, and the reliability is related to a verification manner of the user verification.
Based on the third aspect of the embodiments of the present application to the second implementation manner of the third aspect, the embodiments of the present application further provide a fourth implementation manner of the third aspect:
the network element equipment also comprises a sending module;
the sending module is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth network element to generate an evaluation report, and the evaluation report is used to instruct a credibility of a verification result, where the credibility is related to a verification manner of the user verification;
the sending module is further configured to send the evaluation report to the application function network element.
Based on the third aspect of the embodiments of the present application to the fourth implementation manner of the third aspect, the embodiments of the present application further provide a fifth implementation manner of the third aspect:
the network element equipment also comprises a determining module;
the obtaining module is further configured to obtain the verification level sent by the application function network element;
the determining module is specifically configured to determine a verification policy according to the verification level;
the determining module is further configured to determine a type of the first credential according to the verification policy;
the verification module is specifically configured to verify the first credential and the second credential according to the verification policy.
A fourth aspect of the present embodiment provides an application function network element, including:
a sending module, configured to send a user identifier to a first network element, where the user identifier is used to instruct the first network element to perform identity authentication on a user account corresponding to the user identifier, and the user account is associated with identifiers of one or more terminal devices;
a receiving module, configured to receive a verification result sent by the first network element;
and the processing module is used for providing service according to the verification result.
Based on the fourth aspect of the embodiments of the present application, the embodiments of the present application further provide a first implementation manner of the fourth aspect:
the sending module is further configured to send the identifier of the one or more terminal devices to the first network element;
and the processing module is specifically configured to provide a service to a terminal corresponding to the identifier of the terminal device according to the verification result.
Based on the fourth aspect of the embodiments of the present application to the first implementation manner of the fourth aspect, the embodiments of the present application further provide a second implementation manner of the fourth aspect:
the receiving module is further configured to receive an evaluation report sent by the first network element; the evaluation report is used for indicating the credibility of the verification result, and the credibility is related to the verification mode of the user verification;
the processing module provides service according to the verification result and/or the evaluation report.
Based on the fourth aspect of the embodiments of the present application and the second implementation manner of the fourth aspect, the embodiments of the present application further provide a third implementation manner of the fourth aspect:
the sending module is further configured to send a verification level to the first network element, where the verification level is used to instruct the first network element to determine a verification policy according to the verification level.
A fifth aspect of the present application provides a network element device, including: at least one processor and a memory, the memory storing computer-executable instructions executable on the processor, the network element device performing the method according to the first aspect or any one of the possible implementations of the first aspect when the computer-executable instructions are executed by the processor.
A sixth aspect of the present application provides an application function network element, including: at least one processor and a memory, the memory storing computer-executable instructions executable on the processor, the application function network element performing the method according to the second aspect or any one of the possible implementations of the second aspect when the computer-executable instructions are executed by the processor.
A seventh aspect of the present application provides a system for verifying a user identifier, including a network element device and an application function network element, where the network element device is the network element device of the third aspect or any one of the possible implementation manners of the third aspect, and the application function network element is the application function network element of the fourth aspect or any one of the possible implementation manners of the fourth aspect.
An eighth aspect of the embodiments of the present application provides a computer storage medium, where the computer storage medium is used to store computer software instructions for the network element device or the application function network element, and includes a program designed to be executed by the network element device or the application function network element.
The network element device may be as described in the previous third aspect.
The application function network element may be as described in the fourth aspect above.
A ninth aspect of the present application provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method for verifying a user identifier described in the first aspect or any one of the possible implementation manners of the first aspect;
the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip or chip system described above in this application further comprises at least one memory having instructions stored therein. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
A tenth aspect of the present application provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method for verifying a user identifier described in the second aspect or any one of the possible implementation manners of the second aspect;
the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip or chip system described above in this application further comprises at least one memory having instructions stored therein. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
An eleventh aspect of embodiments of the present application provides a computer program product, where the computer program product includes computer software instructions, and the computer software instructions are loadable by a processor to implement a flow in a method for verifying a user identifier according to any one of the first aspect and a flow in a method for verifying a user identifier according to any one of the second aspect.
A twelfth aspect of embodiments of the present application provides a computer program product, where the computer program product includes computer software instructions, and the computer software instructions are loadable by a processor to implement a flow in the method for verifying a user identifier according to any one of the first aspect and a flow in the method for verifying a user identifier according to any one of the second aspect and the third aspect.
According to the technical solution, when the user identifier on the core network side is used to log in to a third-party application, the core network verifies the user identifier and sends the verification result to the third-party application, which decides on the user login according to that result. This avoids the situation in which the user identifier can be used to log in to the third-party application without verification and guarantees the security of the user account; at the same time, because user verification is performed by the core network in a unified manner, the network structure is simplified and network performance is improved.
Drawings
Fig. 1 is a network architecture diagram of a core network in an embodiment of the present application;
fig. 2 is a schematic view of a scenario in which multiple users share the same terminal in a time-sharing manner in this embodiment of the application;
fig. 3 is a schematic flowchart of a method for verifying a user identifier according to an embodiment of the present application;
fig. 4 is another schematic flow chart of a method for verifying a user identifier according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network element device in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an application function network element in an embodiment of the present application;
fig. 7 is a schematic structural diagram of another network element device in the embodiment of the present application;
fig. 8 is a schematic structural diagram of another application function network element in an embodiment of the present application.
Detailed Description
The embodiment of the application provides a user identification verification method and related equipment, which are used for user identity verification at a core network side.
Fig. 1 is a network architecture diagram of a core network of the present application. As shown in fig. 1, the core network functions under the 5G network architecture are divided into user plane network functions (UPF) and control plane network functions (CPF).
In fig. 1, the User Equipment (UE), the (radio) access network ((R)AN), the User Plane Function (UPF) network element, and the Data Network (DN) are collectively referred to as user plane network functions or entities. They are mainly responsible for forwarding data packets, QoS control, collecting accounting statistics, and the like; user data traffic is carried over a data transmission channel established between the UE and the DN.
The UE may include a handheld terminal, a notebook computer, a subscriber unit, a cellular phone, a smart phone, a wireless data card, a personal digital assistant (PDA), a tablet computer, a wireless modem, a handheld device, a laptop computer, a cordless phone or wireless local loop (WLL) station, a machine type communication (MTC) terminal, or any other device that can access the network. The UE and the access network device communicate with each other over an air interface technology.
The RAN device is mainly responsible for radio resource management, quality of service (QoS) management, data compression and encryption, and similar functions on the air interface side. Access network devices include base stations of various forms, such as macro base stations, micro base stations (also known as small cells), relay stations and access points. In systems using different radio access technologies the device with base station functionality has different names; in a 5G system, for example, it is called a gNB.
The control plane network elements are mainly responsible for user registration and authentication, mobility management, and for issuing packet forwarding and QoS control policies to the user plane, so that user plane traffic is carried reliably and stably. The Session Management Function (SMF) is mainly used for user plane network element selection and redirection, Internet Protocol (IP) address allocation, and bearer establishment, modification and release; the Access and Mobility Management Function (AMF) is mainly responsible for signalling processing, such as access control, mobility management, attach and detach, and network element selection; the Policy Control Function (PCF) network element mainly provides a unified policy framework to govern network behaviour, supplies policy rules to control plane network functions, and obtains the user subscription information relevant to policy decisions.
The Application Function (AF) network element interacts with the 3rd Generation Partnership Project (3GPP) core network to provide services, for example by influencing data routing decisions or policy control, or by offering third-party services to the network side; the Network Slice Selection Function (NSSF) network element is mainly used to select a network slice; the Authentication Server Function (AUSF) network element mainly provides authentication and authorization; Unified Data Management (UDM) can be used for location management and subscription management; the Unified Data Repository (UDR) network element provides a unified data store; the Network Data Analytics Function (NWDAF) is an operator-managed network analytics function that provides network analytics information to the core network; and the Network Exposure Function (NEF) network element is mainly used to collect, analyse and recombine network capabilities and expose them externally.
The User Authentication Function (UAF) network element, the user account management function (UPMF) network element, and the user account database (UPR) network element are logically independent network elements. In an actual deployment the UAF network element may be merged with the AUSF network element, the UPMF network element with the UDM network element, and the UPR network element with the UDR network element.
The UAF network element is responsible for authenticating and verifying the user identifier and for security evaluation; the UPMF network element is responsible for managing the user account, including obtaining, updating, activating and deleting it; and the UPR network element is responsible for storing information related to the user identifier.
Fig. 2 is a schematic view of a scenario in which multiple users share the same terminal in a time-sharing manner. As shown in fig. 2, a car rental company provides shared car terminals that users A and B use at different times, for example user A in the morning and user B in the afternoon. Because the users' personal requirements differ, the paid services they subscribe to also differ: user A subscribes to an autonomous driving service and an eMBB service, whereas user B only requires that terminal 1 provide the autonomous driving service. Since service providers all perform traffic charging and deliver subscribed services through the terminal's SIM card, the rental company would have to keep swapping the SIM card in the terminal to meet the requirements of different users, which adds management workload and complexity for the rental company.
For a user, every subscribed paid service is bound to a specific SIM card, so the SIM card must be moved in order to transfer the paid service from one terminal to another. By the 5G era the same user will own multiple terminals, each with its own SIM card and account, which makes account management very difficult; nor can several terminals share one charged service at the same time. For example, if one of the user's SIM cards subscribes to a data traffic service and two terminals owned by the user need to connect to the internet simultaneously, the subscribed data traffic service cannot satisfy that requirement.
To address these problems the notion of a user identifier is introduced. Its core is to establish, on the 3GPP core network side, a uniquely identified 3GPP user account for each user; the user identifier is independent of all existing identifiers, and the service parameters the user has subscribed to are stored in the user account.
The user account records one or more of the following: the user's user name and password, the group the user belongs to, the network resources the user may access, or the user's personal files and settings, etc. For example, each user corresponds to one user account on the core network side; the user account then enters into a contract with each service provider, and the service provider provides service to that account. A user account may be used to subscribe to several services, for example a contract with a third-party application for which the third party provides payment services, and a contract with a mobile network operator that provides data traffic, charging and so on.
The user identifier may be a numeric code allocated by the core network to each user account, or a user name chosen by the user; its specific form is not limited. The user identifier distinguishes a unique user account and may be used to manage the corresponding account.
The identifier of a terminal device distinguishes different terminals and may be the generic public subscription identifier (GPSI), the number of the terminal's SIM card, or a user-defined name such as "xx phone"; it uniquely identifies one terminal device, and its specific form is not limited.
The user identifier and user account can be dynamically associated with one or more subscriptions identified by a subscription permanent identifier (SUPI), and the network side can activate, suspend or deactivate the association between a user account and a SUPI. The user can subscribe to an exclusive mobile payment service through the user account; when the user wants to use a particular terminal, the user updates the account information to tell the core network side to associate that terminal's SUPI with the user account, and the network side then provides the services subscribed by the account to the terminal corresponding to that SUPI. In other words, the user can log in to their own 3GPP user account from different terminals, and after a series of authentication steps the core network provides the exclusive services subscribed by the account to that terminal. This gives flexibility in migrating the user's subscribed services: the user enjoys the same subscription on different terminals without re-subscribing or swapping cards, which is a great operational convenience.
At present, when a user registers or logs in to a third-party application, the third-party server performs the authentication; in a future Internet-of-Everything scenario every application would hold its own independent account, which does not help build a stable and unified network ecosystem. A network operator therefore needs to expose the user account identifier to external third parties, so that a user can register or log in to a third-party application with that identifier. How the core network exposes a user identifier verification function to third parties, and supplies the verification result to the third-party application, is the problem that needs to be solved.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating an embodiment of a method for verifying a user identifier according to an embodiment of the present application. As shown in fig. 3, an embodiment of a method for verifying a user identifier provided in the present application includes:
301. The UE sends a login request to the AF network element.
The login request asks the AF network element to log in to a user account and to provide the user with the corresponding services of that account.
When a user logs in to or registers with a third-party application using a 3GPP user identifier, the identifier can be supplied to the application through an application-layer page. The 3GPP user identifier indicates a user account in the core network; the account is associated with one or more terminal identifiers, which may be the SUPI of the terminal, and by associating several terminal identifiers the account achieves service migration between terminals.
For example, before the UE initiates the login request to the AF network element, the user may bind the terminal identifier of the UE to the 3GPP user identifier so as to receive the services of that user identifier.
302. The AF network element sends the user identifier to the NEF network element.
Optionally, when the application function network element, that is, the AF network element, receives the login request, it may decide according to its own policy whether to have the core network perform user verification. For example, some non-financial or third-party applications with low account-security requirements may not initiate user verification, so as to reduce the load on core network resources, whereas applications with high security requirements may initiate it.
Optionally, the AF network element may send a user verification request that carries the user identifier, instructing the core network to verify it. The request may also carry the generic public subscription identifier (GPSI) of the current terminal, which instructs the core network to obtain the verification-related information from that terminal.
303. The NEF network element sends a user verification request to the UAF network element.
For example, the NEF network element may forward the user verification request sent by the AF network element to the UAF network element. When the verification request also carries the GPSI of the current terminal, the NEF network element may query the UDM network element to obtain the SUPI corresponding to that GPSI and forward the SUPI to the UAF network element.
It should be understood that the NEF network element may also send only the user identifier, without a user verification request, to the UAF network element; this step is optional.
304. The UAF network element sends a query request to the UPMF network element.
For example, when the UAF network element receives the verification request forwarded by the NEF network element, it needs to verify the identity of the user. Optionally, the UAF network element may first determine the verification manner, which may include the type of identity credential, the algorithm used in verification, and so on, without specific limitation.
Optionally, the UPMF network element stores in advance the identity credentials corresponding to the user account. For example, when the user creates a 3GPP user account, one or more identity credentials are preset; they may be of several types, such as face information, fingerprint information, iris information or a password, without specific limitation, and any of them may serve as a verification credential.
When the first network element, that is, the UAF network element, performs identity verification, it needs to query the UPMF network element for the first credential. Optionally, the query request carries the user identifier, and when the UPMF network element receives it, it looks up the one or more first credentials that correspond to that user identifier.
It can be understood that the UAF network element may also send only the user identifier to the UPMF network element, without a query request, and the UPMF network element returns the first credential corresponding to that identifier; this step is optional.
305. The UPMF network element sends the first credential to the UAF network element.
The UPMF network element sends the one or more first credentials to the UAF network element.
306. The UAF network element determines the target terminal.
For example, the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the NEF network element; the terminal identifier may be the SUPI sent by the NEF network element.
Step 306 has no fixed order with respect to steps 304 and 305: the UAF network element may determine the target terminal before sending the query request to the UPMF network element, send the query request first and then determine the target terminal, or do both at the same time, without specific limitation.
307. The UAF network element sends a collection message to the AMF network element.
After determining the target terminal, the UAF network element obtains, through that terminal, a second credential entered by the user. The second credential is of the same type as the first credential and is the identity credential the user enters when prompted; the UAF network element then performs verification against the first and second credentials. The UAF network element may determine the serving AMF network element from the received SUPI and complete the collection of the second credential through that AMF network element. Optionally, the UAF network element sends a collection message to the AMF network element, which may carry the SUPI of the target terminal.
308. The AMF network element sends a collection instruction to the UE.
On receiving the SUPI of the target terminal, the AMF network element sends a collection instruction to that terminal according to the SUPI; the instruction prompts the user to enter the relevant information.
Illustratively, when the UAF network element receives a verification request for a certain user identifier, it looks up the corresponding first credential in the UPMF network element. Suppose the first credential it obtains is a preset fingerprint: the UAF network element sends a collection message to the AMF network element serving the terminal, the AMF network element sends a collection instruction to the terminal according to that message, and the instruction tells the terminal to return a second credential, that is, it prompts the user to enter a fingerprint. The entered fingerprint is then compared with the preset fingerprint to complete the verification.
There may also be several first credentials, for example a preset fingerprint and a preset password. The UAF network element obtains both, sends a collection message to the AMF network element serving the terminal, and the AMF network element sends a collection instruction telling the terminal to return several second credentials. The user enters the fingerprint and the password as prompted, and the UAF network element compares each received second credential with the corresponding first credential to complete the verification.
309. The UE sends the second credential to the AMF network element.
For example, the user enters the second credential as prompted and the UE forwards it to the AMF network element; the second credential is the verification credential collected by the target terminal.
310. The AMF network element forwards the second credential to the UAF network element.
311. The UAF network element performs user verification according to the first credential and the second credential.
For example, when the UAF network element holds both the first credential and the second credential, it compares them according to the verification algorithm. If the second credential matches the first, the user verification succeeds; if they do not match, the user verification fails.
312. The UAF network element sends a verification result and/or an evaluation report to the AF network element.
Illustratively, when the user verification succeeds, the first network element, that is, the UAF network element, may send a first indication to the AF network element indicating success; when it fails, the UAF network element may send a second indication indicating failure.
Optionally, the UAF network element may also evaluate the accuracy of the verification process. As instructed, it may collect information about this user identifier verification, for example the key length used, the encryption algorithm, and the mechanism adopted (SMS verification, fingerprint verification, faceID verification, blockchain verification, and so on), and then produce an evaluation report based on that information indicating the reliability of the verification result. The evaluation report may, for example, assess the reliability of the verification type, the accuracy of the verification algorithm and the trustworthiness of the message source, and may also grade the credibility of the verification result, so as to indicate how accurate that result is.
Illustratively, if the first credential of a certain user account consists of a preset fingerprint and preset iris information, a verification that used fingerprint recognition yields a result of lower reliability, and a verification that used iris recognition yields a result of higher reliability.
Illustratively, if the first credential of a certain user account is a preset fingerprint, a verification in which the UAF network element used an algorithm that only needs to match seventy percent of the fingerprint area yields a result of lower credibility, while a verification whose algorithm needs to match ninety percent of the area yields a result of higher credibility.
313. The AF network element provides service according to the verification result and/or the evaluation report.
When the UAF network element sends the verification result and/or the evaluation report to the AF network element, the AF network element can provide service according to its own policy. Illustratively, an AF network element sends a verification request for a certain user identifier to the core network; if the returned result is that verification succeeded, the AF network element allows the account to log in to the third-party application, and if the result is that verification failed, the account is not allowed to log in. If the verification result is success but the evaluation report indicates that the result is of low reliability, the AF network element may still refuse to let the account log in to the third-party application.
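Steps 301 to 313 above, modelled end to end in Python as an added worked example; this is not code from the patent. Every network element class, message field and sample account, SUPI and GPSI is constructed here for illustration, as are the salted-hash storage of password credentials in the UPMF, the toy fingerprint "area matched" metric and its 90 percent threshold, and the reliability rating that stands in for the evaluation report. The UAF fetches the first credentials from the UPMF, has the AMF collect the second credentials from the terminal named by the SUPI, compares them (constant-time comparison for the password hash, threshold comparison for the fingerprint) and returns the result with a rating; the AF then applies its own policy, including refusing a successful but low-reliability result as step 313 describes. The check that the SUPI is one associated with the account before any terminal is prompted is an assumption added here for a practitioner, not a step the page spells out.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: toy fingerprint "templates" (not a real biometric format).
FP_TEMPLATE_A = bytes(range(20))
FP_SAMPLE_A_GOOD = FP_TEMPLATE_A[:19] + b"\xff"          # 19 of 20 bytes agree -> 0.95
FP_SAMPLE_A_BAD = FP_TEMPLATE_A[:17] + b"\xff\xff\xff"   # 17 of 20 bytes agree -> 0.85
PBKDF2_ROUNDS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the UPMF stores password credentials salted and hashed, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def fingerprint_match_ratio(template: bytes, sample: bytes) -> float:
    # Toy "fraction of fingerprint area matched" metric, cf. the 70 % / 90 % example above.
    return sum(a == b for a, b in zip(template, sample)) / max(len(template), 1)

@dataclass
class StoredCredential:       # a "first credential" held by the UPMF
    kind: str                 # "password" or "fingerprint"
    salt: bytes = b""
    digest: bytes = b""       # salted password hash
    template: bytes = b""     # fingerprint template

class UPMF:
    """Account management: user identifier -> first credentials and associated SUPIs."""
    def __init__(self):
        self.creds, self.supis = {}, {}

    def enrol_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.creds.setdefault(user_id, []).append(
            StoredCredential("password", salt, hash_password(password, salt)))

    def enrol_fingerprint(self, user_id, template):
        self.creds.setdefault(user_id, []).append(StoredCredential("fingerprint", template=template))

    def associate(self, user_id, supi):
        self.supis.setdefault(user_id, set()).add(supi)

    def lookup(self, user_id):                          # steps 304/305
        return list(self.creds.get(user_id, [])), self.supis.get(user_id, set())

class AMF:
    """Sends the collection instruction to the terminal named by SUPI and relays what the
    user enters (steps 307-310); `terminals` maps SUPI -> the inputs the user will give."""
    def __init__(self, terminals): self.terminals = terminals
    def collect(self, supi, kinds): return {k: self.terminals[supi].get(k) for k in kinds}

class UAF:
    """Compares first and second credentials (step 311) and returns the result with a
    reliability rating standing in for the evaluation report (step 312)."""
    FP_THRESHOLD = 0.9
    def __init__(self, upmf, amf): self.upmf, self.amf = upmf, amf

    def verify(self, user_id, supi) -> dict:
        firsts, allowed = self.upmf.lookup(user_id)
        if not firsts or supi not in allowed:   # never prompt a terminal not bound to the account
            return {"result": "fail", "reliability": "none", "mechanisms": []}
        seconds = self.amf.collect(supi, [c.kind for c in firsts])
        ok = True
        for c in firsts:
            s = seconds.get(c.kind)
            if s is None:
                ok = False
            elif c.kind == "password":
                ok &= hmac.compare_digest(c.digest, hash_password(s, c.salt))
            else:
                ok &= fingerprint_match_ratio(c.template, s) >= self.FP_THRESHOLD
        reliability = "none" if not ok else "high" if len(firsts) >= 2 else "medium"
        return {"result": "success" if ok else "fail", "reliability": reliability,
                "mechanisms": [c.kind for c in firsts]}

class NEF:
    """Exposure function: resolves GPSI -> SUPI (the UDM lookup, modelled as a dict) and
    forwards the verification request to the UAF (steps 302/303)."""
    def __init__(self, gpsi_to_supi, uaf): self.gpsi_to_supi, self.uaf = gpsi_to_supi, uaf
    def user_verification_request(self, user_id, gpsi):
        return self.uaf.verify(user_id, self.gpsi_to_supi.get(gpsi))

class AF:
    """Third-party application: decides login from result and reliability (step 313)."""
    def __init__(self, nef, require_high): self.nef, self.require_high = nef, require_high
    def login(self, user_id, gpsi) -> bool:
        report = self.nef.user_verification_request(user_id, gpsi)
        if report["result"] != "success":
            return False
        return report["reliability"] == "high" or not self.require_high

def demo() -> dict:
    upmf = UPMF()
    upmf.enrol_password("user-A", "correct horse battery staple")
    upmf.enrol_fingerprint("user-A", FP_TEMPLATE_A)
    upmf.enrol_password("user-B", "hunter2")
    for uid, supi in [("user-A", "supi-1"), ("user-A", "supi-2"), ("user-B", "supi-2")]:
        upmf.associate(uid, supi)
    amf = AMF({"supi-1": {"password": "correct horse battery staple", "fingerprint": FP_SAMPLE_A_GOOD},
               "supi-2": {"password": "hunter2", "fingerprint": FP_SAMPLE_A_BAD}})
    nef = NEF({"gpsi-1": "supi-1", "gpsi-2": "supi-2"}, UAF(upmf, amf))
    bank, video = AF(nef, require_high=True), AF(nef, require_high=False)
    return {
        "A@1 bank": bank.login("user-A", "gpsi-1"),    # both factors match -> high -> login
        "A@2 bank": bank.login("user-A", "gpsi-2"),    # wrong password, poor fingerprint -> refused
        "B@2 video": video.login("user-B", "gpsi-2"),  # single password factor -> medium -> login
        "B@2 bank": bank.login("user-B", "gpsi-2"),    # success but reliability not high -> refused
        "B@1 video": video.login("user-B", "gpsi-1"),  # supi-1 not associated with user-B -> refused
    }
```

Two points of the model are deliberate: the AF never sees a credential, only the result and rating, which is what the exposure through the NEF buys; and the UAF refuses before contacting the AMF when the SUPI is not bound to the account, so a verification request naming someone else's terminal cannot cause that terminal to be prompted.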
In this embodiment, when the user identifier on the core network side is used to log in to a third-party application, the core network verifies the user identifier and sends the result to the third-party application, which decides on the login according to that result. This prevents the user identifier from being used to log in to the third-party application without verification and protects the security of the user account. At the same time, because the user identifier is verified on the core network side and the result is exposed to the third-party application, the third party can provide its business services directly from the core network's verification result; separate third-party servers no longer need to verify their own accounts, which simplifies the network structure, consolidates network resources and improves network performance.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating another embodiment of the method for verifying a user identifier according to an embodiment of the present application. As shown in fig. 4, the method includes:
401. The UE initiates a login request to the AF network element.
Step 401 is similar to step 301 in the embodiment shown in fig. 3 and is not described again here.
402. The AF network element sends the user identifier and a verification level to the NEF network element.
Optionally, when the AF network element initiates a user verification procedure towards the core network, it may send a verification level, which instructs the core network to determine the user verification manner according to that level.
Optionally, the AF network element may determine the verification level from its own policy. For example, if the AF network element determines that the third-party application is a financial application, it sets a high verification level and sends the user identifier and the level to the NEF network element, instructing the core network to verify with a relatively complex and accurate algorithm; if it determines that the application is a video application, it sets a low verification level, instructing the core network to verify with a relatively simple algorithm. The verification policy can thus be adjusted per application and network resources used efficiently.
403. The NEF network element sends verification information to the UPMF network element.
For example, the NEF network element may forward the user identifier sent by the AF network element to the UPMF network element.
404. The UPMF network element sends verification information to the UAF network element.
For example, a 3GPP user identifier may be bound to several terminals, and the mapping between the 3GPP user identifier and the terminal identifiers may be stored in the UPMF network element. When the UPMF network element receives the user identifier sent by the NEF network element, it may determine the terminal identifiers corresponding to that user identifier, for example the SUPIs of the corresponding terminals, and then send verification information to the UAF network element to invoke its verification function. The verification information may carry the user identifier and the one or more SUPIs corresponding to it.
Optionally, the UPMF network element may withhold the one or more SUPIs corresponding to the user identifier; after the UAF network element has determined the verification policy, it sends query information to the UPMF network element, and the UPMF network element then returns the one or more SUPIs corresponding to the user identifier to the UAF network element.
405. The UAF network element determines a verification policy according to the verification level.
When verifying the user identifier, the UAF network element needs to determine the verification policy according to the received verification level. Optionally, the verification policy may include a verification type and a verification algorithm. Verification types may include fingerprint, iris and voice verification, among others; for each type there may be different algorithms, for example a small-area fingerprint matching algorithm or a password encryption algorithm, without specific limitation.
For example, if the verification level is high, iris verification may be selected, and if it is low, fingerprint verification may be selected; that is, the UAF network element may determine the first credential according to the verification level. Likewise for password verification: at a high level the first credential may be the full password, and at a low level only the last few characters of the password. The UAF network element can therefore determine different verification policies for different levels to meet different requirements.
406. The UAF network element determines the target terminal.
For example, the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the UPMF network element, which may be the SUPI sent by the UPMF network element.
Steps 405 and 406 have no fixed order: the UAF network element may determine the target terminal first and then the verification policy, the verification policy first and then the target terminal, or both at the same time, without specific limitation.
407. The UAF network element sends a collection message to the AMF network element.
Step 407 is similar to step 307 in the embodiment shown in fig. 3 and is not described again here.
408. The AMF network element sends a collection instruction to the UE.
Step 408 is similar to step 308 in the embodiment shown in fig. 3 and is not described again here.
409. The UE sends the second credential to the AMF network element.
Step 409 is similar to step 309 in the embodiment shown in fig. 3 and is not described again here.
410. The AMF network element forwards the second credential to the UAF network element.
Step 410 is similar to step 310 in the embodiment shown in fig. 3 and is not described again here.
411. The UAF network element performs user verification according to the first credential and the second credential.
Step 411 is similar to step 311 in the embodiment shown in fig. 3 and is not described again here.
412. The UAF network element sends a verification rating request to the NWDAF network element.
The NWDAF network element provides the network data analytics function: it is an operator-managed network analytics function that supplies network analytics information to the core network, so it can interact with many network elements to gather information about the verification process. Besides evaluating the security of the verification mechanism and algorithm used, it can obtain further information, for example the current location of the UE taking part in the user verification from the AMF network element, or the UE's session service information from the SMF network element, so as to carry out a comprehensive security evaluation of the verification. The UAF network element may instruct the NWDAF network element to perform this evaluation.
413. The NWDAF network element determines an evaluation report.
The NWDAF network element determines, from the information gathered, an evaluation report indicating the credibility and security of the verification.
414. And the NWDAF network element sends an evaluation report to the UAF network element.
For example, step 415 is similar to step 312 in the embodiment shown in fig. 3, and is not described herein again.
416. And the AF network element provides service according to the verification result and/or the evaluation report.
For example, step 416 is similar to step 313 in the embodiment shown in fig. 3, and is not described herein again.
In this embodiment, when the user identifier on the core network side is used to log in the third-party application program, the core network verifies the user identifier and sends the verification result to the third-party application program, and the third-party application program determines user login according to the verification result, so that the user identifier can be used to log in the third-party application program without verification, and the safety of a user account is ensured. Meanwhile, the user identification is verified on the core network side, the verification result is opened to the third-party application program, the third party can directly provide business service according to the verification result of the core network, a plurality of third-party servers are not needed to verify respective accounts, the network structure is simplified, network resources are integrated, and the network performance is improved.
In the embodiments provided in the present application, the schemes of the communication method provided in the embodiments of the present application are introduced from the perspective of each network element itself and from the perspective of interaction between each network element. It will be appreciated that the respective network elements and devices, such as the above-described radio access network device, access and mobility management function network element, user equipment, data management function network element and network slice selection function network element, for implementing the above-described functions, comprise corresponding hardware structures and/or software modules for performing the respective functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
For example, the network element may implement the corresponding functions through software modules. In that case the network element device 500 may comprise a receiving module 501, an obtaining module 502 and a verifying module 503, as shown in fig. 5.
A receiving module 501, configured to receive a user identifier from an application function network element, where the user identifier is used to indicate a user account, and the user account is associated with identifiers of one or more terminal devices;
an obtaining module 502, configured to obtain a first credential from a second network element according to the user identifier, where the first credential is used to verify the user account;
the obtaining module 502 is further configured to obtain identifiers of the one or more terminal devices, where the identifiers of the terminal devices are used to determine a target terminal;
the receiving module 501 is further configured to receive a second credential from the target terminal, where the second credential is an authentication credential received by the target terminal;
and the verification module 503 performs user verification according to the first credential and the second credential.
The receiving module 501 executes the method according to step 303 and step 310 in the embodiment shown in fig. 3 or the method according to step 404 and step 410 in the embodiment shown in fig. 4, the obtaining module 502 executes the method according to step 305 and step 303 in the embodiment shown in fig. 3 or the method according to step 404 in the embodiment shown in fig. 4, and the verifying module 503 executes the method according to step 311 in the embodiment shown in fig. 3 or the method according to step 411 in the embodiment shown in fig. 4.
In another embodiment of the network element device 500 provided in the embodiment of the present application, the verifying module 503 is specifically configured to send a first indication to the application function network element if the first credential is the same as the second credential, where the first indication is used to indicate that the user is successfully verified; if the first credential is different from the second credential, the authentication module 503 sends a second indication to the application function network element, where the second indication is used to indicate that the user authentication fails.
The verification module 503 executes the method according to step 312 shown in fig. 3 or 415 shown in fig. 4.
In another embodiment of the network element device 500 provided in the embodiment of the present application, the obtaining module 502 is specifically configured to receive the terminal identifier from the application function network element; or acquiring the identifiers of the one or more terminal devices corresponding to the user identifier from the third network element, where the third network element stores a mapping relationship between the user identifier and the identifiers of the one or more terminal devices.
The obtaining module 502 executes the method according to step 303 in the embodiment shown in fig. 3 or 404 in the embodiment shown in fig. 4.
In another embodiment of the network element device 500 provided in the embodiment of the present application, the network element device 500 further includes a sending module 504;
the sending module 504 is configured to send an evaluation report to the application function network element, where the evaluation report is used to indicate a reliability of a verification result, and the reliability is related to a verification manner of the user verification.
The sending module 502 executes the method according to step 312 in the embodiment shown in fig. 3 or according to step 414 in the embodiment shown in fig. 4.
In another embodiment of the network element device 500 provided in the embodiment of the present application, the sending module 504 is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth network element to generate an evaluation report, and the evaluation report is used to indicate a reliability of a verification result, where the reliability is related to a verification manner of the user verification;
the sending module 504 is further configured to send the evaluation report to the application function network element.
The sending module 504 executes the method according to steps 412 and 414 in the embodiment shown in fig. 4.
In another embodiment of the network element device 500 provided in the embodiment of the present application, the network element device 500 further includes a determining module 505;
the obtaining module 502 is further configured to obtain the verification level sent by the application program network element;
the determining module 505 is specifically configured to determine a verification policy according to the verification level;
the determining module 505 is further configured to determine a type of the first credential according to the verification policy;
the verifying module 503 is specifically configured to verify the first credential and the second credential according to the verifying policy.
The obtaining module 502 performs the method according to step 404 in the embodiment shown in fig. 4, the determining module 505 performs the method according to step 405 in the embodiment shown in fig. 4, and the verifying module 503 performs the method according to step 411 in the embodiment shown in fig. 4.
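As an added illustration, not code from the patent or from Huawei, the following Python simulation runs the UAF-side flow of steps 404 to 416 above in the module roles of fig. 5 (obtaining, determining, receiving, verifying, sending): a verification level selects a policy and the type of first credential, the first credential is fetched for the user identifier, the target terminal is chosen from the terminal identifiers, the second credential returned by that terminal is compared in constant time, an NWDAF-style evaluation report rates the verification manner, and the AF decides on service from the indication and the report. The level-to-policy table, the reliability scores, the in-memory network elements and every class and function name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed verification-level -> verification-policy table (the page defines no
# concrete levels). A policy fixes the first-credential type and the
# verification manner that the evaluation report later scores.
POLICIES = {
    1: {"credential_type": "sms_otp", "manner": "single_factor"},
    2: {"credential_type": "app_push_code", "manner": "device_bound"},
}


class SecondNetworkElement:
    """Issues the first credential for a user account (hypothetical store)."""

    def first_credential(self, user_id, credential_type):
        # Short numeric code for SMS, longer opaque token for an app push.
        if credential_type == "sms_otp":
            return f"{secrets.randbelow(10**6):06d}"
        return secrets.token_urlsafe(16)


class ThirdNetworkElement:
    """Holds the user identifier -> terminal identifiers mapping (hypothetical)."""

    def __init__(self, mapping):
        self._mapping = mapping

    def terminal_ids(self, user_id):
        return list(self._mapping.get(user_id, []))


class NWDAF:
    """Rates how far an AF may trust a verification, from manner and context."""

    BASE = {"single_factor": 0.6, "device_bound": 0.85}

    def evaluation_report(self, manner, ue_location, home_location):
        score = self.BASE[manner]
        if ue_location != home_location:
            score -= 0.2  # UE seen away from its usual location: less credible
        return {"manner": manner, "reliability": round(max(score, 0.0), 2)}


@dataclass
class VerificationResult:
    indication: int  # 1 = first indication (success), 2 = second (failure)
    target_terminal: str
    report: dict = field(default_factory=dict)


class UAF:
    """First network element: runs steps 404 to 414 of the flow above."""

    def __init__(self, second_ne, third_ne, nwdaf, delivery_channel):
        self.second_ne, self.third_ne, self.nwdaf = second_ne, third_ne, nwdaf
        # Stand-in for the out-of-band path that gets the credential to the UE.
        self.delivery_channel = delivery_channel
        self._pending = {}

    def start(self, user_id, level, terminal_id=None):
        policy = POLICIES[level]                                # step 405
        first = self.second_ne.first_credential(                # step 406
            user_id, policy["credential_type"])
        ids = [terminal_id] if terminal_id else self.third_ne.terminal_ids(user_id)
        if not ids:
            raise LookupError(f"no terminal bound to {user_id!r}")
        target = ids[0]                                         # target terminal
        self._pending[user_id] = (first, target, policy)
        self.delivery_channel[target] = first                   # steps 407-408
        return target

    def complete(self, user_id, second_credential, ue_location, home_location):
        first, target, policy = self._pending.pop(user_id)      # steps 409-410
        # Constant-time comparison so a wrong code cannot be timed byte by byte.
        ok = hmac.compare_digest(first.encode(), second_credential.encode())
        report = self.nwdaf.evaluation_report(                  # steps 412-414
            policy["manner"], ue_location, home_location)
        return VerificationResult(1 if ok else 2, target, report)


def af_provide_service(result, min_reliability=0.7):
    """Step 416: the AF decides from the indication and/or the report."""
    if result.indication != 1:
        return "denied"
    if result.report["reliability"] < min_reliability:
        return "step_up"  # verified, but not credibly enough for this service
    return "granted"


def simulate(user_id, level, tamper=None, ue_location="home", home_location="home"):
    """End-to-end run on constructed data; `tamper` replaces the UE's reply."""
    channel = {}
    uaf = UAF(SecondNetworkElement(),
              ThirdNetworkElement({"user-1": ["ue-a", "ue-b"]}),  # constructed
              NWDAF(), channel)
    target = uaf.start(user_id, level)
    reply = tamper if tamper is not None else channel[target]   # UE answers
    return af_provide_service(uaf.complete(user_id, reply, ue_location, home_location))
```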
Referring to fig. 6, a schematic structural diagram of an application function network element 600 according to an embodiment of the present application is provided. As shown in fig. 6, the application function network element 600 includes:
a sending module 601, configured to send a user identifier to a first network element, where the user identifier is used to instruct the first network element to perform identity authentication on a user account corresponding to the user identifier, and the user account is associated with identifiers of one or more terminal devices;
a receiving module 602, configured to receive a verification result sent by the first network element;
the processing module 603 is configured to provide a service according to the verification result.
The sending module 601 executes the method according to step 302 of the embodiment shown in fig. 3 and step 402 of the embodiment shown in fig. 4, the receiving module 602 executes the method according to step 312 of the embodiment shown in fig. 3 and step 415 of the embodiment shown in fig. 4, and the processing module 603 executes the method according to step 313 of the embodiment shown in fig. 3 and step 416 of the embodiment shown in fig. 4.
In another embodiment of the application function network element 600 provided in the embodiment of the present application, the sending module 601 is further configured to send an identifier of the one or more terminal devices to the first network element;
the processing module 603 is specifically configured to provide a service to a terminal corresponding to the identifier of the terminal device according to the verification result.
The sending module 601 executes the method according to step 302 of the embodiment shown in fig. 3, and the processing module 603 executes the method according to step 313 of the embodiment shown in fig. 3 and step 416 of the embodiment shown in fig. 4.
In another embodiment of the application function network element 600 provided in the embodiment of the present application, the receiving module 602 is further configured to receive an evaluation report sent by the first network element; the evaluation report is used for indicating the credibility of the verification result, and the credibility is related to the verification mode of the user verification;
the processing module 603 provides a service according to the verification result and/or the evaluation report.
The receiving module 601 executes the method according to step 312 of the embodiment shown in fig. 3 and step 415 of the embodiment shown in fig. 4, and the processing module 603 executes the method according to step 313 of the embodiment shown in fig. 3 and step 416 of the embodiment shown in fig. 4.
In another embodiment of the application function network element 600 provided in the embodiment of the present application, the sending module 601 is further configured to send an authentication level to the first network element, where the authentication level is used to instruct the first network element to determine an authentication policy according to the authentication level.
The sending module 601 executes step 402 of the embodiment shown in fig. 4.
Referring to fig. 7, a schematic structural diagram of another network element device according to an embodiment of the present application is shown, where the network element device 700 includes: a processor 701, a memory 702, and a communication interface 703.
The processor 701, the memory 702, and the communication interface 703 are connected to each other by a bus; the bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The memory 702 may include volatile memory (volatile memory), such as random-access memory (RAM); the memory may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a Hard Disk Drive (HDD) or a solid-state drive (SSD); the memory 702 may also comprise a combination of the above types of memory.
The processor 701 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor 702 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The communication interface 703 may be a wired communication interface, such as an ethernet interface, a wireless communication interface, or a combination thereof. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a WLAN interface, a cellular network communication interface, a combination thereof, or the like.
Optionally, the memory 702 may also be configured to store program instructions, and the processor 701 invokes the program instructions stored in the memory 702, and may perform one or more steps of steps 304, 306, 307, 311, 312 or steps 405, 406, 407, 411, 412, 415 in the method embodiment shown in fig. 3 or fig. 4, or an optional implementation manner therein, so that the network element device 700 implements the functions of the network element device in the foregoing method, which is not described herein again in detail.
Referring to fig. 8, a schematic structural diagram of an application function network element according to an embodiment of the present application is provided, including a processor 801, a memory 802, and a communication interface 803.
The memory 802 may be transient storage or persistent storage. Still further, the central processor 801 may be configured to communicate with the memory 802 to perform a series of instruction operations in the memory 802 on a transmitting device.
In this embodiment, the central processing unit 801 may perform the operations performed by the application function network element in the embodiments shown in fig. 3 and fig. 4, which are not described herein again specifically.
In this embodiment, the specific functional module division in the central processing unit 801 may be similar to the functional module division manner of the sending unit, the receiving unit, and the processing unit described in fig. 6, and is not described herein again.
An embodiment of the present application further provides a system for verifying a user identifier, including: a network element device as shown in fig. 5 or fig. 7, an application function network element as shown in fig. 6 or fig. 8.
An embodiment of the present application further provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, the communication interface is interconnected with the at least one processor through a line, and the at least one processor executes an instruction or a computer program to perform one or more steps in the method embodiment shown in fig. 3 or fig. 4, or in an alternative implementation manner, so as to implement a function of a network element device in the foregoing method.
The communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above further comprises at least one memory, in which instructions are stored. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
An embodiment of the present application further provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or an instruction to perform the execution method of the application function network element described in any one of the possible implementation manners of the embodiments shown in fig. 3 and fig. 4;
the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip or chip system described above in this application further comprises at least one memory having instructions stored therein. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
The embodiment of the present application further provides a computer storage medium, in which computer program instructions for implementing the functions of the network element device in the method for verifying the user identifier provided in the embodiment of the present application are stored.
The embodiment of the present application further provides a computer storage medium, where computer program instructions for implementing the network element with application function in the user identifier verification method provided in the embodiment of the present application are stored in the computer storage medium.
An embodiment of the present application further provides a computer program product, where the computer program product includes computer software instructions, and the computer software instructions may be loaded by a processor to implement the flow in the method for verifying a user identifier shown in fig. 3 or fig. 4.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the part of the technical solution of the present application that essentially contributes to the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like.

Claims (24)

  1. A method for verifying a user identifier, the method comprising:
    the method comprises the steps that a first network element receives a user identification from an application function network element, wherein the user identification is used for indicating a user account, and the user account is associated with identifications of one or more terminal devices;
    the first network element acquires a first certificate from a second network element according to the user identification, wherein the first certificate is used for verifying the user account;
    the first network element acquires the identifiers of the one or more terminal devices, wherein the identifiers of the terminal devices are used for determining a target terminal;
    the first network element receives a second certificate from the target terminal, wherein the second certificate is an authentication certificate received by the target terminal;
    and the first network element performs user authentication according to the first certificate and the second certificate.
  2. The method of claim 1, wherein the first network element performs user authentication according to the first credential and the second credential, comprising:
    if the first credential is the same as the second credential, the first network element sends a first indication to the application function network element, where the first indication is used to indicate that user authentication is successful;
    and if the first certificate is different from the second certificate, the first network element sends a second indication to the application function network element, wherein the second indication is used for indicating that the user authentication fails.
  3. The method according to any of claims 1 to 2, wherein the obtaining, by the first network element, the identity of the one or more terminal devices comprises:
    the first network element receives the terminal identification from the application function network element; or,
    and the first network element acquires the identifiers of the one or more terminal devices corresponding to the user identifier from the third network element, wherein the mapping relationship between the user identifier and the identifiers of the one or more terminal devices is stored in the third network element.
  4. The method according to any one of claims 1 to 3, further comprising:
    and the first network element sends an evaluation report to the application function network element, wherein the evaluation report is used for indicating the credibility of the verification result, and the credibility is related to the verification mode of the user verification.
  5. The method of any of claims 1 to 3, further comprising:
    the first network element sends an evaluation request to a fourth network element, wherein the evaluation request is used for indicating the fourth network element to generate an evaluation report, the evaluation report is used for indicating the credibility of a verification result, and the credibility is related to a verification mode of the user verification;
    and the first network element sends the evaluation report to the application function network element.
  6. The method according to any one of claims 1 to 5, wherein before the first network element obtains the first credential corresponding to the user identifier from the second network element according to the user identifier, the method further comprises:
    the first network element acquires the verification level sent by the application program network element;
    the first network element determines a verification strategy according to the verification grade;
    the first network element determines the type of the first certificate according to the verification strategy;
    the first network element performs user authentication according to the first credential and the second credential, including:
    and the first network element verifies the first certificate and the second certificate according to the verification strategy.
  7. A method of verifying a user identity, the method comprising:
    an application function network element sends a user identifier to a first network element, wherein the user identifier is used for indicating the first network element to carry out identity verification on a user account corresponding to the user identifier, and the user account is associated with identifiers of one or more terminal devices;
    the application function network element receives a verification result sent by the first network element;
    and the application function network element provides service according to the verification result.
  8. The method of claim 7, wherein before the application function network element receives the verification result sent by the first network element, the method further comprises:
    the application function network element sends the identification of the one or more terminal devices to the first network element;
    the application function network element providing service according to the verification result, comprising:
    and the application function network element provides service for the terminal corresponding to the identifier of the terminal equipment according to the verification result.
  9. The method according to any one of claims 7 to 8, further comprising:
    the application function network element receives an evaluation report sent by the first network element; the evaluation report is used for indicating the credibility of the verification result, and the credibility is related to the verification mode of the user verification;
    the application function network element provides service according to the verification result, and the method comprises the following steps:
    and the application function network element provides service according to the verification result and/or the evaluation report.
  10. The method according to any of claims 7 to 9, wherein before the application function network element receives the verification result sent by the first network element, the method further comprises:
    and the application function network element sends a verification grade to the first network element, wherein the verification grade is used for indicating the first network element to determine a verification strategy according to the verification grade.
  11. A network element device, wherein the network element device comprises:
    a receiving module, configured to receive a user identifier from an application function network element, where the user identifier is used to indicate a user account, and the user account is associated with identifiers of one or more terminal devices;
    an obtaining module, configured to obtain a first credential from a second network element according to the user identifier, where the first credential is used to verify the user account;
    the acquisition module is further configured to acquire identifiers of the one or more terminal devices, where the identifiers of the terminal devices are used to determine a target terminal;
    the receiving module is further configured to receive a second credential from the target terminal, where the second credential is an authentication credential received by the target terminal;
    and the verification module is used for performing user verification according to the first certificate and the second certificate.
  12. The network element device of claim 11, wherein the authentication module is specifically configured to send a first indication to the application function network element if the first credential is the same as the second credential, where the first indication is used to indicate that user authentication is successful; and if the first certificate and the second certificate are different, the verification module sends a second indication to the application function network element, wherein the second indication is used for indicating that the user verification fails.
  13. The network element device according to any one of claims 11 to 12, wherein the obtaining module is specifically configured to receive the terminal identifier from the application function network element; or acquiring the identifiers of the one or more terminal devices corresponding to the user identifier from the third network element, where the third network element stores a mapping relationship between the user identifier and the identifiers of the one or more terminal devices.
  14. The network element device according to any of claims 11 to 13, wherein the network element device further comprises a sending module;
    the sending module is configured to send an evaluation report to the application function network element, where the evaluation report is used to indicate a reliability of a verification result, and the reliability is related to a verification manner of the user verification.
  15. The network element device according to any of claims 11 to 13, wherein the network element device further comprises a sending module;
    the sending module is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth network element to generate an evaluation report, and the evaluation report is used to indicate a credibility of a verification result, where the credibility is related to a verification manner of the user verification;
    the sending module is further configured to send the evaluation report to the application function network element.
  16. The network element device according to any of claims 11 to 15, wherein the network element device further comprises a determining module;
    the obtaining module is further configured to obtain the verification level sent by the application program network element;
    the determining module is specifically configured to determine a verification policy according to the verification level;
    the determining module is further configured to determine a type of the first credential according to the verification policy;
    the verification module is specifically configured to verify the first credential and the second credential according to the verification policy.
  17. An application function network element, wherein the application function network element comprises:
    a sending module, configured to send a user identifier to a first network element, where the user identifier is used to instruct the first network element to perform identity authentication on a user account corresponding to the user identifier, and the user account is associated with identifiers of one or more terminal devices;
    a receiving module, configured to receive a verification result sent by the first network element;
    a processing module, configured to provide a service according to the verification result.
  18. The network element of claim 17, wherein the sending module is further configured to send the identifier of the one or more terminal devices to the first network element;
    and the processing module is specifically configured to provide a service to a terminal corresponding to the identifier of the terminal device according to the verification result.
  19. The network element according to any of claims 17 to 18, wherein the receiving module is further configured to receive an evaluation report sent by the first network element, where the evaluation report is used to indicate a credibility of the verification result, and the credibility is related to a verification manner of the user verification;
    the processing module is configured to provide a service according to the verification result and/or the evaluation report.
  20. The network element of any of claims 17 to 19, wherein the sending module is further configured to send a verification level to the first network element, where the verification level is used to instruct the first network element to determine a verification policy according to the verification level.
  21. A network element device, comprising: at least one processor, a memory, the memory storing computer-executable instructions executable on the processor, the processor performing a method according to any one of the possible implementations of the above claims 1 to 6 when the computer-executable instructions are executed by the processor.
  22. An application function network element comprising: at least one processor, a memory, the memory storing computer-executable instructions executable on the processor, the processor performing a method according to any one of the possible implementations of claims 7 to 10 when the computer-executable instructions are executed by the processor.
  23. A system for authenticating a user identifier, comprising: a network element device according to any one of claims 11 to 16 and an application function network element according to any one of claims 17 to 20.
  24. A computer-readable storage medium storing one or more computer-executable instructions, wherein when the computer-executable instructions are executed by a processor, the processor performs the method of any one of claims 1 to 10.
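The verification flow of claims 16 to 20, modelled as an added Python example that is not the patent's own implementation: the application function sends a user identifier and a verification level, the first network element derives a verification policy from the level, verifies a first and a second credential, and returns the verification result together with an evaluation report whose credibility follows the verification manner actually applied. The subscriber store, the levels, the credential types and the credibility values are assumptions.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Constructed subscriber store (assumption): user account -> associated terminal
# identifiers and the credentials the network element is able to check.
USERS = {
    "user-42": {
        "terminals": frozenset({"imei-001", "imei-002"}),
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "otp_key": b"constructed-otp-key",
    }
}
# Verification level -> verification policy, i.e. which credential types
# (first credential, second credential) must be verified. Levels are assumed.
POLICIES = {1: ("password",), 2: ("password", "otp")}
# Credibility the evaluation report assigns to each verification manner (assumed values).
CREDIBILITY = {("password",): 0.4, ("password", "otp"): 0.9}

@dataclass(frozen=True)
class Verification:
    success: bool
    manner: tuple            # the verification manner actually applied
    credibility: float       # content of the evaluation report
    terminals: frozenset     # terminals associated with the user account

def expected_otp(user_id, window=b"window-1"):
    """Hypothetical OTP derivation shared by the device and the checker."""
    return hmac.new(USERS[user_id]["otp_key"], window, "sha256").hexdigest()[:6]

def first_network_element(user_id, level, credentials):
    """Verify the credentials required by the policy selected for `level`."""
    account, policy = USERS.get(user_id), POLICIES.get(level)
    if account is None or policy is None:
        return Verification(False, policy or (), 0.0, frozenset())
    checks = {
        "password": lambda c: hmac.compare_digest(
            hashlib.sha256(c.encode()).hexdigest(), account["password_sha256"]),
        "otp": lambda c: hmac.compare_digest(c, expected_otp(user_id)),
    }
    ok = all(checks[kind](credentials.get(kind, "")) for kind in policy)
    return Verification(ok, policy, CREDIBILITY[policy] if ok else 0.0, account["terminals"])

def application_function(user_id, level, credentials, terminal_id, min_credibility):
    """AF side: request verification, then serve only a terminal associated with the
    account whose result is positive and whose evaluation report is credible enough."""
    v = first_network_element(user_id, level, credentials)
    return v.success and terminal_id in v.terminals and v.credibility >= min_credibility
```

A service that demands a credibility above what a single-credential manner can yield is thereby forced to request the higher verification level rather than merely trusting a positive result.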

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/077268 WO2021168829A1 (en) 2020-02-28 2020-02-28 User identifier verification method and related device

Publications (1)

Publication Number Publication Date
CN114731289A true CN114731289A (en) 2022-07-08

Family

ID=77490597

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080080556.XA Pending CN114731289A (en) 2020-02-28 2020-02-28 User identification verification method and related equipment

Country Status (2)

Country Link
CN (1) CN114731289A (en)
WO (1) WO2021168829A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116567802A (en) * 2022-01-29 2023-08-08 海能达通信股份有限公司 Method for realizing 5G core network service interface slice error correction
CN114679336B (en) * 2022-05-10 2024-04-12 北京自如信息科技有限公司 Authentication method, authentication system, authentication device, and readable storage medium
CN117134994B (en) * 2023-10-24 2023-12-29 北京龙腾佳讯科技股份公司 Serial condition collaborative authentication method and system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120023565A1 (en) * 2010-04-28 2012-01-26 Tumanyan Hovhannes Systems and methods for system login and single sign-on
CN105187431A (en) * 2015-09-17 2015-12-23 网易(杭州)网络有限公司 Log-in method, server, client and communication system for third party application
CN105323253A (en) * 2015-11-17 2016-02-10 腾讯科技(深圳)有限公司 Identity verification method and device
CN106101136A (en) * 2016-07-22 2016-11-09 飞天诚信科技股份有限公司 The authentication method of a kind of biological characteristic contrast and system
CN106161392A (en) * 2015-04-17 2016-11-23 深圳市腾讯计算机系统有限公司 A kind of auth method and equipment
CN106506433A (en) * 2015-09-06 2017-03-15 中兴通讯股份有限公司 Login authentication method, certificate server, Authentication Client and login client
CN109511115A (en) * 2017-09-14 2019-03-22 华为技术有限公司 A kind of authorization method and network element
CN110800331A (en) * 2017-07-20 2020-02-14 华为国际有限公司 Network verification method, related equipment and system
CN110798833A (en) * 2018-08-03 2020-02-14 华为技术有限公司 Method and device for verifying user equipment identification in authentication process

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143165B (en) * 2011-01-24 2014-07-09 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN105553923A (en) * 2014-11-04 2016-05-04 中兴通讯股份有限公司 Method for obtaining user identifier and network side equipment
EP3794857A1 (en) * 2018-05-18 2021-03-24 Convida Wireless, Llc Identity layer for iot devices

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "S2-171673 "Subscription Permanent Identifiers in the 5G System"", 《3GPP TSG_SA\WG2_ARCH》, 21 March 2017 (2017-03-21) *
李宏佳等: "5G安全:通信与计算融合演进中的需求分析与架构设计", 《信息安全学报》, no. 05, 15 September 2018 (2018-09-15) *
王亚伟等: "基于标识符的Android客户端身份认证方案", 《网络与信息安全学报》, no. 04, 15 April 2017 (2017-04-15) *

Also Published As

Publication number Publication date
WO2021168829A1 (en) 2021-09-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination