CN114900833B - Authentication method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN114900833B
Authority: CN (China)
Prior art keywords: authentication, entity, user terminal, access, information
Legal status: Active
Application number: CN202210646161.2A
Other languages: Chinese (zh)
Other versions: CN114900833A
Inventors: 尹君, 李思含, 陈洁, 李雪馨
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application history: filed by China Telecom Corp Ltd with priority to CN202210646161.2A; published as CN114900833A and granted as CN114900833B; related PCT application PCT/CN2022/140462, published as WO2023236497A1


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 5/00 Arrangements affording multiple use of the transmission path
                    • H04L 5/003 Arrangements for allocating sub-channels of the transmission path
                        • H04L 5/0053 Allocation of signaling, i.e. of overhead other than pilot signals
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication


Abstract

The disclosure provides an authentication method, an authentication device, a storage medium and electronic equipment, and relates to the technical field of communication. The authentication method comprises the following steps: receiving authentication request information sent by an access and mobility management functional entity, and sending the authentication request information to an authentication server functional entity so that the authentication server functional entity can acquire authentication data from an authentication data management entity based on the authentication request information; analyzing the content of the authentication data to obtain an authentication result; and sending the authentication result to the access and mobility management functional entity so that the access and mobility management functional entity can carry out authority authentication on the first user terminal corresponding to the authentication request information. This solves the technical problem that authentication of a user terminal between the operator's public network and the client's private network is currently inconvenient, and achieves the technical effect of improving the convenience of authenticating a user terminal between the operator's public network and the client's private network.

Description

Authentication method and device, storage medium and electronic equipment
Technical Field
The disclosure relates to the technical field of communication, and in particular relates to an authentication method, an authentication device, a storage medium and electronic equipment.
Background
Operators have management requirements for the number card (SIM card) data in the mobile communication network and security guarantee requirements for their own networks, and some private network clients need to build UDM (Unified Data Management, unified data management function) entities in the private network so as to meet requirements such as keeping signaling-plane data inside the campus and operating the network autonomously.
However, authentication data is generally deployed in the operator's public network while subscription data is deployed in the enterprise's private network; the public network and the private network are mutually independent, so the private network cannot acquire the authentication state of a UE (User Equipment) and cannot perform validity authentication on the UE.
Therefore, the authentication convenience of the user terminal between the public network of the operator and the private network of the client is poor at present.
Disclosure of Invention
The present disclosure provides an authentication method, an apparatus, a storage medium, and an electronic device, thereby improving convenience of user terminal authentication between an operator public network and a client private network.
In a first aspect, an embodiment of the present disclosure provides an authentication method, including:
receiving authentication request information sent by an access and mobility management functional entity, and sending the authentication request information to an authentication server functional entity so that the authentication server functional entity can acquire authentication data from an authentication data management entity based on the authentication request information;
analyzing the content of the authentication data to obtain an authentication result;
and sending the authentication result to the access and mobility management functional entity so that the access and mobility management functional entity can carry out authority authentication on the first user terminal corresponding to the authentication request information.
In an optional embodiment of the disclosure, sending the authentication result to the access and mobility management function entity for the access and mobility management function entity to perform authority authentication on the first user terminal corresponding to the authentication request information, including:
if the authentication result is authentication failure, generating first indication information of authentication failure, and sending the first indication information to an access and mobility management functional entity to indicate the access and mobility management functional entity to reject the access of the first user terminal corresponding to the authentication request information;
if the authentication result is that the authentication is successful, generating second indication information of the authentication success, and sending the second indication information to the access and mobility management functional entity to indicate the access and mobility management functional entity to accept the first user terminal access corresponding to the authentication request information.
In an optional embodiment of the disclosure, if the authentication result is that the authentication is successful, the method further includes:
and sending the authentication result to the subscription data management entity to instruct the subscription data management entity to update the authority state of the first user terminal corresponding to the authentication request information.
In an alternative embodiment of the present disclosure, the method further comprises:
receiving a query request for the subscription data of the second user terminal sent by the target network element, and sending the query request to the subscription data management entity to instruct the subscription data management entity to query the subscription data of the second user terminal;
and receiving subscription feedback information sent by the subscription data management entity, and determining the validity of the query request according to the subscription feedback information.
In an alternative embodiment of the present disclosure, determining validity of a query request according to subscription feedback information includes:
if the subscription feedback information comprises subscription data of the second user terminal and the target network element corresponding to the query request is in a preset private network function entity list, the subscription data is sent to the target network element;
if the subscription feedback information does not contain subscription data or the target network element corresponding to the query request is not in the preset private network function entity list, generating rejection information aiming at the query request and sending the rejection information to the target network element.
In an alternative embodiment of the present disclosure, determining validity of a query request according to subscription feedback information includes:
if the subscription feedback information comprises subscription data of the second user terminal, the target network element corresponding to the query request is in a preset private network function entity list, and the current request time is within a preset validity period of the target network element authority, the subscription data is sent to the target network element;
if the subscription feedback information does not contain subscription data, or the target network element corresponding to the query request is not in a preset private network function entity list, or the current request time is not in the preset validity period of the target network element authority, generating refusing information aiming at the query request, and sending the refusing information to the target network element.
In an alternative embodiment of the present disclosure, the target network element is at least one of an access and mobility management function entity and a session management function entity.
In a second aspect, an embodiment of the present disclosure provides an authentication apparatus, including:
the first transceiver module is used for receiving the authentication request information sent by the access and mobility management functional entity and sending the authentication request information to the authentication server functional entity so that the authentication server functional entity can acquire authentication data from the authentication data management entity based on the authentication request information;
the analysis module is used for analyzing the content of the authentication data to obtain an authentication result;
and the second receiving and transmitting module is used for transmitting the authentication result to the access and mobility management functional entity so as to enable the access and mobility management functional entity to carry out authority authentication on the first user terminal corresponding to the authentication request information.
In a third aspect, one embodiment of the present disclosure provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as above.
In a fourth aspect, one embodiment of the present disclosure provides an electronic device, including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method as above via execution of the executable instructions.
The technical scheme of the present disclosure has the following beneficial effects:
According to the authentication method, the UDM is split into an A-UDM entity for storing authentication data and an S-UDM entity for storing subscription data; the A-UDM entity is configured in the operator's large network and the S-UDM entity in the 5G private network of the private network client. When the authority of a user terminal needs to be authenticated, the authentication request information sent by the AMF entity only needs to be forwarded to the AUSF entity, which acquires the authentication data from the A-UDM; the content of the authentication data is then analyzed and the resulting authentication result is sent to the AMF entity, so that the AMF entity can authenticate the authority of the first user terminal corresponding to the authentication request information within the private network. This solves the technical problem that authentication of a user terminal between the operator's public network and the client's private network is currently inconvenient, and achieves the technical effect of improving that convenience.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely some embodiments of the present disclosure and that other drawings may be derived from these drawings without undue effort.
Fig. 1 shows an application scenario schematic of an authentication method in the present exemplary embodiment;
fig. 2 shows an application scenario diagram of an authentication method in the present exemplary embodiment;
fig. 3 shows a flowchart of an authentication method in the present exemplary embodiment;
fig. 4 shows an interaction diagram of an authentication method in the present exemplary embodiment;
fig. 5 shows a flowchart of an authentication method in the present exemplary embodiment;
fig. 6 shows an interaction diagram of an authentication method in the present exemplary embodiment;
fig. 7 is a schematic diagram showing the structure of an authentication apparatus in the present exemplary embodiment;
fig. 8 shows a schematic structural diagram of an electronic device in the present exemplary embodiment.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present disclosure. However, those skilled in the art will recognize that the aspects of the present disclosure may be practiced with one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only and not necessarily all steps are included. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
In the related art, an operator has management requirements for the number card (SIM card) data in the mobile communication network and security guarantee requirements for its own network, and some private network clients need to build UDM (Unified Data Management, unified data management function) entities in the private network so as to meet requirements such as keeping signaling-plane data inside the campus and operating the network autonomously. However, authentication data is generally deployed in the operator's public network while subscription data is deployed in the enterprise's private network; the public network and the private network are mutually independent, so the private network cannot acquire the authentication state of a UE (User Equipment) and cannot perform validity authentication on the UE. Therefore, authentication of a user terminal between the operator's public network and the client's private network is currently inconvenient.
Therefore, the embodiment of the disclosure provides an authentication method to improve the convenience of authentication of the user terminal between the public network of the operator and the private network of the client. The following briefly describes an application environment of an authentication method provided by an embodiment of the present disclosure:
referring to fig. 1, the authentication method provided by the embodiment of the present disclosure is applied to a communication system between an operator public network and a client private network, and a 5G core network of the communication system is shown in fig. 1, which includes:
UE: the User Equipment, the User terminal, can be a communication device such as a mobile phone which can be accessed to the 5G network.
NRF: network Repository Function, a network storage function entity, configured to perform NF (network function) registration, management, and status detection, to implement automatic management of all NFs, where each NF must register with an NRF to provide a service when started, and the registration information includes NF type, address, service list, and the like.
NSSF: the Network Slice Selection Function, the network slice selection entity determines the network slice that the UE is allowed to access according to the slice selection assistance information, subscription information, and the like of the UE.
AUSF: Authentication Server Function, the authentication server functional entity, which implements access authentication for 3GPP and non-3GPP access.
SMF: Session Management Function, the session management functional entity, responsible for tunnel maintenance, IP address allocation and management, UP (User Plane) function selection, policy enforcement and control in QoS (Quality of Service), charging data collection, roaming, etc.
AMF: Access and Mobility Management Function, the access and mobility management functional entity, which performs registration, connection, reachability and mobility management. It provides the session management message transmission channel between the UE and the SMF, provides authentication and authorization functions when the user accesses the network, and serves as the control-plane access point between the terminal and the wireless core network.
PCF: Policy Control Function, the policy control functional entity, a unified policy framework that provides policy rules for control-plane functions.
NEF: Network Exposure Function, the network exposure functional entity, which exposes the capabilities of each NF, converts internal and external information, and is used in edge computing scenarios.
RAN: Radio Access Network, the radio access network entity, which connects all or part of the subscribers to the switching node wirelessly. A radio access network is a radio implementation system consisting of a series of transport entities between a service node interface (e.g. a switch) and the associated user network interface, providing the transport bearer capability required to carry telecommunications traffic.
UPF: User Plane Function, the user plane functional entity, used for packet routing and forwarding, policy enforcement, traffic reporting, QoS handling, etc.
UDM: Unified Data Management, the unified data management functional entity, responsible for user identification management, subscription data, authentication data, and registration management of the serving network elements of a user (such as the AMF and SMF currently serving the user terminal; for example, when the user changes its visited AMF, the UDM may also send a deregistration message to the old AMF requiring it to delete the user-related information). It should be explained that the embodiments of the present disclosure split the UDM entity into two parts: the A-UDM (Authentication-UDM, authentication data management entity) and the S-UDM (Subscription-UDM, subscription data management entity).
Referring to fig. 2, the A-UDM is configured in the operator's large network to store authentication data, and the S-UDM is configured in the customer's private network to store the subscription data of the customer's access users. With continued reference to fig. 2, the interaction architecture in the embodiment of the disclosure is divided into two parts: the large-network 5G core network of the operator and the private-network 5G core network of the private network client. The large-network 5G core network is configured with an A-UDM entity for storing authentication data and an AUSF entity for performing the authentication service. The private-network 5G core network is configured with an AMF for user terminal access and management, a UPF for packet routing, forwarding and policy enforcement, an SMF entity for session management, and an S-UDM for storing user subscription data. The large-network 5G core network and the private-network 5G core network communicate through an IWF (Customer Premise Inter-working Function, the user-side network interconnection function signaling interworking gateway).
The following describes an example in which the user side network interconnection function signaling interworking gateway IWF (hereinafter referred to as signaling interworking gateway) is used as an execution body, and the authentication method is applied to the signaling interworking gateway to authenticate user information. Referring to fig. 3, an authentication method provided in an embodiment of the present disclosure includes the following steps 301 to 303:
Step 301, the signaling interworking gateway receives authentication request information sent by the AMF and sends the authentication request information to the AUSF, so that the AUSF obtains authentication data from the A-UDM based on the authentication request information.
The authentication data is stored in the A-UDM entity in the operator's large network. Referring to fig. 4, for example, a first user terminal initiates a registration request and sends it to the AMF entity, where the registration request includes at least the terminal identifier of the first user terminal. The AMF entity may perform the authentication procedure based on the 3GPP TS 33.501 standard. The AMF entity generates authentication request information and sends it to the IWF, and the IWF forwards the authentication request information to the AUSF entity. The AUSF entity, configured in the operator's large network, sends the authentication request information to the A-UDM entity that stores the authentication data, so as to request the authentication data of the first user terminal from the A-UDM entity. The A-UDM entity queries and obtains the authentication data corresponding to the first user terminal based on information such as its terminal identifier, and returns the authentication data to the AUSF entity.
Step 302, the signaling interworking gateway analyzes the content of the authentication data to obtain an authentication result.
After obtaining the authentication data, the IWF entity analyzes it to determine the current authority of the first user terminal. For example, if the value of the AuthResult field in the authentication data Nausf_UEAuthentication_Authenticate Response is AUTHRESULT_SUCCESS, the authentication of the first user terminal has succeeded; if the value of the AuthResult field is AUTHENTICATION_FAILED, the authentication of the first user terminal has failed.
Step 303, the signaling intercommunication gateway sends the authentication result to the AMF, so that the AMF performs authority authentication on the first user terminal corresponding to the authentication request information.
The AUSF entity communicates with the AMF entity through the IWF entity, and the IWF entity forwards the analyzed authentication result to the AMF entity so that the AMF can carry out authority authentication on the first user terminal corresponding to the authentication request information. For example, a feedback message of authentication success or authentication failure is sent to the corresponding first user terminal.
According to the embodiment of the disclosure, the UDM is split into an A-UDM entity for storing authentication data and an S-UDM entity for storing subscription data; the A-UDM entity is configured in the operator's large network and the S-UDM entity in the 5G private network of the private network client. When the authority of a user terminal needs to be authenticated, the authentication request information sent by the AMF entity only needs to be forwarded to the AUSF entity, which acquires the authentication data from the A-UDM; the content of the authentication data is then analyzed and the resulting authentication result is sent to the AMF entity, so that the AMF entity can authenticate the authority of the first user terminal corresponding to the authentication request information within the private network. This solves the technical problem that authentication of a user terminal between the operator's public network and the client's private network is currently inconvenient, and achieves the technical effect of improving that convenience.
In an optional embodiment of the present disclosure, the step 303, the signaling interworking gateway sends the authentication result to the AMF, so that the AMF performs authority authentication on the first user terminal corresponding to the authentication request information, which includes the following two cases:
In the first case, if the authentication result is authentication failure, the signaling interworking gateway generates first indication information of authentication failure and sends it to the AMF to instruct the AMF to reject access by the first user terminal corresponding to the authentication request information.
In the second case, if the authentication result is authentication success, the signaling interworking gateway generates second indication information of authentication success and sends it to the AMF to instruct the AMF to accept access by the first user terminal corresponding to the authentication request information.
The authentication result generally has two cases, authentication failure and authentication success. The embodiment of the disclosure generates different first indication information and second indication information for the two cases and sends them to the AMF entity, so that the AMF entity can rapidly determine the current authentication result of the first terminal, which is more efficient.
In an optional embodiment of the present disclosure, for the second case, if the authentication result is that the authentication is successful, the authentication method further includes the following step a:
and step A, the signaling intercommunication gateway sends the authentication result to the S-UDM so as to instruct the S-UDM to update the authority state of the first user terminal corresponding to the authentication request information.
The IWF entity may configure network element information of each network element in the private network, for example, including NF entity ID of each network element, and in case of successful authentication, the IWF sends an authentication result of successful authentication to the S-UDM entity in the private network, and carries the network element information of the private network, for example, AMF network element ID or SMF network element ID, in the authentication result. After receiving the authentication result, the S-UDM entity updates the authority status of the first user terminal corresponding to the authentication result, for example, updates the authority status to an identifier such as authenticated or authentication success, so that the corresponding data can be directly read later. Meanwhile, the S-UDM entity can also record the network function ID of the private network where the first user terminal is located, namely the network element ID, so that the accurate determination of the authority of the network element when the network element accesses the first user terminal next time can be realized.
Correspondingly, if the authentication fails, the IWF forwards the authentication result to the S-UDM entity after receiving the authentication result, and the S-UDM entity modifies the state of the corresponding first user terminal into unauthenticated state or failed authentication according to the terminal identification in the authentication result. Of course, if the S-UDM entity receives the status adjustment instruction for the first user terminal sent by the AMF entity, the permission status of the first user terminal may also be updated.
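The following is an added example, not the patent's own code, of how a signaling interworking gateway could perform the content analysis of step 302 on the AUSF's Nausf_UEAuthentication_Authenticate Response and derive the first/second indication for the AMF (step 303) and the authority-state update for the S-UDM (step A). The JSON field name "authResult", the SUPI values and the NF IDs are constructed assumptions; the AuthResult strings are the ones quoted in the description, and anything other than the explicit success value is treated as a failure.

```python
"""Added example (not the patent's own code): IWF-side handling of the
AUSF authentication data for steps 302, 303 and A.

Assumptions: the AUSF response is a JSON object carrying the AuthResult
value under the key "authResult"; SUPI values and NF IDs are constructed.
"""
import json
from dataclasses import dataclass
from typing import Tuple

# AuthResult values as quoted in the description. A deployment must compare
# against the exact strings its own AUSF emits.
AUTH_SUCCESS = "AUTHRESULT_SUCCESS"
AUTH_FAILED = "AUTHENTICATION_FAILED"


@dataclass(frozen=True)
class AmfIndication:
    """First (reject) or second (accept) indication sent to the AMF."""
    supi: str
    accept: bool
    reason: str


@dataclass(frozen=True)
class SudmUpdate:
    """Authority-state update carried to the S-UDM, together with the
    private-network NF ID that served the terminal so the S-UDM can record it."""
    supi: str
    status: str          # "authenticated" or "unauthenticated"
    nf_id: str


def analyze_auth_response(raw: bytes) -> Tuple[bool, str]:
    """Step 302: content analysis of the authentication data.

    Fails closed: a malformed body, a missing field, or any value other
    than the explicit success string is treated as authentication failure.
    """
    try:
        body = json.loads(raw)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
        return False, "unparseable authentication data"
    if not isinstance(body, dict):
        return False, "authentication data is not an object"
    result = body.get("authResult")
    if result == AUTH_SUCCESS:
        return True, "authentication success"
    if result == AUTH_FAILED:
        return False, "authentication failure"
    return False, "unrecognised AuthResult value: %r" % (result,)


def handle_authentication_data(
    supi: str, raw: bytes, serving_nf_id: str
) -> Tuple[AmfIndication, SudmUpdate]:
    """Steps 303 and A: tell the AMF to accept or reject the terminal, and
    tell the S-UDM the terminal's new authority state (the description has
    the IWF forward the result to the S-UDM in both outcomes)."""
    ok, reason = analyze_auth_response(raw)
    indication = AmfIndication(supi=supi, accept=ok, reason=reason)
    update = SudmUpdate(
        supi=supi,
        status="authenticated" if ok else "unauthenticated",
        nf_id=serving_nf_id,
    )
    return indication, update


# Constructed sample responses, as an AUSF might return them to the IWF.
SAMPLE_SUCCESS = json.dumps({"authResult": AUTH_SUCCESS, "supi": "imsi-460110000000001"}).encode()
SAMPLE_FAILURE = json.dumps({"authResult": AUTH_FAILED, "supi": "imsi-460110000000002"}).encode()
SAMPLE_ONGOING = json.dumps({"authResult": "AUTHENTICATION_ONGOING"}).encode()  # neither value: reject
SAMPLE_GARBAGE = b"\xff\xfe not json"                                            # unparseable: reject

if __name__ == "__main__":
    samples = [("success", SAMPLE_SUCCESS), ("failure", SAMPLE_FAILURE),
               ("ongoing", SAMPLE_ONGOING), ("garbage", SAMPLE_GARBAGE)]
    for label, raw in samples:
        ind, upd = handle_authentication_data("imsi-460110000000001", raw, "AMF-private-01")
        verdict = "accept" if ind.accept else "reject"
        print(f"{label:8s} -> AMF: {verdict:6s} | S-UDM: {upd.status:15s} | {ind.reason}")
```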
Referring to fig. 5, in an alternative embodiment of the present disclosure, the authentication method further includes the following steps 501 to 502:
step 501, the signaling interworking gateway receives a query request for subscription data of the second user terminal sent by the target network element, and sends the query request to the S-UDM to instruct the S-UDM to query subscription data of the second user terminal.
Referring to fig. 6, after authentication is completed, the access procedure is entered, and the AMF entity or the SMF entity sends a query request for the subscription data of the second user terminal to the IWF entity, where the query request includes at least the terminal identifier of the second user terminal. After receiving the query request, the IWF entity transmits it to the S-UDM, and the S-UDM queries the authority state of the second user terminal corresponding to the query request and the corresponding subscription data. It should be noted that the query request may also be sent directly to the S-UDM entity by the AMF entity or the SMF entity without passing through the IWF; this embodiment is not specifically limited in that respect.
Step 502, the signaling interworking gateway receives the subscription feedback information sent by the S-UDM and determines the validity of the query request according to the subscription feedback information.
For example, the S-UDM entity first determines the authority status of the second user terminal. If the authority status is authenticated, the query request of the second user terminal is legal, so the S-UDM entity generates subscription feedback information including the subscription data and feeds it back, through the IWF entity, to the corresponding network element, for example an AMF entity or an SMF entity, so that the network element processes the request of the second user terminal normally. If the authority state of the second user terminal is not authenticated, the query request is illegal, and the S-UDM entity generates subscription feedback information rejecting the request and feeds it back to the corresponding network element through the IWF entity. Of course, the S-UDM entity may also send the subscription feedback information directly to the corresponding network element without passing through the IWF entity, so as to save transmission time.
With the above method and device, the subscription data of the second user terminal is queried according to the query request for that subscription data sent to the S-UDM entity, and the validity of the query request is then determined according to the subscription feedback information sent by the S-UDM entity. This avoids the risk of obtaining user subscription data by constructing false information in the network, greatly improves the security of the subscription data of the private network, and guarantees the security of data within the enterprise.
In an optional embodiment of the present disclosure, step 503, in which the signaling interworking gateway determines the validity of the query request according to the subscription feedback information, includes the following two cases:
in the first case, if the subscription feedback information includes subscription data of the second user terminal and the target network element corresponding to the query request is in a preset private network function entity list, the signaling interworking gateway sends the subscription data to the target network element;
in the second case, if the subscription feedback information does not contain subscription data or the target network element corresponding to the query request is not in the preset private network function entity list, the signaling interworking gateway generates rejection information for the query request and sends the rejection information to the target network element.
The preset private network function entity list is a private network NF list, which is equivalent to a whitelist of legal network elements. If the target network element is in the network element whitelist and the subscription feedback information sent by the S-UDM entity includes the subscription data of the second user terminal, the subscription data request of the second user terminal is legal, and the IWF entity sends the corresponding subscription data to the target network element to instruct the target network element to feed the subscription data back to the second user terminal. If either condition is not satisfied, the IWF entity generates rejection information and feeds it back to the target network element, so that the target network element rejects the current query request of the second user terminal. By this method, the risk of acquiring user subscription data by constructing false information in the network can be further avoided, the security of user subscription data in the private network is greatly improved, and the data security within the enterprise is ensured.
In an optional embodiment of the disclosure, the determining, by the signaling interworking gateway, validity of the query request according to the subscription feedback information in step 503 includes:
in the first case, if the subscription feedback information includes subscription data of the second user terminal, and the target network element corresponding to the query request is in a preset private network function entity list, and the current request time is within a preset validity period of the target network element authority, the signaling interworking gateway sends the subscription data to the target network element;
in the second case, if the subscription feedback information does not contain subscription data, or the target network element corresponding to the query request is not in the preset private network function entity list, or the current request time is not within the preset validity period of the target network element authority, the signaling interworking gateway generates rejection information for the query request and sends the rejection information to the target network element.
Unlike the above embodiment, the present embodiment adds the limitation of a preset validity period: a validity period is set for each request of the user equipment, and the subscription data can be queried and accessed only when the query time is within the preset validity period. This avoids illegal reading of the user subscription data at other, illegitimate times, further improves the security of the user subscription data, and guarantees the security of the data within the enterprise.
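The following Python simulation is an added illustration of the flow described in the preceding paragraphs (authentication result forwarded to the S-UDM, authority state and serving NF ID recorded, and the IWF gating a later subscription query on the S-UDM feedback, the private network NF whitelist and the validity period); it is not code from the patent or from China Telecom. Terminal identifiers such as `imsi-001`, NF IDs such as `amf-private-1`, the subscription contents and the representation of the validity period as a per-NF time window are all constructed assumptions.

```python
"""Constructed simulation of the S-UDM authority state and the IWF query gate."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Authority (permission) states the S-UDM keeps per terminal, as named in the text.
AUTHENTICATED = "authenticated"
UNAUTHENTICATED = "unauthenticated"


@dataclass
class AuthResult:
    """Authentication result the IWF derives from the AUSF/A-UDM data."""
    terminal_id: str           # terminal identifier (constructed values below)
    success: bool
    nf_id: Optional[str]       # private-network NF ID carried only on success


@dataclass
class SUDM:
    """Subscription data management entity of the private network."""
    subscriptions: dict                                  # terminal_id -> subscription data
    authority: dict = field(default_factory=dict)        # terminal_id -> authority state
    serving_nf: dict = field(default_factory=dict)       # terminal_id -> recorded NF ID

    def apply_auth_result(self, result: AuthResult) -> str:
        """Update the authority state; on success also record the serving NF ID."""
        if result.success:
            self.authority[result.terminal_id] = AUTHENTICATED
            self.serving_nf[result.terminal_id] = result.nf_id
        else:
            self.authority[result.terminal_id] = UNAUTHENTICATED
        return self.authority[result.terminal_id]

    def query(self, terminal_id: str) -> dict:
        """Subscription feedback: data is returned only for an authenticated terminal."""
        if self.authority.get(terminal_id) == AUTHENTICATED:
            return {"terminal_id": terminal_id, "data": self.subscriptions.get(terminal_id)}
        return {"terminal_id": terminal_id, "data": None}   # feedback rejecting the request


@dataclass
class IWF:
    """Signaling interworking gateway between the private network NFs and the S-UDM."""
    sudm: SUDM
    nf_whitelist: set          # preset private network function entity list
    nf_validity: dict          # nf_id -> (start, end): assumed form of the validity period

    def forward_auth_result(self, result: AuthResult) -> str:
        return self.sudm.apply_auth_result(result)

    def handle_query(self, nf_id: str, terminal_id: str, now: datetime) -> dict:
        """Pass subscription data to the NF only if all three conditions hold."""
        feedback = self.sudm.query(terminal_id)
        window = self.nf_validity.get(nf_id)
        in_window = window is not None and window[0] <= now <= window[1]
        if feedback["data"] is not None and nf_id in self.nf_whitelist and in_window:
            return {"status": "ok", "data": feedback["data"]}
        return {"status": "rejected", "data": None}   # rejection information for the NF


T0 = datetime(2022, 6, 8, 10, 0, 0)   # constructed reference time


def build_scenario() -> IWF:
    """Constructed private network: one subscribed terminal, two whitelisted NFs."""
    sudm = SUDM(subscriptions={"imsi-001": {"dnn": "enterprise.example", "slice": "s-nssai-1"}})
    return IWF(
        sudm=sudm,
        nf_whitelist={"amf-private-1", "smf-private-1"},
        nf_validity={
            "amf-private-1": (T0, T0 + timedelta(hours=1)),
            "smf-private-1": (T0, T0 + timedelta(hours=1)),
        },
    )


def demo() -> dict:
    """Run the four query outcomes the text distinguishes and return their statuses."""
    iwf = build_scenario()
    # First terminal authenticated; the IWF carries the serving AMF's NF ID to the S-UDM.
    iwf.forward_auth_result(AuthResult("imsi-001", True, "amf-private-1"))
    # Another terminal failed authentication; its state becomes unauthenticated.
    iwf.forward_auth_result(AuthResult("imsi-002", False, None))
    soon, late = T0 + timedelta(minutes=5), T0 + timedelta(hours=2)
    return {
        "legit": iwf.handle_query("amf-private-1", "imsi-001", soon)["status"],
        "unauthenticated_terminal": iwf.handle_query("amf-private-1", "imsi-002", soon)["status"],
        "nf_not_whitelisted": iwf.handle_query("amf-unknown", "imsi-001", soon)["status"],
        "outside_validity": iwf.handle_query("amf-private-1", "imsi-001", late)["status"],
        "recorded_nf": iwf.sudm.serving_nf["imsi-001"],
    }


if __name__ == "__main__":
    print(demo())
```

The gate in `handle_query` is deliberately an AND of the three conditions, so a forged query reaching the IWF from an NF outside the whitelist is refused even when the S-UDM holds data for the terminal; how the recorded serving NF ID is consulted on the NF's next access is left open by the text, so this example only stores it.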
Referring to fig. 7, in order to implement the above-mentioned authentication method, an authentication apparatus 700 is provided in one embodiment of the present disclosure. Fig. 7 shows a schematic architecture diagram of an authentication device 700, comprising a first transceiver module 710, a parsing module 720 and a second transceiver module 730, wherein:
the first transceiver module 710 is configured to receive authentication request information sent by the AMF, and send the authentication request information to the AUSF, so that the AUSF obtains authentication data from the A-UDM based on the authentication request information;
the parsing module 720 is configured to parse the content of the authentication data to obtain an authentication result;
the second transceiver module 730 is configured to send the authentication result to the AMF, so that the AMF performs authority authentication on the first user terminal corresponding to the authentication request information.
In an optional embodiment, the second transceiver module 730 is specifically configured to, if the authentication result is that the authentication fails, generate first indication information of the authentication failure, and send the first indication information to the AMF to indicate the AMF to reject the access of the first user terminal corresponding to the authentication request information; if the authentication result is that the authentication is successful, generating second indication information of the authentication success, and sending the second indication information to the AMF to indicate the AMF to accept the first user terminal access corresponding to the authentication request information.
In an alternative embodiment, if the authentication result is that the authentication is successful, the second transceiver module 730 is further configured to send the authentication result to the S-UDM to instruct the S-UDM to update the permission status of the first user terminal corresponding to the authentication request information.
In an optional embodiment, the second transceiver module 730 is further configured to receive a query request for subscription data of the second user terminal sent by the target network element, and send the query request to the S-UDM to instruct the S-UDM to query the subscription data of the second user terminal; and receiving subscription feedback information sent by the S-UDM, and determining the validity of the query request according to the subscription feedback information.
In an optional embodiment, the second transceiver module 730 is specifically configured to send the subscription data to the target network element if the subscription feedback information includes subscription data of the second user terminal and the target network element corresponding to the query request is in a preset private network function entity list; if the subscription feedback information does not contain subscription data or the target network element corresponding to the query request is not in the preset private network function entity list, generating rejection information aiming at the query request and sending the rejection information to the target network element.
In an optional embodiment, the second transceiver module 730 is specifically configured to send the subscription data to the target network element if the subscription feedback information includes subscription data of the second user terminal, the target network element corresponding to the query request is in a preset private network function entity list, and the current request time is within a preset validity period of the target network element authority; if the subscription feedback information does not contain subscription data, or the target network element corresponding to the query request is not in a preset private network function entity list, or the current request time is not in the preset validity period of the target network element authority, generating refusing information aiming at the query request, and sending the refusing information to the target network element.
In an alternative embodiment, the target network element is at least one of AMF and SMF.
Exemplary embodiments of the present disclosure also provide a computer readable storage medium, which may be implemented in the form of a program product comprising program code for causing an electronic device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the above section of the "exemplary method" when the program product is run on the electronic device. In one embodiment, the program product may be implemented as a portable compact disc read only memory (CD-ROM) and includes program code and may be run on an electronic device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider). In the embodiments of the present disclosure, any of the steps in the authentication method as above may be implemented when the program code stored in the computer-readable storage medium is executed.
Referring to fig. 8, the exemplary embodiment of the present disclosure further provides an electronic device 800, which may be a background server of the information platform. The electronic device 800 is described below with reference to fig. 8. It should be understood that the electronic device 800 shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 8, the electronic device 800 is embodied in the form of a general purpose computing device. Components of electronic device 800 may include, but are not limited to: at least one processing unit 810, at least one memory unit 820, a bus 830 that connects the different system components, including the memory unit 820 and the processing unit 810.
Wherein the storage unit stores program code that is executable by the processing unit 810 such that the processing unit 810 performs steps according to various exemplary embodiments of the present invention described in the above section of the "exemplary method" of the present specification. For example, the processing unit 810 may perform the method steps shown in fig. 2, etc.
The storage unit 820 may include volatile storage such as Random Access Memory (RAM) 821 and/or cache memory 822, and may further include read-only memory (ROM) 823.
The storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, such program modules 825 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 830 may include a data bus, an address bus, and a control bus.
The electronic device 800 may also communicate with one or more external devices 2000 (e.g., keyboard, pointing device, Bluetooth device, etc.) via an input/output (I/O) interface 840. Electronic device 800 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet through network adapter 850. As shown, network adapter 850 communicates with other modules of electronic device 800 via bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 800, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In the embodiments of the present disclosure, any step in the above authentication method may be implemented when the program code stored in the electronic device is executed.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with exemplary embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, various aspects of the disclosure may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system." Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (9)

1. An authentication method, comprising:
the signaling interworking gateway receives authentication request information sent by an access and mobility management function entity configured in a private network and sends the authentication request information to an authentication server function entity configured in a large network, so that the authentication server function entity can acquire authentication data from an authentication data management entity in the large network based on the authentication request information;
the signaling interworking gateway parses the content of the authentication data to obtain an authentication result;
the signaling interworking gateway sends the authentication result to the access and mobility management function entity so that the access and mobility management function entity can carry out authority authentication on the first user terminal corresponding to the authentication request information;
if the authentication result is successful, the signaling interworking gateway sends the authentication result to a subscription data management entity configured in the private network, and carries network element information of the private network in the authentication result, so as to instruct the subscription data management entity to update the authority state of the first user terminal corresponding to the authentication request information and to record the network element ID of the private network where the first user terminal is located.
2. The authentication method according to claim 1, wherein the sending the authentication result to the access and mobility management function entity for the access and mobility management function entity to perform authority authentication on the first user terminal corresponding to the authentication request information includes:
if the authentication result is authentication failure, generating first indication information of authentication failure, and sending the first indication information to the access and mobility management function entity to indicate that the access and mobility management function entity is to reject access by the first user terminal corresponding to the authentication request information;
if the authentication result is that the authentication is successful, generating second indication information of the authentication success, and sending the second indication information to the access and mobility management function entity to indicate that the access and mobility management function entity is to accept access by the first user terminal corresponding to the authentication request information.
3. The authentication method of claim 1, wherein the method further comprises:
receiving a query request for second user terminal subscription data sent by a target network element, and sending the query request to the subscription data management entity to instruct the subscription data management entity to query the subscription data of the second user terminal;
and receiving the subscription feedback information sent by the subscription data management entity, and determining the validity of the query request according to the subscription feedback information.
4. The authentication method according to claim 3, wherein the determining the validity of the query request according to the subscription feedback information includes:
if the subscription feedback information comprises subscription data of the second user terminal and the target network element corresponding to the query request is in a preset private network function entity list, the subscription data is sent to the target network element;
if the subscription feedback information does not contain the subscription data or the target network element corresponding to the query request is not in a preset private network function entity list, generating rejection information aiming at the query request and sending the rejection information to the target network element.
5. The authentication method according to claim 3, wherein the determining the validity of the query request according to the subscription feedback information includes:
if the subscription feedback information comprises subscription data of the second user terminal, the target network element corresponding to the query request is in a preset private network function entity list, and the current request time is within a preset validity period of the target network element authority, the subscription data is sent to the target network element;
and if the subscription feedback information does not contain the subscription data, or the target network element corresponding to the query request is not in a preset private network function entity list, or the current request time is not in the preset validity period of the target network element authority, generating rejection information aiming at the query request, and sending the rejection information to the target network element.
6. An authentication method according to claim 3, characterized in that the target network element is at least one of the access and mobility management function entity and the session management function entity.
7. An authentication device, the device comprising:
the first transceiver module is used for receiving, through a signaling interworking gateway, authentication request information sent by an access and mobility management function entity configured in a private network, and for sending the authentication request information to an authentication server function entity configured in a large network, so that the authentication server function entity can acquire authentication data from an authentication data management entity in the large network based on the authentication request information;
the parsing module is used for parsing the content of the authentication data through the signaling interworking gateway to obtain an authentication result;
the second transceiver module is used for sending the authentication result to the access and mobility management function entity through the signaling interworking gateway, so that the access and mobility management function entity can carry out authority authentication on the first user terminal corresponding to the authentication request information;
if the authentication result is that the authentication is successful, the second transceiver module is further configured to send the authentication result to a subscription data management entity configured in the private network through the signaling interworking gateway, and carry network element information of the private network in the authentication result, so as to instruct the subscription data management entity to update the authority state of the first user terminal corresponding to the authentication request information, and record a network element ID of the private network where the first user terminal is located.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any one of claims 1 to 6.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any one of claims 1 to 6 via execution of the executable instructions.
CN202210646161.2A 2022-06-08 2022-06-08 Authentication method and device, storage medium and electronic equipment Active CN114900833B (en)

Publications (2)

Publication Number Publication Date
CN114900833A CN114900833A (en) 2022-08-12
CN114900833B true CN114900833B (en) 2023-10-03

KR100455040B1 (en) Method For Identifying Home RADIUS Server
US20210234928A1 (en) Setup of communication session
CN117676490A (en) Communication method, device, related equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant