CN115996378A - Authentication method and device - Google Patents


Info

Publication number: CN115996378A
Authority: CN (China)
Prior art keywords: authentication; application; information; network element; application information
Legal status: Pending
Application number: CN202111223393.9A
Other languages: Chinese (zh)
Inventors: 孙海洋, 朱方园, 李岩
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111223393.9A
Priority to PCT/CN2022/125734 (WO2023066210A1)
Publication of CN115996378A

Classifications

    • H04W 12/06 Authentication (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/30 Security of mobile devices; Security of mobile applications (same hierarchy, under H04W 12/00)

Abstract

The application provides an authentication method and device that address the problem that APP information is easily stolen or tampered with, thereby improving network security and operation efficiency, and can be applied to communication systems such as the Internet of Vehicles, V2X, 5G and 6G. The method comprises the following steps: the first network element receives application information from the terminal device, forwards the application information to the authentication device, and then receives an authentication result from the authentication device, thereby completing secondary authentication based on the application information. The authentication result is determined according to the application information and is used for generating a detection rule, and the detection rule is used for performing a forwarding or discarding operation on the data of the application corresponding to the application information.

Description

Authentication method and device
Technical Field
The present disclosure relates to the field of communications, and in particular, to an authentication method and apparatus.
Background
When multiple applications (APP) associated with one network slice are running, a new packet data unit (PDU) session may be established, or an existing PDU session may be selected, to associate with the network slice based on user equipment route selection policy (URSP) rules. For example, assume APP1 and APP2 are both allowed to use network slice 1. Once APP1 has been authenticated through network slice-specific authentication and authorization (NSSAA) and associated with network slice 1 through a newly established PDU session 1, no further authentication operation is performed on APP2.
In this case, the various information of the APP is easily stolen or tampered with, resulting in misuse of network slice resources or data network resources, poor network security, and low operation efficiency.
Disclosure of Invention
The embodiments of the application provide an authentication method and device that address the problem that APP information is easily stolen or tampered with, thereby improving network security and operation efficiency.
To achieve this purpose, the present application adopts the following technical scheme.
In a first aspect, an authentication method is provided, applied to a first network element. The method comprises: receiving application information from the terminal device, sending the application information to the authentication device, and then receiving an authentication result from the authentication device. The authentication result is determined according to the application information and is used for generating a detection rule, where the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
Based on the authentication method described in the first to third aspects, the authentication device can perform the authentication operation on the applications corresponding to the application information one by one. The first network element can therefore customise a detection rule for each application based on the authentication result, and instruct each network node on the data transmission path to forward or discard the data of each application according to that rule, for example forwarding the data of an application whose authentication succeeded and discarding the data of an application whose authentication failed. This ensures that network resources are not abused even if application information is stolen or tampered with, thereby improving network security and operation efficiency.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information. The application identification information may include one or more of the following: an application identifier, an Internet Protocol (IP) 5-tuple, an application name, and so on. It can be used to perform authentication operations on applications and to customise detection rules for applications one by one based on the authentication result, so that differentiated data transmission services are applied to the data of different applications, such as forwarding the data of authenticated applications and discarding the data of applications that fail authentication, thereby improving network security and operation efficiency.
Optionally, the application information further comprises application authentication information, which may include one or more of the following: a user name, a password, certificate information, and so on. It can be used together with the application identification information by the authentication device to perform the authentication operation on the application, which improves the reliability of the authentication result and further improves network security and operation efficiency.
In this application, the authentication result may be indicated implicitly or explicitly, as the following examples show.
Illustratively, the authentication result further includes authentication indication information, indicating whether the authentication operation of the application corresponding to the application information succeeded.
Alternatively, the authentication result does not include authentication indication information but includes application identification information. In that case the application identification information in the authentication result is understood in one of the following ways: all applications corresponding to the application identification information are taken to pass authentication by default, all such applications are taken to fail authentication by default, or one part of the applications corresponding to the application identification information is taken to pass and another part to fail. The two parts of the application identification information are carried in different positions in the authentication result, such as different fields or information elements (IE), and are thereby distinguished.
In one possible design, the first network element may be an access and mobility management network element. Accordingly, the method of the first aspect may further include: the access and mobility management network element sends an authentication result to the session management network element so that the session management network element can determine the detection rule by itself, or can request the policy control network element to determine the detection rule, thereby realizing the provision of differentiated data transmission services for applications corresponding to different application information.
In another possible design, the first network element may be a session management network element. Accordingly, the method of the first aspect may further include: and the session management network element determines a detection rule according to the authentication result and sends the detection rule to the user plane network element.
Similarly, the session management network element may determine the detection rule by itself, or may request the policy control network element to determine the detection rule, so as to implement providing differentiated data transmission services for applications corresponding to different application information.
Optionally, the session management network element determines a detection rule according to the authentication result, which specifically includes: the session management network element sends the authentication result to the policy control network element and receives the detection rule from the policy control network element, thereby realizing the provision of differentiated data transmission services for the applications corresponding to different application information.
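The following is an added illustration, not code from the patent, of how the first network element could turn an authentication result in either of the two forms described above (explicit per-application indication, or implicit pass/fail lists in separate fields) into per-application detection rules and apply them as forward/discard decisions on the user plane. All class and field names, and the sample applications, are assumptions made for the example.

```python
"""Added example: authentication result -> per-application detection rules.
Not the patent's own code; names, field layout and samples are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Application identification information as the text lists it: an application
# identifier, an IP 5-tuple, an application name. The 5-tuple is the key used
# here to match data packets; the other identifiers travel alongside it.
FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass
class AppInfo:
    app_id: str
    five_tuple: FiveTuple
    app_name: str = ""
    # Optional application authentication information (user name, password, cert).
    credentials: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthResult:
    """Authentication result in the two forms the text describes.

    explicit : list of (app_id, indication) pairs, i.e. with authentication
               indication information per application.
    passed/failed : implicit form, two separate fields (IEs) listing the
               identifiers of applications taken to pass and to fail.
    """
    explicit: Optional[List[Tuple[str, bool]]] = None
    passed: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)


def parse_auth_result(result: AuthResult) -> Dict[str, bool]:
    """Normalise both forms to {app_id: authenticated}."""
    if result.explicit is not None:
        return {app_id: ok for app_id, ok in result.explicit}
    verdict = {app_id: True for app_id in result.passed}
    for app_id in result.failed:
        verdict[app_id] = False  # a failed listing overrides a passed listing
    return verdict


@dataclass
class DetectionRule:
    five_tuple: FiveTuple
    action: str  # "forward" or "discard"
    app_id: str


def build_detection_rules(apps: List[AppInfo], verdict: Dict[str, bool]) -> List[DetectionRule]:
    """One rule per application. An application absent from the result gets a
    discard rule (assumption: fail closed rather than forward unauthenticated data)."""
    return [
        DetectionRule(app.five_tuple, "forward" if verdict.get(app.app_id, False) else "discard", app.app_id)
        for app in apps
    ]


def apply_rules(rules: List[DetectionRule], packet: FiveTuple) -> str:
    """User-plane decision: first rule matching the packet's 5-tuple wins,
    and a packet matching no rule is discarded."""
    for rule in rules:
        if rule.five_tuple == packet:
            return rule.action
    return "discard"


# Constructed sample: two applications on one PDU session, only one authenticated.
APPS = [
    AppInfo("app1", ("10.0.0.2", 40000, "203.0.113.10", 443, "tcp"), "video"),
    AppInfo("app2", ("10.0.0.2", 40001, "203.0.113.20", 443, "tcp"), "game",
            credentials={"user": "demo"}),
]


def demo(result: AuthResult) -> Dict[str, str]:
    """Return the forward/discard decision for each sample application's traffic."""
    rules = build_detection_rules(APPS, parse_auth_result(result))
    return {app.app_id: apply_rules(rules, app.five_tuple) for app in APPS}


if __name__ == "__main__":
    print(demo(AuthResult(explicit=[("app1", True), ("app2", False)])))
    print(demo(AuthResult(passed=["app1"], failed=["app2"])))
```

Because the rule is keyed on the identification information that was actually authenticated, traffic that reuses an authenticated application's identifier but carries a different 5-tuple matches no forward rule and is dropped.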
In a second aspect, an authentication method is provided, applied to an authentication device. The method comprises: acquiring application information, where the application information is used to determine an authentication result; and sending the authentication result to the first network element. The authentication result is used to determine a detection rule, and the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In one possible design, the method for obtaining the application information specifically includes: application information is received from a first network element.
In a third aspect, an authentication method is provided, applied to a terminal device. The method comprises: sending application information to the first network element. The application information is used to determine an authentication result, the authentication result is used to generate a detection rule, and the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In a possible design, the method of the third aspect further includes: receiving an authentication result from the first network element.
In addition, for the technical effects of the authentication methods described in the second and third aspects, refer to the technical effects of the authentication method described in the first aspect; they are not repeated here.
In a fourth aspect, an authentication apparatus is provided, applicable to a first network element. The apparatus comprises a receiving module and a sending module. The receiving module is used to receive application information from the terminal device. The sending module is used to send the application information to the authentication device. The receiving module is further used to receive the authentication result from the authentication device. The authentication result is determined according to the application information and is used to generate a detection rule, where the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In one possible design, the first network element may be an access and mobility management network element. Correspondingly, the sending module is further used to send the authentication result to the session management network element.
In another possible design, the first network element may be a session management network element. Correspondingly, the apparatus of the fourth aspect further comprises a processing module, used to determine a detection rule according to the authentication result, and the sending module is further used to send the detection rule to the user plane network element.
Optionally, the sending module is further configured to send the authentication result to the policy control network element, and the receiving module is further used to receive the detection rule from the policy control network element.
Alternatively, the receiving module and the sending module may be integrated into one module, such as a transceiver module, which implements the transceiver function of the apparatus of the fourth aspect.
Optionally, the authentication apparatus of the fourth aspect may further include a storage module storing a computer program or instructions which, when executed by the processing module, enable the authentication apparatus to perform the authentication method of the first aspect.
Optionally, the authentication apparatus of the fourth aspect may be a first network element, such as an access and mobility management network element or a session management network element; or a chip (system) or other part or component that may be disposed in the first network element; or a device or system including the first network element. This is not limited in this application.
In a fifth aspect, an authentication apparatus is provided, applied to an authentication device. The apparatus comprises an acquisition module and a sending module. The acquisition module is used to acquire application information, which is used to determine an authentication result. The sending module is used to send the authentication result to the first network element. The authentication result is used to determine a detection rule, and the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In a possible design, the apparatus of the fifth aspect further includes a receiving module, configured to receive application information from the first network element.
Alternatively, the acquisition module may have a receiving function, and this receiving function and the sending module may be integrated into one module, such as a transceiver module, which implements the transceiver function of the apparatus of the fifth aspect.
Alternatively, the acquisition module may also have a processing function, such as accessing a local storage space, which may be integrated into one module, such as a processing module, together with the other processing functions of the apparatus of the fifth aspect. The processing module implements the processing function of the apparatus.
Optionally, the authentication apparatus of the fifth aspect may further include a storage module storing a computer program or instructions which, when executed by the processing module, enable the authentication apparatus to perform the authentication method of the second aspect.
Alternatively, the authentication apparatus of the fifth aspect may be an authentication device; or a chip (system) or other part or component that may be disposed in the authentication device; or an apparatus or system including the authentication device. This is not limited in this application.
In a sixth aspect, an authentication apparatus is provided, applicable to a terminal device. The apparatus comprises a sending module, used to send application information to the first network element. The application information is used to determine an authentication result, the authentication result is used to generate a detection rule, and the detection rule is used to perform a forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In a possible design, the apparatus of the sixth aspect further includes a receiving module, used to receive the authentication result from the first network element.
Alternatively, the receiving module and the sending module may be integrated into one module, such as a transceiver module, which implements the transceiver function of the apparatus of the sixth aspect.
Optionally, the apparatus of the sixth aspect may further include a processing module. The processing module is used for realizing the processing function of the device.
Optionally, the authentication device according to the sixth aspect may further include a storage module, where the storage module stores a computer program or instructions. The computer program or instructions, when executed by the processing module, enable the authentication apparatus to perform the authentication method according to the third aspect.
Alternatively, the authentication device according to the sixth aspect may be a terminal device, or may be a chip (system) or other parts or components that may be disposed in the terminal device, or may be a device or system including the terminal device, which is not limited in this application.
In a seventh aspect, an authentication apparatus is provided. The authentication apparatus is configured to perform the authentication method according to any one of the first to third aspects.
The authentication apparatus of the seventh aspect includes a module, unit, or means corresponding to the authentication method of any one of the first to third aspects, where the module, unit, or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software comprises one or more modules or units for performing the functions involved in the authentication method described above.
In an eighth aspect, an authentication apparatus is provided. The authentication apparatus comprises a processor configured to perform the authentication method according to any one of the first to third aspects.
In one possible embodiment, the authentication apparatus according to the eighth aspect may further comprise a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be used by the authentication apparatus of the eighth aspect to communicate with other devices.
In one possible embodiment, the authentication device according to the eighth aspect may further comprise a memory. The memory may be integral with the processor or may be separate. The memory may be used for storing computer programs and/or data related to the authentication method according to any of the first to third aspects.
In a ninth aspect, an authentication apparatus is provided. The authentication device comprises: a processor coupled to the memory, the processor being configured to execute a computer program stored in the memory to cause the authentication apparatus to perform the authentication method according to any one of the first to third aspects.
In one possible configuration, the authentication device according to the ninth aspect may further comprise a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be for use in the authentication device of the ninth aspect to communicate with other devices.
In one possible embodiment, the authentication device according to the ninth aspect may further comprise a memory. The memory may be integral with the processor or may be separate. The memory may be used for storing computer programs and/or data related to the authentication method according to any of the first to third aspects.
In a tenth aspect, there is provided an authentication apparatus comprising: a processor and a memory; the memory is for storing a computer program which, when executed by the processor, causes the authentication apparatus to perform the authentication method according to any one of the first to third aspects.
In the alternative, the memory may be integral to the processor or may be separate. The memory may be used for storing computer programs and/or data related to the authentication method according to any of the first to third aspects.
In one possible embodiment, the authentication apparatus according to the tenth aspect may further comprise a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be used by the authentication apparatus of the tenth aspect to communicate with other devices.
In an eleventh aspect, there is provided an authentication apparatus comprising: a processor; the processor is configured to be coupled to the memory and to perform the authentication method according to any of the first to third aspects according to the computer program after reading the computer program in the memory.
In the alternative, the memory may be integral to the processor or may be separate. The memory may be used for storing computer programs and/or data related to the authentication method according to any of the first to third aspects.
In one possible configuration, the authentication device according to the eleventh aspect may further comprise a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be for use in the authentication device of the eleventh aspect to communicate with other devices.
Optionally, the authentication apparatus in the seventh aspect to the eleventh aspect may be the first network element or the authentication device or the terminal device, or may be a chip (system) or other components or assemblies that may be disposed in the first network element or the authentication device or the terminal device, or may be an apparatus or a system that includes the first network element or the authentication device or the terminal device, which is not limited in this application.
The technical effects of the authentication apparatus according to the fourth aspect to the eleventh aspect may refer to the technical effects of the authentication method according to the first aspect, and are not described herein.
In a twelfth aspect, a communication system is provided. The communication system comprises a first network element, an authentication device and a terminal device.
In a thirteenth aspect, there is provided a computer readable storage medium storing a computer program or instructions; the computer program or instructions, when run on a computer, cause the computer to perform the authentication method of any one of the first to third aspects.
In a fourteenth aspect, there is provided a computer program product comprising a computer program or instructions which, when run on a computer, cause the computer to perform the authentication method of any of the first to third aspects.
Drawings
Fig. 1 is an example of prior art PDU session selection;
Fig. 2 is a first schematic diagram of a conventional network slice-based secondary authentication flow;
Fig. 3 is a second schematic diagram of a conventional network slice-based authentication procedure;
Fig. 4 is a flow diagram of conventional PDU session-based secondary authentication;
Fig. 5 is a schematic diagram of a communication system according to an embodiment of the present application;
Fig. 6 is a first schematic diagram of a 5G system;
Fig. 7 is a second schematic diagram of the architecture of the 5G system;
Fig. 8 is a third schematic diagram of the architecture of the 5G system;
Fig. 9 is a fourth schematic diagram of the architecture of the 5G system;
Fig. 10 is a fifth schematic diagram of the 5G system;
Fig. 11 is a sixth schematic diagram of the 5G system;
Fig. 12 is a first flowchart of an authentication method according to an embodiment of the present application;
Fig. 13 is a second flowchart of an authentication method according to an embodiment of the present application;
Fig. 14 is a flowchart of an authentication method according to an embodiment of the present application;
Fig. 15 is a flowchart of an authentication method according to an embodiment of the present application;
Fig. 16 is a fifth flowchart of an authentication method according to an embodiment of the present application;
Fig. 17 is a first schematic structural diagram of an authentication apparatus according to an embodiment of the present application;
Fig. 18 is a second schematic structural diagram of an authentication apparatus according to an embodiment of the present application;
Fig. 19 is a third schematic structural diagram of an authentication apparatus according to an embodiment of the present application;
Fig. 20 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
Detailed Description
Technical terms related to the embodiments of the present application will be first described.
1. URSP
In the fifth generation (5G) of mobile communications, user equipment (UE) policy information such as the UE route selection policy (URSP) is introduced, and the UE acts as the executor of the policy to select an appropriate PDU session for a traffic flow. In other words, certain services have particular requirements on the data network (DN), network slice, session and service continuity (SSC) mode and so on of the PDU session they use; the UE uses these requirements to determine whether a detected application (APP) can be associated with an established PDU session, can be offloaded to non-3GPP access outside a PDU session, or should trigger an operation such as establishment of a new PDU session.
The URSP is typically delivered to the UE along the path PCF -> AMF -> UE, where the PCF is the policy control function network element and the AMF is the access and mobility management function network element.
Specifically, the PCF may generate the URSP rules according to subscription information (whether a slice/DNN requires secondary authentication, whether an application requires slice/DNN secondary authentication, etc.) or according to information reported by the AMF or SMF (whether a slice/DNN requires secondary authentication, whether an application requires slice/DNN secondary authentication, etc.), and deliver them to the AMF.
Execution of the URSP is performed by the UE and may trigger establishment or modification of a PDU session. For example, when no PDU session meets the requirements, the UE initiates a PDU session establishment procedure; when a session that satisfies them already exists, that PDU session can be used directly.
A URSP includes one or more URSP rules. A URSP rule mainly includes two parts: a traffic descriptor and a route selection descriptor. The traffic descriptor includes the names or identifiers of a number of APPs; the route selection descriptor includes the network slice selection information corresponding to each APP, as well as general network slice selection information, i.e. network slice selection information that can be used by APPs not included in the traffic descriptor. The URSP is shown in Table 1, the URSP rule in Table 2, and the route selection descriptor in Table 3.
TABLE 1 (URSP; the table is an image in the original and is not reproduced here)
TABLE 2 (URSP rule; the table is an image in the original and is not reproduced here)
TABLE 3 (route selection descriptor; the table is an image in the original and is not reproduced here)
When a new APP is detected, the UE determines the route selection descriptor (RSD) corresponding to the APP according to the URSP, and determines whether there is a PDU session among the established PDU sessions that satisfies the route selection descriptor. If yes, the UE associates the detected new APP with a PDU session meeting the route selection descriptor, and transmits the data of the new APP through that PDU session. If not, the UE establishes a PDU session satisfying the route selection descriptor.
For example, fig. 1 shows an example of existing PDU session selection. As shown in fig. 1, the UE establishes PDU session 1 for application B and selects an existing PDU session for applications A, C, D, E and F, for example PDU session 2 for application A.
2. Secondary authentication
The 5G communication system includes an operator network. When a UE accesses an operator network, authentication (also called operator network authentication, first-level authentication, or primary authentication) needs to be performed on the UE to determine whether the UE has the right to access the operator network, for example, whether the UE is a subscriber of the operator network, or whether a roaming service agreement has been signed between the operator to which the UE subscribes and the owner (another operator) of the operator network the UE wants to access.
Optionally, the 5G communication system may also comprise a provider network, i.e. the application content may be provided by a third-party application provider. Similarly, when a UE accesses a provider network through an operator network, the provider network needs to authenticate the UE (provider network authentication, second-level authentication, secondary authentication) in addition to the above primary authentication, to determine whether the UE has the right to access the provider network, for example whether the UE is a subscriber of the provider network.
It should be noted that the secondary authentication may be performed by the operator network, in the form of the network slice authentication described below that the provider delegates to the operator, or by the provider network, in the form of the PDU session authentication described below that is performed by an authentication server deployed by the provider in the data network (DN), such as the AAA-S in the DN.
3. Network slice authentication
Network slicing virtualizes a plurality of end-to-end networks on top of one set of general hardware through slicing technology, where each network has different network functions so as to adapt to different types of service requirements. In other words, a network slice may be understood as a logical network based on a portion of the resources of a physical network, implementing one or more specific functions. For example, after an operator deploys physical resources, an enhanced mobile broadband (eMBB) slice can be virtually formed from the physical resources for high-bandwidth services, a massive machine type communication (mMTC) slice can be virtually formed from the physical resources for the intelligent meter reading requirements of certain manufacturers in the vertical industry, and an ultra-reliable low-latency communication (uRLLC) slice can be virtually formed from the physical resources for intelligent driving, unmanned driving and similar requirements. The three network slices respectively provide different types of services for different service scenarios.
A network slice may be identified by single network slice selection assistance information (S-NSSAI). Depending on the operator's operational or deployment needs, one S-NSSAI may be associated with one or more network slice instances, and one network slice instance may be associated with one or more S-NSSAIs.
An S-NSSAI includes two parts: a slice/service type (SST) and a slice differentiator (SD). The SST refers to the expected network slice behavior in terms of characteristics and services. The standard value range of the SST is 1, 2, 3, with value 1 representing eMBB, 2 representing uRLLC, and 3 representing massive internet of things (MIoT). The SD is optional information used to supplement the SST to distinguish multiple network slices of the same slice/service type.
The SST and SD parts together represent a slice type and multiple slices of the same slice type. For example, S-NSSAI values of 0x01000000, 0x02000000, and 0x03000000 represent an eMBB type slice, a uRLLC type slice, and a MIoT type slice, respectively, and S-NSSAI values of 0x01000001 and 0x01000002 represent eMBB type slices serving user group 1 and user group 2, respectively.
The network slice selection assistance information (NSSAI) is a set of S-NSSAIs. The NSSAI used in 5G networks includes the requested NSSAI, the allowed NSSAI, and the configured NSSAI, whose specific definitions are shown in table 4.
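As an added example (not code from the patent), a small codec for the 32-bit S-NSSAI layout described above: one SST byte followed by a three-byte SD, with SD 0 taken, as in the text, to mean "slice type only".

```python
# Added example (not from the patent): encode/decode the 32-bit S-NSSAI value
# layout the text describes, one SST byte followed by a three-byte SD.
from dataclasses import dataclass

# Standard SST values listed in the text; any other value is operator-specific.
SST_NAMES = {1: "eMBB", 2: "uRLLC", 3: "MIoT"}


@dataclass(frozen=True)
class SNssai:
    sst: int
    sd: int = 0  # 0 follows the text's convention of "slice type only"

    def __post_init__(self) -> None:
        if not 0 <= self.sst <= 0xFF:
            raise ValueError("SST must be one byte")
        if not 0 <= self.sd <= 0xFFFFFF:
            raise ValueError("SD must be three bytes")

    @classmethod
    def from_int(cls, value: int) -> "SNssai":
        """Split a value such as 0x01000002 into SST=1 and SD=0x000002."""
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("S-NSSAI must fit in 32 bits")
        return cls(sst=value >> 24, sd=value & 0xFFFFFF)

    def to_int(self) -> int:
        """Inverse of from_int."""
        return (self.sst << 24) | self.sd

    def same_type(self, other: "SNssai") -> bool:
        """Slices of the same SST differ only in SD (user group 1 vs 2 in the text)."""
        return self.sst == other.sst

    def describe(self) -> str:
        name = SST_NAMES.get(self.sst, f"SST {self.sst} (non-standard)")
        if self.sd == 0:
            return f"{name} type slice"
        return f"{name} type slice, SD 0x{self.sd:06X}"
```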
TABLE 4
[table image not reproduced]
The network slice selection policy (NSSP) is sent by the PCF to the UE via the AMF as part of the UE route selection policy (URSP) rules; the UE uses it to associate an APP ID with an S-NSSAI. For a specific implementation of network slice selection, reference may be made to existing schemes, such as performing network slice selection in the attach procedure.
Although the demands of the public internet service and of various vertical industries on network functions are diverse, these demands can be resolved into demands on network capabilities such as bandwidth, number of connections, latency and reliability. The 5G standard summarizes the requirements of different services on network functions into three typical scenarios, whose corresponding network slice types are the eMBB slice, the mMTC slice and the ultra-reliable low-latency communication (uRLLC) slice respectively.
eMBB scenario: based on breakthroughs in spectrum utilization and spectrum bandwidth technology on the radio side, 5G can provide transmission rates more than 10 times those of 4G. For currently popular AR/VR and high-definition live video, only the ultra-high rate of 5G can meet the requirement; the 4G transmission rate cannot support it. For example, when VR is used to watch high-definition video or play a large interactive game, a wired connection currently has to be used to obtain the data; in the future the connection will be wireless over a 5G network, giving VR/AR a smooth experience.
mMTC scenario: through techniques such as multi-user shared access and ultra-dense heterogeneous networks, 5G can support one million devices accessing per square kilometre, 10 times the number supported by 4G. With the recent rapid development of smart cities, public facilities such as street lamps, manhole covers and water meters already have network connectivity and can be managed remotely, but 5G enables further innovation. Based on the strong connection capability of the 5G network, public facilities in all sectors of a city can be connected to an intelligent management platform. The public facilities work cooperatively through the 5G network and can be managed uniformly by a small number of maintenance personnel, greatly improving the operational efficiency of the city.
uRLLC scenario: the most typical 5G application is autonomous driving. The most common situations in autonomous driving, such as emergency braking, vehicle-to-vehicle, vehicle-to-person and vehicle-to-infrastructure communication, happen simultaneously and require a great deal of data processing and decision making within an instant. Networks with large bandwidth, low latency and high reliability are therefore needed, and 5G networks are capable of handling such scenarios.
In practical applications, application providers, such as various vertical industries, may purchase network slicing services from an operator to provide network services to users through the operator network. Accordingly, the application provider may delegate network slice authentication of the user to the operator. In other words, if the user passes network slice authentication, it can be understood that the user has the right to use the network service provided by the application provider.
Specifically, when the UE registers in the network, in addition to performing the primary authentication procedure of the UE permanent identity, the network may also determine, according to the NSSAI requested by the UE and the subscription data of the UE, whether to perform the network slice-specific authentication and authorization (NSSAA) procedure, which may also be referred to simply as the secondary authentication procedure of the network slice. The steps of the procedure are shown in fig. 2 and fig. 3 below.
Fig. 2 is a schematic diagram illustrating a conventional network slice-based authentication procedure for secondary authentication. As shown in fig. 2, the secondary authentication flow includes the following steps:
S201, the UE sends a registration request message to the AMF.
Wherein the registration request message carries the requested NSSAI. In other words, the UE may request, in the registration procedure it initiates, that the network perform network slice authentication for a particular NSSAI.
S202, the AMF executes an authentication flow.
Wherein the authentication server function (AUSF) is used for primary authentication of the UE permanent identity.
After successful primary authentication of the UE permanent identity, the AMF obtains the subscription data of the UE from the UDM. The subscription data includes indication information on whether each S-NSSAI subscribed to by the UE needs to perform secondary authentication.
For example, the S-NSSAI subscribed to by the UE is shown in Table 5.
TABLE 5
[table image not reproduced]
S203, the AMF determines the S-NSSAIs that need to perform secondary authentication.
Specifically, the AMF determines, according to the subscription data of the UE, whether the requested NSSAI includes an S-NSSAI requiring secondary authentication. If yes, the AMF decides that the UE needs to execute a secondary authentication procedure after the registration procedure.
Example 1: if the requested NSSAI carried by the UE includes S-NSSAI-1 and S-NSSAI-2 shown in table 5, S-NSSAI-1 needs to perform the secondary authentication procedure and S-NSSAI-2 does not.
S204, the AMF sends a registration acceptance message to the UE.
Wherein the registration accept message carries the allowed NSSAI and/or the rejected NSSAI together with its reject cause value. The allowed NSSAI only includes S-NSSAIs that do not require secondary authentication, and the reject cause value of the rejected NSSAI is typically the pending state, meaning that secondary authentication still needs to be performed.
With continued reference to example 1 above, the allowed NSSAI includes S-NSSAI-2, the rejected NSSAI includes S-NSSAI-1, and the reject cause value marks S-NSSAI-1 as pending, so secondary authentication of S-NSSAI-1 is required, i.e. S205 described below is performed.
S205, the AMF executes a secondary authentication procedure for the S-NSSAI in the pending state.
With continued reference to example 1 above, the AMF may initiate a secondary authentication procedure for S-NSSAI-1; for the specific steps refer to the procedure shown in fig. 3, which is not repeated here.
After the secondary authentication shown in fig. 3 is completed, the AMF may perform S206 described below based on the authentication result.
S206, the AMF updates the authorized NSSAI according to the secondary authentication result.
Specifically, if authentication is successful, the AMF adds the S-NSSAI to the allowed NSSAI; if authentication fails, the AMF does not need to update the allowed NSSAI.
With continued reference to example 1 above, if the secondary authentication of S-NSSAI-1 is successful, the AMF sends an indication to the UE to update the allowed NSSAI to S-NSSAI-1 and S-NSSAI-2; if the authentication fails, the AMF does not send an indication to the UE to update the allowed NSSAI.
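As an added example (not code from the patent), the AMF-side bookkeeping of fig. 2, steps S203 to S206 and S319 to S320, run over example 1's S-NSSAI-1 and S-NSSAI-2. The subscription table and the reject cause labels other than "pending" are constructed for the example.

```python
# Added example (not from the patent): AMF-side NSSAA state handling for fig. 2.
from dataclasses import dataclass, field

# Constructed subscription data standing in for table 5:
# S-NSSAI -> whether secondary authentication (NSSAA) is required.
SUBSCRIPTION = {"S-NSSAI-1": True, "S-NSSAI-2": False}
PENDING = "pending"                 # reject cause while NSSAA is outstanding (from the text)
NOT_SUBSCRIBED = "not-subscribed"   # assumed cause label for unsubscribed slices
NSSAA_FAILED = "nssaa-failed"       # assumed cause label after a failed NSSAA


@dataclass
class SliceState:
    allowed: set = field(default_factory=set)       # allowed NSSAI
    rejected: dict = field(default_factory=dict)    # S-NSSAI -> reject cause
    results: dict = field(default_factory=dict)     # S-NSSAI -> EAP success?


def handle_registration(requested: set, subscription: dict) -> SliceState:
    """S203-S204: split the requested NSSAI into allowed and rejected sets."""
    state = SliceState()
    for s_nssai in sorted(requested):
        if s_nssai not in subscription:
            state.rejected[s_nssai] = NOT_SUBSCRIBED
        elif subscription[s_nssai]:
            state.rejected[s_nssai] = PENDING   # NSSAA still to be run (S205)
        else:
            state.allowed.add(s_nssai)
    return state


def apply_nssaa_result(state: SliceState, s_nssai: str, success: bool) -> bool:
    """S206: store the EAP result; only success moves the slice to the allowed NSSAI.
    Returns True when the allowed NSSAI changed."""
    if state.rejected.get(s_nssai) != PENDING:
        raise ValueError(f"{s_nssai} has no NSSAA pending")
    state.results[s_nssai] = success
    if not success:
        state.rejected[s_nssai] = NSSAA_FAILED
        return False
    del state.rejected[s_nssai]
    state.allowed.add(s_nssai)
    return True


def next_procedure(state: SliceState, have_default: bool) -> str:
    """S319-S320: choose the follow-up once every pending NSSAA has finished."""
    if any(cause == PENDING for cause in state.rejected.values()):
        return "wait"
    if not state.allowed and not have_default:
        return "deregister"          # no S-NSSAI passed and no default S-NSSAI
    if state.results:
        return "ucu"                 # allowed/rejected NSSAI changed: UE configuration update
    return "none"
```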
Fig. 3 is a schematic diagram of a second conventional network slice-based authentication procedure. As shown in fig. 3, the authentication procedure may include the following steps:
S301, the AMF triggers the execution of a secondary authentication of the network slice.
S302, the AMF sends a first NAS MM transport request to the UE.
Wherein the first non-access stratum (NAS) mobility management (MM) transport request carries an extensible authentication protocol (EAP) identity (ID) request and the single network slice selection assistance information (S-NSSAI). The EAP ID request is used to request that secondary authentication be performed for the network slice corresponding to the S-NSSAI.
S303, the UE sends a first NAS MM transmission response to the AMF.
Wherein the first NAS MM transport response carries an EAP ID response, the S-NSSAI, and a UE identity (UE ID). The UE ID is used to identify the UE and may be, for example, the generic public subscription identifier (GPSI) of the UE; the S-NSSAI refers to the identity of the network slice that provides network services for the UE.
Alternatively, the content of the EAP ID response and the EAP ID request in S302 may be carried in other NAS messages, which is not limited herein.
S304, the AMF sends a first NSSAA authentication request to the NSSAAF.
The NSSAAF is the network slice-specific and SNPN authentication and authorization function, and the NSSAA authentication request (Nnssaaf_NSSAA_Authenticate Request) carries the EAP ID response, the GPSI of the UE, the S-NSSAI, and other information.
S305, NSSAAF sends a first AAA protocol request to AAA-P.
S306, the AAA-P sends a first AAA protocol request to the AAA-S.
The AAA-P is an authentication, authorization and accounting (AAA) proxy server, and the first AAA protocol request message carries the EAP ID response, the GPSI of the UE, the S-NSSAI, and other information.
Specifically, if an AAA-P is deployed, the NSSAAF sends the first AAA protocol request to the AAA-P (S305), and the AAA-P then forwards the first AAA protocol request to the AAA-S (S306). For example, when the AAA-S is deployed by a third party there is no direct communication link between the NSSAAF and the AAA-S, so the NSSAAF sends the AAA protocol message to the AAA-S through the AAA-P.
Alternatively, if direct communication is available between the NSSAAF and the AAA-S, S305 and S306 may be replaced by the following step: the NSSAAF sends a first AAA protocol request to the AAA-S.
S307, the AAA-S sends a first AAA protocol response to the AAA-P.
S308, the AAA-P sends a first AAA protocol response to NSSAAF.
The first AAA protocol response carries an EAP message, the GPSI of the UE, the S-NSSAI, and other information. The function and content of the EAP message are similar to those of the EAP ID request and the EAP ID response and are not repeated here.
Alternatively, if direct communication is available between the NSSAAF and the AAA-S, then similarly to S305-S306, S307-S308 may be replaced by the following step: the AAA-S sends an AAA protocol message to the NSSAAF.
S309, the NSSAAF sends a first NSSAA authentication response to the AMF.
The first NSSAA authentication response (Nnssaaf_NSSAA_Authenticate Response) carries the EAP message, the GPSI of the UE, the S-NSSAI, and other information.
S310, the AMF sends a second NAS MM transmission request to the UE.
The second NAS MM transport request carries: EAP messages and S-NSSAI, etc.
S311, the UE sends a second NAS MM transmission response to the AMF.
The second NAS MM transport response carries: EAP messages and S-NSSAI, etc.
S312, the AMF sends a second NSSAA authentication request to the NSSAAF.
The second NSSAA authentication request (Nnssaaf_NSSAA_Authenticate Request) carries the EAP message, the GPSI of the UE, the S-NSSAI, and other information.
S313, NSSAAF sends a second AAA protocol request to AAA-P.
S314, the AAA-P sends the second AAA protocol request to the AAA-S.
The second AAA protocol request carries the EAP message, the AAA-S address, the GPSI of the UE, and the S-NSSAI.
Alternatively, if direct communication is available between the NSSAAF and the AAA-S, then similarly to S305-S306, S313-S314 may be replaced by the following step: the NSSAAF sends a second AAA protocol request to the AAA-S.
The above S307-S314 are used to exchange EAP messages, and the exchange may be performed once or multiple times, which is not limited here.
After that, the AAA-S may complete the secondary authentication and return the authentication result to the UE, i.e. perform S315 to S318 described below.
S315, the AAA-S sends a second AAA protocol response to the AAA-P.
S316, the AAA-P sends a second AAA protocol response to NSSAAF.
The second AAA protocol response carries an EAP authentication success/failure indication, the GPSI of the UE, the authorized S-NSSAI, and so on.
Alternatively, if direct communication is available between the NSSAAF and the AAA-S, then similarly to S307-S308, S315-S316 may be replaced by the following step: the AAA-S sends the second AAA protocol response to the NSSAAF.
S317, the NSSAAF sends a second NSSAA authentication response to the AMF.
The second NSSAA authentication response carries the EAP authentication success/failure indication, the GPSI of the UE, the authorized S-NSSAI, and so on.
S318, the AMF sends a second NAS MM transport response to the UE.
Wherein the second NAS MM transport response carries the EAP authentication success/failure indication.
The AMF should store the EAP authentication result for each S-NSSAI for which the NSSAA procedure of S301-S317 was performed. Thereafter, the UE and the network may perform a configuration update procedure according to the secondary authentication result, i.e. perform S319-S320 described below.
S319, optionally, the AMF triggers the UE configuration update procedure.
Specifically, when there is a new allowed NSSAI or a new rejected NSSAI, or the UE needs to be moved to a new AMF, the AMF may initiate a UE configuration update (UCU) procedure. In addition, when the authentication of an S-NSSAI associated with a PDU session fails, the AMF triggers the release of that PDU session.
S320, optionally, the AMF initiates a UE de-registration procedure.
Specifically, when no S-NSSAI passes authentication and no default S-NSSAI is available, the AMF initiates a network-initiated deregistration procedure.
4. PDU session authentication
After the UE has accessed the operator network and primary authentication has succeeded, if the UE needs to access a certain DN, secondary authentication between the UE and an authentication server deployed in the DN is also required. Establishment of the PDU session may be triggered by the UE or by the core network (CN) of the operator network, and the secondary authentication procedure is initiated by the operator network during or after PDU session establishment. Specifically, the UE sends an authentication request to the operator network, and the operator network forwards the authentication request to the authentication server in the DN to complete the authentication of the UE by the DN. The authentication server corresponding to the DN may be an authentication, authorization and accounting (AAA) server, i.e. an AAA-S. The result of the authentication and/or authorization of the UE by the authentication server is sent to the operator network, and the operator network determines, based on the secondary authentication result, whether to establish the corresponding PDU session for the UE.
Fig. 4 is a schematic flow diagram of a prior art PDU session flow based secondary authentication. As shown in fig. 4, the process may include the steps of:
S401, the UE sends a registration request to the AMF.
S402, the UE performs primary authentication with the operator network.
Specifically, after the AMF receives the registration request sent by the UE, it may trigger the AUSF to perform primary authentication between the UE and the operator network.
Optionally, in the process of performing primary authentication between the UE and the operator network by the AUSF, authentication information required for primary authentication, such as subscription data of the UE, may be obtained from the UDM, so that primary authentication between the UE and the operator network may be implemented according to authentication information generated or stored by the UDM.
S403, establishing NAS security between the UE and the AMF.
Specifically, after primary authentication between the UE and the operator network passes, the AMF may establish non-access stratum (NAS) security with the UE. The NAS exists in the radio communication protocol stack of the universal mobile telecommunications system (UMTS) as a functional layer between the CN and the UE, and supports signaling and/or data transfer between the CN and the UE.
S404, the UE sends a session establishment request to the AMF.
Specifically, after the UE establishes NAS security with the AMF, the UE may initiate a session establishment request to the AMF, where the session establishment request carries a NAS message. The session establishment request may be specifically used to request establishment of a PDU session.
S405, the AMF sends a session establishment request to the SMF.
Specifically, after the AMF receives the NAS message sent by the UE, it may decode the session establishment request in the NAS message and send the session establishment request to the SMF. Wherein the SMF is the SMF that manages the PDU session whose establishment is requested by the session establishment request.
S406, SMF checks the subscription data.
Specifically, after receiving the session establishment request, the SMF obtains subscription data from the UDM, and if the subscription data indicates that the secondary authentication needs to be performed, the SMF performs S407 described below.
S407, the SMF starts the EAP authentication flow.
Alternatively, if the session establishment request carries information required for the secondary authentication, S408 and S409 described below may be skipped.
S408, the SMF sends an EAP ID request to the UE.
Wherein the EAP ID request is used to request identity information of the UE, such as GPSI of the UE.
S409, the UE sends an EAP ID response to the SMF.
The EAP ID response carries identity information of the UE, such as GPSI of the UE.
S410, SMF initiates an N4 session establishment flow to UPF.
Specifically, if there is no UPF for transmitting messages between the SMF and the AAA-S, the SMF initiates a UPF selection procedure and establishes an N4 session between the SMF and the selected UPF.
S411, the SMF sends the EAP ID response and the identity information of the UE to the AAA-S.
Wherein the SMF may send the EAP ID response and the identity information of the UE to the AAA-S through the UPF. Specifically, the SMF may transmit the EAP ID response and the identity information of the UE to the UPF through the N4 session established in S410 described above, and then the UPF transmits the received EAP ID response and the identity information of the UE to the AAA-S.
S412, secondary authentication of the UE is performed.
Specifically, the UE and the AAA-S may perform multiple EAP message interactions to complete the secondary authentication of the UE by the AAA-S.
Details of the message type, the interaction mode, and the like of the EAP message for interaction between the UE and the AAA-S depend on the specific EAP authentication method used, and are not limited herein.
S413, AAA-S sends the secondary authentication result to SMF.
Specifically, if the AAA-S authenticates the UE successfully, the AAA-S sends an authentication success message to the UPF, and then the UPF sends the authentication success message to the SMF through the N4 session.
Optionally, the AAA-S may also provide authorization information, such as the index of a DN authorization profile, allowed media access control (MAC) addresses or virtual local area network identifiers (VIDs), and the aggregate maximum bit rate (AMBR) of the DN-authorized session.
S414, the SMF triggers the execution of the remaining steps of the PDU session establishment procedure.
After the AAA-S finishes EAP authentication of the UE, the SMF may continue with the remaining steps of the PDU session establishment procedure, as follows.
S415, the SMF initiates an N4 session establishment/modification procedure to the UPF.
S416, the SMF sends a PDU session establishment success message to the UE.
Specifically, the SMF transmits a PDU session establishment success message to the AMF, and the AMF receives the PDU session establishment success message and transmits it to the UE.
However, the secondary authentication based on the network slice authentication procedure and the PDU session authentication procedure described above has a security weakness. Specifically, when two or more applications associated with one network slice are running, the UE establishes a new PDU session according to the URSP rules, or selects an existing PDU session, to associate with that network slice. Example URSP rules:
Rule 1: priority = 1, APP ID = APP1, network slice selection = S-NSSAI-a;
Rule 2: priority = 2, APP ID = APP2, network slice selection = S-NSSAI-a;
Rule 3: priority = 3, APP ID = APP3, network slice selection = S-NSSAI-b;
where both APP1 and APP2 can use network slice S-NSSAI-a.
Assuming that S-NSSAI-a is included in the allowed NSSAI: when APP1 runs, secondary authentication is successfully performed for APP1 and PDU session 1 is established for APP1. Then, when APP2 runs, APP2 directly uses S-NSSAI-a by way of the UE selecting the existing PDU session 1, without any authentication operation on APP2. In this case, an APP ID can easily be tampered with and network slice/data network resources misused in the deployment, resulting in network security risks and operational inefficiency.
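As an added example (not code from the patent), a UE-side evaluator for the three URSP rules above that records which applications triggered a secondary authentication when a PDU session was established and which were simply attached to an existing session, so that the gap described above becomes visible as data. The session and authentication records are constructed for the example; the allowed-NSSAI check on the route selection descriptor is an assumption.

```python
# Added example (not from the patent): URSP rule evaluation by the UE, with a
# record of which applications were actually covered by a secondary authentication.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UrspRule:
    priority: int
    app_id: str      # traffic descriptor: application identifier
    s_nssai: str     # route selection descriptor: network slice selection


@dataclass
class PduSession:
    session_id: int
    s_nssai: str
    apps: list = field(default_factory=list)   # applications carried on this session


@dataclass
class Ue:
    rules: list
    allowed_nssai: set
    sessions: list = field(default_factory=list)
    auth_log: list = field(default_factory=list)  # (app, s_nssai) authenticated at session setup

    def match_rule(self, app_id: str):
        """Evaluate rules in ascending priority; the first traffic-descriptor match wins."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.app_id == app_id:
                return rule
        return None

    def route_app(self, app_id: str) -> PduSession:
        rule = self.match_rule(app_id)
        if rule is None:
            raise LookupError(f"no URSP rule matches {app_id}")
        # Assumption: an RSD whose S-NSSAI is not in the allowed NSSAI cannot be used.
        if rule.s_nssai not in self.allowed_nssai:
            raise PermissionError(f"{rule.s_nssai} is not in the allowed NSSAI")
        # An existing PDU session satisfies the RSD: reuse it, no authentication happens.
        for session in self.sessions:
            if session.s_nssai == rule.s_nssai:
                session.apps.append(app_id)
                return session
        # Otherwise establish a new session; the DN's AAA-S authenticates during
        # establishment (S407-S413), so only this application is covered by it.
        session = PduSession(len(self.sessions) + 1, rule.s_nssai, [app_id])
        self.sessions.append(session)
        self.auth_log.append((app_id, rule.s_nssai))
        return session

    def unauthenticated_apps(self) -> list:
        """Applications carried on a session whose authentication they took no part in."""
        authenticated = {app for app, _ in self.auth_log}
        return [app for s in self.sessions for app in s.apps if app not in authenticated]


# The three rules from the text.
RULES = [
    UrspRule(1, "APP1", "S-NSSAI-a"),
    UrspRule(2, "APP2", "S-NSSAI-a"),
    UrspRule(3, "APP3", "S-NSSAI-b"),
]


def run_scenario() -> Ue:
    """Replays the text's scenario: APP1, then APP2, then APP3 start in turn."""
    ue = Ue(rules=RULES, allowed_nssai={"S-NSSAI-a", "S-NSSAI-b"})
    ue.route_app("APP1")   # establishes PDU session 1; APP1 is authenticated
    ue.route_app("APP2")   # reuses PDU session 1; no authentication for APP2
    ue.route_app("APP3")   # establishes PDU session 2 on S-NSSAI-b; authenticated
    return ue
```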
The technical solutions in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiments of the present application may be applied to various communication systems, such as a wireless fidelity (WiFi) system, a vehicle-to-everything (V2X) communication system, a device-to-device (D2D) communication system, an internet-of-vehicles communication system, a 4th generation (4G) mobile communication system such as a long term evolution (LTE) system or a worldwide interoperability for microwave access (WiMAX) communication system, a 5th generation (5G) mobile communication system such as a new radio (NR) system, and future communication systems such as a 6th generation (6G) mobile communication system.
The present application will present various aspects, embodiments, or features about a system that may include multiple devices, components, modules, etc. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, combinations of these schemes may also be used.
In addition, in the embodiments of the present application, words such as "exemplary" and "for example" are used to indicate an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the word "exemplary" is used to present concepts in a concrete fashion.
In the embodiments of the present application, "information", "signal", "message", "channel" and "signaling" may be used interchangeably; it should be noted that their meaning is consistent when the distinction is not emphasized. Likewise, "of", "relevant" and "corresponding" are sometimes used interchangeably, and their meaning is consistent when the distinction is not emphasized.
In the embodiments of the present application, a subscripted form such as W_1 may sometimes be mis-rendered as a non-subscripted form such as W1; the intended meaning is consistent when the distinction is not emphasized.
The network architecture and the service scenario described in the embodiments of the present application are intended to describe the technical solution of the embodiments more clearly and do not constitute a limitation on it. Those skilled in the art will understand that, as the network architecture evolves and new service scenarios appear, the technical solution provided in the embodiments of the present application remains applicable to similar technical problems.
To facilitate understanding of the embodiments of the present application, a communication system suitable for the embodiments of the present application will be described in detail first with reference to the communication system shown in fig. 5 as an example. Fig. 5 is a schematic diagram of a communication system to which the authentication method according to the embodiment of the present application is applicable.
As shown in fig. 5, the communication system includes a terminal device, a first network element, and an authentication device.
The terminal device is a terminal that can access the communication system and has a wireless or wired transceiver function, or a chip system that can be arranged in such a terminal. The terminal device may also be referred to as user equipment (UE), a handheld terminal, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device in the embodiments of the present application may be a mobile phone, a tablet (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, a vehicle-mounted terminal, an RSU with a terminal function, a notebook computer, a subscriber unit, a cellular phone, a smart phone, a wireless data card, a personal digital assistant (PDA), a computer, a tablet computer, a wireless modem, a handheld device, a cordless phone, or the like.
The terminal device of the application may also be a vehicle-mounted module, a vehicle-mounted component, a vehicle-mounted chip or a vehicle-mounted unit which are built in a vehicle as one or more components or units, and the vehicle may implement the authentication method provided by the application through the built-in vehicle-mounted module, vehicle-mounted component, vehicle-mounted chip or vehicle-mounted unit.
The first network element is a secondary authentication requester, and may be a core network element in an operator network, such as an AMF, an SMF, or the like, as shown in fig. 6-11.
The authentication device is a secondary authentication responder, and may be an authentication server deployed by an operator or a third party content provider, such as the AAA-S or the AAA-P deployed in the NSSAAF or in the DN, as shown in fig. 6-11 below.
Optionally, the communication system shown in fig. 5 may further include an access network device, where the access network device is a device located on the network side of the communication system and having a wireless transceiver function, or a chip system that may be disposed in such a device. The access network device includes, but is not limited to: an access point (AP) in a wireless fidelity (WiFi) system, such as a home gateway, a router, a server, a switch or a bridge; an evolved NodeB (eNB), a radio network controller (RNC), a NodeB (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (e.g., a home evolved NodeB or home NodeB, HNB), a baseband unit (BBU), a wireless relay node, a wireless backhaul node, a transmission and reception point (TRP) or transmission point (TP), and the like. It may also be a base station in a 5G system, such as a gNB in a new radio (NR) system, a transmission point (TRP, TP), or one or a group of antenna panels of a base station in a 5G system, or a network node constituting a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
The following describes in detail a communication system provided in the embodiment of the present application, taking a 5G system as an example.
Fig. 6-11 are examples one through six of the 5G system. Fig. 6 is a non-roaming architecture based on a service-based interface and fig. 7 is a non-roaming architecture based on reference points; in both, the UE is located in a home public land mobile network (HPLMN) and traffic is offloaded by the HPLMN, i.e. both the UE and the DN are located in the HPLMN. Fig. 8 is a local breakout (LBO) roaming architecture based on a service-based interface and fig. 9 is a local breakout roaming architecture based on reference points; the UE is located in a visited public land mobile network (VPLMN), and traffic is also offloaded in the VPLMN, i.e. both the UE and the DN are located in the VPLMN. Fig. 10 is a home routing (HR) roaming architecture based on a service-based interface and fig. 11 is a home routing roaming architecture based on reference points; the UE is located in the VPLMN, but traffic is offloaded in the HPLMN, i.e. the DN is located in the HPLMN.
Referring to fig. 6-11, the 5G system architecture is divided into an access network and a core network. The access network is used to implement radio access related functions. The core network mainly comprises the following key network elements: the access and mobility management function (AMF), the session management function (SMF), the user plane function (UPF), the policy control function (PCF), and unified data management (UDM).
(R) AN apparatus: devices for providing access to terminal devices include radio access network (radio access network, RAN) devices and Access Network (AN) devices. The RAN device is mainly a 3GPP defined radio network device, and the AN may be a non-3GPP defined access network device. RAN device: mainly responsible for radio resource management, quality of service (quality of service, qoS) management, data compression, encryption, etc. functions on the air interface side. The RAN equipment may include various forms of base stations, such as: macro base stations, micro base stations (also referred to as small stations), relay stations, access points, and the like. In systems employing different radio access technologies, the names of base station-capable devices may vary, for example, in fifth generation (5th generation,5G) systems, referred to as RANs or gnodes (5 g nodeb, gnb); in the LTE system, it is called evolved NodeB (eNB or eNodeB); in the third generation (3rd generation,3G) system, it is called a Node B (Node B) or the like.
AN apparatus: allowing interworking between terminal devices and 3GPP core networks using non-3GPP technologies such as: wireless fidelity (wireless fidelity, wi-Fi), worldwide interoperability for microwave access (worldwide interoperability for microwave access, wiMAX), code division multiple access (code division multiple access, CDMA) networks, and the like.
AMF: mainly responsible for mobility management in the mobile network, such as user location update, user registration with the network, user handover, etc.
SMF: mainly responsible for session management in the mobile network, such as session establishment, modification and release. Specific functions include, for example, assigning IP addresses to users and selecting the UPF that provides the packet forwarding function.
UPF: responsible for forwarding and receiving the user data of the terminal device. It can receive user data from the data network and transmit it to the terminal device through the access network device; it can also receive user data from the terminal device via the access network device and forward it to the data network. The transmission resources and scheduling functions in the UPF that serve the terminal device are managed and controlled by the SMF network element.
PCF: mainly supports providing a unified policy framework to control network behavior, provides policy rules to control-plane network functions, and is also responsible for acquiring the user subscription information relevant to policy decisions.
Network exposure function (NEF): mainly used to support the exposure of capabilities and events.
Network slice admission control function (NSACF): mainly used to support the following functions:
supporting monitoring and controlling the number of registered users of each network slice;
supporting monitoring and controlling the number of PDU sessions established in each network slice;
supporting event-based network slice status notification and reporting to other NFs.
Application function (AF): mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions and policy control functions, or providing some third-party services to the network side.
Unified data management (UDM): used for generating authentication credentials, user identification processing (e.g., storing and managing the user permanent identity), access authorization control, subscription data management, and the like.
The Network Slice Selection Authentication and Authorization Function (NSSAAF) is mainly used for performing network slice and independent non-public network (SNPN) identity authentication and authorization functions, and specifically includes:
supporting an authentication, authorization and accounting (AAA) server (AAA-server, AAA-S) in authenticating and authorizing specific identities for specified network slices. If the AAA-S belongs to a third party, the NSSAAF may contact the AAA-S through an AAA proxy (AAA-proxy, AAA-P).
supporting access to an SNPN using AAA-S credentials. If the credential holder belongs to a third party, the NSSAAF may contact the AAA-S through the AAA-P.
A data network (DN) refers to a service network that provides data transmission services for users, such as the IP multimedia subsystem (IMS), the internet, etc. Specifically, the UE accesses the data network through a packet data unit (PDU) session established between the UE and the DN.
In addition, embodiments of the present application relate to AAA-P, DN-AAA, AAA-S, which may be collectively referred to as an AAA server. The AAA server and NSSAAF may be collectively referred to as authentication devices/functions.
Note that an "xx network element" in fig. 6-11 may also be referred to as an "xx function" or simply "xx". For example, the AMF network element may also be referred to as the AMF or the AMF function, and the SMF network element may also be referred to as the SMF or the SMF function, which is not limited in this embodiment of the present application.
The authentication method provided in the embodiment of the present application may be applied to the communication system shown in any one of fig. 5 to 11, and the specific implementation of implementing the secondary authentication on the terminal device may refer to the following method embodiment, which is not described herein again.
It should be noted that the solution in the embodiments of the present application may also be applied to other communication systems, and the corresponding names may also be replaced by names of corresponding functions in other communication systems.
It should be appreciated that fig. 5-11 are simplified schematic diagrams that are merely exemplary for ease of understanding, and that other network devices, and/or other terminal devices, may also be included in the communication system, and are not shown in fig. 5-11.
The authentication method provided in the embodiment of the present application will be specifically described with reference to fig. 12 to 16.
Fig. 12 is a schematic flow chart of an authentication method according to an embodiment of the present application. The authentication method can be applied to the communication system shown in fig. 1, and performs a secondary authentication operation on the terminal device.
As shown in fig. 12, the authentication method includes the steps of:
S1201, the terminal device sends application information to the first network element.
In one possible embodiment, the application information includes application identification information. The application identification information may include one or more of the following: an application identifier, an internet protocol (IP) five-tuple, an application name, etc., and may be used by the authentication device to perform the secondary authentication operation on the application; for a specific implementation, reference may be made to S1203 described below, which is not repeated here.
Optionally, the application information further comprises application authentication information. The application authentication information may include one or more of the following: a user name, a password, certificate information, etc., and may be used together with the application identification information by the authentication device to perform the authentication operation on the application; for a specific implementation, reference may be made to S1203 described below, which is not repeated here.
Alternatively, referring to fig. 6-11, the first network element may be an AMF. Specifically, S1201 may be implemented as: the terminal device sends the application information to the AMF network element through the access network device.
Alternatively, referring to fig. 6-11, the first network element may be an SMF. Specifically, S1201 may be implemented as: the terminal device sends the application information to the SMF network element through the access network device and the AMF.
S1202, the first network element sends application information to the authentication device.
In one possible design, referring to fig. 6-11, the first network element may be an AMF, and the authentication device may be an NSSAAF deployed by an operator. Accordingly, the AMF may send the application information to the NSSAAF through the service-based interface or the N58 interface.
In another possible design, referring to fig. 6, 8, and 10, the first network element may be an SMF, and the authentication device may be an NSSAAF deployed by an operator. Accordingly, the SMF may send the application information to the NSSAAF through the service-based interface.
In yet another possible design, referring to fig. 6, 8, and 10, the first network element may be an SMF, and the authentication device may be an AAA-S deployed by a third party application provider. Accordingly, the AMF may send the application information to the NSSAAF via the service-based interface, and the NSSAAF then forwards it to the AAA-S.
It should be noted that, if the third party application provider has authorized the operator to perform the secondary authentication operation instead, the NSSAAF may not forward the application information to the AAA-S, but perform the secondary authentication operation by itself according to the authorization.
S1203, the authentication device determines an authentication result according to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Specifically, the authentication device may compare the application information provided by the terminal device with application information stored locally by the authentication device to determine whether the secondary authentication succeeds. The locally stored application information may include: application information of authorized applications, such as a whitelist, and/or application information of forbidden applications, such as a blacklist. For example, if the application information provided by the terminal device is present in the whitelist, the secondary authentication is considered to pass (authentication success); otherwise, it is considered not to pass (authentication failure). For another example, if the application information provided by the terminal device is present in the blacklist, the secondary authentication is considered to fail (authentication failure); otherwise, it is considered to pass (authentication success).
In addition, the authentication device may also determine the authentication result in combination with application authentication information, such as a user name, a password, certificate information, etc. Therefore, double authentication of the application information and the user information can be realized, so that the reliability of an authentication result is improved, and the network security and the operation efficiency are further improved.
In the embodiment of the application, the authentication result may be implicitly or explicitly indicated. The following is an example.
Illustratively, the authentication result further includes authentication indication information for indicating whether an authentication operation of the application corresponding to the application information is successful.
Alternatively, the authentication result may include application identification information but no authentication indication information. In this case, the application identification information in the authentication result can be understood in one of the following ways: all applications corresponding to the application identification information are by default considered to have passed authentication; all applications corresponding to the application identification information are by default considered to have failed authentication; or one part of the applications corresponding to the application identification information are by default considered to have passed authentication while the other part are by default considered to have failed. The two parts of application identification information can be carried in different positions in the authentication result, such as different fields or information elements (IE), to distinguish them.
S1204, the authentication device sends the authentication result to the first network element.
The authentication result is determined according to the application information, and the authentication result is used for generating a detection rule, wherein the detection rule is used for executing forwarding or discarding operations on the data of the application corresponding to the application information, such as forwarding the data of the application with successful secondary authentication and discarding the data of the application with failed secondary authentication.
In one possible design, the first network element may be an access and mobility management network element, such as an AMF. Accordingly, the method shown in fig. 12 may further include the step of: the access and mobility management network element sends the authentication result to the session management network element. Specifically, referring to fig. 6 to 11, the authentication device may send the authentication result to the AMF through the service-based interface or the N58 interface.
The AMF may then send the authentication result to the session management network element so that the session management network element can determine the detection rules.
In another possible design, the first network element may be a session management network element, such as an SMF. Accordingly, the method shown in fig. 12 may further include the step of: the authentication device sends the authentication result to the session management network element. Specifically, referring to fig. 6, 8 and 10, the authentication device may send the authentication result to the SMF through the service-based interface.
After the session management network element receives the authentication result, the following steps may be further performed: the session management network element determines a detection rule according to the authentication result and sends the detection rule to the user plane network element, so that the user plane network element executes forwarding operation on the data of the application with successful secondary authentication according to the detection rule, and executes discarding operation on the data of the application with failed secondary authentication, thereby realizing the provision of differentiated data transmission service for the application corresponding to different application information.
Optionally, the session management network element may determine the detection rule according to the authentication result, or may send the authentication result to the policy control network element, such as PCF, and receive the PCC rule determined by the policy control network element according to the authentication result, and then generate the detection rule according to the returned PCC rule.
The detection rules may include, for example, packet detection rules (PDR) and forwarding action rules (FAR).
The detection rule may be an N4 rule or a part of an N4 rule, which is not limited herein.
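The following is an added example, not code from the patent, that models the S1203 whitelist/blacklist comparison (with the optional double authentication on a user name and password), both the explicit and the implicit encoding of the authentication result, and the S1204 derivation of forwarding/dropping detection rules. Every class, field name and sample value in it is an assumption made for illustration.

```python
"""Added example, not code from the patent: the S1203 whitelist/blacklist check
(with optional double authentication on username/password), the explicit and
implicit result encodings, and the S1204 forwarding/dropping detection rules.
Every class, field and sample value below is an assumption made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import hashlib
import hmac

FiveTuple = Tuple[str, int, str, int, str]  # src IP, src port, dst IP, dst port, protocol


@dataclass(frozen=True)
class AppId:
    """Application identification information (S1201); any field may be absent."""
    app_id: Optional[str] = None
    five_tuple: Optional[FiveTuple] = None
    app_name: Optional[str] = None

    def keys(self) -> Set[object]:
        # every identifier that is present may match a whitelist/blacklist entry
        return {k for k in (self.app_id, self.five_tuple, self.app_name) if k is not None}


@dataclass(frozen=True)
class AppInfo:
    """Application information: identification plus optional authentication information."""
    ident: AppId
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class AuthResult:
    passed: List[AppId]
    failed: List[AppId]

    def encode(self, explicit: bool) -> dict:
        """Explicit: an indication per application. Implicit: passed and failed
        identifiers are carried in different IEs and no indication is sent."""
        if explicit:
            return {"apps": [{"id": a, "indication": "success"} for a in self.passed]
                           + [{"id": a, "indication": "failure"} for a in self.failed]}
        return {"authenticated_apps": list(self.passed), "rejected_apps": list(self.failed)}


class AuthenticationDevice:
    """Stands in for the NSSAAF/AAA-S: compares reported application information with
    a locally stored whitelist/blacklist and, where credentials are configured for an
    application, also with the application authentication information (double check)."""

    def __init__(self, whitelist: Set[object], blacklist: Set[object],
                 credentials: Dict[str, Tuple[str, str]]):
        self.whitelist, self.blacklist = whitelist, blacklist
        self.credentials = credentials  # app_id -> (username, sha256 hex of password)

    def _identity_allowed(self, ident: AppId) -> bool:
        keys = ident.keys()
        if keys & self.blacklist:      # a blacklisted identifier always fails
            return False
        if self.whitelist:             # whitelist configured: must appear in it
            return bool(keys & self.whitelist)
        return True                    # blacklist only: not listed means pass

    def _credentials_ok(self, info: AppInfo) -> bool:
        expected = self.credentials.get(info.ident.app_id or "")
        if expected is None:
            return True                # no credentials configured: identity check only
        if info.username is None or info.password is None:
            return False               # double authentication required but not supplied
        digest = hashlib.sha256(info.password.encode()).hexdigest()
        return (hmac.compare_digest(expected[0], info.username)
                and hmac.compare_digest(expected[1], digest))

    def authenticate(self, infos: List[AppInfo]) -> AuthResult:
        result = AuthResult(passed=[], failed=[])
        for info in infos:
            ok = self._identity_allowed(info.ident) and self._credentials_ok(info)
            (result.passed if ok else result.failed).append(info.ident)
        return result


def derive_detection_rules(result: AuthResult) -> List[dict]:
    """SMF side (S1204/S1306): one PDR/FAR pair per application, FORWARD for
    applications that passed secondary authentication, DROP for those that failed."""
    rules = []
    for ident, action in ([(a, "FORWARD") for a in result.passed]
                          + [(a, "DROP") for a in result.failed]):
        pdr = {"app_id": ident.app_id} if ident.app_id else {"five_tuple": ident.five_tuple}
        rules.append({"pdr": pdr, "far": action})
    return rules


def demo() -> Tuple[AuthenticationDevice, AuthResult, List[dict]]:
    # Constructed configuration and UE report for the example; not from the patent.
    device = AuthenticationDevice(
        whitelist={"app-video", ("10.0.0.7", 40000, "203.0.113.9", 443, "TCP")},
        blacklist={"app-p2p"},
        credentials={"app-video": ("alice", hashlib.sha256(b"correct horse").hexdigest())})
    reported = [
        AppInfo(AppId(app_id="app-video"), username="alice", password="correct horse"),
        AppInfo(AppId(five_tuple=("10.0.0.7", 40000, "203.0.113.9", 443, "TCP"))),
        AppInfo(AppId(app_id="app-p2p")),   # blacklisted
        AppInfo(AppId(app_id="app-game")),  # on neither list: fails the whitelist
    ]
    result = device.authenticate(reported)
    return device, result, derive_detection_rules(result)
```

Because the blacklist is checked before the whitelist, an application that appears on both is rejected, and an application with configured credentials is rejected when it reports its identifier without them.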
The authentication method provided in the embodiment of the present application is described in detail below with reference to several examples in fig. 13 to 16.
Fig. 13 is a second flowchart of an authentication method according to an embodiment of the present application. The authentication method is implemented based on a network slice authentication procedure. The terminal device in fig. 12 may be the UE in fig. 13, the first network element in fig. 12 may be the AMF in fig. 13, and the authentication device in fig. 12 may be the NSSAAF in fig. 13. In this case, the AMF may determine, based on the network slice authentication procedure, whether the UE has access rights to the network slice purchased through the third party application provider, thereby completing the secondary authentication of the UE.
As shown in fig. 13, the authentication method may include the steps of:
S1301, the AMF triggers network slice authentication in the UE-initiated registration procedure.
Specifically, the UE sends a registration request to the AMF, and the AMF performs an authentication procedure, i.e., the operator network authentication procedure, in response to the registration request initiated by the UE. The registration request carries the NSSAI requested by the UE, and the requested NSSAI may include one or more S-NSSAIs. For the specific implementation of the registration procedure, reference may be made to fig. 2 and the related text description, which are not repeated here.
For an S-NSSAI for which the primary authentication succeeds, if the AMF determines from the subscription data acquired from the UDM that secondary authentication needs to be performed, the following S1302 may be continued.
S1302, the UE sends application information to the AMF.
Specifically, the AMF may send a NAS MM transport request to the UE and receive a NAS MM transport response from the UE. The NAS MM transport request is used to request the application information of the application corresponding to the network slice requiring secondary authentication, and the NAS MM transport response carries that application information. For the specific implementation of the NAS MM transport request and the NAS MM transport response, reference may be made to the first NAS MM transport request in S302 and the first NAS MM transport response in S303, which are not repeated here.
The application information comprises application identification information and application authentication information. The application identification information may be an IP five-tuple, an application identifier, etc., and the application authentication information may be a user name, a password, certificate information, etc. of the application.
It should be noted that if the UE already carries the application information corresponding to the requested NSSAI in the registration request it initiates, S1302 need not be executed; that is, S1302 may be regarded as an optional step.
S1303, the AMF sends application information to the NSSAAF.
Specifically, the AMF may carry the application information in the NSSAA authentication request and send it to the NSSAAF; for the specific implementation, reference may be made to the first NSSAA authentication request and the second NSSAA authentication request in S304, which are not repeated here.
S1304, the NSSAAF sends the authentication result to the UE through the AMF.
Specifically, the NSSAAF may, as appropriate, request the AAA-S to complete the secondary authentication or complete the secondary authentication itself. Alternatively, if the third party application provider has already reached a delegation agreement for the secondary authentication with the network operator, the NSSAAF may complete the secondary authentication itself.
Alternatively, if the third party application provider has not delegated the secondary authentication to the network operator, the NSSAAF may send the application information to the AAA-S and receive the authentication result from the AAA-S. The authentication result at least includes application identification information, such as the S-NSSAI for which the secondary authentication succeeded, and may be transmitted in the form of a container. Optionally, the authentication result may further include authentication indication information indicating whether the secondary authentication for a certain S-NSSAI succeeded.
It should be noted that the AAA-S may also locally pre-configure the application information that the UE may use, in which case the UE need not report the application information in S1301-S1303.
S1305, the UE sends a PDU session establishment request to the SMF through the AMF.
Specifically, the AMF receives a first PDU session establishment request from the UE and sends a second PDU session establishment request to the SMF. Wherein, the first PDU session establishment request may include an allowed NSSAI, and the second PDU session establishment request may include an authentication result of the S-NSSAI and application information corresponding to the S-NSSAI.
Optionally, the second PDU session establishment request may further include an identifier of the NSSAAF, an identifier of the UE, and an identifier of the network slice. In that way, the SMF may also obtain the authentication result directly from the NSSAAF, without the AMF forwarding the authentication result to the SMF after receiving it.
Another implementation may be: when the PDU session is established, the AMF sends the SMF identifier, the UE identifier and the network slice identifier to the NSSAAF, and the NSSAAF sends the authentication result to the SMF.
S1306, the SMF sends the detection rule to the UPF.
Specifically, the SMF may determine the N4 rule itself, or request the PCF to determine it, according to the S-NSSAI and the secondary authentication result of the application information corresponding to the S-NSSAI, and send the N4 rule to the UPF through the N4 session. The N4 rule comprises a detection rule, which instructs the UPF to forward or discard the data of the application corresponding to the application information. For the specific implementation of the detection rule, reference may be made to S1204 above, which is not repeated here.
Fig. 14 is a flowchart of an authentication method according to an embodiment of the present application. The authentication method is implemented based on a network slice authentication procedure. The terminal device in fig. 12 may be the UE in fig. 14, the first network element in fig. 12 may be the AMF in fig. 14, and the authentication device in fig. 12 may be the NSSAAF in fig. 14. In this case, the AMF may determine, based on the network slice authentication procedure, whether the UE has access rights to the network slice purchased through the third party application provider, thereby completing the secondary authentication of the UE.
As shown in fig. 14, the authentication method may include the steps of:
S1401, the AMF triggers network slice authentication in the UE-initiated registration procedure.
S1402, the UE transmits application information to the AMF.
S1403, the AMF sends application information to the NSSAAF.
S1404, NSSAAF sends the authentication result to the UE through AMF.
For the specific implementation of S1401-S1404, reference may be made to S1301-S1304, which are not described here again.
S1405, the UE sends a PDU session establishment request to the SMF through the AMF.
The PDU session request may include an identifier of the network slice, such as an S-NSSAI, for which the UE requests to establish the PDU session. In this case, the AMF may perform only a forwarding operation of the PDU session establishment request.
S1405 differs from S1305 in that the AMF may send the second PDU session establishment request to the SMF without including the authentication result. The SMF may then acquire the authentication result from the AMF after receiving the PDU session establishment request, i.e., perform S1406-S1407 described below.
S1406, the SMF obtains the authentication result from the AMF.
Specifically, the SMF may send an authentication result acquisition request to the AMF and receive the authentication result from the AMF. The authentication result acquisition request may include the S-NSSAI of the network slice carried in the PDU session request.
Alternatively, the SMF may determine, based on the subscription data in the UDM, whether the S-NSSAI requires secondary authentication for each application. If so, the authentication result is obtained from the AMF.
Alternatively, the SMF may subscribe with the AMF to the application information that has passed authentication. In this way, the SMF receives an authentication result update notification from the AMF whenever an application authentication result is updated (or changed).
S1407, the SMF sends the detection rule to the UPF.
For the specific implementation of S1407, reference may be made to S1306 above, which is not described here again.
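The following is an added example, not code from the patent, that models the Fig. 14 variant: the AMF keeps the secondary authentication results it received in S1404 per UE and S-NSSAI, and the SMF, on a PDU session request that carries no result (S1405), fetches it from the AMF for those S-NSSAIs that require per-application secondary authentication and subscribes to later updates (S1406). The class names, the UE identifier, S-NSSAI values and application identifiers are all assumptions.

```python
"""Added example, not code from the patent: the AMF holding per-S-NSSAI secondary
authentication results (S1404) and the SMF fetching them on a PDU session request
that carries no result, or subscribing to updates (S1405-S1406, Fig. 14).
Names and sample values are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

ResultKey = Tuple[str, str]          # (UE identifier, S-NSSAI)
Callback = Callable[[ResultKey, Set[str]], None]


@dataclass
class AmfResultStore:
    """AMF side: authentication results received from the NSSAAF, keyed by UE and S-NSSAI."""
    results: Dict[ResultKey, Set[str]] = field(default_factory=dict)   # -> authenticated app ids
    subscribers: Dict[ResultKey, List[Callback]] = field(default_factory=dict)

    def store(self, ue: str, snssai: str, passed_apps: Set[str]) -> None:
        """S1404: a result arrives via the AMF; subscribers are notified only on change."""
        key = (ue, snssai)
        changed = self.results.get(key) != passed_apps
        self.results[key] = set(passed_apps)
        if changed:
            for notify in self.subscribers.get(key, []):
                notify(key, set(passed_apps))

    def get(self, ue: str, snssai: str) -> Optional[Set[str]]:
        """S1406: authentication result acquisition request/response."""
        return self.results.get((ue, snssai))

    def subscribe(self, ue: str, snssai: str, notify: Callback) -> None:
        self.subscribers.setdefault((ue, snssai), []).append(notify)


class Smf:
    """SMF side: obtains the result only for S-NSSAIs whose subscription data
    (from the UDM) require per-application secondary authentication."""

    def __init__(self, amf: AmfResultStore, requires_app_auth: Set[str]):
        self.amf = amf
        self.requires_app_auth = requires_app_auth
        self.known: Dict[ResultKey, Set[str]] = {}   # results the SMF currently holds

    def on_pdu_session_request(self, ue: str, snssai: str,
                               result: Optional[Set[str]] = None) -> Optional[Set[str]]:
        """S1405: forwarded PDU session request; `result` is absent in the Fig. 14 variant."""
        if result is None and snssai in self.requires_app_auth:
            result = self.amf.get(ue, snssai)                    # S1406
            self.amf.subscribe(ue, snssai, self._on_update)      # later updates
        if result is not None:
            self.known[(ue, snssai)] = set(result)
        return result   # None: no per-application result (yet) for this session

    def _on_update(self, key: ResultKey, passed_apps: Set[str]) -> None:
        self.known[key] = passed_apps


def demo() -> Tuple[Smf, Optional[Set[str]], Optional[Set[str]]]:
    # Constructed UE identifier, S-NSSAI values and application ids (not from the patent).
    amf = AmfResultStore()
    amf.store("ue-001", "snssai-1", {"app-video"})
    smf = Smf(amf, requires_app_auth={"snssai-1"})
    first = smf.on_pdu_session_request("ue-001", "snssai-1")      # fetched from the AMF
    other = smf.on_pdu_session_request("ue-001", "snssai-2")      # no secondary auth needed
    amf.store("ue-001", "snssai-1", {"app-video", "app-map"})     # update -> notification
    return smf, first, other
```

After the update notification the SMF would regenerate the detection rules of S1407 from `smf.known`, which is not repeated here.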
Fig. 15 is a flowchart of an authentication method according to an embodiment of the present application. The authentication method is implemented based on the PDU session establishment procedure. The terminal device in fig. 12 may be the UE in fig. 15, the first network element in fig. 12 may be the SMF in fig. 15, and the authentication device in fig. 12 may be the DN-AAA in fig. 15, such as an AAA-S deployed in the DN. In this case, the SMF may determine, based on the network slice authentication procedure, whether the UE has access rights to the network slice purchased through the third party application provider, thereby completing the secondary authentication of the UE.
As shown in fig. 15, the authentication method may include the steps of:
S1501, the SMF sends a first authentication request to the DN-AAA.
Specifically, the SMF may trigger the secondary authentication by sending a first authentication request to the DN-AAA through the UPF in the procedure of the UE initiating PDU session establishment.
Wherein the first authentication request is for requesting the DN-AAA to initiate a secondary authentication.
S1502, the SMF receives a first authentication response from the DN-AAA.
The first authentication response is used to inform the SMF whether the DN-AAA allows secondary authentication to be initiated for the UE. If so, the following S1503 is executed.
The SMF may then determine, based on the subscription data, whether the DN-AAA needs to perform secondary authentication for the application. If so, the SMF may send an application information acquisition request to the UE and receive the application information from the UE, which may be implemented as the following S1503-S1504:
S1503, the SMF sends an application information acquisition request to the UE.
The application information acquisition request carries an EAP ID request and the identity information of the UE, and is used to request the application information requiring secondary authentication.
S1504, the SMF receives an application information acquisition response from the UE.
The application information acquisition response carries application information, an EAP ID response and identity information of the UE. For the content of the application information, reference may be made to S1201, and a detailed description thereof is omitted herein.
Note that if the PDU session establishment request initiated in S1501 already carries the application information, S1503-S1504 need not be executed and S1505 may be executed directly; that is, S1503-S1504 may be regarded as optional steps.
S1505, the SMF sends a second authentication request to the DN-AAA.
The second authentication request carries the application information acquired in S1504.
S1506, the DN-AAA sends a second authentication response to the SMF.
The second authentication response carries the authentication result. For the content of the authentication result, reference may be made to S1203-S1204, which are not repeated here.
S1507, the remaining steps in the PDU session establishment procedure and the secondary authentication procedure are performed.
S1508, the SMF determines an N4 rule according to the authentication result.
S1509, the SMF sends the N4 rule to the UPF.
The N4 rule includes a detection rule, and for specific implementation of the detection rule, reference may be made to S1306, which is not described herein.
It should be noted that the authentication method shown in fig. 15 may be implemented alone or in combination with the authentication method shown in fig. 13 or 14. For example, if both the S-NSSAI of the PDU session the UE initiates and the PDU session itself require authentication, the SMF may integrate the application information in the authentication result obtained from the AMF with the application information in the authentication result obtained from the AAA-S, for example by taking the intersection of the two sets of application information, to generate the detection rule.
Fig. 16 is a flowchart of an authentication method according to an embodiment of the present application. The authentication method may be implemented in combination with the authentication method shown in any one of fig. 13 to 15. The terminal device in fig. 12 may be the UE in fig. 16, the first network element in fig. 12 may be the AMF or SMF in fig. 16, and the authentication device in fig. 12 may be the NSSAAF or AAA-S in fig. 16. At this point, the PCF may generate detection rules based on authentication results obtained from the AMF, and/or NSSAAF/AAA-S.
As shown in fig. 16, the authentication method may include the steps of:
S1601, a PDU session establishment procedure and a secondary authentication procedure are performed.
S1602, the SMF receives authentication results from the AMF and/or NSSAAF.
The authentication result at least comprises application identification information.
S1603, the SMF sends the authentication result to the PCF.
S1604, the PCF determines PCC rules based on the authentication result.
S1605, the PCF sends the PCC rule to the SMF.
S1606, the SMF sends the detection rule to the UPF.
Specifically, the SMF may generate a detection rule, such as an N4 rule, according to the PCC rule and send it to the UPF. The UPF can then implement customized forwarding policies according to the detection rule and the application data corresponding to the application identification information; for example, the gating of the PCC rule corresponding to an application that passed authentication is set to on, and otherwise to off, so that the data of an application whose secondary authentication succeeded is forwarded and the data of an application whose secondary authentication failed is discarded.
It should be noted that the authentication method shown in fig. 16 differs from the authentication method shown in any one of fig. 13 to 15 in that: in the authentication method shown in any one of fig. 13 to 15, the PCC rule is determined by the SMF, whereas in the authentication method shown in fig. 16, the PCC rule is determined by the PCF.
It should be understood by those skilled in the art that each network element or device shown in fig. 13-15 is an example and should not be construed as limiting the scope of protection of the technical solutions provided in the present application. Taking the authentication device as an example, it is the NSSAAF in fig. 13 and 14, the DN-AAA in fig. 15, and the NSSAAF and AAA-S in fig. 16. In practical applications, there may be more than one type of device/network element performing the secondary authentication function, and there may be more than one such device/network element; the embodiment of the present application does not limit the types and numbers of authentication devices.
Further, in the embodiments shown in fig. 13-16, the PCF may generate the URSP rules from one or more of the following information: subscription information (such as whether the slice/DNN needs secondary authentication, whether an application needs slice/DNN secondary authentication, etc.), authentication requirement information reported by the AMF or SMF (such as whether the slice/DNN needs secondary authentication, whether an application needs slice/DNN secondary authentication, etc.), and the secondary authentication result.
The route selection descriptor of the URSP rule is shown in table 6 below.
TABLE 6
[Table 6: route selection descriptor of the URSP rule; rendered as an image in the original]
Table 6 differs from table 3 in that the validation criteria "application passed slice secondary authentication" and "application passed DN secondary authentication" are newly added. Note that the names in table 6 are merely examples; other names may be used in implementation.
In other words, the UE may determine, based on the returned authentication result, that a certain URSP rule (or route selection descriptor, RSD) is not to be used. Specifically, the UE considers the URSP rule (or RSD) of the DNN/S-NSSAI corresponding to the application to be valid only when the secondary authentication of the application passes. Only if the URSP rule (or RSD) is valid will the UE use it, for example by initiating a PDU session establishment request based on that URSP rule.
The network side (such as the AMF or SMF) may send the authentication result to the UE after the (application) secondary authentication, as described in the above embodiments, and the UE may determine whether the above route validation criteria are met according to the authentication result.
In addition, when the PCF uses the secondary authentication result as an input, specifically, as shown in table 6, a validation criteria field, such as a route validation criterion, may also be used to transmit the authentication result directly, for example by adding corresponding indication information to it. In this way, the UE may make the decision directly, without the AMF or SMF having to send the authentication result separately.
Based on the authentication method shown in any one of fig. 12 to 16, the authentication device may perform the secondary authentication operation on the applications corresponding to the application information one by one. Therefore, the first network element can determine the detection rule for each application one by one based on the authentication result, and instruct each network node on the data transmission path to execute, based on the detection rule, forwarding or discarding operations on the data of the applications corresponding to the different application information, such as forwarding the data of an application whose authentication succeeded and discarding the data of an application whose authentication failed. This ensures that even if the application information is stolen or tampered with, network resources are not abused, thereby improving network security and operating efficiency.
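The flow of fig. 12 to 16, reduced to a runnable simulation (an added example, not code from the patent): the UE reports application information, an authentication device authenticates each application one by one, the SMF derives per-application detection rules (taking the intersection when both a slice result and a DN result exist), the UPF forwards or discards traffic, and the UE treats a URSP route selection descriptor as usable only once the application's secondary authentication passed. All application ids, credentials, RSDs and packets are constructed; a shared-secret comparison stands in for the EAP exchange, and traffic with no detection rule is assumed to be discarded.

```python
# Added simulation of per-application secondary authentication and enforcement; all values constructed.
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class AppInfo:
    """Application information from the UE: identification + authentication info."""
    app_id: str
    app_auth: str  # application authentication information (a shared secret here)


@dataclass(frozen=True)
class AuthResult:
    """Authentication result: application identification + authentication indication."""
    app_id: str
    success: bool


class AuthDevice:
    """Stand-in for NSSAAF/AAA-S (slice) or DN-AAA (DN) holding expected credentials."""

    def __init__(self, expected: Dict[str, str]):
        self._expected = expected

    def authenticate(self, apps: Sequence[AppInfo]) -> List[AuthResult]:
        """Authenticate every reported application individually (S1505/S1506)."""
        results = []
        for app in apps:
            want = self._expected.get(app.app_id, "")
            # constant-time compare; an application unknown to this device fails
            ok = bool(want) and hmac.compare_digest(want.encode(), app.app_auth.encode())
            results.append(AuthResult(app.app_id, ok))
        return results


def derive_detection_rules(*result_sets: Sequence[AuthResult]) -> Dict[str, str]:
    """SMF side (S1508): one gating entry per application. With both a slice result
    (NSSAAF) and a DN result (DN-AAA/AAA-S), an application is gated 'on' only if
    it passed in both, i.e. the intersection of the successful application sets."""
    seen: Set[str] = set()
    passed: Optional[Set[str]] = None
    for results in result_sets:
        seen |= {r.app_id for r in results}
        ok = {r.app_id for r in results if r.success}
        passed = ok if passed is None else passed & ok
    passed = passed or set()
    return {app: ("on" if app in passed else "off") for app in sorted(seen)}


@dataclass(frozen=True)
class Packet:
    app_id: Optional[str]  # application the UPF attributed the packet to; None if unknown
    payload: bytes


def upf_enforce(rules: Dict[str, str],
                packets: Sequence[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """UPF side (S1509): forward only traffic of applications gated 'on'. Traffic
    without a matching detection rule is discarded (assumed default-deny)."""
    forwarded: List[Packet] = []
    discarded: List[Packet] = []
    for pkt in packets:
        (forwarded if rules.get(pkt.app_id or "") == "on" else discarded).append(pkt)
    return forwarded, discarded


@dataclass(frozen=True)
class RouteSelectionDescriptor:
    dnn: str
    s_nssai: str
    needs_app_auth: bool  # table 6 style validation criterion (constructed field name)


def usable_rsds(app_id: str, rsds: Sequence[RouteSelectionDescriptor],
                results: Sequence[AuthResult]) -> List[RouteSelectionDescriptor]:
    """UE side: an RSD whose validation criterion requires secondary authentication
    is usable only if this application's authentication passed."""
    passed = {r.app_id for r in results if r.success}
    return [rsd for rsd in rsds if not rsd.needs_app_auth or app_id in passed]


def run_scenario() -> Dict[str, object]:
    """Constructed end-to-end scenario returning the intermediate values."""
    apps = [AppInfo("app-a", "secret-a"), AppInfo("app-b", "wrong"),
            AppInfo("app-c", "secret-c")]
    slice_aaa = AuthDevice({"app-a": "secret-a", "app-b": "secret-b", "app-c": "secret-c"})
    dn_aaa = AuthDevice({"app-a": "secret-a", "app-b": "secret-b"})  # app-c unknown to the DN
    slice_res, dn_res = slice_aaa.authenticate(apps), dn_aaa.authenticate(apps)
    rules = derive_detection_rules(slice_res, dn_res)  # only app-a passes in both
    fwd, drop = upf_enforce(rules, [Packet("app-a", b"1"), Packet("app-b", b"2"),
                                    Packet("app-c", b"3"), Packet(None, b"4")])
    rsds = [RouteSelectionDescriptor("internet", "01-ABC", True),
            RouteSelectionDescriptor("internet", "01-DEF", False)]
    return {"rules": rules, "forwarded": [p.app_id for p in fwd],
            "discarded": [p.app_id for p in drop],
            "rsds_app_b": [r.s_nssai for r in usable_rsds("app-b", rsds, dn_res)]}


if __name__ == "__main__":
    print(run_scenario())
```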
The authentication method provided in the embodiment of the present application is described in detail above in connection with fig. 12 to 16. An authentication apparatus for performing the authentication method provided in the embodiment of the present application is described in detail below with reference to fig. 17 to 20.
Fig. 17 is a schematic structural diagram of an authentication device according to an embodiment of the present application. As shown in fig. 17, the authentication apparatus 1700 includes: a receiving module 1701 and a transmitting module 1702. For convenience of explanation, fig. 17 shows only the main components of the authentication apparatus.
In some embodiments, the authentication apparatus 1700 may be adapted to perform the function of the first network element in the authentication method shown in fig. 12 in the communication system shown in fig. 4, or to perform the function of the AMF or SMF in the authentication method shown in fig. 13-16 in the communication system shown in any one of fig. 6-11.
Wherein, the receiving module 1701 is configured to receive application information from a terminal device.
A sending module 1702 configured to send application information to an authentication device.
The receiving module 1701 is further configured to receive an authentication result from the authentication device. The authentication result is determined according to the application information, and is used for generating a detection rule, wherein the detection rule is used for executing forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In one possible design, the sending module 1702 is further configured to send the authentication result to the session management network element.
In another possible design, the authentication apparatus 1700 further includes a processing module 1703 (shown in a dashed box in fig. 17). The processing module 1703 is configured to determine a detection rule according to the authentication result. The sending module 1702 is further configured to send the detection rule to a user plane network element.
Optionally, the sending module 1702 is further configured to send an authentication result to the policy control network element. The receiving module 1701 is further configured to receive a detection rule from a policy control network element.
Alternatively, the receiving module 1701 and the transmitting module 1702 may be integrated into one module, such as a transceiver module (not shown in fig. 17). The transceiver module is configured to implement a transceiver function of the authentication device 1700.
Optionally, the authentication apparatus 1700 may further comprise a memory module (not shown in fig. 17) storing a computer program or instructions. The processing module 1703, when executing the computer program or instructions, enables the authentication apparatus 1700 to perform the authentication method illustrated in any of figures 12-16.
Optionally, the authentication apparatus 1700 may be a first network element, such as an access and mobility management network element, or a session management network element, or may be a chip (system) or other components or assemblies that may be disposed in the first network element, or may be an apparatus or system including the first network element, which is not limited in this application.
It is to be appreciated that the processing modules involved in the authentication apparatus 1700 may be implemented by a processor or processor-related circuit components, which may be a processor or processing unit; the transceiver module may be implemented by a transceiver or transceiver related circuit components, and may be a transceiver or a transceiver unit.
Fig. 18 is a schematic structural diagram of an authentication device according to an embodiment of the present application. As shown in fig. 18, the authentication apparatus 1800 includes: an acquisition module 1801 and a transmission module 1802. For convenience of explanation, fig. 18 shows only the main components of the authentication apparatus.
In some embodiments, the authentication apparatus 1800 may be adapted to perform the functions of the authentication device in the authentication method shown in fig. 12 in the communication system shown in fig. 4, or to perform the functions of the NSSAAF or DN-AAA in the authentication method shown in fig. 13-16 in the communication system shown in any one of fig. 6-11.
The acquiring module 1801 is configured to acquire application information. Wherein the application information is used to determine the authentication result.
A sending module 1802, configured to send an authentication result to a first network element. The authentication result is used for determining a detection rule, and the detection rule is used for executing forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In a possible design, the authentication device 1800 further includes: a receiving module 1803. Wherein, the receiving module 1803 is configured to receive application information from the first network element.
Alternatively, the receiving module 1803 and the transmitting module 1802 may be integrated into one module, such as a transceiver module (not shown in fig. 18). The transceiver module is configured to implement a transceiver function of the authentication device 1800.
Alternatively, the acquisition module 1801 may be integrated with other processing functions of the authentication device 1800 into one processing module (not shown in fig. 18) for implementing the processing functions of the authentication device 1800.
Optionally, the authentication device 1800 may also include a memory module (not shown in fig. 18) storing computer programs or instructions. The computer programs or instructions, when executed by the processing module, enable the authentication apparatus 1800 to perform the authentication method illustrated in any of fig. 12-16.
Alternatively, the authentication apparatus 1800 may be an authentication device, such as NSSAAF, AAA-S, AAA-P, DN-AAA, etc., or may be a chip (system) or other parts or components that may be disposed in the authentication device, or may be an apparatus or system including the authentication device, which is not limited in this embodiment of the present application.
Fig. 19 is a schematic structural diagram of an authentication device according to an embodiment of the present application. As shown in fig. 19, the authentication apparatus 1900 includes: a transmission module 1901. For convenience of explanation, fig. 19 shows only major components of the authentication apparatus.
In some embodiments, the authentication apparatus 1900 may be adapted to perform the functions of the terminal device in the authentication method shown in fig. 12 in the communication system shown in fig. 4, or to perform the functions of the UE in the authentication method shown in fig. 13-16 in the communication system shown in any one of fig. 6-11.
The sending module 1901 is configured to send application information to the first network element. The application information is used for determining an authentication result, the authentication result is used for generating a detection rule, and the detection rule is used for executing forwarding or discarding operation on the data of the application corresponding to the application information.
In one possible embodiment, the application information includes application identification information, and the authentication result includes application identification information.
Optionally, the application information further comprises application authentication information.
Optionally, the authentication result further includes authentication indication information, where the authentication indication information is used to indicate whether the authentication operation of the application corresponding to the application information is successful.
In a possible design, the authentication device 1900 further includes: a receiving module 1902. The receiving module 1902 is configured to receive an authentication result from a first network element.
Alternatively, the transmitting module 1901 may be integrated with the receiving module 1902 as a single module, such as a transceiver module (not shown in fig. 19). The transceiver module is configured to implement a transceiver function of the authentication device 1900.
Optionally, the authentication device 1900 may further comprise a processing module 1903. The processing module is used for realizing the processing function of the device.
Optionally, the authentication device 1900 may further comprise a storage module (not shown in fig. 19) storing a computer program or instructions. The processing module 1903, when executing the computer program or instructions, enables the authentication apparatus 1900 to perform the authentication method illustrated in any of fig. 12-16.
Alternatively, the authentication apparatus 1900 may be a terminal device, or may be a chip (system) or other parts or components that may be disposed in the terminal device, or may be an apparatus or system including the terminal device, which is not limited in this application.
Fig. 20 is a schematic structural diagram of an authentication device according to an embodiment of the present application. The authentication device may be a terminal device or a network device, or may be a chip (system) or other parts or components that may be disposed in the terminal device or the network device. As shown in fig. 20, the authentication apparatus 2000 may include a processor 2001. Optionally, the authentication device 2000 may also include a memory 2002 and/or a transceiver 2003. The processor 2001 is coupled with the memory 2002 and the transceiver 2003, for example, by a communication bus.
The following describes the respective constituent elements of the authentication apparatus 2000 in detail with reference to fig. 20:
The processor 2001 is the control center of the authentication device 2000, and may be a single processor or a collective name for a plurality of processing elements. For example, the processor 2001 may be one or more central processing units (CPUs), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
Alternatively, the processor 2001 may perform various functions of the authentication device 2000 by running or executing a software program stored in the memory 2002, and invoking data stored in the memory 2002.
In a particular implementation, the processor 2001 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 20, as an example.
In a specific implementation, as an embodiment, the authentication device 2000 may also include a plurality of processors, such as the processor 2001 and the processor 2004 shown in fig. 20. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 2002 is used for storing a software program for executing the solution of the present application, and is controlled by the processor 2001 to execute the program, and the specific implementation may refer to the above method embodiment, which is not described herein again.
Alternatively, the memory 2002 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation. The memory 2002 may be integrated with the processor 2001 or may exist separately and be coupled to the processor 2001 through an interface circuit (not shown in fig. 20) of the authentication device 2000, which is not specifically limited in this embodiment of the present application.
A transceiver 2003 for communication with other authentication devices. For example, the authentication apparatus 2000 is a terminal device, and the transceiver 2003 may be used to communicate with a network device or with another terminal device. As another example, the authentication apparatus 2000 is a network device, and the transceiver 2003 may be used to communicate with a terminal device or with another network device.
Alternatively, transceiver 2003 may include a receiver and a transmitter (not separately shown in fig. 20). The receiver is used for realizing the receiving function, and the transmitter is used for realizing the transmitting function.
Alternatively, the transceiver 2003 may be integrated with the processor 2001, or may exist separately, and be coupled to the processor 2001 through an interface circuit (not shown in fig. 20) of the authentication device 2000, which is not specifically limited in this embodiment of the present application.
It should be noted that the structure of the authentication device 2000 shown in fig. 20 does not limit the authentication device, and an actual authentication device may include more or less components than those shown, or may combine some components, or may be different in arrangement of components.
In addition, the technical effects of the authentication device shown in any one of fig. 17 to 20 may refer to the technical effects of the authentication method described in the foregoing method embodiment, and are not described herein again.
The embodiment of the application provides a communication system. The communication system comprises a terminal device, a first network element and an authentication device.
It should be appreciated that the processor in embodiments of the present application may be a central processing unit (central processing unit, CPU), which may also be other general purpose processors, digital signal processors (digital signal processor, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), off-the-shelf programmable gate arrays (field programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be appreciated that the memory in embodiments of the present application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" merely describes an association relationship between the associated objects and means that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects, but may also indicate an "and/or" relationship, as may be understood from the context.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "At least one of" and similar phrases mean any combination of the listed items, including any combination of single items or plural items. For example, "at least one of a, b, or c" may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c may be single or plural.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (29)

1. An authentication method, applied to a first network element, the method comprising:
receiving application information from a terminal device;
transmitting the application information to an authentication device;
receiving an authentication result from the authentication device; the authentication result is determined according to the application information, and is used for generating a detection rule which is used for executing forwarding or discarding operation on the data of the application corresponding to the application information.
2. The authentication method according to claim 1, wherein the application information includes application identification information, and the authentication result includes the application identification information.
3. The authentication method of claim 2, wherein the application information further comprises application authentication information.
4. An authentication method according to claim 2 or 3, wherein the authentication result further comprises authentication indication information, the authentication indication information being used to indicate whether an authentication operation of an application corresponding to the application information is successful.
5. The authentication method according to any one of claims 1-4, wherein the first network element is an access and mobility management network element;
the method further comprises:
the access and mobility management network element sending the authentication result to the session management network element.
6. The authentication method according to any one of claims 1-4, wherein the first network element is a session management network element;
the method further comprises:
the session management network element determining the detection rule according to the authentication result; and
the session management network element sending the detection rule to a user plane network element.
7. The authentication method according to claim 6, wherein the session management network element determining the detection rule according to the authentication result specifically comprises:
the session management network element sending the authentication result to a policy control network element; and
the session management network element receiving the detection rule from the policy control network element.
8. An authentication method, applied to an authentication device, the method comprising:
obtaining application information, wherein the application information is used for determining the authentication result;
sending the authentication result to a first network element, wherein the authentication result is used for determining a detection rule, and the detection rule is used for performing a forwarding or discarding operation on data of an application corresponding to the application information.
9. The authentication method of claim 8, wherein the application information includes application identification information, and the authentication result includes the application identification information.
10. The authentication method according to claim 9, wherein the authentication result further includes authentication indication information indicating whether an authentication operation of the application corresponding to the application information is successful.
11. The authentication method according to any one of claims 8-10, wherein obtaining the application information specifically comprises:
receiving the application information from the first network element.
12. An authentication method, applied to a terminal device, the method comprising:
sending application information to a first network element, wherein the application information is used for determining an authentication result, the authentication result is used for generating a detection rule, and the detection rule is used for performing a forwarding or discarding operation on data of an application corresponding to the application information.
13. The authentication method according to claim 12, wherein the method further comprises:
receiving the authentication result from the first network element.
14. An authentication device, the device comprising: a receiving module and a sending module; wherein,
the receiving module is configured to receive application information from a terminal device;
the sending module is configured to send the application information to an authentication device;
the receiving module is further configured to receive an authentication result from the authentication device, wherein the authentication result is determined according to the application information and is used for generating a detection rule, and the detection rule is used for performing a forwarding or discarding operation on data of an application corresponding to the application information.
15. The authentication apparatus of claim 14, wherein the application information comprises application identification information, and the authentication result comprises the application identification information.
16. The authentication device of claim 15, wherein the application information further comprises application authentication information.
17. The authentication apparatus according to claim 15 or 16, wherein the authentication result further includes authentication indication information for indicating whether an authentication operation of the application corresponding to the application information is successful.
18. The authentication device according to any one of claims 14-17, wherein
the sending module is further configured to send the authentication result to a session management network element.
19. The authentication device according to any one of claims 14-17, wherein the device further comprises: a processing module; wherein,
the processing module is configured to determine the detection rule according to the authentication result;
the sending module is further configured to send the detection rule to a user plane network element.
20. The authentication apparatus of claim 19, wherein,
the sending module is further configured to send the authentication result to a policy control network element;
the receiving module is further configured to receive a detection rule from the policy control network element.
21. An authentication device, the device comprising: an obtaining module and a sending module; wherein,
the obtaining module is configured to obtain application information, wherein the application information is used for determining the authentication result;
the sending module is configured to send the authentication result to a first network element, wherein the authentication result is used for determining a detection rule, and the detection rule is used for performing a forwarding or discarding operation on data of an application corresponding to the application information.
22. The authentication apparatus of claim 21, wherein the application information comprises application identification information, and the authentication result comprises the application identification information.
23. The authentication apparatus according to claim 22, wherein the authentication result further includes authentication indication information indicating whether an authentication operation of the application corresponding to the application information is successful.
24. The authentication device according to any one of claims 21-23, wherein the device further comprises: a receiving module; wherein,
the receiving module is configured to receive the application information from the first network element.
25. An authentication device, the device comprising: a sending module; wherein,
the sending module is configured to send application information to a first network element, wherein the application information is used for determining an authentication result, the authentication result is used for generating a detection rule, and the detection rule is used for performing a forwarding or discarding operation on data of an application corresponding to the application information.
26. The authentication device according to claim 25, wherein the device further comprises: a receiving module; wherein,
the receiving module is configured to receive the authentication result from the first network element.
27. An authentication apparatus, comprising: a processor coupled to a memory;
the processor being configured to execute a computer program stored in the memory, to cause the authentication apparatus to perform the authentication method according to any one of claims 1-13.
28. A computer-readable storage medium, storing a computer program or instructions which, when run on a computer, cause the computer to perform the authentication method according to any one of claims 1-13.
29. A computer program product, comprising: a computer program or instructions which, when run on a computer, cause the computer to perform the authentication method according to any one of claims 1-13.
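The claims above describe one message flow: the terminal device submits application information (identification plus authentication information), the first network element relays it to the authentication device, the authentication result (identification plus a success/failure indication) reaches the session management network element, which obtains a detection rule from policy control and installs it on the user plane, where the application's data is then forwarded or discarded. The following Python model is an added illustration of that flow and is not code from the patent or from Huawei. Everything not stated in the claims is an assumption: the credential format (modelled as an HMAC-SHA256 over the application identifier with a per-application secret held by the authentication device), the class names, the per-application secret table and the sample submissions (all constructed), and the fail-closed choice that data of an application with no installed rule is discarded.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed per-application secrets held by the authentication device.
# Assumption: the claims do not define the credential format, so application
# authentication information is modelled as HMAC-SHA256(secret, application id).
APP_SECRETS: Dict[str, bytes] = {
    "app-video": b"constructed-secret-video",
    "app-iot": b"constructed-secret-iot",
}

FORWARD = "forward"
DISCARD = "discard"


@dataclass(frozen=True)
class ApplicationInfo:
    app_id: str                      # application identification information (claim 2)
    app_auth_info: Optional[bytes]   # application authentication information (claim 3)


@dataclass(frozen=True)
class AuthResult:
    app_id: str      # identification information echoed back for correlation (claim 2)
    success: bool    # authentication indication information (claim 4)


@dataclass(frozen=True)
class DetectionRule:
    app_id: str
    action: str      # FORWARD or DISCARD, applied to the application's data (claim 1)


def make_app_auth_info(app_id: str, secret: bytes) -> bytes:
    """Terminal side: derive the (assumed) credential carried in the application information."""
    return hmac.new(secret, app_id.encode(), hashlib.sha256).digest()


class AuthenticationDevice:
    """Determines the authentication result from the application information (claim 8)."""

    def authenticate(self, info: ApplicationInfo) -> AuthResult:
        secret = APP_SECRETS.get(info.app_id)
        if secret is None or info.app_auth_info is None:
            return AuthResult(info.app_id, False)  # unknown application or no credential: fail closed
        expected = make_app_auth_info(info.app_id, secret)
        return AuthResult(info.app_id, hmac.compare_digest(expected, info.app_auth_info))


class PolicyControl:
    """Policy control network element: maps an authentication result to a detection rule (claim 7)."""

    def rule_for(self, result: AuthResult) -> DetectionRule:
        return DetectionRule(result.app_id, FORWARD if result.success else DISCARD)


class UserPlane:
    """User plane network element: enforces installed detection rules on application data."""

    def __init__(self) -> None:
        self.rules: Dict[str, str] = {}

    def install(self, rule: DetectionRule) -> None:
        self.rules[rule.app_id] = rule.action

    def handle_packet(self, app_id: str) -> str:
        # Assumption: an application with no rule yet has not completed authentication,
        # so its data is discarded rather than forwarded by default.
        return self.rules.get(app_id, DISCARD)


class SessionManagement:
    """Session management network element (claims 6 and 7)."""

    def __init__(self, pcf: PolicyControl, upf: UserPlane) -> None:
        self.pcf, self.upf = pcf, upf

    def handle_auth_result(self, result: AuthResult) -> DetectionRule:
        rule = self.pcf.rule_for(result)  # send result to policy control, receive the detection rule
        self.upf.install(rule)            # send the detection rule to the user plane network element
        return rule


class AccessAndMobilityManagement:
    """First network element in the sense of claims 1 and 5."""

    def __init__(self, auth_dev: AuthenticationDevice, smf: SessionManagement) -> None:
        self.auth_dev, self.smf = auth_dev, smf

    def handle_application_info(self, info: ApplicationInfo) -> AuthResult:
        result = self.auth_dev.authenticate(info)  # send application information, receive the result
        self.smf.handle_auth_result(result)        # pass the result to session management (claim 5)
        return result                              # returned to the terminal device (claim 13)


def run_scenario() -> Tuple[Dict[str, bool], Dict[str, str]]:
    """Constructed scenario: one valid credential, one forged credential, one unknown application."""
    upf = UserPlane()
    amf = AccessAndMobilityManagement(AuthenticationDevice(), SessionManagement(PolicyControl(), upf))
    submissions = [
        ApplicationInfo("app-video", make_app_auth_info("app-video", APP_SECRETS["app-video"])),
        ApplicationInfo("app-iot", make_app_auth_info("app-iot", b"wrong-secret")),
        ApplicationInfo("app-unknown", bytes(32)),
    ]
    results = {s.app_id: amf.handle_application_info(s).success for s in submissions}
    actions = {a: upf.handle_packet(a) for a in ("app-video", "app-iot", "app-unknown", "app-never-seen")}
    return results, actions


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario installs a forward rule only for the application whose credential verifies; the forged and unknown submissions each produce a failed indication and a discard rule, and an application that never went through the flow is also discarded because of the fail-closed default. The security property the claims rely on is visible here: the user plane never decides on its own whether an application is authenticated, it only enforces a rule derived from the authentication device's result.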

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111223393.9A CN115996378A (en) 2021-10-20 2021-10-20 Authentication method and device
PCT/CN2022/125734 WO2023066210A1 (en) 2021-10-20 2022-10-17 Authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111223393.9A CN115996378A (en) 2021-10-20 2021-10-20 Authentication method and device

Publications (1)

Publication Number Publication Date
CN115996378A true CN115996378A (en) 2023-04-21

Family

ID=85990833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111223393.9A Pending CN115996378A (en) 2021-10-20 2021-10-20 Authentication method and device

Country Status (2)

Country Link
CN (1) CN115996378A (en)
WO (1) WO2023066210A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019075848A1 (en) * 2017-10-16 2019-04-25 华为技术有限公司 Coordination of terminal slicing function and network slicing function
WO2020035732A1 (en) * 2018-08-13 2020-02-20 Lenovo (Singapore) Pte. Ltd. Network slice authentication
EP3793136A1 (en) * 2019-09-10 2021-03-17 Orange Network slicing application access control
CN112804679B (en) * 2020-12-29 2023-07-14 中兴通讯股份有限公司 Network slice connection method and device, storage medium and electronic device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117041969A (en) * 2023-09-28 2023-11-10 新华三技术有限公司 Access method, system and device of 5G dual-domain private network and electronic equipment
CN117041969B (en) * 2023-09-28 2024-01-02 新华三技术有限公司 Access method, system and device of 5G dual-domain private network and electronic equipment

Also Published As

Publication number Publication date
WO2023066210A1 (en) 2023-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination