KR20210138322A - Authentication server for 5g non public network connection control, method of the network connection control and connection method of terminal - Google Patents

Abstract

Provided are an authentication server for controlling connection to a non-public network (NPN), which allows a terminal to access a fifth-generation (5G) NPN by using a universal subscriber identity module (USIM) installed therein regardless of a subscribed public land mobile network (PLMN), a connection control method thereof, and a connection method for a terminal. According to the present invention, the authentication server comprises: a PLMN interface connected to a plurality of different PLMNs; an NPN interface connected to a plurality of different NPNs; a memory storing a program; and a processor executing the program. The program includes instructions of receiving a certificate issuance request from a terminal through any PLMN among the plurality of PLMNs and generating and transmitting a certificate to the terminal when a user authentication response is received from the NPN by sending a user authentication request to the NPN corresponding to a domain included in the certificate issuance request. The certificate is stored in the terminal to be used for authentication for connecting to the NPN.

Description

AUTHENTICATION SERVER FOR 5G NON PUBLIC NETWORK CONNECTION CONTROL, METHOD OF THE NETWORK CONNECTION CONTROL AND CONNECTION METHOD OF TERMINAL

The present invention relates to an authentication server for performing 5G non-public network access control, an access control method, and a terminal access method, in particular, a non-public network specified in the 3rd Generation Partnership Project (3GPP) 5G standard, that is, a Non Public Network (NPN). It relates to an authentication server for performing access control, an access control method, and a terminal access method.

As the broadband mobile communication market has been activated and the penetration rate of smartphones has increased, the demand for using broadband mobile communication and smartphones for corporate services has increased. In particular, due to the spread of Bring Your Own Device (BYOD) services, the number of companies using personal devices for business purposes is rapidly increasing. The Private Network service is a technology that reflects the needs of these companies.

The dedicated network service was widely used in the 4G mobile communication network. In addition, the dedicated network service has gained a lot of popularity as a B2B (Business to Business) product. The need for dedicated network services for security and convenience is high even at this point in the transition period from the 4th generation mobile communication network to the 5th generation mobile communication network. As such, companies want to manage their internal networks privately and securely, while simultaneously allowing convenient and safe access for employees.

However, the current dedicated network market is mostly limited to the corporate phone market. In the case of a corporate phone, the purpose of the corporate phone is that the company can occupy it by contracting with a specific telecommunication company at will, but the case of personal phone (BYOD) is different. This is because, in the case of terminals owned by employees belonging to a company, each carrier is different, and it is impossible to infringe on an individual's right to choose a carrier for the needs of the company.

In addition, the conventional dedicated network service is a technology for separating the public network and the private network from the core network of a specific PLMN (Public Land Mobile Network). For this dedicated network service, a specific PLMN operator contracts with corporate subscribers and builds it as a dedicated network for corporate subscribers.

However, a Non-IMSI (International Mobile Subscriber Identity)-based authentication method is required to accommodate all employee terminals of the enterprise in the PLMN of the dedicated network service provider.

However, according to the current 3GPP standard, the authentication method used in the PLMN is an Evolved Packet System (EPS)-Authentication and Key Agreement (AKA) authentication method. The EPS-AKA authentication method uses an authentication key (eg, LTE K value) embedded in the USIM (Universal Subscriber Identity Module) of the terminal, and only a specific PLMN subscriber can authenticate and use it. Other PLMN subscribers cannot access the dedicated network.

Therefore, from a technical point of view, the conventional dedicated network service has obvious limitations in accommodating BYOD.

Recently, according to the 3GPP 5G standard, the concept of a 5G dedicated network called NPN (Non Public Network) is defined. 5G NPN is largely defined in two ways, a completely isolated SNPN (Standalone Non Public Network) and a PNPN (Public Integrated Non Public Network) provided in a slice form by the PLMN. PNPN network construction cost is cheaper than SNPN from the point of view of corporate subscribers, but security is relatively low because corporate traffic is distributed to the internal network through a specific PLMN.

On the other hand, in SNPN, corporate subscribers independently build access, core networks, and in-house networks regardless of the existing PLMN (communication company). Therefore, although the cost of building a network is rather high, perfect security is an advantage because it is not a service through a specific telecommunication company, but by building an independent network.

However, since SNPN is an E2E (End To End) dedicated network, the 5G authentication system must also be built exclusively. Therefore, for USIM-based 5G-AKA authentication, an NPN-only USIM must also be provided.

However, in the current USIM structure, one USIM can be used to authenticate access to one PLMN (communication company). This is because only one authentication key (K value) is stored. In order to access another PLMN and receive service, you need to change the carrier or change the USIM. Accordingly, the employee belonging to the company has the inconvenience of having to replace the USIM of the terminal whenever using the PLMN and whenever using the NPN.

The problem to be solved by the present invention is to provide an authentication server, an access control method, and an access method of the terminal for controlling access to a 5G NPN (Non Public Network) using a USIM possessed by the terminal regardless of the PLMN to which the terminal is subscribed .

According to one feature of the present invention, the authentication server is a PLMN interface connected to a plurality of different PLMNs (Public Land Mobile Network), an NPN interface connected to a plurality of different NPNs (NON-PUBLIC NETWORK), and storing a program. a memory and a processor executing the program, wherein the program receives a certificate issuance request from a terminal through any PLMN among the plurality of PLMNs, and authenticates a user with an NPN corresponding to a domain included in the certificate issuance request When a user authentication response is received from the NPN by sending a request, it includes instructions for generating an NPN certificate and transmitting it to the terminal, wherein the NPN certificate is stored in the terminal so that the terminal accesses the NPN used for authentication.

The certificate issuance request may be received from the terminal using access information of the authentication server, and the access information may be included in a session establishment response message received by the terminal from the arbitrary PLMN.

The access information may be included in a protocol configuration option (PCO) field of the session establishment response message.

The program transmits a first subscriber authentication credential including an NPN certificate and a terminal identifier to the NPN, the NPN certificate is used for network authentication between the terminal and the NPN, and the terminal identifier is It can be used to determine whether the NPN has access rights.

The program includes instructions for transmitting a second subscriber authentication credential including an NPN certificate, a terminal identifier, and a trigger identifier to the terminal, and the trigger identifier may induce NPN connection of the terminal.

The program includes a terminal requesting NPN access and instructions for performing a user authentication procedure according to the request of the terminal and transmitting a user authentication result to the terminal, and if the user authentication result indicates authentication success, in the terminal After the session with the PLMN is released, a connection may be induced to the NPN.

The program may include commands for receiving a certificate renewal request from the terminal, extending the validity period of the corresponding NPN certificate, and transmitting the NPN certificate with the extended validity period to the terminal.

The authentication between the NPN and the terminal may include Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) authentication.

According to another feature of the present invention, the access control method is a method of controlling the access of a terminal in NPN (NON-PUBLIC NETWORK), and information of a terminal having NPN access authority and an NPN certificate issued to the terminal are received from an authentication server. and storing, receiving a registration request from the terminal, checking the NPN certificate issued to the terminal using the terminal information included in the registration request, and using the checked NPN certificate and the NPN certificate stored in the terminal performing an authentication procedure with the terminal, and when the authentication procedure is completed, establishing a session with the terminal.

The NPN includes a Security Anchor Function (SEAF), an Authentication Server Function (AUSF), and a User Data Management (UDM), and the NPN certificate is stored in the terminal and the AUSF and used for the authentication procedure, the terminal's The information may be included in the subscriber profile of the UDM, and the registration request may be transmitted to the SEAF, and may generate an authentication request to the AUSF.

The NPN further includes a local authentication device, wherein the local authentication device performs a user authentication procedure using user authentication information received from the terminal before the terminal transmits a registration request to SEAF, and the registration request may be transmitted after completing the user authentication procedure.

According to another feature of the present invention, the access method is a method in which a terminal accesses a NON-PUBLIC NETWORK (NPN), and the terminal establishes a session received from an Access and Mobility Function (AMF) of a Public Land Mobile Network (PLMN). Obtaining access information of the authentication server from the response message, accessing the authentication server using the access information, requesting the authentication server to issue a certificate of the NPN to be accessed, and receiving the NPN certificate from the authentication server and storing, performing an authentication procedure with the NPN using the certificate, and when the authentication procedure is completed, accessing the NPN.

The storing may include receiving a subscriber authentication credential including the NPN certificate, a trigger identifier, and a terminal identifier from the authentication server, and mapping the NPN certificate to the trigger identifier and the terminal identifier to obtain a Universal Subscriber (USIM) Identity Module).

The trigger identifier includes a network identification (NID) list or an application package name list, and the NID is broadcast by a base station in a zone located in a specific area and forming a predetermined coverage, and accessing the NPN includes: When the NID received from the base station is included in the NID list or the cell ID received from the base station is included in the NID list, determining the NPN area and connecting to the NPN, and the package name of the executed application is the application When included in the package name list, one of the steps of accessing the NPN may be performed.

The step of accessing the NPN includes checking whether the NPN certificate is possessed, if there is no NPN certificate, accessing the authentication server and requesting a certificate issuance, if there is an NPN certificate, checking whether the NPN certificate has expired; If the NPN certificate has expired, accessing the authentication server to request an extension of the NPN certificate, and performing an authentication procedure using at least one of a previously issued NPN certificate, a newly issued NPN certificate, and an extended NPN certificate It may include the step of connecting.

According to an embodiment, the terminal stores the NPN certificate issued for each NPN in the USIM of the terminal, and performs EAKP-TLS authentication with a specific NPN using the corresponding NPN certificate when accessing a specific NPN. Accordingly, the UE can selectively connect the PLMN and a plurality of NPNs without replacing the USIM already possessed by the UE. In addition, when the NPN is established as a corporate network, the employee terminals belonging to the enterprise may be connected to the NPN regardless of the PLMN to which the employee terminals are subscribed. Therefore, it is possible to build a dedicated network system that can accommodate various personal phones (BYOD, Bring Your Own Device).

1 is a block diagram illustrating a network environment in which an arbitrary Public Land Mobile Network (PLMN) subscriber accesses a plurality of Non-Public Networks (NPNs) according to an embodiment of the present invention.
2 is a block diagram illustrating a network environment in which a plurality of different PLMN subscribers access an arbitrary NPN according to an embodiment of the present invention.
3 is a block diagram illustrating the configuration of a UE according to an embodiment of the present invention.
4 is a block diagram showing the configuration of an authentication server according to an embodiment of the present invention.
5 is a flowchart illustrating a process in which a UE acquires access information of an authentication server according to an embodiment of the present invention.
6 is a flowchart illustrating a process of issuing an NPN certificate according to an embodiment of the present invention.
7 is a flowchart illustrating an NPN access process according to an embodiment of the present invention.
8 is a flowchart illustrating a management process of an NPN certificate according to an embodiment of the present invention.
9 is a flowchart illustrating an NPN access procedure of a UE according to an embodiment of the present invention.
10A, 10B, and 10C are exemplary views of a screen for requesting issuance of an NPN certificate through a UI (User Interface) according to an embodiment of the present invention.
11A, 11B, 11C, and 11D are exemplary views of a screen for requesting issuance of an NPN certificate through an NPN connection-only application according to an embodiment of the present invention.
12 is a sequence illustrating an NPN connection trigger operation in a UE according to an embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings, embodiments of the present invention will be described in detail so that those of ordinary skill in the art to which the present invention pertains can easily implement them. However, the present invention may be embodied in various different forms and is not limited to the embodiments described herein. And in order to clearly explain the present invention in the drawings, parts irrelevant to the description are omitted, and similar reference numerals are attached to similar parts throughout the specification.

Throughout the specification, when a part "includes" a certain element, it means that other elements may be further included, rather than excluding other elements, unless otherwise stated.

In addition, terms such as “…unit”, “…group”, and “…module” described in the specification mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software. can

The devices described in the present invention are composed of hardware including at least one processor, a memory device, a communication device, and the like, and a program executed in combination with the hardware is stored in a designated place. The hardware has the configuration and capability to implement the method of the present invention. The program includes instructions for implementing the method of operation of the present invention described with reference to the drawings, and is combined with hardware such as a processor and a memory device to execute the present invention.

As used herein, "transmission or provision" may include not only direct transmission or provision, but also transmission or provision indirectly through another device or using a detour path.

In the present specification, expressions described in the singular may be construed in the singular or plural unless an explicit expression such as “a” or “single” is used.

In this specification, the same reference numbers refer to the same components regardless of the drawings, and "and/or" includes each and every combination of one or more of the referenced components.

In this specification, terms including an ordinal number such as first, second, etc. may be used to describe various elements, but the elements are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present disclosure, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component.

In the flowchart described with reference to the drawings in this specification, the order of operations may be changed, several operations may be merged, some operations may be divided, and specific operations may not be performed.

In the present specification, a terminal is a generic concept meaning a user terminal in communication, and is a user equipment (UE), a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), and an AT ( Access Terminal), mobile station, mobile terminal, subscriber station, portable subscriber station, user equipment, access terminal, wireless device, etc. It may include all or part of the functions of a home country, a portable subscriber station, a user equipment, an access terminal, a wireless device, and the like.

A terminal is a base station (BS), an access point (Access Point, AP), a radio access station (RAS), a Node B (Node B), an advanced Node B (evolved NodeB, eNodeB), a transmission and reception base station ( It can be connected to a remote server by accessing a network device such as a Base Transceiver Station (BTS) or Mobile Multihop Relay (MMR)-BS.

Base Station (BS) is an Access Point (AP), Radio Access Station (RAS), Node B (Node B), Base Transceiver Station (BTS), MMR (Mobile Multihop Relay) )-BS, etc. may refer to, and may include all or some functions of an access point, a radio access station, a Node B, a transceiver base station, an MMR-BS, and the like.

The terminal of the present specification is a communication terminal of various types, such as a mobile terminal such as a smart phone, a tablet terminal such as a smart pad and a tablet PC, a computer, and a television, and may include a plurality of communication interfaces.

The Private Network service separates Packet Data Networks (PDNs), ie, a public network, from a private network through a core network.

The 3GPP (The 3rd Generation Partnership Project) 5G standard defines an NPN (Non-Public Network) with a concept similar to that of a private network, and a dedicated network subscriber (eg, a corporate subscriber) can configure the NPN in a completely isolated or sliced form. .

In addition, the 5G system supports AKA (Authentication and Key Agreement) authentication as well as EAP (Extensible Authentication Protocol) type authentication, and in particular, EAP-TLS (Transport Layer Security) is officially supported.

In this specification, the NPN is used to provide a private network such as an internal network of a company, and can be configured in various ways. The NPN can be configured completely standalone, which is referred to as a standalone NPN (SNPN). SNPN is independently built from “access to core network to internal network” regardless of the existing PLMN (Public Land Mobile Network).

In addition, the NPN may be hosted by an existing Public Land Mobile Network (PLMN) or may be configured as a slice of the existing PLMN, and this NPN is called a Public Integrated Non Public Network (PNPN).

The NPN may reject a non-joined UE when it attempts to access it. UEs belonging to some enterprise subscribers may be restricted to access only NPN, even if the PLMN service coverage is in the same geographic area. In addition, UEs belonging to other enterprise subscribers can access both the allowed specific NPN and specific PLMN.

The 5G system must support NPN, and it must be possible to provide services in a specific area. The 5G system should support the NPN to operate independently and should be able to operate without relying on the PLMN. The 5G system should be able to support PLMN service through NPN and support smooth service continuity. The 5G system must support identifiers that can identify multiple NPNs. The 5G system should support network change access from one PLMN to another without changing the subscriber information stored in the NPN.

When there is an access request from a UE not joined to the NPN, the NPN rejects the access with an error code.

In order for the UE in the NPN access mode normally registered in the NPN to access the PLMN, the NPN acts as “Untrusted non-3GPP Access” together with the credentials of the PLMN to connect the UE to the PLMN. Credentials of the PLMN are a process of determining whether the UE is a legitimate user who can access the PLMN, and can be determined using the authentication method of the PLMN. For example, it is possible to determine whether the user is a legitimate user using IMSI, SUPI, or the like.

When the UE normally registered in the PLMN accesses the NPN, the UE allows the UE to access the NPN as the PLMN acts as “Untrusted non-3GPP Access” with the credentials of the NPN.

PLMN operators can provide NPN services through network slicing. The UE must be subscribed to the PLMN and have credentials.

The PLMN and the NPN service provider have an overall agreement on which network slices are deployed. The PLMN operator may propose to allow the NPN service provider to manage the NPN network slice according to TS28.533. The PLMN may support so that Network Slice Selection Assistance Information (S-NSSAI) may be allocated to the NPN.

When the UE first registers with the PLMN, the PLMN may configure URSP (UE Route Selection Policies) for a specific application in the NPN S-NSSAI.

The PLMN can perform authentication and authorization using additional credentials for the NPN. The procedure of network slicing follows the previously defined logic. The PLMN may indicate to the UE that the NPN S-NSSAI is rejected for the RA when the UE leaves the NPN network slice coverage. When the UE leaves the NPN network slice coverage, the NPN PDU session is terminated, and access to the NPN Deep Neural Network (DNN) is provided through the NPN Cell.

According to 3GPP TS (Technical specification) 33.501, the 5G system supports EAP-TLS. In addition, the content regarding the NPN of the 5G system may be supported by 3GPP (3rd Generation Partnership Project) 5G standard documents such as TS23.501 and TS22.261 standard documents.

An embodiment of the present invention targets SNPN. However, the embodiment of the present invention may be modified and applied to PNPN. Therefore, in the present specification, SNPN and PNPN are not divided, but are collectively referred to as NPN.

PLMN and NPN consist of 5G core equipment. 5G core equipment constituting PLMN and NPN can be supported by standard documents related to 3GPP 5G system. That is, steps or parts not described in order to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the document. In addition, all terms disclosed in this document may be explained by the standard document.

5G core network is AMF (Access and Mobility Function), SMF (Session Management Function), UPF (User Plane Function), UDM (User Data Management), UDR (Unified Data Repository), PCF (Policy Control Function), SPR (Subscriber) Profile Repository), and the like, communication technology used in the 5G communication system, and the concept of network device configurations may be referred to in an embodiment of the present invention.

AMF is a mobility management device, and manages access and mobility of the UE through NAS (Non Access Stratuem) signaling.

SMF/UPF is a data network gateway, which creates and manages a session connecting a UE with a Packet Data Network (PDN). Here, the PDN may be an Internet network.

UPF delivers downlink protocol data unit (PDU) data to the UE in which the session is connected with the PDN, and delivers uplink PDU data to the PDN.

UDM/UDR is a subscriber device, and stores and manages subscriber information of the UE, performs location registration of the UE, subscriber authentication, and the like.

The PCF determines policies such as session management and mobility management and transmits them to AMF and SMF so that appropriate mobility management, session management, and quality of service (QoS) management can be performed.

The SPR is a database that stores the policies for each terminal, that is, the policy and charging rules (Access Profile), and provides the policy to the PCF according to the request of the PCF.

Now, an authentication server for performing 5G NPN access control, an access control method, and an access method will be described with reference to the drawings.

1 is a block diagram illustrating a network environment in which any PLMN subscriber accesses a plurality of NPNs according to an embodiment of the present invention.

Referring to FIG. 1 , UE #1 101 is a subscriber station of PLMN #1 201 . UE #1 101 may connect to PLMN #1 201 . The UE #1 101 accesses the Internet network 400 through the PLMN #1 201 and receives a data service from the service server 500 connected to the Internet network 400 . The service server 500 collectively refers to a server that provides services on the Internet.

PLMN #1 201 may include 5G core equipment. PLMN #1 201 includes AMF 201A, SMF 201B, UPF 201C, AUSF 201D, UDM 201E, and PCF 201F. For the functions and operations of these components 201A, 201B, 201C, 201D, 201E, and 201F, the contents specified in the 3GPP 5G standard document apply mutatis mutandis, and detailed descriptions are omitted.

Basically, UE #1 101 performs mutual authentication with PLMN #1 (201) using an authentication key (eg, k value) stored in a USIM (Universal Subscriber Identity Module) module, and then performs mutual authentication with PLMN #1 (201). ) and establish a PDU session.

UE #1 101 is a plurality of NPN, that is, NPN #1 (301), NPN #2 (303), ... It can connect to NPN #n (305). The plurality of NPNs (301, 303, 305) is a dedicated network independently built by each company, and detailed definitions follow those defined in the 3GPP 5G standard.

The plurality of NPNs 301 , 303 , and 305 may refer to an enterprise-dedicated 5G core network and an internal network (or intranet). At this time, when each company builds the NPNs 301, 303, and 305, the UE #1 101 possessed by the employee of the company uses the USIM module possessed regardless of the subscriber terminal of any PLMN, that is, of the USIM module. It is possible to access the NPNs (301, 303, 305) of the affiliated company without replacement. To this end, the employee's UE #1 101 performs EAP-TLS-based authentication with the NPNs 301 , 303 , and 305 .

UE #1 101 requires an NPN certificate to perform EAP-TLS authentication with the NPNs 301 , 303 , and 305 , which is issued for each NPN from the authentication server 600 .

The UE #1 101 connects to the authentication server 600 through the UPF 201C of the PLMN #1 201 . The authentication server 600 is connected to a plurality of NPNs (301, 303, 305).

The authentication server 600 issues and manages NPN certificates necessary for the UE #1 101 to access the plurality of NPNs 301 , 303 , and 305 , respectively.

The authentication server 600 communicates with a plurality of NPNs 301 , 303 , and 305 through a predefined interworking interface. As an example, the interworking interface may use HyperText Transfer Protocol (HTTP). For example, HTTP may be a Representational State Transfer (REST)ful Application Programming Interface (API) or the like.

2 is a block diagram illustrating a network environment in which a plurality of different PLMN subscribers access an arbitrary NPN according to an embodiment of the present invention.

Referring to FIG. 2, a plurality of UEs located within the service coverage 1 of any NPN #1 (301) among the plurality of NPNs 301, 303, and 305 described in FIG. 1, that is, UE #1 (101), A case where UE #2 103 and UE #3 105 accesses NPN #1 301 is shown.

A plurality of UEs (101, 103, 105) have different PLMNs to which they subscribe. That is, UE #1 101 is a subscriber of PLMN #1 201 . The UE #1 101 accesses the Internet network 400 through the PLMN #1 201 and receives a data service from the service server 500 connected to the Internet network 400 .

UE #2 103 is a subscriber of PLMN #2 203 . The UE #2 103 accesses the Internet network 400 through the PLMN #2 203 , and receives a data service from the service server 500 connected to the Internet network 400 .

UE #3 105 is a subscriber of PLMN #3 205 . The UE #3 105 accesses the Internet network 400 through the PLMN #3 205 , and receives a data service from the service server 500 connected to the Internet network 400 .

UE #1 101 , UE #2 103 , and UE #3 105 connect to the authentication server 600 through respective PLMNs 201 , 203 , 205 . Here, PLMN #1 (201), PLMN #2 (203), and PLMN #3 (205) are configured as 5G core devices as described in FIG. 1 .

UE #1 101 , UE # 2 103 , and UE # 3 105 receive and store the certificate of NPN #1 301 from the authentication server 600 . UE #1 (101), UE #2 (103), and UE #3 (105) access NPN #1 (301) through EAP-TLS authentication using the issued NPN certificate.

NPN #1 (301) is composed of 5G core equipment, SEAF (Security Anchor Function) (301A), SMF (301B), UPF (301C), AUSF (Authentication Server Function) (301D), UDM (301E) and and a local authentication device 301F.

The UPF 301C connects the dedicated network service 2 to each UE #1 101 , UE #2 103 , and UE #3 105 . The dedicated network service 2 may include a business-related service of a company, an internal network, and the like. In addition, a service provided only for a specific user in a specific area may be collectively referred to as a service.

The functions and operations of these components (301A, 301B, 301C, 301D, 301E, 301F) apply mutatis mutandis as defined in the 3GPP 5G standard, and the AUSF (301D) and The local authentication device 301F will be described.

The AUSF 301D receives and stores the NPN certificate from the authentication server 600 . The stored NPN certificate is used when performing EAP-TLS authentication with the UE 100 .

The local authentication device 301F performs user authentication for each UE #1 101 , UE #2 103 , and UE #3 105 based on the user authentication information received from the authentication server 600 . Here, the user authentication determines whether each of the UE #1 101, UE #2 103, and UE #3 105 is a legitimate user authorized to issue an NPN certificate. User authentication information is input from each UE #1 101 , UE #2 103 , and UE #3 105 and transmitted to the authentication server 600 . The user authentication information may include a domain, an ID (eg, company number), and a password. User authentication information may be domain and FIDO (Fast Identity Online) based biometric information. In this case, a biometric authentication method is used for user authentication.

If the authentication server 600 succeeds in user authentication, it issues an NPN certificate and provides it to the AUSF 301D and each UE #1 101 , UE # 2 103 , and UE # 3 105 . Thereafter, the NPN certificate is EAP- for NPN connection in which each UE #1 101, UE #2 103, and UE #3 105 cooperate with SEAF 301A, AUSF 301D, and UDM 301E. Used for TLS authentication.

When issuing the NPN certificate, the authentication server 600 provides a trigger identifier to each UE #1 101 , UE #2 103 , and UE #3 105 together. The trigger identifier may include a network identification (NID) list, or an app package name list (APP PKG NAME list).

The NPN base station 701 installed within the service coverage 1 of the NPN #1 (301) broadcasts the NID corresponding to the NPN #1 (301). When each UE #1 101 , UE # 2 103 , and UE # 3 105 enters the service coverage of the NPN #1 301 , the NPN base station 701 receives the NID, etc. broadcast. Each UE #1 101 , UE # 2 103 , and UE # 3 105 selects access to NPN #1 301 when the received NID corresponds to a trigger identifier. Then, an access procedure to NPN #1 (301) is performed using the NPN certificate.

In addition to basic authentication (EPS-AKA), EAP-TLS authentication is used for NPN 300 or NPN's Internet of Things (IoT) device. When a 5G system is deployed in NPN 300, SUPI and SUCI are encoded using the NAI format as specified in TS 23.501. The UE 100 includes a Realm part in the NAI to be routed to the legitimate UDM 201E.

The core devices of PLMN #1 (201) described in FIGS. 1 and 2 are equally included in PLMN #2 (203) and PLMN #3 (205). In addition, the core devices of NPN #1 (301) described in FIGS. 1 and 2 are equally included in NPN #2 (303) and NPN #3 (305). Therefore, the authentication server 600 cooperates with the AUSF 301D and the local authentication device 301F of each of the NPNs 201, 203, and 205. At this time, the authentication server 600 communicates with the AUSF 301D and the local authentication device 301F of each of the NPNs 201 , 203 and 205 through a predefined interworking interface. As an example, the interworking interface may use HyperText Transfer Protocol (HTTP). For example, HTTP may be a Representational State Transfer (REST)ful Application Programming Interface (API) or the like.

As such, according to the embodiment of the present invention, although UE #1 101, UE #2 103, and UE #3 105 are different PLMN subscribers, these 101, 103 and 105 are It is possible to access NPN #1 (301) without replacing the USIM.

Hereinafter, in the description with reference to FIGS. 3 to 12 , UE #1 101 , UE # 2 103 , and UE # 3 105 described in FIGS. 1 and 2 for convenience of explanation are UE 100 . It is referred to collectively as In addition, PLMN #1 (201), PLMN #2 (203), and PLMN #3 (205) described in FIGS. 1 and 2 are collectively referred to as PLMN 200 . In addition, NPN #1 (301), NPN #2 (303), and NPN #3 (305) described in FIGS. 1 and 2 are collectively referred to as NPN (300).

3 is a block diagram illustrating the configuration of a UE according to an embodiment of the present invention.

Referring to FIG. 3 , the UE 100 is a wireless terminal and supports 5G mobile communication network access.

The UE 100 includes a processor 120 , a memory 130 , a communication interface 140 , a USIM 150 , and a storage 160 that communicate via a common bus 110 .

In addition, each of the components 120 , 130 , 140 , 150 , and 160 may be connected through an individual interface or an individual bus with the processor 120 as the center instead of the common bus 110 .

The processor 120 may execute a program command stored in at least one of the memory 130 and the storage 170 . The processor 120 may refer to a central processing unit (CPU) or a dedicated processor on which methods according to embodiments are performed. Such a processor 120 may be configured to implement a function corresponding to an embodiment method of the present invention.

The memory 130 is connected to the processor 120 and stores various information related to the operation of the processor 120 . The memory 130 may store instructions to be executed by the processor 120 or may temporarily store instructions by loading the instructions from the storage 160 . The processor 120 may execute instructions stored in or loaded from the memory 130 . The memory 130 may include read only memory (ROM) and random access memory (RAM).

The memory 130/storage 160 may be located inside or outside the processor 120 , and may be connected to the processor 120 through various known means.

In this case, the memory 130 includes a dedicated application 131 , an original equipment manufacturer (OEM) application programming interface (API) 132 , and an operating system (OS) framework 133 . Of course, only the components 131, 132, and 133 are not included, but only the components related to the embodiment of the present invention are schematically illustrated for convenience of description.

The dedicated application 131 is an NPN-only application in which NPN connection is set as mandatory, and may be, for example, a corporate business application. The dedicated application 131 may have "OEM API call authority" granted by the terminal manufacturer set. When a specific condition is met, the dedicated application 131 may call the OEM API to handle the NPN certificate stored in the USIM 150 . Here, the specific condition may be application execution.

The OEM API 132 controls the NPN certificate management function of the USIM 150 . NPN certificate management functions include storage, renewal and deletion.

The OS framework 133 includes a dedicated application 131 in an upper layer and an OS in a lower layer. In general, the OS framework 133 serves to connect the dedicated application 131 and the OS layer. In this case, the OS framework 133 controls the dedicated application 131 to access the USIM 150 using the OEM API 132 to perform an authentication procedure and an access procedure with the NPN 300 .

The OS framework 133 may provide a user interface (UI) for NPN certificate management. The UI may be used to request a user to issue, renew, or delete an NPN certificate, and to receive user authentication information required for this purpose.

The communication interface 140 may transmit and receive a wired signal or a wireless signal. The USIM 150 stores a PLMN authentication key (k) 151 and at least one NPN certificate 151 , 152 , 153 .

The PLMN authentication key (k) 151 is used for EPS-AKA mutual authentication for access to the PLMN 200, and is called a k value in the LTE network.

At least one NPN certificate (151, 152, 153) is used for EAP-TLS mutual authentication for NPN (300) connection. According to an embodiment, the at least one NPN certificate 151 , 152 , 153 may include an X.509 certificate. The X.509 certificate is the ITU-T (International Telecommunications Union-Telecommunication) standard certificate of Public Key Infrastructure (PKI) among the standards of public key certificates and authentication algorithms in cryptography.

The processor 120 of the UE 100 may detect the NPN connection trigger event in the following manner.

One way, after the UE 100 enters a specific zone or geographic area, when receiving a specific NID broadcast by the base station 701 in the zone, an NPN certificate that can access the NPN 300 corresponding to the NID You can determine whether you have it and check whether there is an NPN certificate of the domain corresponding to the NID. If the NPN certificate is possessed, it is automatically connected to the NPN 300 , and if it does not have the NPN certificate, it communicates with the authentication server 600 to request a certificate issuance. Here, when NPN is implemented as PNPN, a Closed Access Group (CAG) ID can be received from the base station 701 in the zone, and it is determined whether the CAG ID is included in the trigger identifier, etc. to issue / hold the NPN certificate, access Whether it is possible or not can be determined.

Another method is when the dedicated application 131 installed in the UE 100 is executed, the UE 100 recognizes whether the NPN connection is made through the executed application name (pkgname) and holds a certificate for accessing the NPN 300 . can determine whether If the NPN certificate is possessed, it is automatically connected to the NPN 300 , and if it does not have the NPN certificate, it communicates with the authentication server 600 to request a certificate issuance.

In the above two methods, the UE 100 performs network authentication based on the NPN 300 and EAP-TLS at the same time as the execution of the dedicated application 131 after the NPN certificate is installed or the NPN certificate is issued.

When the network authentication is completed, the UE 100 directly executes the dedicated application 131 . After the certificate is issued for the first time, when the dedicated application 131 is executed, the connection authentication is performed to the NPN 300 immediately, and the dedicated application 131 is executed and simultaneously connected to the NPN 300 to receive the internal network connection service. .

4 is a block diagram showing the configuration of an authentication server according to an embodiment of the present invention.

The authentication server 600 is the same as described with reference to FIGS. 1 and 2 . Since the authentication server 600 interworks with a plurality of different PLMNs 200 , it may be implemented as a server device on the Internet.

Referring to FIG. 4 , the authentication server 600 includes a processor 620 , a memory 630 , a communication interface 640 , and a storage 650 communicating through a common bus 610 . In addition, each of the components 620 , 630 , 640 , and 650 may be connected through an individual interface or a separate bus centering on the processor 620 rather than the common bus 610 .

The processor 620 may execute a program command stored in at least one of the memory 630 and the storage 650 . The processor 620 may refer to a central processing unit (CPU) or a dedicated processor on which methods according to embodiments are performed. Such a processor 620 may be configured to implement a function corresponding to an embodiment method of the present invention.

The memory 630 is connected to the processor 620 and stores various information related to the operation of the processor 620 . The memory 630 may store instructions to be executed by the processor 620 or may temporarily store instructions by loading the instructions from the storage 650 . The processor 620 may execute instructions stored in or loaded from the memory 630 . Memory 630 may include ROM and RAM.

The memory 630/storage 650 may be located inside or outside the processor 620 , and may be connected to the processor 620 through various known means.

At this time, the memory 630 is a PLMN interface 631, NPN interface 632, authentication relay 633, certificate issuance 634, certificate management 635, domain divided according to detailed functions of the authentication server 600 management 636 .

The PLMN interface 631 processes data by interworking with a plurality of different PLMNs 200 through the communication interface 640 . In particular, the PLMN interface 631 interworks with the UPF of the PLMN 200 .

Since the PLMN interface 631 is connected to the PLMN 200 through the Internet network 400 , it may be a web interface.

The NPN interface 632 processes data by interworking with a plurality of NPNs 300 through the communication interface 640 . In particular, the NPN interface 632 interworks with the AUSF 301D of the NPN 300 and the local authentication device 301F.

The NPN interface 632 may interwork with the AUSF 301D and the local authentication device 301F using a dedicated protocol for interworking with the NPN 300 . The dedicated protocol may be selected from known protocols or newly developed for NPN interworking.

The authentication relay 633 relays a user authentication procedure between the UE 100 and the local authentication device 301F, and relays user authentication data.

Certificate issuance 634 is an NPN certificate used for authentication to access the NPN 300 to which the UE 100 belongs / subscribed when user authentication is successful between the UE 100 and the local authentication device 301F, e.g. For example, it issues an X.509 certificate.

The certificate management 635 checks the validity period of the issued NPN certificate, and performs management such as revoking or renewing the NPN certificate whose validity period has passed.

The domain management 636 stores corresponding domains for each of the plurality of NPNs 300 .

In an embodiment of the present invention, when an arbitrary subscriber, for example, a corporate subscriber, establishes an independent NPN 300, the employee's UE 100 is the employee's UE regardless of the PLMN 200 subscribed to by the employee's UE 100 belonging to the enterprise. (100) is to allow access to the NPN (300) through the USIM each possessed. That is, in order to access the NPN 300 without replacing the USIM, the employee's UE 100 must perform EAP-TLS authentication with the NPN 300 , for this purpose, the employee's UE 100 is from the authentication server 600 . NPN certificate is issued for EAP-TLS authentication.

In order for the UE 100 of the employee to be issued an NPN certificate, access to the authentication server 600 must be preceded. The UE 100 of the employee obtains the access information of the authentication server 600 from the PLMN 200 in the PLMN registration process, which is described in FIG. 5 .

5 is a flowchart illustrating a process in which a UE acquires access information of an authentication server according to an embodiment of the present invention.

In this case, in order for the UE 100 to initially access the PLMN 200, it must go through a process of establishing a PDU session by registering with the network, and this process is described briefly because it is specified in the 3GPP 5G standard.

Referring to FIG. 5 , the UE 100 requests an access to the AMF 201A of the PLMN to which the UE 100 has subscribed (Attach R). equest) is transmitted (S101). The AMF 201A performs a PLMN authentication procedure for network registration (S103). The PLMN authentication procedure is performed by interworking between the UE 100, the AMF 201A, and the UDM 201E, and the PLMN authentication key (value k) stored in the USIM 150 of the UE 100 is used.

The PLMN authentication procedure is an EPS-AKA authentication procedure, and corresponds to a primary authentication and key agreement procedure. This procedure enables mutual authentication between UE 100 and network 200 and provides key material that can be used between UE 100 and network 200 in subsequent security procedures. This procedure is supported by the UE 100 and the AMF 201A.

When the network registration is completed, the UE 100 configures an N1 PDU session establishment request (Session Establishment Request) message, which is a Session Management-Non Access Stratum (SM-NAS) message, to establish a PDU (Packet Data Unit) session to establish an AMF ( 201A) (S105). The AMF 201A selects the SMF 201B (S107).

In this case, the UE 100 may include a Data Network Name (DNN) that it intends to use in the N1 PDU Session Establishment Request message. Then, the AMF 201A may select the SMF 201B based on the DNN.

The AMF 201A transmits a session creation request (Nsmf PDU Session Create SM Context request) message to the SMF 201B selected in step S107 (S109).

The SMF 201B obtains subscription information of the UE 100 by requesting the UDM 201E (S111). The subscription information may include information related to “Registration/subscription retrieval/subscribe for updates” of the UE 100 .

The SMF 201B transmits a session creation response (Nsmf PDUSession Create SM Context Response) message to the AMF 201A (S113).

UE 100 performs a PDU session authentication / authorization (Session authentication / authorization) procedure (S115).

The SMF 201B selects the PCF 201F (S117). The SMF 201B transmits a policy creation request (NpcfSM policy ControlCreateRequest) message to the PCF 201F selected in step S117 (S119). The PCF 201F transmits a policy creation response (Npcf_SMpolicyControl_Create_Response) message to the SMF 201B (S121).

After selecting the UPF 201C (S123), the SMF 201B transmits an N4 session establishment/modification request message to the UPF 201C (S125). The UPF 201C transmits an N4 session establishment/modification response message to the SMF 201B (S127).

The SMF 201B transmits a Namf_Communication_N1N2_Message_Transfer message requesting the AMF 201A to transfer the policy to the UE 100 (S129).

AMF (201A) transmits a PDU session establishment response (PDU Session Establishment Accept) message to the UE (100) (S131).

At this time, in the field assigned for operator specific use among the protocol configuration option (hereinafter referred to as "PCO") field of the PDU Session Establishment Accept message, the authentication server (600) of connection information. The access information includes an IP address or domain name of the authentication server 600 .

Here, the PCO and Operator Specific Use fields apply mutatis mutandis as defined in the 3GPP TS 24.008 standard document, and Container ID = FF00H may be used.

Then, the UE 100 stores the access information of the authentication server 600 received in step S131 (S133). In this case, the access information of the authentication server 600 may be stored in one of the memory 130 , the storage 160 , and the USIM 150 described with reference to FIG. 3 .

As shown in FIG. 5 , the UE 100 , which has obtained access information of the authentication server 600 through the registration procedure with the PLMN 200 , attempts to access the NPN 300 if there is an NPN certificate. If there is no NPN certificate, the authentication server 600 is requested to issue the NPN certificate.

6 is a flowchart illustrating a process of issuing an NPN certificate according to an embodiment of the present invention.

Referring to FIG. 6 , when an NPN issuance trigger event is detected ( S201 ), the UE 100 outputs a user authentication screen and receives user authentication information through it ( S203 ).

In this case, the user authentication information may be an ID (employee number) and a password. Also, the user authentication information may be FIDO-based biometric information, and the user authentication procedure may be biometric authentication.

The user authentication screen may be provided by a dedicated application ( 131 in FIG. 3 ) that requires NPN connection, or may be provided by an OS framework ( 133 in FIG. 3 ).

The UE 100 transmits an NPN certificate issuance request to the authentication server 600 using the access information stored in step S133 of FIG. 5 ( S205 ). In this case, the NPN certificate issuance request includes an NPN domain, user authentication information, and a Mobile Station International ISDN Number (MSISDN).

The authentication server 600 selects the local authentication device 301F using the NPN domain (S207).

The authentication server 600 transmits an authentication request including user authentication information to the local authentication device 301F (S209).

The local authentication device 301F performs authentication to determine whether the user authentication information received in step S209 is correct (S211). If authentication is successful, an authentication response including an authentication result is transmitted to the authentication server 600 (S213). Here, the authentication response includes a trigger identifier. The trigger identifier is an identifier that triggers the NPN connection, and may include a Network Identification (NID) list or an application package name list.

The authentication server 600 issues the NPN certificate in a predefined manner (S215). According to an embodiment, an NPN certificate may be generated (S215) based on an encryption key generation algorithm.

The authentication server 600 generates subscriber authentication credentials including an NPN certificate, a subscriber permanent identifier (SUPI), and an MSISDN, and transmits them to the AUSF 301D (S217). Here, SUPI is an identifier of the UE, and includes International Mobile Subscriber Identification (IMSI), Network Access Identifier (NAI), and the like. The NPN certificate is stored in the AUSF 301D.

The SUPI is determined in the AMF 201A based on the identifier GUTI of the UE. The AMF 201A obtains a GUTI (Globally Unique Temporary Identifier) from the access request message received from the UE 100 and determines the IMSI of the UE 100 using the obtained.

SUPI is in the form of 'username@realm' as defined in the 3GPP standard, and may be defined as '<Username>@<NID>.mnc<MNC>.mcc <mcc>.3gppnetwork.org'. SUPI is the same as IMSI concept in LTE.

SUPI, IMSI, and NAI are used as the same concept. SUPI is used in 3GPP systems. SUPI includes IMSI, a network-specific identifier. The network specific identifier is used for the private network and may be used for NPN identification.

SUPI may be implemented in the form of NAI using NAI based on user identification defined based on IMSI or based on NON-IMSI. Interworking with EPC, SUPI is based on IMSI so that UE 100 can provide IMSI to EPC.

The AUSF 301D transmits a subscriber authentication information update request including SUPI and MSISDN to the UDM 301E (S219). The UDM 301E updates the received subscriber authentication information (SUPI, MSISDN, etc.) in the subscriber profile (S221).

The NPN certificate stored in the AUSF 301D is used for EAP-TLS authentication between the UE 100 and the NPN 300 .

The SUPI and MSISDN delivered to the UDM 301E are used to determine whether the UE 100 requesting access to the NPN 300 has access to the NPN 300 .

In addition, the authentication server 600 generates a subscriber authentication credential including the NPN certificate, the SUPI, and the trigger identifier and transmits it to the UE 100 ( S223 ).

The UE 100 stores or adds the received subscriber authentication credentials (S223) to the USIM (150 in FIG. 3) (S225). The UE 100 may request the OS framework 133 to store the subscriber authentication credentials by calling the OEM API. Then, the OS framework 133 may store the subscriber authentication credentials in the USIM 150 .

7 is a flowchart illustrating an NPN access process according to an embodiment of the present invention. At this time, the NPN access process will be briefly described because the specifications specified in the 5G standard are applied mutatis mutandis.

Referring to FIG. 7 , when the UE 100 detects the NPN connection trigger event (S301), the UE 100 identifies the NPN domain based on the trigger identifier stored in the USIM 150 (S303) and checks the NPN certificate status (S305) .

According to an embodiment, as the UE 100 enters a specific geographic area and receives the NID broadcasted by the NPN base station 701 in FIG. 2 , an NPN connection trigger event may be detected ( S301 ). In NG-RAN supporting SNPN, it is defined in the 5G standard to broadcast a specific NID.

According to another embodiment, when the package name of the executed dedicated application is included in the trigger identifier, the UE 100 may detect an NPN connection trigger event ( S301 ).

When the NID is included in the pre-stored trigger identifier or is not included in the NID list of the PLMN 200, the UE 100 checks whether the NPN certificate is issued. Alternatively, the UE 100 may detect the NPN connection trigger event when the package name of the execution application is included in the pre-stored trigger identifier.

The UE 100 identifies the domain name through the trigger identifier (S303). For example, domain names such as "samsung.npn.com", "kt.npn.com", etc. can be identified through the NID or application package name.

The UE 100 may check (S305) whether the NPN certificate matched to the identified domain name (S303) is possessed.

If there is no NPN certificate, the UE 100 detects an NPN issuance trigger event (S201 in FIG. 6 ) and proceeds with the NPN issuance procedure as in FIG. 6 .

If there is an NPN certificate, the UE 100 checks the validity period of the NPN certificate, and if the validity period has expired, requests to renew the NPN certificate as shown in FIG. 8 .

If the validity period has not expired, the UE 100 automatically connects to the NPN 300 , and step S307 is executed.

The UE 100, the authentication server 600, and the local authentication device 301F may perform a user authentication procedure for using the NPN certificate (S307). In this case, step S307 may be an optional step.

When performing the user authentication procedure, the UE 100 obtains user authentication information as in step S203 of FIG. 6, and sends an authentication request including user authentication information, MSISDN, and the NPN domain identified in step S303 to the authentication server ( 600) is sent. The authentication server 600 performs steps S207 to S213 of FIG. 6 in cooperation with the local authentication device 301F. In this case, the trigger identifier is not included in the authentication response of step S213.

When the UE 100 succeeds in the user authentication procedure of step S307, the UE 100 performs PLMN PDU session release (S309). Since the PLMN PDU session release procedure is already known (eg, 3GPP TS23.502), a detailed description thereof will be omitted.

After completing the PLMN PDU session release, the UE 100 transmits a registration request to the SEAF 301A of the NPN 300 (S311). In this case, the registration request includes a Subscription Concealed Identifier (SUCI).

At this time, since the delivered SUPI follows the NAI format, only the user name part is encrypted and delivered in the SUPI format.

The SEAF (301A) transmits an authentication request (Nausf UE Authentication Request) message to the AUSF (301D) (S313). The authentication request includes SUCI and SN-Name. The SUCI is a UE assigned from the PLMN 200 to the UE 100 . SN-Name refers to the SN (Subject Name) of the certificate used for NPN connection. For example, it may be SN=user@nowhere-domain.com and the like.

The AUSF 301D transmits a Nudm UE Authentication Get Request message including a SUCI and an SN-Name to the UDM 301E to the UDM 301E (S315).

The UDM 301E decrypts the transmitted SUPI to obtain a Username (NAI), and determines an authentication method for the subscriber as EAP-TLS with the obtained Username (S317).

The UDM 301E performs EAP-TLS authentication in conjunction with the UE 100, the SEAF 301A, and the AUSF 301D (S319). At this time, EAP-TLS authentication is made using the NPN certificate stored in the UE (100). Since the EAP-TLS authentication procedure is known, a detailed description thereof will be omitted.

After the EAP-TLS authentication is completed, the UE 100 connects the NPN call by performing a PDU session establishment procedure with the NPN 300 like the PLMN initial access procedure (S321). Since this procedure (S321) is the same as the standard procedure (eg, 3GPP TS23.502), a detailed description thereof will be omitted.

8 is a flowchart illustrating a management process of an NPN certificate according to an embodiment of the present invention.

Referring to FIG. 8 , the UE 100 checks the state of the NPN certificate ( S401 ) to determine whether the validity period of the NPN certificate has expired ( S403 ). Steps S401 and S403 may be steps S305 of FIG. 7 .

If the validity period of the NPN certificate has not expired, the NPN access procedure is performed using the NPN certificate (S405). Step S405 may be an operation after step S307 of FIG. 7 .

When the validity period of the NPN certificate has expired, the UE 100 requests the authentication server 600 to renew the NPN certificate (S407). The NPN certificate renewal request may include the expired NPN certificate and user authentication information input through the user authentication screen.

The authentication server 600 extends the validity period of the NPN certificate ( S409 ), and then transmits the NPN certificate with the extended validity period to the UE 100 ( S411 ).

The UE 100 discards the existing NPN certificate, that is, the expired NPN certificate, and stores the extended NPN certificate in the USIM 150 (S413). Steps S407 to S413 may be added between steps S305 and S307 of FIG. 7 .

9 is a flowchart illustrating an NPN access procedure of a UE according to an embodiment of the present invention.

Referring to FIG. 9 , when the UE 100 detects the NPN connection trigger (S501), it is determined whether or not the NPN certificate matching the NPN connection trigger identifier is retained (S501). Step S501 is the same as step S301 of FIG. 7 described above.

If there is an NPN certificate, the UE 100 determines whether the validity period of the NPN certificate has expired (S505). When the validity period of the NPN certificate has expired, the UE 100 proceeds with the NPN certificate extension issuance procedure in FIG. 8 ( S507 ).

If there is no NPN certificate, the UE 100 proceeds with the NPN certificate issuance procedure in FIG. 6 (S509).

When the validity period of the NPN certificate has not expired, the UE 100 proceeds with the NPN access procedure using the NPN certificate in FIG. 7 ( S511 ).

10A, 10B, and 10C are exemplary views of a screen for requesting issuance of an NPN certificate through a UI (User Interface) according to an embodiment of the present invention.

Referring to FIGS. 10A, 10B, and 10C , the UE 100 may provide a certificate issuance UI. The certificate issuing UI may be provided by the OS framework 133 or may be provided by the dedicated application 131 .

Referring to FIG. 10A , when a certificate issue item is selected in the certificate issue UI, the UE 100 provides a domain input UI as shown in FIG. 10B . When a domain is input, the UE 100 provides a user authentication information (ID/password) input UI as shown in FIG. 10C .

When a domain is input in the domain input UI, the UE 100 may check whether there is an NPN certificate matching the domain in the USIM 150 .

11A, 11B, 11C, and 11D are exemplary views of a screen for requesting issuance of an NPN certificate through an NPN connection-only application according to an embodiment of the present invention.

11A, 11B, 11C, and 11D, the UE 100 may make a request for issuing an NPN certificate through execution of a dedicated application.

Referring to FIG. 11A , when a dedicated application is executed on the app screen of the UE 100 , the UE 100 may check whether the application requires NPN connection through the package name (pkgname) of the execution application.

Referring to FIG. 11B , when the execution application is a dedicated application, the UE 100 provides a domain input UI to receive domain information.

Referring to FIG. 11C , the UE 100 receives an ID and password through the user authentication screen, and then performs a user authentication procedure ( S307 of FIG. 7 ) for NPN connection based on the input. And after performing steps S309 to S321, when the NPN connection is completed, the app is executed as shown in FIG. 11D.

If a certificate for the corresponding NPN connection is installed in the USIM 150 of the UE 100, EAP-TLS-based network authentication is performed simultaneously with the execution of the dedicated application, and the dedicated application is immediately executed when the authentication is completed. . After the NPN certificate is issued for the first time, access authentication is performed with the NPN 300 immediately when the dedicated application is executed, and access to the NPN 300 and internal network access service can be provided simultaneously with the execution of the dedicated application.

12 is a flowchart illustrating an NPN connection trigger operation in a UE according to an embodiment of the present invention, in which SNPN standards are reflected.

Referring to FIG. 12 , a Next Generation-Radio Access Network (NG-RAN) base station ( 701 in FIG. 2 ) broadcasts an NID in NPN service coverage. In NG-RAN supporting SNPN, it is defined in the 5G standard to broadcast a specific NID.

As the UE enters a specific geographic area (service coverage) and receives NIDs broadcast by the NG-RAN base station, an NPN connection trigger event may be detected. When the UE operates in the SNPN access mode, the UE selects a network based on broadcasting information without performing a PLMN selection procedure.

In this case, the NG-RAN base station may broadcast a plurality of different NIDs. If multiple SNPNs are available with the UE's SUPI and credentials, the priority to try is based on the UE implementation. When manually selecting the SNPN, the UE provides a list of Human Readable NIDs available in the UE.

When the UE 100 enters the NPN service coverage, it may output a domain and user authentication information screen to induce NPN access. When the UE 100 leaves the NPN service coverage, the UE 100 may attempt to release the NPN session and attempt to establish a session by accessing the PLMN.

The embodiment of the present invention described above is not implemented only through the apparatus and method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiment of the present invention or a recording medium in which the program is recorded.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improved forms of the present invention are also provided by those skilled in the art using the basic concept of the present invention as defined in the following claims. is within the scope of the right.

Claims (15)

PLMN interface connected to a plurality of different PLMNs (Public Land Mobile Networks);
NPN interface connected to multiple different NPN (NON-PUBLIC NETWORK),
memory to store the program, and
a processor executing the program;
The program is
Receives a certificate issuance request from a terminal through any PLMN among the plurality of PLMNs, transmits a user authentication request to an NPN corresponding to a domain included in the certificate issuance request, and receives a user authentication response from the NPN. Including instructions (Instructions) to generate and transmit to the terminal,
The NPN certificate is
An authentication server stored in the terminal and used to authenticate the terminal to access the NPN. In claim 1,
The certificate issuance request is
Received from the terminal using the access information of the authentication server,
The access information is
The authentication server, which is included in the session establishment response message received by the terminal from the arbitrary PLMN. In claim 2,
The access information is
The authentication server, which is included in a protocol configuration option (PCO) field of the session establishment response message. In claim 1,
The program is
Transmitting the first subscriber authentication credential including the NPN certificate and the terminal identifier to the NPN,
The NPN certificate is
Used for network authentication between the terminal and the NPN,
The terminal identifier is
An authentication server used to determine whether the terminal has access to the NPN. In claim 1,
The program is
and instructions for transmitting a second subscriber authentication credential including an NPN certificate, a terminal identifier, and a trigger identifier to the terminal,
The trigger identifier is
Inducing the NPN connection of the terminal, the authentication server. In claim 1,
The program is
A terminal requesting an NPN connection and commands for performing a user authentication procedure according to the request of the terminal and transmitting a user authentication result to the terminal,
When the user authentication result indicates authentication success, the connection is induced to the NPN after the session with the PLMN is released in the terminal. In claim 1,
The program is
An authentication server comprising commands for receiving a certificate renewal request from the terminal, extending the validity period of the corresponding NPN certificate, and transmitting the extended NPN certificate to the terminal. In claim 1,
The authentication between the NPN and the terminal is,
An authentication server, including Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) authentication. As a method of controlling the connection of a terminal in NPN (NON-PUBLIC NETWORK),
receiving and storing information of a terminal having NPN access authority from an authentication server and an NPN certificate issued to the terminal;
receiving a registration request from the terminal;
Checking the NPN certificate issued to the terminal using the terminal information included in the registration request, and performing an authentication procedure with the terminal using the checked NPN certificate and the NPN certificate stored in the terminal;
When the authentication procedure is completed, establishing a session with the terminal
Including, access control method. In claim 9,
The NPN is
including SEAF (Security Anchor Function), AUSF (Authentication Server Function) and UDM (User Data Management);
The NPN certificate is
It is stored in the terminal and the AUSF and used for the authentication procedure,
The terminal information is
included in the subscriber profile of the UDM,
The registration request is
forwarded to the SEAF and generating an authentication request to the AUSF. In claim 10,
The NPN further comprises a local authentication device,
The local authentication device,
Before the terminal transmits a registration request to SEAF, a user authentication procedure is performed using the user authentication information received from the terminal,
The registration request is
Transmitted after completing the user authentication procedure, access control method. As a method for the terminal to access NPN (NON-PUBLIC NETWORK),
obtaining, by the terminal, access information of an authentication server from a session establishment response message received from an Access and Mobility Function (AMF) of a Public Land Mobile Network (PLMN);
accessing the authentication server using the access information;
requesting the authentication server to issue a certificate of the NPN to be accessed, receiving and storing the certificate of the NPN from the authentication server;
performing an authentication procedure with the NPN using the certificate; and
When the authentication process is completed, accessing the NPN
Including, a connection method. In claim 12,
The saving step is
Receives subscriber authentication credentials including the NPN certificate, trigger identifier, and terminal identifier from the authentication server, maps the NPN certificate to the trigger identifier and the terminal identifier, and stores it in USIM (Universal Subscriber Identity Module) , how to connect. In claim 13,
The trigger identifier is
including a network identification (NID) list or a list of application package names;
The NID is,
Broadcast by a base station in a zone located in a specific area and forming a predetermined coverage,
The step of connecting to the NPN comprises:
When the NID received from the base station is included in the NID list or the cell ID received from the base station is included in the NID list, determining the NPN area and accessing the NPN; and
When the package name of the executed application is included in the application package name list, connecting to the NPN
performing one of the steps of a connection method. 15. In claim 14,
The step of connecting to the NPN comprises:
checking whether you have an NPN certificate;
If there is no NPN certificate, accessing the authentication server and requesting a certificate issuance;
If there is an NPN certificate, checking whether the NPN certificate has expired;
If the NPN certificate has expired, accessing the authentication server and requesting an extension of the NPN certificate, and
Accessing the NPN after performing an authentication procedure using at least one of a previously issued NPN certificate, a newly issued NPN certificate, and an extended NPN certificate
Including, authentication method.

Images