WO2019122495A1 - Authentication for wireless communications system - Google Patents


Publication number
WO2019122495A1
Authority
WO
WIPO (PCT)
Prior art keywords
credentials
authentication
cellular access
request
response
Application number
PCT/FI2017/050920
Other languages
French (fr)
Inventor
Harri Markus POVELAINEN
Mikko Einari TIRRONEN
Original Assignee
Nokia Solutions And Networks Oy
Application filed by Nokia Solutions And Networks Oy
Priority to PCT/FI2017/050920
Publication of WO2019122495A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/06 Registration at serving network Location Register, VLR or user mobility server
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/005 Multiple registrations, e.g. multihoming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices
    • H04W88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals

Abstract

According to an example aspect of the present invention, there is provided a method, comprising: sending a request for causing generation of first credentials for cellular access and second credentials for non-cellular access, receiving a first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access, sending a first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access, and sending a second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access.

Description

AUTHENTICATION FOR WIRELESS COMMUNICATIONS SYSTEM
FIELD
[0001] The present invention relates to arranging authentication for wireless communications systems, and in particular to authentication for cellular and non-cellular access.
BACKGROUND
[0002] With the fast increase of new devices being wirelessly connected and substantial data traffic growth, requirements for wireless networks and connections are also changing. Upcoming generations of wireless communication systems, such as Fifth Generation (5G) communication systems, are expected to enable applications, such as virtual reality, augmented reality, reliable remote operation of machines, factory automation, network-assisted control of traffic and self-driving vehicles. Further requirements for future communication systems are caused by the increasing internetworking of physical devices such as appliances, vehicles, buildings, and other items that are embedded with electronics, software, sensors, actuators, and network connectivity that enable the devices to collect and exchange data.
[0003] Co-existence and co-operation between cellular access, such as Third Generation Partnership Project (3GPP) Long Term Evolution (LTE) or New Radio Access Technology (N-RAT) based access, and non-cellular access, such as IEEE802.11 based wireless local area network (WLAN) access, has been under development. New security features have been specified for interworking between a non-3GPP access, referring to access via a non-3GPP access network, and 3GPP core network. Access authentication for non-cellular access may be provided by cellular system network functions, such as a 3GPP network function configured to operate as authentication server for non-3GPP access. The authentication signaling may be carried out via authentication and key agreement (AKA) procedures, the purpose of which is to enable mutual authentication between the UE and the network and provide keying material that can be used between the UE and network in subsequent security procedures. There is a need to further improve authentication procedures for cellular and non-cellular access.
SUMMARY
[0004] According to some aspects, there is provided the subject matter of the independent claims. Some embodiments are defined in the dependent claims.
[0005] According to an aspect of the present invention, there is provided a method, comprising: sending a request for causing generation of first credentials for cellular access and second credentials for non-cellular access, receiving a first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access, sending a first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access, and sending a second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access.
[0006] According to another aspect of the present invention, there is provided an apparatus, comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to: send a request for causing generation of first credentials for cellular access and second credentials for non-cellular access, receive a first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access, send a first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access, and send a second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access.
[0007] According to a still further aspect, there is provided a method, comprising: sending a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access, receiving the first credentials for cellular access and the second credentials for non-cellular access, sending a first authentication parameter of the first credentials and a second authentication parameter of the second credentials for the user equipment, receiving a second authentication response from the user equipment for authenticating for the non-cellular access, and verifying the second authentication response on the basis of an expected response of the second credentials.
[0008] According to yet another aspect of the present invention, there is provided an apparatus, comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to: send a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access, receive the first credentials for cellular access and the second credentials for non-cellular access, send a first authentication parameter of the first credentials and a second authentication parameter of the second credentials for the user equipment, receive a second authentication response from the user equipment for authenticating for the non-cellular access, and verify the second authentication response on the basis of an expected response of the second credentials.
[0009] According to yet another aspect, there is provided a method, comprising: receiving a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access for a user equipment, obtaining first credentials for cellular access and second credentials for non-cellular access, and sending a response comprising the first credentials for cellular access and the second credentials for non-cellular access.
[0010] According to a still further aspect of the present invention, there is provided an apparatus, comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to: receive a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access for a user equipment, obtain first credentials for cellular access and second credentials for non-cellular access, and send a response comprising the first credentials for cellular access and the second credentials for non-cellular access.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIGURE 1 illustrates an example of a system scenario in which at least some embodiments of the invention may be applied;
[0012] FIGURE 2 illustrates a 3GPP system in which at least some embodiments of the invention may be applied;
[0013] FIGURES 3, 4 and 5 illustrate methods in accordance with at least some embodiments of the present invention;
[0014] FIGURE 6 illustrates signalling in accordance with some embodiments of the present invention; and
[0015] FIGURE 7 illustrates an example apparatus capable of supporting at least some embodiments of the present invention.
EMBODIMENTS
[0016] FIGURE 1 illustrates a simplified example of a system facilitating cellular access and non-cellular access. User equipment (UE) 10 is configured to communicate wirelessly with a network node 22 of a cellular access network 20, such as a NodeB, evolved NodeB (eNB), Next Generation (NG) NodeB (gNB), a base station, an access point, or other suitable wireless/radio access network device or system.
[0017] Without limiting to Third Generation Partnership Project (3GPP) User Equipment, the term user equipment/UE is to be understood broadly to cover various mobile/wireless terminal devices, mobile stations and user devices for user communication and/or machine to machine type communication. The access network node 22 is connected to further network node(s), such as a Next Generation core network, Evolved Packet Core (EPC), or other network management element. The access network nodes 22 may be interfaced for supporting mobility of the UE 10.
[0018] The UE 10 is further configured to communicate with a network node 32 of a wireless or fixed non-cellular access network 30, such as an access point (AP) of an IEEE802.11 based network or other non-3GPP access network. The cellular access network 20 and the non-cellular access network 30 may comprise further network nodes or functions and may be connected to a cellular system core network 40. At least the cellular core network may be connected to further networks 50, such as IP-based networks.
[0019] The core network 40 may comprise various network functions 42, 44, 46. A network function in the present application may refer to an operational and/or physical entity. The network function may be a specific network node or element, or a specific function or set of functions carried out by one or more entities, such as virtual network elements. Examples of such network functions include an access control or management function, mobility management or control function, session management or control function, interworking, data management or storage function, authentication function or a combination of one or more of these functions. For example, there may be an interworking network function 42 supporting access to the core network 40 via the non-cellular access network 30.
[0020] One or more network functions may carry out security procedures for both cellular access and non-cellular access. There may be an authenticator network function 46 configured to authenticate the user equipment 10 for cellular access and non-cellular access. There may be an authentication information provider network function 44 configured to provide authentication information for cellular access and non-cellular access.
[0021] In case the UE 10 is connected both to the non-cellular access network 30 and the cellular access network 20, separate authentication procedures are carried out for both accesses. An improved authentication mechanism has now been developed, in which authentication credentials are provided both for cellular access and non-cellular access by a single procedure.
[0022] FIGURE 2 illustrates an example of a 3GPP 5G system supporting 3GPP and non-3GPP access, in which at least some of the presently disclosed authentication features may be applied. The UE may connect to 3GPP access 210 via a 3GPP access network comprising access network node(s), such as Next Generation (NG) NodeBs (gNBs). In some embodiments, the system comprises functions and architecture as defined in 3GPP system architecture for the 5G system.
[0023] In the 5G core network, user plane (UP) functions are separated from control plane (CP) functions. Access and Mobility Management Function AMF and Session Management Function SMF provide CP functions. The SMF controls one or more User Plane Functions UPF for handling user plane path of packet data unit (PDU) sessions for the UE. The AMF may comprise termination of the RAN CP N2 interface, registration management, connection management, reachability management, mobility management, access authentication, access authorization, Security Anchor Functionality (SEAF), Security Context Management (SCM), and support of N2 interface for non-3GPP access, without limiting to these functionalities.
[0024] Authentication Server Function AUSF communicates with the AMF over N12 reference point. In case of Universal Subscriber Identity Module (USIM) based authentication, the AMF requests and receives security material from the AUSF. As part of the network access control, the AMF may authenticate the UE during any procedure establishing a signalling connection with the UE. The keying material generated by primary AKA procedure results in an intermediate, anchor key, called the KSEAF provided by the AUSF to the SEAF. In addition, in the 5G security architecture an authentication run may also result in a key called the KAUSF left at the AUSF based on the home operator's policy on using such key.
[0025] The Unified Data Management UDM is connected to the AUSF over N13 reference point and to the AMF over N8 reference point. The UDM may store subscriber and authentication data for the subscriber (represented by USIM) and may comprise support for generation of 3GPP AKA authentication credentials, user identification handling, access authorization based on subscription data (e.g. roaming restrictions), serving network function registration, subscription management, without limiting to these functionalities.
[0026] The 5G Core Network supports the connectivity of the UE via non-3GPP access network(s) 200, e.g. via WLAN access, which may or may not be trusted. Non-3GPP access networks may connect to the 5G Core Network via a Non-3GPP InterWorking Function (N3IWF). The N3IWF interfaces the 5G Core Network CP and UP functions via N2 and N3 interfaces, respectively. The N2 and N3 reference points are used to connect standalone non-3GPP accesses to 5G Core Network control-plane and user-plane functions, respectively.
[0027] A UE that accesses the 5G Core Network over a standalone non-3GPP access may, after UE attachment, support NAS signalling with 5G Core Network control-plane functions using the N1 reference point. A UE simultaneously connected to the same 5G Core Network of a PLMN over a 3GPP access and a non-3GPP access is served by a single AMF if the selected N3IWF is located in the same PLMN as the 3GPP access. A UE may establish an IPSec tunnel with the N3IWF to attach to the 5G Core Network over untrusted non-3GPP access 200. The UE may be authenticated by and attached to the 5G Core Network during the IPSec tunnel establishment procedure. It is to be noted that the N3IWF may in roaming architectures be located in different PLMN from the 3GPP access.
[0028] FIGURE 3 illustrates a method according to some embodiments. The method may be for and arranged to be applied in a user equipment, such as the UE 10 communicating with the authenticator network function 46. A request is sent 300 for causing generation of first credentials for cellular access and second credentials for non-cellular access. Credentials for (cellular or non-cellular) access herein refer generally to at least authentication related information for at least performing authentication procedure for the access, and may include also other information, such as security key(s).
[0029] A first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access are received 310. In some embodiments, the parameters are received 310 in a single message from the same entity for which the request is sent 300, such as the authenticator network function 46 serving for both cellular and non-cellular access authentication.
[0030] A first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access is sent 320. A second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access is sent 330.
[0031] FIGURE 4 illustrates features for, and which may be arranged to be applied in an authenticator network element or function, such as the AMF communicating with the UE and an authentication information provider, such as the AUSF.
[0032] A request is sent 410 for initiating generation of first credentials for cellular access and second credentials for non-cellular access. The request may be any type of message causing the receiving entity to directly or indirectly initiate the credentials generation, such as an authentication information request from network function 46 to 44. The request may be sent in block 410 for an authentication information provider network function 44, such as the AUSF.
[0033] The request may be sent 410 in response to receiving 400 a request from the user equipment for causing generation of first credentials for cellular access and second credentials for non-cellular access. However, it is to be appreciated that block 400 is not required in all embodiments, and in some embodiments the network element or function implementing the method of FIGURE 4 may trigger step 410 without external request or in response to a request from another network element or function.
[0034] The first credentials for cellular access and the second credentials for non-cellular access are received 420. The credentials may be received in a response to the request 410 to the authentication information provider network function 44. A first authentication parameter of the first credentials and a second authentication parameter of the second credentials may be sent 430 for the user equipment.
[0035] A second authentication response is received 440 from the user equipment for authenticating for the non-cellular access. The second authentication response is verified 450 on the basis of an expected response of the second credentials. The expected response may be included in the received second credentials, but could also be computed on the basis of the second credentials.
[0036] FIGURE 5 illustrates features for obtaining authentication credentials both for cellular access and non-cellular access. The method may be for and arranged to be applied in an authentication information provider network function, such as the AUSF communicating with the AMF or UDM communicating with the AUSF.
[0037] A request is received 500 for initiating generation of first credentials for cellular access and second credentials for non-cellular access for a user equipment. The request may be received from an authenticator network function 46, for example by an authentication initiation request from the AMF. First credentials for cellular access and second credentials for non-cellular access are obtained 510. Obtaining of the credentials refers generally to locally generating the credentials or requesting for and receiving the credentials from another entity.
[0038] A response comprising the first credentials for cellular access and the second credentials for non-cellular access is sent 520. In some embodiments, the response is a response message to the requesting authenticator network element 46, such as an authentication initiation response or answer to the AMF.
[0039] It is to be appreciated that features illustrated in connection with FIGURES 3 to 5 may be applied in various combinations in different systems and in many ways, and there are many further steps that may be carried out before, between or after the steps illustrated in FIGURES 3 to 5. Some further embodiments are illustrated below.
[0040] The first authentication parameter and the second authentication parameter, such as a random number or other challenge, may be included 310, 430 in an authentication request message via the cellular access 20, 200. Thus, no further signalling to the UE is required for providing the non-cellular authentication parameter (and potential other authentication related information), which is then readily available at the UE for subsequent non-cellular authentication.
[0041] A first authentication response may be received between blocks 430 and 440 for authenticating to the cellular access. The first authentication response may be verified on the basis of an expected response of the first credentials.
[0042] The second credentials may be stored in connection with block 420 for subsequent non-cellular registration. The second authentication response may be (sent 330 and) received 440 from the user equipment in a registration request. The second authentication response may be verified 450 and a registration response sent to the user equipment without initiating signalling to the authentication information network function.
[0043] By applying embodiments illustrated above in connection with FIGURES 3 to 5, authentication credentials may be generated for both cellular and non-cellular access by applying a single authentication (information exchange) procedure, thus enabling a reduction of authentication-related signalling in the system. A single message 300, 400, 410, 500 can trigger the credentials generation for both cellular and non-cellular access, and the credentials (and the authentication parameters for the UE) can be transmitted in a single message in blocks 310, 420, 430, and 520.
[0044] In some embodiments, the method of FIGURE 5 is carried out by an authentication serving or management function, such as the AUSF of the 3GPP system. Thus, block 510 may comprise sending an authentication info request to a user data management function and receiving the first credentials and the second credentials in an authentication info response. The request 410, 500 for initiating generation of the first credentials and the second credentials may be an authentication initiation request and the first credentials and the second credentials are included 520, 420 in an authentication initiation answer.
[0045] In some other embodiments, the method of FIGURE 5 is carried out by a user data management function, such as the UDM of 3GPP system. Thus, block 510 may comprise computing the first credentials and the second credentials on the basis of a subscriber profile associated with the UE. The request 410, 500 for initiating generation of the first credentials and the second credentials may be an authentication info request from the AUSF and the response 520 comprising the first credentials and the second credentials may be an authentication info response.
[0046] In some embodiments, the request 300, 400, 410, 500 indicates a request for extensible authentication protocol authentication and key agreement based (EAP-AKA) procedure or evolved packet system authentication and key agreement based procedure (EPS-AKA) for the cellular access and the request indicates a request for EAP-AKA based procedure for the non-cellular access. In connection with 3GPP 5G access, at least some of the above-illustrated features may be applied for arranging EAP-AKA' and 5G AKA authentication methods.
[0047] FIGURE 6 illustrates signaling in a 3GPP 5G based system according to some example embodiments. In the example, authentication via 3GPP starts with a registration request 602, which is adapted for (indirectly) causing generation of authentication information or vector for both 3GPP access and non-3GPP access. For example, this may be indicated by a specific or other type of information element(s) that indicate that the UE is capable of supporting the new non-3GPP authentication or dual authentication preparation.
[0048] The AMF may request 604 the identity of the UE and send a 5G Authentication Initiation Request (AIR) 608 for initiating generation of 3GPP and non-3GPP credentials upon receiving 606 the identity of the UE. The 5G-AIR 608 may comprise at least one information element for indicating that authentication is meant for 3GPP access and non-3GPP access, and thus indicate the present specific dual authentication information request type. For example, the 5G-AIR 608 may comprise a new information element “Non-3GPP-Authentication-Info-Required”, which is set to 1 to initiate generation of also the non-3GPP credentials. Annex 1a illustrates an example of such 5G-AIR message.
[0049] In response to the 5G-AIR 608, the AUSF sends an authentication info request 610 to the UDM. The message 610 may comprise a new information element initiating generation of both 3GPP and non-3GPP credentials. In response to the message 610, the UDM is configured to select both 3GPP and non-3GPP authentication methods and generate 612 both 3GPP and non-3GPP credentials. For example, the UDM in accordance with the message 610 selects EPS-AKA or 5G-AKA for 3GPP authentication and EAP-AKA or EAP-AKA’ for non-3GPP authentication.
[0050] In some embodiments, without limiting to the example embodiment of FIGURE 6, the first and/or second credentials comprise or are included in an authentication vector comprising at least some of a random number, an authentication token, an expected response generated on the basis of the random number, and an intermediate security key(s) for generating one or more further security keys.
[0051] In block 612 the UDM may generate a random number (RAND), an expected response (XRES) and an authentication token (AUTN) as 3GPP credentials in accordance with the associated subscriber profile and include them in a 3GPP authentication vector. The UDM may further generate RAND, XRES, and AUTN for non-3GPP access and as non-3GPP credentials. The UDM sends the 3GPP credentials and the non-3GPP credentials in an authentication info response 614 to the AUSF.
[0052] Upon receiving the authentication info response 614, the AUSF may calculate the intermediate security key KASME. The AUSF includes the received credentials in an authentication information element of a 5G Authentication Initiation Answer (AIA) message 616. The non-3GPP credentials may be included in a new non-3GPP specific authentication information element of the 5G-AIA message 616, for example a “Non-3GPP-Authentication-Info”. Annex 1b illustrates an example of such 5G-AIA message. The credentials may be included in authentication vectors in the messages 614 and 616.
[0053] The AMF stores 618 the received 3GPP and non-3GPP authentication information (RAND, XRES, and AUTN) and sends a 3GPP authentication request 620 comprising the random numbers RAND both for the 3GPP access and non-3GPP access. The authentication request may comprise a new information element for the non-3GPP access RAND. In the case of the EAP-AKA’, the messages 616 and 620 may comprise an EAP-Request/AKA’ Challenge element.
[0054] The UE stores 622 the non-3GPP authentication information (RAND and AUTN) for subsequent non-3GPP authentication. For 3GPP authentication, the UE calculates XRES based on the received AUTN and RAND and, in case of successful AUTN verification and successful AMF verification, responds with (User) authentication response message 624 including a 3GPP authentication response RES3GPP generated on the basis of the received AUTN and RAND.
[0055] The AMF performs 3GPP authentication by comparing the RES3GPP to the 3GPP XRES3GPP and may send a 5G-AIA confirmation message 626 to the AUSF (which may comprise the authentication response received from the UE). It is to be noted that there may be variations in the authentication procedure depending on the selected method. For example, in the case of 5G AKA the AMF may receive an expected response HXRES* from the AUSF, compute HRES* from RES* received from the UE, and compare the HRES* with the HXRES*. If the authentication was successful, the key KASME (or in some embodiments KASME*) received by the AMF in the 3GPP authentication vector may become the anchor key for the 5G key hierarchy.
[0056] Security mode command (SMC) procedure 628 may be performed between the AMF and the UE. The SMC procedure 628 may comprise a round trip of messages between the AMF and the UE. The AMF may send a Network Access Stratum (NAS) Security Mode Command to the UE and the UE replies with a NAS Security Mode Complete message. The primary purpose of the NAS SMC procedure is to securely establish a NAS security context between the UE and AMF, i.a. to indicate the selected NAS algorithms to the UE. The AMF may send a registration response 630 to the UE.
[0057] A need to perform authentication for (and via) non-3GPP access may arise instantly in connection with the authentication via the 3GPP access, or later e.g. upon an input from the user or an application of the UE. The UE retrieves the stored non-3GPP access RAND and AUTN and generates an authentication response RESnon-3gpp for non-3GPP authentication, which is included in a registration request 632 (via a non-3GPP access network 200) to the N3IWF. The N3IWF forwards 634 the registration request to the AMF. The AMF retrieves the stored non-3GPP credentials and verifies 636 the RESnon-3gpp with the non-3GPP XRESnon-3gpp. The AMF sends a registration response 638, which is forwarded 640 to the UE.
[0058] Hence, there is no need to initiate further EAP-AKA based signaling to the AUSF for the non-3GPP authentication, saving time and signaling burden in the 3GPP core network. Furthermore, signaling on the UDM can be minimized.
[0059] As illustrated in the above examples, signaling may be reduced by applying common messages for both 3GPP and non-3GPP authentication information. However, it will be appreciated that various modifications are possible, and it is alternatively feasible to apply separate messages in one or more signaling instances for requesting and/or sending 3GPP and non-3GPP authentication information, for example. Further, it is to be noted that although references were made to the AMF, the SEAF of the AMF may be involved in the signaling and forward EAP/AKA’ messages between UE and the AUSF.
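The flow of paragraphs [0053] to [0058], sketched as an added example that is not part of the patent text: the AMF stores both vectors from one 5G-AIA, checks RES3GPP, and later checks RESnon-3gpp locally without any further call to the AUSF. The class and method names are hypothetical, an HMAC-SHA-256 stand-in replaces the USIM's AKA functions, and consuming a stored vector on its first use is an assumption of this example rather than something the specification states.

```python
import hashlib
import hmac
import secrets


def _prf(k: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # Stand-in for the AKA functions (f1 for AUTN, f2 for RES); NOT Milenage or TUAK.
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


class Ausf:
    """AUSF/UDM side: answers with both vectors, shaped like Annex 1b (message 616)."""

    def __init__(self, subscriber_keys):
        self.keys = subscriber_keys
        self.calls = 0  # counts signalling towards the AUSF

    def _vector(self, k):
        rand = secrets.token_bytes(16)
        return {"RAND": rand.hex(),
                "XRES": _prf(k, b"f2", rand, 8).hex(),
                "AUTN": _prf(k, b"f1", rand, 16).hex()}

    def initiation_answer(self, user_name):
        self.calls += 1
        k = self.keys[user_name]
        return {"Authentication-Info": self._vector(k),
                "Non-3gpp-Authentication-Info": self._vector(k),
                "Result-Code": 2001}


class Amf:
    def __init__(self, ausf):
        self.ausf = ausf
        self.vectors = {}  # (user, access) -> stored vector (step 618)

    def start_registration(self, user):
        aia = self.ausf.initiation_answer(user)
        self.vectors[(user, "3gpp")] = aia["Authentication-Info"]
        self.vectors[(user, "non-3gpp")] = aia["Non-3gpp-Authentication-Info"]
        # Authentication request 620 carries RAND and AUTN only; XRES stays in the AMF.
        return {acc: {"RAND": v["RAND"], "AUTN": v["AUTN"]}
                for (u, acc), v in self.vectors.items() if u == user}

    def verify(self, user, access, res_hex):
        # Assumption of this example: a stored vector is single-use, so a
        # replayed or failed response forces a fresh run via the AUSF.
        vec = self.vectors.pop((user, access), None)
        if vec is None:
            return False
        try:
            res = bytes.fromhex(res_hex)
        except ValueError:
            return False
        # Constant-time comparison of RES against the stored XRES (steps 624/636).
        return hmac.compare_digest(res, bytes.fromhex(vec["XRES"]))


class Ue:
    def __init__(self, k):
        self.k = k
        self.stored = None  # non-3GPP RAND/AUTN kept for later (step 622)

    def _respond(self, challenge):
        rand = bytes.fromhex(challenge["RAND"])
        expected_autn = _prf(self.k, b"f1", rand, 16)
        if not hmac.compare_digest(expected_autn, bytes.fromhex(challenge["AUTN"])):
            raise ValueError("AUTN verification failed")
        return _prf(self.k, b"f2", rand, 8).hex()

    def on_auth_request(self, request):
        self.stored = request["non-3gpp"]
        return self._respond(request["3gpp"])  # RES3GPP, message 624

    def non3gpp_response(self):
        return self._respond(self.stored)      # RESnon-3gpp, request 632


def run_demo():
    user = "588710000000001"      # User-Name as in Annex 1a
    k = secrets.token_bytes(16)   # constructed subscriber key
    ausf = Ausf({user: k})
    amf, ue = Amf(ausf), Ue(k)
    request = amf.start_registration(user)
    ok_3gpp = amf.verify(user, "3gpp", ue.on_auth_request(request))
    calls_before = ausf.calls
    res_n3 = ue.non3gpp_response()
    ok_non3gpp = amf.verify(user, "non-3gpp", res_n3)
    replay = amf.verify(user, "non-3gpp", res_n3)  # same RES sent a second time
    return {"3gpp": ok_3gpp, "non-3gpp": ok_non3gpp, "replay": replay,
            "extra_ausf_calls": ausf.calls - calls_before}


if __name__ == "__main__":
    print(run_demo())
```

Because the non-3GPP XRES sits in AMF memory from step 618 until it is used, the example treats the stored vector as a secret with a bounded lifetime: it never leaves the AMF and is discarded after one verification attempt.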
[0060] It is to be appreciated that various embodiments illustrated in the above Figures 3 to 6 may be applied in various combinations with other embodiments and in isolation from the other features in the same Figure and related description. For example, the functions carried out by the UE and the network functions as described in connection with FIGURE 6 and 3GPP 5G may be applied in connection with other systems and various modifications and future developments and releases of the 5G system. In some other examples, at least some of the above-illustrated new messages and functions related to providing authentication information for cellular and non-cellular access may be applied in isolation of the above disclosed application of the other security related features.
[0061] It is to be noted that at least some of the network functions or nodes illustrated above, such as the authenticator network function (46 or AMF) and/or the authentication information provider network function (44, AUSF, UDM) may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes. In general, virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Network virtualization may involve platform virtualization, often combined with resource virtualization. Network virtualization may be categorized as external virtual networking which combines many networks, or parts of networks, into the server computer or the host computer. External network virtualization is targeted to optimized network sharing. Another category is internal virtual networking which provides network-like functionality to the software containers on a single system. For example, instances of the AMF, SMF, AUSF, and UDM can be instantiated as virtual functions in a network function virtualization architecture (NFV).
[0062] An electronic device comprising electronic circuitries may be an apparatus for realizing at least some embodiments of the present invention. The apparatus may be or may be comprised in a computer, a server, a laptop, a tablet computer, a mobile phone, a machine to machine (M2M) device (e.g. an IoT sensor device), a wearable device, for example. In another embodiment, the apparatus carrying out the above-described functionalities is comprised in or adapted to be included in such a device, e.g. the apparatus may comprise a circuitry, such as a chip, a chipset, a microcontroller, or a combination of such circuitries in any one of the above-described devices.
[0063] FIGURE 7 illustrates an example apparatus capable of supporting at least some embodiments of the present invention. Illustrated is a device 700, which may comprise an electronic communication device, such as a 3GPP N-RAT compliant UE or other user communications device capable of communicating over cellular access and non-cellular access. In some embodiments, the device 700 may be adapted to function as the AMF, AUSF, or UDM communication device.
[0064] Comprised in the device 700 is a processor 702, which may comprise, for example, a single- or multi-core processor wherein a single-core processor comprises one processing core and a multi-core processor comprises more than one processing core. The processor 702 may comprise more than one processor. The processor may comprise at least one application-specific integrated circuit, ASIC. The processor may comprise at least one field-programmable gate array, FPGA. The processor may be means for performing method steps in the device. The processor may be configured, at least in part by computer instructions, to perform actions.
[0065] The device 700 may comprise memory 704. The memory may comprise random-access memory and/or permanent memory. The memory may comprise at least one RAM chip. The memory may comprise solid-state, magnetic, optical and/or holographic memory, for example. The memory may be at least in part accessible to the processor 702. The memory may be at least in part comprised in the processor 702. The memory 704 may be means for storing information. The memory may comprise computer instructions that the processor is configured to execute. When computer instructions configured to cause the processor to perform certain actions are stored in the memory, and the device in overall is configured to run under the direction of the processor using computer instructions from the memory, the processor and/or its at least one processing core may be considered to be configured to perform said certain actions. The memory may be at least in part comprised in the processor. The memory may be at least in part external to the device 700 but accessible to the device.
[0066] The device 700 may comprise a transmitter 706. The device may comprise a receiver 708. The transmitter and the receiver may be configured to transmit and receive, respectively, information in accordance with at least one cellular or non-cellular standard. The transmitter may comprise more than one transmitter and more than one receiver. The transmitter and/or receiver may be configured to operate in accordance with global system for mobile communication, GSM, wideband code division multiple access, WCDMA, long term evolution, LTE, 3GPP new radio access technology (N-RAT), IS-95, wireless local area network, WLAN, and/or Ethernet standards, for example. The device 700 may comprise a near-field communication, NFC, transceiver 714. The NFC transceiver may support at least one NFC technology, such as NFC, Bluetooth, Wibree or similar technologies.
[0067] The device 700 may comprise user interface, UI, 712. The UI may comprise at least one of a display, a keyboard, a touchscreen, a vibrator arranged to signal to a user by causing the device to vibrate, a speaker and a microphone. A user may be able to operate the device via the UI, for example to accept incoming telephone calls, to originate telephone calls or video calls, to browse the Internet, to manage digital files stored in the memory 704 or on a cloud accessible via the transmitter 706 and the receiver 708, or via the NFC transceiver 714, and/or to play games.
[0068] The device 700 may comprise or be arranged to accept a user identity module 710. The user identity module may comprise, for example, a universal subscriber identity module, USIM, card installable in the device 700. The user identity module 710 may comprise information identifying a subscription of a user of device 700. The user identity module 710 may comprise cryptographic information usable to verify the identity of a user of device 700 and/or to facilitate encryption of communicated information and billing of the user of the device 700 for communication effected via the device 700.
[0069] The processor 702 may be furnished with a transmitter arranged to output information from the processor, via electrical leads internal to the device 700, to other devices comprised in the device. Such a transmitter may comprise a serial bus transmitter arranged to, for example, output information via at least one electrical lead to memory 704 for storage therein. Alternatively to a serial bus, the transmitter may comprise a parallel bus transmitter. Likewise the processor may comprise a receiver arranged to receive information in the processor, via electrical leads internal to the device 700, from other devices comprised in the device 700. Such a receiver may comprise a serial bus receiver arranged to, for example, receive information via at least one electrical lead from the receiver 708 for processing in the processor. Alternatively to a serial bus, the receiver may comprise a parallel bus receiver.
[0070] The device 700 may comprise further devices not illustrated in Figure 7. For example, the device may comprise at least one digital camera. Some devices 700 may comprise a back-facing camera and a front-facing camera. The device may comprise a fingerprint sensor arranged to authenticate, at least in part, a user of the device. In some embodiments, the device lacks at least one device described above. For example, some devices may lack the NFC transceiver 714, the fingerprint sensor and/or the user identity module 710.
[0071] The processor 702, the memory 704, the transmitter 706, the receiver 708, the NFC transceiver 714, the UI 712 and/or the user identity module 710 may be interconnected by electrical leads internal to the device 700 in a multitude of different ways. For example, each of the aforementioned devices may be separately connected to a master bus internal to the device, to allow for the devices to exchange information. However, as the skilled person will appreciate, this is only one example and depending on the embodiment various ways of interconnecting at least two of the aforementioned devices may be selected without departing from the scope of the present invention.
[0072] It is to be understood that the embodiments of the invention disclosed are not limited to the particular structures, process steps, or materials disclosed herein, but are extended to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It should also be understood that terminology employed herein is used for the purpose of describing particular embodiments only and is not intended to be limiting.
[0073] Reference throughout this specification to one embodiment or an embodiment means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Where reference is made to a numerical value using a term such as, for example, about or substantially, the exact numerical value is also disclosed.
[0074] As used herein, a plurality of items, structural elements, compositional elements, and/or materials may be presented in a common list for convenience. However, these lists should be construed as though each member of the list is individually identified as a separate and unique member. Thus, no individual member of such list should be construed as a de facto equivalent of any other member of the same list solely based on their presentation in a common group without indications to the contrary. In addition, various embodiments and examples of the present invention may be referred to herein along with alternatives for the various components thereof. It is understood that such embodiments, examples, and alternatives are not to be construed as de facto equivalents of one another, but are to be considered as separate and autonomous representations of the present invention.
[0075] While the foregoing examples are illustrative of the principles of the present invention in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and details of implementation can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the invention. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Accordingly, it is not intended that the invention be limited, except as by the claims set forth below.
[0076] The verbs “to comprise” and “to include” are used in this document as open limitations that neither exclude nor require the existence of also un-recited features. The features recited in depending claims are mutually freely combinable unless otherwise explicitly stated. Furthermore, it is to be understood that the use of "a" or "an", that is, a singular form, throughout this document does not exclude a plurality.
INDUSTRIAL APPLICABILITY
At least some embodiments of the present invention find industrial application in wireless communications.
ACRONYMS LIST
3GPP Third generation partnership project
AF Application Function
AIA Authentication Initiation Answer
AIR Authentication Initiation Request
AKA Authentication and Key Agreement
AMF Access and Mobility Management Function
APRF Authentication credential Repository and Processing Function
AS Access stratum
ASIC Application-specific integrated circuit
AUSF Authentication Server Function
AUTN Authentication token
CE Control element
EAP Extensible Authentication Protocol
EPS Evolved Packet System
FPGA Field-programmable gate array
gNB Next Generation NodeB
GSM Global system for mobile communication
IoT Internet of things
LTE Long term evolution
NAS Network Access Stratum
N3IWF Non-3GPP InterWorking Function
N-RAT New radio access technology
NFC Near-field communication
NFV Network function virtualization
PDCP Packet data convergence protocol
(R)AN (Radio) Access Network
RAND Random number
SCM Security Context Management
SEAF Security anchor function
SMF Session Management Function
UDM Unified Data Management
UE User Equipment
UI User interface
UPF User Plane Function
USIM Universal Subscriber Identity Module
XRES Expected response
WCDMA Wideband code division multiple access
WLAN Wireless local area network
ANNEX 1a) 5G-AIR example:
{
  "Session-Id" : "mmec1.mmegi2.epc.mnc71.mcc588.3gppnetwork.org;3267362853;6144;mme",
  "Auth-Session-State" : 1,
  "Origin-Host" : "mmec1.mmegi2.epc.mnc71.mcc588.3gppnetwork.org",
  "Origin-Realm" : "epc.mnc71.mcc588.3gppnetwork.org",
  "Destination-Realm" : "epc.mnc17.mcc588.3gppnetwork.org",
  "User-Name" : "588710000000001",
  "Requested-EUTRAN-Authentication-Info" : {
    "Number-of-Requested-Vectors" : 1,
    "Immediate-Response-Preferred" : 1
  },
  "Visited-PLMN-Id" : 58871,
  "Non-3gpp-Authentication-Info-Required" : 1
}
1b) 5G-AIA example:
{
  "Session-Id" : "mmec1.mmegi2.epc.mnc71.mcc588.3gppnetwork.org;3267362853;6144;mme",
  "Auth-Session-State" : 1,
  "Origin-Host" : "hss1.epc.mnc71.mcc588.3gppnetwork.org",
  "Origin-Realm" : "hss1.mnc71.mcc588.3gppnetwork.org",
  "Authentication-Info" : {
    "Item-Number" : 1,
    "RAND" : "000102030405060708090A0B0C0D0E0F",
    "XRES" : "0102010201020102",
    "AUTN" : "01020304050607080102030405060708",
    "KASME" : "0102030405060708010203040506070801020304050607080102030405060708"
  },
  "Non-3gpp-Authentication-Info" : {
    "Item-Number" : 1,
    "RAND" : "000102030405060708090A0B0C0D0E0F",
    "XRES" : "0102010201020102",
    "AUTN" : "01020304050607080102030405060708"
  },
  "Result-Code" : 2001
}

Claims

CLAIMS:
1. A method, comprising:
- sending a request for causing generation of first credentials for cellular access and second credentials for non-cellular access,
- receiving a first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access,
- sending a first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access, and
- sending a second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access.
2. The method of claim 1, wherein the request is or is included in a registration request from a user equipment via a cellular wireless access network to an access management network function or a security anchor function.
3. The method of claim 1 or 2, wherein a user equipment calculates and stores for subsequent non-cellular access registration the second authentication response upon receiving the first authentication parameter for cellular access and the second authentication parameter, and
the second authentication response is included in a registration request to an access management function or a security anchor function via a non-cellular access network.
4. A method, comprising:
- sending a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access,
- receiving the first credentials for cellular access and the second credentials for non-cellular access,
- sending a first authentication parameter of the first credentials and a second authentication parameter of the second credentials for the user equipment,
- receiving a second authentication response from the user equipment for authenticating for the non-cellular access, and
- verifying the second authentication response on the basis of an expected response of the second credentials.
5. The method of claim 4, further comprising:
- receiving a request from user equipment for causing generation of the first credentials for cellular access and the second credentials for non-cellular access, wherein the request for initiating generation of first credentials and second credentials is sent to an authentication information provider network function in response to the request from the user equipment.
6. The method of claim 4 or 5, further comprising:
- receiving a first authentication response for authenticating to the cellular access, and
- verifying the first authentication response on the basis of an expected response of the first credentials.
7. The method of claim 4, 5, or 6, wherein the second credentials are stored for subsequent non-cellular authentication,
the second authentication response is received from the user equipment in a registration request, and
the second authentication response is verified and a registration response is sent to the user equipment without initiating signalling to the authentication information provider network function.
8. The method according to any preceding claim, wherein an authentication request message via the cellular access comprises the first authentication parameter and the second authentication parameter.
9. A method, comprising:
- receiving a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access for a user equipment,
- obtaining first credentials for cellular access and second credentials for non-cellular access, and
- sending a response comprising the first credentials for cellular access and the second credentials for non-cellular access.
10. The method of claim 9, wherein the method is carried out by an authentication server function, and
the obtaining of the first credentials and the second credentials comprises sending an authentication info request to a user data management function and receiving the first credentials and the second credentials in an authentication info response.
11. The method of any preceding claim 4 to 10, wherein the request for initiating generation of the first credentials and the second credentials is an authentication initiation request and the first credentials and the second credentials are included in an authentication initiation answer.
12. The method of claim 9, wherein the method is carried out by a user data management function,
the obtaining of the first credentials and the second credentials comprises calculating the first credentials and the second credentials on the basis of a subscriber profile associated with the user equipment,
the request for initiating generation of the first credentials and the second credentials is an authentication info request from an authentication server function, and the response comprising the first credentials and the second credentials is an authentication info response.
13. The method of any preceding claim, wherein the first and/or second credentials comprise or are included in an authentication vector comprising a random number, an authentication token, an expected response generated on the basis of the random number, and an intermediate security key for generating one or more further security keys.
14. The method of any preceding claim, wherein the request indicates a request for extensible authentication protocol authentication and key agreement based procedure or evolved packet system authentication and key agreement based procedure for the cellular access and the request indicates a request for extensible authentication protocol authentication and key agreement based procedure for the non-cellular access.
15. An apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to:
- send a request for causing generation of first credentials for cellular access and second credentials for non-cellular access,
- receive a first authentication parameter of the first credentials for cellular access and a second authentication parameter of the second credentials for non-cellular access,
- send a first authentication response generated on the basis of the first authentication parameter for authenticating for the cellular access, and
- send a second authentication response generated on the basis of the second authentication parameter for authenticating for the non-cellular access.
16. The apparatus of claim 15, wherein the request is or is included in a registration request from a user equipment via a cellular wireless access network to an access management network function or a security anchor function.
17. The apparatus of claim 15 or 16, wherein the apparatus is configured to cause calculation and storing of the second authentication response for subsequent non-cellular access registration upon receiving the first authentication parameter for cellular access and the second authentication parameter, and
the apparatus is configured to include the second authentication response in a registration request to an access management function or a security anchor function via a non-cellular access network.
18. An apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to:
- send a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access,
- receive the first credentials for cellular access and the second credentials for non-cellular access,
- send a first authentication parameter of the first credentials and a second authentication parameter of the second credentials for the user equipment,
- receive a second authentication response from the user equipment for authenticating for the non-cellular access, and
- verify the second authentication response on the basis of an expected response of the second credentials.
19. The apparatus of claim 18, wherein the apparatus is configured to receive a request from a user equipment for causing generation of the first credentials for cellular access and the second credentials for non-cellular access, wherein the apparatus is configured to send the request for initiating generation of first credentials and second credentials to an authentication information provider network function in response to the request from the user equipment.
20. The apparatus of claim 18 or 19, wherein the apparatus is further configured to:
- receive a first authentication response for authenticating to the cellular access, and
- verify the first authentication response on the basis of an expected response of the first credentials.
21. The apparatus of claim 18, 19, or 20, wherein the apparatus is further configured to:
- store the second credentials for subsequent non-cellular authentication,
- receive the second authentication response from the user equipment in a registration request, and
- verify the second authentication response and send a registration response to the user equipment without initiating signalling to the authentication information provider network function.
22. The apparatus of any preceding claim 15 to 21, wherein an authentication request message via the cellular access comprises the first authentication parameter and the second authentication parameter.
23. An apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to:
- receive a request for initiating generation of first credentials for cellular access and second credentials for non-cellular access for a user equipment,
- obtain first credentials for cellular access and second credentials for non-cellular access, and
- send a response comprising the first credentials for cellular access and the second credentials for non-cellular access.
24. The apparatus of claim 23, wherein the apparatus is configured to provide an authentication server function, and
the apparatus is configured to obtain the first credentials and the second credentials by sending an authentication info request to a user data management function and receiving the first credentials and the second credentials in an authentication info response.
25. The apparatus of any preceding claim 18 to 24, wherein the request for initiating generation of the first credentials and the second credentials is an authentication initiation request and the apparatus is configured to include the first credentials and the second credentials in an authentication initiation answer.
26. The apparatus of claim 25, wherein the apparatus is configured to provide a user data management function,
the apparatus is configured to obtain the first credentials and the second credentials by calculating the first credentials and the second credentials on the basis of a subscriber profile associated with the user equipment,
the request for initiating generation of the first credentials and the second credentials is an authentication info request from an authentication server function, and the response comprising the first credentials and the second credentials is an authentication info response.
27. The apparatus of any preceding claim 15 to 26, wherein the first and/or second credentials comprise or are included in an authentication vector comprising a random number, an authentication token, an expected response generated on the basis of the random number, and an intermediate security key for generating one or more further security keys.
28. The apparatus of any preceding claim, wherein the request indicates a request for extensible authentication protocol authentication and key agreement based procedure or evolved packet system authentication and key agreement based procedure for the cellular access and the request indicates a request for extensible authentication protocol authentication and key agreement based procedure for the non-cellular access.
29. A user communications device, comprising the apparatus of any preceding claim 15 to 17.
30. The user communications device of claim 29, wherein the user equipment is operative in accordance with third generation partnership project new radio access technology.
31. An apparatus, comprising means for carrying out the method of any one of claims 1 to 14.
32. A non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause an apparatus to perform a method in accordance with at least one of claims 1 to 14.
33. A computer program, comprising code for, when executed in a data processing apparatus, to cause a method in accordance with at least one of claims 1 to 14 to be performed.
PCT/FI2017/050920 2017-12-21 2017-12-21 Authentication for wireless communications system WO2019122495A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2017/050920 WO2019122495A1 (en) 2017-12-21 2017-12-21 Authentication for wireless communications system

Publications (1)

Publication Number Publication Date
WO2019122495A1 true WO2019122495A1 (en) 2019-06-27

Family

ID=66993161

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2017/050920 WO2019122495A1 (en) 2017-12-21 2017-12-21 Authentication for wireless communications system

Country Status (1)

Country Link
WO (1) WO2019122495A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022029957A1 (en) * 2020-08-06 2022-02-10 株式会社Nttドコモ Terminal, network node, and communication method
WO2022236772A1 (en) * 2021-05-13 2022-11-17 Telefonaktiebolaget Lm Ericsson (Publ) Joint authentication for private network
CN115380570A (en) * 2020-03-29 2022-11-22 华为技术有限公司 Communication method, device and system
EP4176608A4 (en) * 2020-08-06 2024-03-27 Apple Inc Network authentication for user equipment access to an edge data network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016015748A1 (en) * 2014-07-28 2016-02-04 Telefonaktiebolaget L M Ericsson (Publ) Authentication in a radio access network
WO2017049461A1 (en) * 2015-09-22 2017-03-30 华为技术有限公司 Access method, device and system for user equipment (ue)
WO2017159970A1 (en) * 2016-03-17 2017-09-21 엘지전자(주) Method for performing security setting of terminal in wireless communication system and apparatus for same
US20170295529A1 (en) * 2016-04-08 2017-10-12 Electronics And Telecommunications Research Institute Non-access stratum based access method and terminal supporting the same

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Release 15)", 3GPP TS 23.502 V2.0.0 (2017-12), 15 December 2017 (2017-12-15), XP051391988, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Specs/archive/23_series/23.502/23502-200.zip> [retrieved on 20180309] *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Release 14)", 3GPP TR 33.899 V1.3.0 (2017-08), 21 August 2017 (2017-08-21), XP051450230, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Specs/archive/33_series/33.899/33899-130.zip> [retrieved on 20180309] *
"Details of EAP-5G Solution for registration via untrusted non-3GPP Access", MOTOROLA MOBILITY, 30 October 2017 (2017-10-30), pages 2 - 177681, XP051360334, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG2_Arch/TSGS2_123_Ljub!jana/Docs/S2-177681.zip> [retrieved on 20180309] *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115380570A (en) * 2020-03-29 2022-11-22 华为技术有限公司 Communication method, device and system
CN115380570B (en) * 2020-03-29 2023-12-08 华为技术有限公司 Communication method, device and system
WO2022029957A1 (en) * 2020-08-06 2022-02-10 株式会社Nttドコモ Terminal, network node, and communication method
EP4176608A4 (en) * 2020-08-06 2024-03-27 Apple Inc Network authentication for user equipment access to an edge data network
US11968530B2 (en) 2020-08-06 2024-04-23 Apple Inc. Network authentication for user equipment access to an edge data network
WO2022236772A1 (en) * 2021-05-13 2022-11-17 Telefonaktiebolaget Lm Ericsson (Publ) Joint authentication for private network

Similar Documents

Publication Publication Date Title
US11818566B2 (en) Unified authentication for integrated small cell and Wi-Fi networks
US10932132B1 (en) Efficient authentication and secure communications in private communication systems having non-3GPP and 3GPP access
US10798767B2 (en) Method and apparatus for relaying user data between a secure connection and a data connection
US10924930B2 (en) Core network attachment through standalone non-3GPP access networks
EP3408988B1 (en) Method and apparatus for network access
US9009801B2 (en) Authentication and secure channel setup for communication handoff scenarios
KR102024653B1 (en) Access Methods, Devices, and Systems for User Equipment (UE)
US11956626B2 (en) Cryptographic key generation for mobile communications device
US20130114463A1 (en) System and Method for Domain Name Resolution for Fast Link Setup
US20230319556A1 (en) Key obtaining method and communication apparatus
WO2019122495A1 (en) Authentication for wireless communications system
WO2020094914A1 (en) Secure inter-mobile network communication
US20220264296A1 (en) Enhanced onboarding in cellular communication networks
US20240056302A1 (en) Apparatus, method, and computer program
WO2024092529A1 (en) Determining authentication credentials for a device-to-device service
US20230413046A1 (en) Authentication procedure
EP4156741A1 (en) Slice service verification method and apparatus
WO2021089903A1 (en) Tethering service provision
CN115699834A (en) Supporting remote unit re-authentication
WO2016203094A1 (en) Assisted network selection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17935148

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17935148

Country of ref document: EP

Kind code of ref document: A1