CN108347729A - Method for authenticating, slice authentication agent entity and session management entity in network slice - Google Patents


Publication number
CN108347729A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710055047.1A
Other languages
Chinese (zh)
Other versions
CN108347729B (en)
Inventor
周巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Telecommunications Technology CATT
Datang Mobile Communications Equipment Co Ltd
Original Assignee
China Academy of Telecommunications Technology CATT
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN201710055047.1A (patent CN108347729B)
Priority to PCT/CN2018/075604 (patent WO2018137713A1)
Publication of CN108347729A
Application granted
Publication of CN108347729B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication


Abstract

The present invention provides a method for authentication within a network slice, a network slice authentication agent entity and a session management entity. The method for authentication within a network slice includes: receiving an in-slice authentication request and a slice security policy sent by a session management entity; and performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy. By receiving the in-slice authentication request and slice security policy sent by the session management entity, and performing the in-slice authentication operation according to them, this solution can complete authentication within the network slice, further safeguards slice security, and solves the problem that the authentication scheme for slice security in the prior art is incomplete.

Description

Method for authenticating, slice authentication agent entity and session management entity in network slice
Technical field
The present invention relates to the field of communication technology, and in particular to a method for authentication within a network slice, a network slice authentication agent entity and a session management entity.
Background
The slice security work of 3GPP SA3 (3rd Generation Partnership Project, security group 3) describes various key issues of network slice security, including network slice authentication. Network slice authentication can be divided into authentication outside the network slice and authentication within the network slice. So far there is no specific technical solution for how to implement authentication within a network slice; however, to ensure a high level of slice security, authentication within the network slice is still needed.
Summary of the invention
The purpose of the present invention is to provide a method for authentication within a network slice, a network slice authentication agent entity and a session management entity, to solve the problem that the authentication scheme for slice security in the prior art is incomplete.
To solve the above technical problem, an embodiment of the present invention provides a method for authentication within a network slice, applied to a network slice authentication agent entity, including:
receiving an in-slice authentication request and a slice security policy sent by a session management entity;
performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address; when the authentication mode identifier indicates the proxy (agent) mode, the step of performing the in-slice authentication operation includes:
sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy;
receiving the terminal authentication vector that the authentication entity returns in response to the authentication vector request;
performing in-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address; when the authentication mode identifier indicates the relay mode, the step of performing the in-slice authentication operation includes:
establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy;
forwarding, over the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform in-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, after in-slice authentication succeeds, the method further includes:
generating a slice master key;
sending the slice master key to the session management entity.
The present invention also provides a method for authentication within a network slice, applied to a session management entity, including:
upon receiving a session establishment instruction sent by a mobility management entity, obtaining a slice security policy;
when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal, sending an in-slice authentication request and the slice security policy to the network slice authentication agent entity.
Optionally, the step of obtaining the slice security policy includes:
obtaining the slice security policy locally; or
obtaining the slice security policy from a policy control entity.
Optionally, the step of obtaining the slice security policy from the policy control entity includes:
sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
receiving the control policy that the policy control entity returns according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal in-slice authentication identifier; before sending the in-slice authentication request and the slice security policy to the network slice authentication agent entity, the method further includes:
when the terminal in-slice authentication identifier indicates that in-slice authentication is to be performed, confirming that the slice security policy indicates in-slice authentication for the terminal.
Optionally, after sending the in-slice authentication request and the slice security policy to the network slice authentication agent entity, the method further includes:
receiving the slice master key sent by the network slice authentication agent entity, which is generated after in-slice authentication succeeds;
performing a dispersion operation, according to preset rules, on the original slice master key and the slice master key generated after in-slice authentication succeeds.
The present invention also provides a network slice authentication agent entity, including:
a first receiving module, for receiving the in-slice authentication request and slice security policy sent by a session management entity;
a first processing module, for performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address; when the authentication mode identifier indicates the proxy (agent) mode, the first processing module includes:
a first sending submodule, for sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy;
a first receiving submodule, for receiving the terminal authentication vector that the authentication entity returns in response to the authentication vector request;
a first processing submodule, for performing in-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address; when the authentication mode identifier indicates the relay mode, the first processing module includes:
a first establishing submodule, for establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy;
a second processing submodule, for forwarding, over the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform in-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, the network slice authentication agent entity further includes:
a first generation module, for generating a slice master key after in-slice authentication succeeds;
a first sending module, for sending the slice master key to the session management entity.
The present invention also provides a session management entity, including:
a first acquisition module, for obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
a second sending module, for sending an in-slice authentication request and the slice security policy to the network slice authentication agent entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
Optionally, the first acquisition module includes:
a first acquisition submodule, for obtaining the slice security policy locally; or
obtaining the slice security policy from a policy control entity.
Optionally, the first acquisition submodule includes:
a first sending unit, for sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
a first receiving unit, for receiving the control policy that the policy control entity returns according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal in-slice authentication identifier, and the session management entity further includes:
a first confirmation module, for confirming, before the in-slice authentication request and the slice security policy are sent to the network slice authentication agent entity and when the terminal in-slice authentication identifier indicates that in-slice authentication is to be performed, that the slice security policy indicates in-slice authentication for the terminal.
Optionally, the session management entity further includes:
a second receiving module, for receiving, after the in-slice authentication request and the slice security policy have been sent to the network slice authentication agent entity, the slice master key sent by the network slice authentication agent entity, which is generated after in-slice authentication succeeds;
a second processing module, for performing a dispersion operation, according to preset rules, on the original slice master key and the slice master key generated after in-slice authentication succeeds.
The above technical solution of the present invention has the following beneficial effects:
In the above solution, the method for authentication within a network slice receives the in-slice authentication request and slice security policy sent by the session management entity, and performs the in-slice authentication operation according to them. It can complete authentication within the network slice, further safeguards slice security, and solves the problem that the authentication scheme for slice security in the prior art is incomplete.
Description of the drawings
Fig. 1 is a flow diagram of the method for authentication within a network slice according to Embodiment 1 of the present invention;
Fig. 2 is a flow diagram of the method for authentication within a network slice according to Embodiment 2 of the present invention;
Fig. 3 is a diagram of the implementation architecture of an embodiment of the present invention;
Fig. 4 is a detailed flow diagram of the method for authentication within a network slice according to an embodiment of the present invention;
Fig. 5 is an example flow diagram of the method for authentication within a network slice according to an embodiment of the present invention;
Fig. 6 is a structural diagram of the network slice authentication agent entity according to Embodiment 3 of the present invention;
Fig. 7 is a structural diagram of the network slice authentication agent entity according to Embodiment 4 of the present invention;
Fig. 8 is a structural diagram of the session management entity according to Embodiment 5 of the present invention;
Fig. 9 is a structural diagram of the session management entity according to Embodiment 6 of the present invention.
Detailed description
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, they are described in detail below with reference to the drawings and specific embodiments.
To address the problem that the authentication scheme for slice security in the prior art is incomplete, the present invention provides several solutions, as follows:
As shown in Fig. 1, Embodiment 1 of the present invention provides a method for authentication within a network slice, which can be applied to a network slice authentication agent entity. The method includes:
Step 11: receiving an in-slice authentication request and a slice security policy sent by a session management entity;
Step 12: performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
The method provided by Embodiment 1 receives the in-slice authentication request and slice security policy sent by the session management entity, and performs the in-slice authentication operation according to them. It can complete authentication within the network slice, further safeguards slice security, and solves the problem that the authentication scheme for slice security in the prior art is incomplete.
Since in practice the in-slice authentication operation can be implemented in several ways, this embodiment provides the following two examples:
In the first example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates the proxy (agent) mode, the step of performing the in-slice authentication operation includes: sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy; receiving the terminal authentication vector that the authentication entity returns in response to the authentication vector request; and performing in-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector contains the information needed to authenticate with the terminal. The corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity could send the in-slice authentication request and slice security policy to the network slice authentication agent entity (the detailed flow is shown in Fig. 4).
In the second example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates the relay mode, the step of performing the in-slice authentication operation includes: establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy; and forwarding, over the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform in-slice authentication.
Here, the association can be a channel capable of carrying communication messages. The corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity could send the in-slice authentication request and slice security policy to the network slice authentication agent entity (the detailed flow is shown in Fig. 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, after in-slice authentication succeeds, the method further includes: generating a slice master key; and sending the slice master key to the session management entity.
As can be seen from the above, the method for authentication within a network slice provided in this embodiment solves the problem that the authentication scheme for slice security in the prior art is incomplete.
Embodiment 2
As shown in Fig. 2, Embodiment 2 of the present invention provides a method for authentication within a network slice, which can be applied to a session management entity. The method includes:
Step 21: upon receiving a session establishment instruction sent by a mobility management entity, obtaining a slice security policy;
Step 22: when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal, sending an in-slice authentication request and the slice security policy to the network slice authentication agent entity.
The method provided by Embodiment 2 obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal, sends an in-slice authentication request and the slice security policy to the network slice authentication agent entity. This enables the network slice authentication agent entity to perform the in-slice authentication operation according to the in-slice authentication request and the slice security policy, which completes authentication within the network slice, further safeguards slice security, and solves the problem that the authentication scheme for slice security in the prior art is incomplete.
Here, the step of obtaining the slice security policy includes: obtaining the slice security policy locally; or obtaining the slice security policy from a policy control entity.
Specifically, the step of obtaining the slice security policy from the policy control entity includes: sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier; and receiving the control policy that the policy control entity returns according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Further, the slice security policy includes a terminal in-slice authentication identifier. Before sending the in-slice authentication request and the slice security policy to the network slice authentication agent entity, the method further includes: when the terminal in-slice authentication identifier indicates that in-slice authentication is to be performed, confirming that the slice security policy indicates in-slice authentication for the terminal.
Further, after sending the in-slice authentication request and the slice security policy to the network slice authentication agent entity, the method further includes: receiving the slice master key sent by the network slice authentication agent entity, which is generated after in-slice authentication succeeds; and performing a dispersion operation, according to preset rules, on the original slice master key and the slice master key generated after in-slice authentication succeeds.
As can be seen from the above, the method for authentication within a network slice provided in this embodiment solves the problem that the authentication scheme for slice security in the prior art is incomplete.
The method for authentication within a network slice provided by the embodiments of the present invention is further described below from the perspective of both the network slice authentication agent entity and the session management entity.
Because the 5G security study technical report (TR) of 3GPP SA3 (3rd Generation Partnership Project, security group 3) contains no scheme for in-slice authentication, this embodiment provides a method for authentication within a network slice. One possible security architecture for implementing this solution is shown in Fig. 3.
It includes the control-plane access network CP-AN, the user-plane access network UP-AN, the core network user plane function CN-UPF, the mobility management function MMF (corresponding to the mobility management entity), the session management function SMF (corresponding to the session management entity), the authentication server function AUSF, the authentication credential repository and processing function ARPF, the security context management function SCMF, the security anchor function SEAF, the network slice authentication proxy function NSSPF (corresponding to the network slice authentication agent entity), the policy control function PCF, and the third-party authentication function 3rdAAA.
Of these, UP-AN, SMF, NSSPF and CN-UPF belong to slice Slice#n, where #n is the slice identifier.
Specifically, some of the security functional entities are described below:
Authentication Credential Repository and Processing Function (ARPF): this function stores the long-term security credentials used in the authentication process and executes any cryptographic algorithm that takes the long-term security credentials as input. It also stores security-related subscriber profiles. The ARPF interacts with the authentication server function AUSF to provide the corresponding security services, such as key derivation.
Authentication Server Function (AUSF): this function receives authentication requests from the security anchor function SEAF and executes the authentication function. The AUSF and ARPF can interact over an interface, and the latter provides the keys needed for the authentication process.
Security Anchor Function (SEAF): an authentication function in the core network that interacts with the AUSF and the terminal UE, and receives from the AUSF the intermediate key established as a result of the UE authentication process. During initial attach, the SEAF also interacts with the mobility management (Mobility Management, MM) function and the security context management function SCMF. The SEAF should reside in a secure environment in the operator network, with physical access control. In the roaming case, the SEAF resides in the visited network.
Security Context Management Function (SCMF): the SCMF receives the intermediate key from the SEAF and then uses it to derive further keys for control plane and user plane security. The SCMF should reside in a secure environment in the operator network, with physical access control. In the roaming case, the SCMF resides in the visited network.
Policy Control Function (PCF): provides control policies for the establishment of UE sessions. This embodiment assumes that the policy describing how slice security is implemented is also stored in the PCF. The slice security policy describes whether a specified UE needs to perform the in-slice authentication process, and the mode and related information for performing in-slice authentication.
Network Slice Authentication Proxy Function (NSAPF): the security anchor within the network slice. It is responsible for the interaction between the UE and the entity that can perform the authentication function for the slice, completing the UE's in-slice authentication process. It is also responsible for dispersing, from the new slice master key obtained after successful authentication, the new key hierarchy used to implement slice security, and for distributing these keys to the corresponding functional entities, so as to achieve the required slice security.
In this embodiment, the third-party functional entity responsible for the UE's in-slice authentication is described below:
Third-party authentication function (3rd party Authentication, Authorization and Account Function, AAA): interacts with the UE through the NSAPF to complete the UE's in-slice authentication, and can generate a new slice master key after authentication succeeds; this master key is provided to the NSAPF.
In addition, to achieve authentication, in this embodiment the slice security policy includes at least the following information:
UE in-slice authentication identifier: used to determine whether the specified UE performs in-slice authentication.
Authentication mode identifier: identifies the mode used to implement in-slice authentication. Based on the authentication mode identifier, the NSAPF can determine which technical scheme should be used for the UE's in-slice authentication, and how to interact with the UE and with the authentication entity outside the slice. The in-slice authentication method can be the same as the authentication method used outside the slice, or different from it. It can be an authentication method based on symmetric keys or one based on asymmetric keys. The NSAPF can obtain an authentication vector from the authentication entity outside the slice and complete the authentication process with the UE on that entity's behalf, or the authentication entity outside the slice can execute the authentication process with the UE directly.
The NSAPF can support two basic in-slice authentication modes:
Proxy (agent) mode: using the "authenticator address" provided in the slice security policy, the NSAPF sends an authentication vector request to the authentication entity outside the slice and receives the authentication vector from that external authentication entity. The NSAPF then uses the obtained authentication vector to execute the in-slice authentication process with the UE.
Relay mode: using the "authenticator address" provided in the slice security policy, the NSAPF establishes a security association with the authentication entity outside the slice; the external authentication entity then executes the in-slice authentication process with the UE through the NSAPF.
Authenticator address: the address of the entity, located outside the slice, that can provide authentication vectors or execute the in-slice authentication function.
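The following sketch is an added example, not part of the patent text: it models how an SMF could act on the three slice security policy fields and how an NSAPF could dispatch between proxy mode and relay mode, returning a slice master key that the SMF then combines with the original Kns. The class names, the address `aaa.example`, the HMAC-SHA256 challenge-response and the derivation labels are all assumptions made for illustration; the patent does not specify any algorithm or message format.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PROXY, RELAY = "proxy", "relay"  # constructed values for the authentication mode identifier


def _mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256, used here as an assumed stand-in for the unspecified algorithms."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class SliceSecurityPolicy:
    in_slice_auth: bool      # UE in-slice authentication identifier
    auth_mode: str           # authentication mode identifier
    authenticator_addr: str  # authenticator address (entity outside the slice)


class UE:
    def __init__(self, ue_id: str, credential: bytes):
        self.ue_id, self._k = ue_id, credential

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._k, b"res" + challenge)


class AuthEntity:
    """Authentication entity outside the slice (authentication server or third-party AAA)."""

    def __init__(self, credentials: dict[str, bytes]):
        self._credentials = credentials

    def auth_vector(self, ue_id: str) -> tuple[bytes, bytes, bytes]:
        # Hypothetical vector layout: (challenge, expected response, key material).
        k, rand = self._credentials[ue_id], os.urandom(16)
        return rand, _mac(k, b"res" + rand), _mac(k, b"slice-key" + rand)

    def authenticate(self, ue_id: str, channel) -> bytes | None:
        # Relay mode: the entity runs the exchange itself over the forwarding channel.
        rand, xres, key_material = self.auth_vector(ue_id)
        return key_material if hmac.compare_digest(channel(rand), xres) else None


class NSAPF:
    def __init__(self, directory: dict[str, AuthEntity]):
        self._directory = directory  # authenticator address -> reachable entity

    def authenticate(self, ue: UE, policy: SliceSecurityPolicy) -> bytes | None:
        entity = self._directory[policy.authenticator_addr]
        if policy.auth_mode == PROXY:
            # Fetch the vector, then verify the UE on the entity's behalf.
            rand, xres, key_material = entity.auth_vector(ue.ue_id)
            ok = hmac.compare_digest(ue.respond(rand), xres)
        elif policy.auth_mode == RELAY:
            # Only forward messages; the external entity makes the decision.
            key_material = entity.authenticate(ue.ue_id, ue.respond)
            ok = key_material is not None
        else:
            raise ValueError(f"unknown authentication mode: {policy.auth_mode!r}")
        # The slice master key is generated only after successful authentication.
        return _mac(key_material, b"slice-master") if ok else None


class SMF:
    def __init__(self, pcf: dict[tuple[str, str], SliceSecurityPolicy], nsapf: NSAPF):
        self._pcf, self._nsapf = pcf, nsapf  # the dict stands in for the PCF lookup

    def create_session(self, ue: UE, slice_id: str, kns: bytes) -> bytes:
        policy = self._pcf.get((ue.ue_id, slice_id))
        if policy is None:
            # Failing closed on a missing policy is a choice of this example.
            raise LookupError("no slice security policy for this UE and slice")
        if not policy.in_slice_auth:
            return kns  # no in-slice authentication required
        new_master = self._nsapf.authenticate(ue, policy)
        if new_master is None:
            raise PermissionError("in-slice authentication failed")
        # Assumed "preset rule" combining the original Kns with the new master key.
        return _mac(kns, b"slice-session" + new_master)


def demo() -> dict[str, int]:
    cred, kns = b"k" * 32, b"\x01" * 32  # constructed sample credential and Kns
    nsapf = NSAPF({"aaa.example": AuthEntity({"ue-1": cred})})
    out = {}
    for mode in (PROXY, RELAY):
        policy = SliceSecurityPolicy(True, mode, "aaa.example")
        smf = SMF({("ue-1", "slice-7"): policy}, nsapf)
        out[mode] = len(smf.create_session(UE("ue-1", cred), "slice-7", kns))
    return out


if __name__ == "__main__":
    print(demo())
```

In both modes the NSAPF remains the only in-slice entity that talks to the external authenticator; the difference is where the response is verified, which determines whether the authentication vector ever leaves the external entity.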
Based on above-mentioned realization framework, the method authenticated in network slice provided in this embodiment is as shown in figure 4, include:
Step 41:UE sends attach request Attach request to network.Rule is selected based on specific network function, Attach request is routed to mobile management function to ps domain (Mobility Management by access net (Access Network, AN) Function, MMF).MMF further route the request to the SEAF as network security anchor point, and triggers two-way authentication process.
Step 42:Certification and the main key export-Authentication and session master key of session derivation。
UE carries out two-way authentication by SEAF and AUSF in two-way authentication process (SEAF sends certification request to AUSF). Successful certification will cause to generate session master key Kseaf between UE and AUSF.Network side slicing selection function should simultaneously UE distributes to suitable slice example (ARPF exports session master key Kseaf).
Step 43:Generate session master key [Kseaf]-Providing session master key [Kseaf].
The session master key Kseaf of generation is supplied to SEAF, SEAF to pass to session master key Kseaf by AUSF SCMF。
Step 44:Control plane master key [Kcn-mm, Kns]-CP master key install [Kcn-mm, Kns].
SCMF exports for realizing the control plane master key Kcn-mm of control plane safety and cutting for realizing slice safety Piece master key Kns, and it is supplied to MMF.
Step 45:Control plane establishes safely CP security establish.
MMF carries out necessary key dispersion using Kcn-mm, and derived key is supplied to corresponding control plane function Entity, to realize control plane safety.
Step 46:Create session, including [Kns]-Session creation [Kns].
Session establishment instruction is sent to conversation management functional (the Session Management in UE slices by MMF Session, SMF), include slice master key Kns in instruction.
Step 47:It is sliced security strategy inspection request (carrying slice mark, terminal iidentification)-Control policy check request[Slice ID,UE ID]。
SMF sends slice safety control strategy inspection to policy control functions (Policy Control Function, PCF) It makes a thorough investigation of and asks, wherein include UE marks (UE ID) and slice mark (Slice ID), to obtain slice security strategy, the strategy In include the information for whether carrying out being sliced interior authentication and how carrying out being sliced interior authentication.
Certainly, SMF can also obtain slice security strategy from local, so there is no need to step 48, other steps without It changes.
Step 48:It is sliced security strategy inspection response (carrying slice security strategy)-Control policy check response[control policy]。
PCF is identified according to slice and UE identification retrievals are to the control strategy suitable for the UE, and by being sliced security strategy Check that response returns to SMF.
It includes control strategy to be sliced in security strategy inspection response.Pacify with the relevant slice of certification in slice in control strategy Full strategy includes at least following content:
Authentication mark in-UE slices;
Authentication mode identifies;
Authentication side address.
Step 49: Secondary authentication request, which may carry the slice security policy.
If the slice security policy in the control policy provided by the PCF requires secondary authentication (authentication within the network slice) of the UE, the SMF triggers the in-slice authentication (secondary authentication) process and sends the secondary authentication request (the in-slice authentication request) and the slice security policy to the NSAPF.
Step 410: Secondary authentication and key derivation.
During in-slice authentication, the UE performs in-slice authentication (secondary authentication plus key derivation) through the NSAPF with the AUSF and ARPF, or through the NSAPF with a third-party 3rd AAA.
The NSAPF proceeds as follows according to the configured authentication mode:
If the authentication mode is "proxy mode", processing is as follows:
(1) The NSAPF sends an authentication vector request to the authentication entity at the "authenticator address" provided in the slice security policy. The request should contain at least the "UE identifier" and optionally the "slice identifier".
(2) The authentication entity uses the "UE identifier" and/or the "slice identifier" to generate or retrieve the applicable "UE authentication vector".
(3) The authentication entity returns the "UE authentication vector" to the NSAPF.
(4) The NSAPF uses the authentication vector to perform in-slice authentication with the UE.
If the authentication mode is "relay mode", processing is as follows:
(1) The NSAPF establishes a security association with the authentication entity specified by the "authenticator address" provided in the slice security policy.
(2) The UE performs the in-slice authentication process with the authentication entity through the NSAPF, and the NSAPF acts as a relay that forwards the messages.
Step 411: New UP master key install [Kns'].
Successful authentication may result in a new slice master key (user plane master key) Kns' being generated. If a new slice master key Kns' is generated, the NSAPF obtains the key and provides it to the SMF.
Step 412: UP key install [Kup].
The SMF sends the user plane key [Kup] to the user plane function UPF.
This can also be understood as follows: the SMF performs the necessary key diversification according to its rules and provides the generated keys to the corresponding functional entities in the slice, so as to achieve slice security.
Step 413: UP security established (user plane security establishment).
The SMF, UE, UPF and AN generate the required security context and keys through the corresponding security mode command (Security Mode Command, SMC) procedures and provide them to the corresponding functional entities, thereby establishing user plane security.
The method for authentication within a network slice provided in the embodiments of the present invention is illustrated below with reference to the above.
Example one:
The above provides a scheme that includes authentication outside the slice and in-slice authentication in which a third party participates. It is assumed here that the third-party authentication entity can provide authentication vectors. The detailed process is shown in Fig. 5 and is described as follows:
Steps 51 to 59 are the same as steps 41 to 49 above (Same as step 41 - step 49). Assume that the control policy the SMF obtains from the PCF requires in-slice authentication of the UE, with the following content:
- UE in-slice authentication flag: "in-slice authentication required";
- Authentication mode identifier: "proxy mode";
- Authenticator address: "address of the 3rd AAA".
Step 510.1: Authentication vector request [UE ID, Slice ID] (carrying the terminal identifier and the slice identifier).
The NSAPF sends an in-slice authentication vector request to the 3rd AAA; the request contains the "UE ID" and the "Slice ID".
Step 510.2: Authentication vector response [authentication vector] (carrying the authentication vector).
The 3rd AAA provides an authentication vector to the NSAPF according to the "UE ID" and "Slice ID" information.
Step 510.3: Mutual authentication and key derivation.
The NSAPF and the UE perform the in-slice authentication process and, after authentication succeeds, derive the new user plane master key Kns'.
Steps 511 to 513 are the same as steps 411 to 413 above (Same as step 411 - step 413).
Example two:
The authenticator address in example one can also point to the local AUSF or ARPF. The detailed process is the same as in example one.
Example three:
When the authentication mode identifier in example one indicates "relay mode", the NSAPF acts as a relay for the communication between the UE and the 3rd AAA. After successful authentication, the 3rd AAA needs to provide the new user plane master key to the NSAPF.
Example four:
When the authentication mode identifier in example one indicates "relay mode", step 510.3 can also perform mutual authentication only, without deriving a new slice master key. In this case the slice directly uses the slice master key provided by the SCMF outside the slice, and steps 511 to 513 no longer need to be performed.
It should be noted here that the network slice authentication proxy function NSAPF in this embodiment is the security anchor within the network slice. It is responsible for interacting with the UE and with the authentication entity located outside the slice that can implement the in-slice authentication function, so as to complete the UE's in-slice authentication process. Successful in-slice authentication may result in a new slice master key being generated. The NSAPF provides the new slice master key to the SMF, and the SMF performs the necessary key diversification and distributes the diversified keys to the corresponding functional entities to achieve the required slice security.
In this embodiment, whether in-slice authentication is performed is determined by the SMF according to the slice security policy. The SMF can obtain the slice security policy in 2 ways:
(1) the SMF obtains it from the policy control function (PCF);
(2) the SMF obtains it locally.
In this embodiment, in-slice authentication is performed by the NSAPF. In-slice authentication should support 2 basic in-slice authentication modes:
Proxy mode: the NSAPF sends an authentication vector request to the authentication entity outside the slice, using the "authenticator address" provided in the slice security policy, and receives the authentication vector from the external authentication entity. The NSAPF then uses the obtained authentication vector to perform the in-slice authentication process with the UE. After successful authentication, the NSAPF and the UE can each obtain the new slice master key.
Relay mode: the NSAPF establishes a security association with the authentication entity outside the slice, using the "authenticator address" provided in the slice security policy, and the UE then performs the in-slice authentication process with the authentication entity outside the slice through the NSAPF. After successful authentication, the external authentication entity needs to provide the newly generated slice master key to the NSAPF.
In this embodiment, the slice security policy describes whether the UE needs to perform the in-slice authentication process and how in-slice authentication is performed. The slice security policy includes at least:
- UE in-slice authentication flag: determines whether the specified UE undergoes in-slice authentication;
- Authentication mode identifier: determines which method is to be used to perform in-slice authentication of the UE;
- Authenticator address: describes which authentication entity outside the slice authentication-related requests are sent to.
In this embodiment, the slice security policy request that the SMF sends to the PCF contains at least the "UE identifier" and the "slice identifier". The PCF uses the "UE identifier" and the "slice identifier" to retrieve the slice security policy applicable to the specified UE and returns it to the SMF.
In this embodiment, a successful in-slice authentication process may result in a new slice master key being generated. This key replaces the slice master key provided by the SCMF outside the slice, and a new key hierarchy for slice security is generated from the new slice master key.
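The SMF decision and the NSAPF's proxy-mode and relay-mode handling described above can be modelled as follows. This is an added example, not code from the patent: the class and function names, the sample identifiers, and the HMAC-SHA256 challenge-response that stands in for the authentication vector and for the derivation of Kns' are all assumptions, since the text does not specify those algorithms.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PROXY, RELAY = "proxy", "relay"  # the two modes the policy can name


class PolicyError(Exception):
    """Slice security policy is incomplete or names something unknown."""


class AuthFailed(Exception):
    """In-slice authentication did not succeed."""


@dataclass(frozen=True)
class SliceSecurityPolicy:
    in_slice_auth_required: bool                 # UE in-slice authentication flag
    auth_mode: Optional[str] = None              # authentication mode identifier
    authenticator_address: Optional[str] = None  # authenticator address


def _mac(key: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumed primitive: HMAC-SHA256 stands in for the unspecified algorithms.
    return hmac.new(key, label + rand, hashlib.sha256).digest()


class UE:
    def __init__(self, key: bytes):
        self._key, self.kns_new = key, None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        # Mutual authentication: check the network's token before answering.
        if not hmac.compare_digest(autn, _mac(self._key, b"autn", rand)):
            raise AuthFailed("network token rejected by UE")
        self.kns_new = _mac(self._key, b"kns", rand)
        return _mac(self._key, b"res", rand)


class Authenticator:
    """Authentication entity outside the slice (AUSF/ARPF or 3rd-party AAA)."""

    def __init__(self, keys):
        self._keys, self._pending = keys, {}  # keys: {(ue_id, slice_id): key}

    def auth_vector(self, ue_id, slice_id) -> dict:
        key = self._keys.get((ue_id, slice_id))
        if key is None:
            raise AuthFailed("unknown UE for this slice")
        rand = os.urandom(16)
        return {"rand": rand, "autn": _mac(key, b"autn", rand),
                "xres": _mac(key, b"res", rand), "kns_new": _mac(key, b"kns", rand)}

    def challenge(self, ue_id, slice_id):
        av = self.auth_vector(ue_id, slice_id)
        self._pending[(ue_id, slice_id)] = av
        return av["rand"], av["autn"]

    def verify(self, ue_id, slice_id, res) -> bytes:
        av = self._pending.pop((ue_id, slice_id), None)
        if av is None or not hmac.compare_digest(res, av["xres"]):
            raise AuthFailed("response mismatch")
        return av["kns_new"]


class NSAPF:
    def __init__(self, directory):
        self._directory = directory  # authenticator address -> Authenticator

    def authenticate(self, policy, ue, ue_id, slice_id) -> bytes:
        auth = self._directory.get(policy.authenticator_address)
        if auth is None:
            raise PolicyError("authenticator address missing or unknown")
        if policy.auth_mode == PROXY:
            # NSAPF fetches the vector and runs the exchange with the UE itself.
            av = auth.auth_vector(ue_id, slice_id)
            res = ue.respond(av["rand"], av["autn"])
            if not hmac.compare_digest(res, av["xres"]):
                raise AuthFailed("response mismatch")
            return av["kns_new"]
        if policy.auth_mode == RELAY:
            # NSAPF only forwards; the outside entity decides and hands over the key.
            rand, autn = auth.challenge(ue_id, slice_id)
            return auth.verify(ue_id, slice_id, ue.respond(rand, autn))
        raise PolicyError(f"unknown authentication mode: {policy.auth_mode!r}")


def smf_select_slice_key(policy, nsapf, ue, ue_id, slice_id, kns_from_scmf):
    """Return the slice master key the SMF should diversify for this session."""
    if not policy.in_slice_auth_required:
        return kns_from_scmf  # no secondary authentication: keep the SCMF's Kns
    return nsapf.authenticate(policy, ue, ue_id, slice_id)  # Kns' replaces Kns
```

A policy that sets the in-slice authentication flag but omits the mode or names an unknown authenticator address raises `PolicyError` here rather than falling back to the SCMF-provided Kns, so a malformed policy cannot silently skip secondary authentication.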
Embodiment three
As shown in Fig. 6, embodiment three of the present invention provides a network slice authentication proxy entity, including:
a first receiving module 61, configured to receive the in-slice authentication request and the slice security policy sent by the session management entity;
a first processing module 62, configured to perform the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
The network slice authentication proxy entity provided in embodiment three of the present invention receives the in-slice authentication request and the slice security policy sent by the session management entity, and performs the in-slice authentication operation according to that request and that policy. It can thus complete authentication within the network slice and further ensure slice security, which solves the problem in the prior art that the authentication scheme for slice security is incomplete.
Since the first processing module can be implemented in many ways in practice, this embodiment provides the following two examples:
In the first example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates proxy mode, the first processing module includes: a first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy; a first receiving submodule, configured to receive the terminal authentication vector that the authentication entity feeds back in response to the authentication vector request; and a first processing submodule, configured to perform in-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector contains the information required for authenticating with the terminal, and the corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send the session establishment instruction to the session management entity, so that the session management entity could send the in-slice authentication request and the slice security policy to the network slice authentication proxy entity (the specific flow is shown in Fig. 4).
In the second example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates relay mode, the first processing module includes: a first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authenticator address in the slice security policy; and a second processing submodule, configured to forward the authentication information between the corresponding terminal and the authentication entity over the association, so as to perform in-slice authentication.
Here, the association can be a channel capable of carrying communication messages, and the corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send the session establishment instruction to the session management entity, so that the session management entity could send the in-slice authentication request and the slice security policy to the network slice authentication proxy entity (the specific flow is shown in Fig. 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, the network slice authentication proxy entity also includes: a first generating module, configured to generate a slice master key after in-slice authentication succeeds; and a first sending module, configured to send the slice master key to the session management entity.
It can be seen from the above that the network slice authentication proxy entity provided in this embodiment solves the problem in the prior art that the authentication scheme for slice security is incomplete.
The implementation embodiments of the above method for authentication within a network slice on the network slice authentication proxy entity side all apply to this embodiment of the network slice authentication proxy entity and achieve the same technical effect.
Embodiment four
As shown in Fig. 7, this embodiment provides a network slice authentication proxy entity, including:
a processor 71, and a memory 73 connected to the processor 71 through a bus interface 72. The memory 73 stores the programs and data that the processor 71 uses when performing operations. When the processor 71 calls and executes the programs and data stored in the memory 73, the following process is performed:
receiving, through a transceiver 74, the in-slice authentication request and the slice security policy sent by the session management entity;
performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
The transceiver 74 is connected to the bus interface 72 and sends and receives data under the control of the processor 71.
It should be noted that in Fig. 7 the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of the one or more processors represented by the processor 71 and of the memory represented by the memory 73. The bus architecture can also link together various other circuits, such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides the interface. The transceiver 74 can be multiple elements, that is, include a transmitter and a transceiver, providing a unit for communicating with various other devices over a transmission medium. The processor 71 is responsible for managing the bus architecture and for general processing, and the memory 73 can store the data that the processor 71 uses when performing operations.
Those skilled in the art will understand that all or some of the steps of the above embodiments can be carried out by hardware, or by a computer program instructing the relevant hardware. The computer program includes instructions for performing some or all of the steps of the above method, and it can be stored in a readable storage medium, which can be any form of storage medium.
Embodiment five
As shown in Fig. 8, embodiment five of the present invention provides a session management entity, including:
a first obtaining module 81, configured to obtain the slice security policy upon receiving the session establishment instruction sent by the mobility management entity;
a second sending module 82, configured to send the in-slice authentication request and the slice security policy to the network slice authentication proxy entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
The session management entity provided in embodiment five of the present invention obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal, sends the in-slice authentication request and the slice security policy to the network slice authentication proxy entity. This enables the network slice authentication proxy entity to perform the in-slice authentication operation according to that request and that policy, so that authentication within the network slice is completed and slice security is further ensured, which solves the problem in the prior art that the authentication scheme for slice security is incomplete.
The first obtaining module includes: a first obtaining submodule, configured to obtain the slice security policy locally, or to obtain the slice security policy from the policy control entity.
Specifically, the first obtaining submodule includes: a first sending unit, configured to send a control policy request to the policy control entity, the control policy request containing the terminal identifier and the slice identifier; and a first receiving unit, configured to receive the control policy that the policy control entity feeds back according to the terminal identifier and the slice identifier, the control policy containing the slice security policy.
Further, the slice security policy includes a terminal in-slice authentication flag, and the session management entity also includes: a first confirming module, configured to confirm, before the in-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, that the slice security policy indicates in-slice authentication for the terminal when the terminal in-slice authentication flag indicates that in-slice authentication is to be performed.
Further, the session management entity also includes: a second receiving module, configured to receive, after the in-slice authentication request and the slice security policy have been sent to the network slice authentication proxy entity, the slice master key that the network slice authentication proxy entity sends and that was generated after in-slice authentication succeeded; and a second processing module, configured to perform a diversification operation, according to preset rules, on the original slice master key and the slice master key generated after in-slice authentication succeeded.
It can be seen from the above that the session management entity provided in this embodiment solves the problem in the prior art that the authentication scheme for slice security is incomplete.
The implementation embodiments of the above method for authentication within a network slice on the session management entity side all apply to this embodiment of the session management entity and achieve the same technical effect.
Embodiment six
As shown in Fig. 9, this embodiment provides a session management entity, including:
a processor 91, and a memory 93 connected to the processor 91 through a bus interface 92. The memory 93 stores the programs and data that the processor 91 uses when performing operations. When the processor 91 calls and executes the programs and data stored in the memory 93, the following process is performed:
obtaining the slice security policy upon receiving, through a transceiver 94, the session establishment instruction sent by the mobility management entity;
sending, through the transceiver 94, the in-slice authentication request and the slice security policy to the network slice authentication proxy entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
The transceiver 94 is connected to the bus interface 92 and sends and receives data under the control of the processor 91.
It should be noted that in Fig. 9 the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of the one or more processors represented by the processor 91 and of the memory represented by the memory 93. The bus architecture can also link together various other circuits, such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides the interface. The transceiver 94 can be multiple elements, that is, include a transmitter and a transceiver, providing a unit for communicating with various other devices over a transmission medium. The processor 91 is responsible for managing the bus architecture and for general processing, and the memory 93 can store the data that the processor 91 uses when performing operations.
Those skilled in the art will understand that all or some of the steps of the above embodiments can be carried out by hardware, or by a computer program instructing the relevant hardware. The computer program includes instructions for performing some or all of the steps of the above method, and it can be stored in a readable storage medium, which can be any form of storage medium.
Many of the functional components described in this specification are referred to as modules/submodules/units, in order to emphasize more particularly the independence of their implementation.
In the embodiments of the present invention, a module/submodule/unit can be implemented in software so as to be executed by various types of processors. For example, an identified module of executable code may include one or more physical or logical blocks of computer instructions, which may for example be built as an object, a procedure or a function. Nevertheless, the executable code of an identified module need not be physically located together; it may consist of different instructions stored in different locations which, when logically combined, constitute the module and achieve the stated purpose of the module.
In fact, a module of executable code can be a single instruction or many instructions, and can even be distributed over several different code segments, among different programs and across multiple memory devices. Similarly, operational data can be identified within a module, can be implemented in any appropriate form and can be organized in any appropriate type of data structure. The operational data can be collected as a single data set or can be distributed over different locations (including over different storage devices), and can exist, at least in part, merely as electronic signals in a system or network.
Where a module can be implemented in software, then, considering the level of existing hardware technology and leaving cost aside, those skilled in the art can also build corresponding hardware circuits to implement the corresponding function. The hardware circuits include conventional very-large-scale integration (VLSI) circuits or gate arrays, and existing semiconductors such as logic chips and transistors, or other discrete components. A module can also be implemented with programmable hardware devices, such as field programmable gate arrays, programmable array logic and programmable logic devices.
The above are preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (20)

1. A method for authentication within a network slice, applied to a network slice authentication proxy entity, characterized by comprising:
receiving an in-slice authentication request and a slice security policy sent by a session management entity;
performing an in-slice authentication operation according to the in-slice authentication request and the slice security policy.
2. The method according to claim 1, characterized in that the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates proxy mode, the step of performing the in-slice authentication operation comprises:
sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy;
receiving the terminal authentication vector that the authentication entity feeds back in response to the authentication vector request;
performing in-slice authentication with the corresponding terminal using the terminal authentication vector.
3. The method according to claim 1, characterized in that the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates relay mode, the step of performing the in-slice authentication operation comprises:
establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy;
forwarding the authentication information between the corresponding terminal and the authentication entity over the association, so as to perform in-slice authentication.
4. The method according to claim 2 or 3, characterized in that the authentication entity is an authentication server or a third-party authentication entity.
5. The method according to claim 1, characterized in that, after in-slice authentication succeeds, the method further comprises:
generating a slice master key;
sending the slice master key to the session management entity.
6. A method for authentication within a network slice, applied to a session management entity, characterized by comprising:
obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
sending an in-slice authentication request and the slice security policy to a network slice authentication proxy entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
7. The method according to claim 6, characterized in that the step of obtaining the slice security policy comprises:
obtaining the slice security policy locally; or
obtaining the slice security policy from a policy control entity.
8. The method according to claim 7, characterized in that the step of obtaining the slice security policy from the policy control entity comprises:
sending a control policy request to the policy control entity, the control policy request containing a terminal identifier and a slice identifier;
receiving the control policy that the policy control entity feeds back according to the terminal identifier and the slice identifier, the control policy containing the slice security policy.
9. The method according to claim 6, characterized in that the slice security policy includes a terminal in-slice authentication flag, and before the in-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method further comprises:
when the terminal in-slice authentication flag indicates that in-slice authentication is to be performed, confirming that the slice security policy indicates in-slice authentication for the terminal.
10. The method according to claim 6, characterized in that, after the in-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method further comprises:
receiving the slice master key that the network slice authentication proxy entity sends and that was generated after in-slice authentication succeeded;
performing a diversification operation, according to preset rules, on the original slice master key and the slice master key generated after in-slice authentication succeeded.
11. a kind of network is sliced authentication agent entity, which is characterized in that including:
First receiving module, the interior certification request of network slice for receiving session management entity transmission and slice security strategy;
First processing module carries out network and cuts for certification request and the slice security strategy in being sliced according to the network The operation authenticated in piece.
12. network according to claim 11 is sliced authentication agent entity, which is characterized in that the slice security strategy packet Authentication mode mark and authentication side address are included, when the authentication mode identifies instruction agent way, the first processing module Including:
First sending submodule, for being sent to corresponding authentication entity according to the authentication side address in the slice security strategy Ciphering Key is asked;
First receiving submodule, for receive the authentication entity according to the Ciphering Key request feedback terminal authentication to Amount;
First processing submodule, for carrying out authentication in network slice using the terminal authentication vector and counterpart terminal.
13. network according to claim 11 is sliced authentication agent entity, which is characterized in that the slice security strategy packet Authentication mode mark and authentication side address are included, when the authentication mode identifies instruction trunking scheme, the first processing module Including:
First setting up submodule, for being established with corresponding authentication entity according to the authentication side address in the slice security strategy Association;
Second processing submodule, for forwarding the authentication information between counterpart terminal and the authentication entity by the association, To carry out authentication in network slice.
14. network is sliced authentication agent entity according to claim 12 or 13, which is characterized in that the authentication entity is Certificate server or third party's authentication entity.
15. The network slice authentication agent entity according to claim 11, characterized in that the network slice authentication agent entity further includes:
First generation module, configured to generate a slice master key after the in-network-slice authentication succeeds;
First sending module, configured to send the slice master key to the session management entity.
16. A session management entity, characterized by including:
First acquisition module, configured to obtain a slice security strategy when a session establishment instruction sent by a mobility management entity is received;
Second sending module, configured to send an in-network-slice authentication request and the slice security strategy to a network slice authentication agent entity when the slice security strategy indicates that in-network-slice authentication is to be performed on the corresponding terminal.
17. The session management entity according to claim 16, characterized in that the first acquisition module includes:
First acquisition submodule, configured to obtain the slice security strategy locally; or
to obtain the slice security strategy from a policy control entity.
18. The session management entity according to claim 17, characterized in that the first acquisition submodule includes:
First sending unit, configured to send a control strategy request to the policy control entity, the control strategy request including a terminal identifier and a slice identifier;
First receiving unit, configured to receive the control strategy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control strategy including the slice security strategy.
19. The session management entity according to claim 16, characterized in that the slice security strategy includes a terminal in-slice authentication identifier, and the session management entity further includes:
First confirmation module, configured to confirm, before the in-network-slice authentication request and the slice security strategy are sent to the network slice authentication agent entity, that the slice security strategy indicates in-network-slice authentication of the terminal when the terminal in-slice authentication identifier indicates that in-slice authentication is to be performed.
20. The session management entity according to claim 16, characterized in that the session management entity further includes:
Second receiving module, configured to receive, after the in-network-slice authentication request and the slice security strategy are sent to the network slice authentication agent entity, the slice master key that the network slice authentication agent entity generated after successful in-network-slice authentication and sent;
Second processing module, configured to perform, according to preset rules, a scatter operation on the original slice master key and the slice master key generated after successful in-network-slice authentication.
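The flow in claims 12, 13, 15, 16 and 19 can be modelled as follows; this is an added sketch, not code from the patent. The class and field names (`in_slice_auth`, `auth_mode`, `auth_address`), the HMAC challenge-response and the random slice master key are assumptions, since the claims fix neither the authentication algorithm nor the key generation rule.

```python
import hashlib
import hmac
import os

class AuthEntity:
    """Hypothetical authentication entity (authentication server or third party)."""
    def __init__(self, secrets):
        self.secrets, self.pending = secrets, {}
    def auth_vector(self, terminal_id):   # agent mode: challenge plus expected response
        challenge = os.urandom(16)
        mac = hmac.new(self.secrets[terminal_id], challenge, hashlib.sha256)
        return challenge, mac.digest()
    def start(self, terminal_id):         # relay mode: expected value stays here
        challenge, self.pending[terminal_id] = self.auth_vector(terminal_id)
        return challenge
    def finish(self, terminal_id, response):
        return hmac.compare_digest(response, self.pending.pop(terminal_id, b""))

class Terminal:
    def __init__(self, terminal_id, secret):
        self.terminal_id, self.secret = terminal_id, secret
    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

# Constructed sample data: one authentication entity at a made-up address.
ENTITIES = {"aaa.slice-a.example": AuthEntity({"ue-001": b"constructed-secret"})}

def slice_authenticate(policy, terminal):
    """Slice authentication agent: return a slice master key, or None on failure."""
    entity = ENTITIES.get(policy.get("auth_address"))
    if entity is None or terminal.terminal_id not in entity.secrets:
        return None
    mode = policy.get("auth_mode")
    if mode == "agent":    # fetch the vector, then authenticate the terminal here
        challenge, expected = entity.auth_vector(terminal.terminal_id)
        ok = hmac.compare_digest(terminal.respond(challenge), expected)
    elif mode == "relay":  # forward messages only; the authentication entity decides
        challenge = entity.start(terminal.terminal_id)
        ok = entity.finish(terminal.terminal_id, terminal.respond(challenge))
    else:
        return None        # unknown mode identifier: fail closed
    return os.urandom(32) if ok else None  # assumed key rule: random 256-bit value

def establish_session(policy, terminal):
    """Session management entity: involve the agent only if the policy requires it."""
    if not policy.get("in_slice_auth"):
        return "not-required", None
    key = slice_authenticate(policy, terminal)
    return ("authenticated", key) if key else ("rejected", None)
```

In agent mode the expected response leaves the authentication entity and the agent makes the decision; in relay mode the agent never sees it, which is the trust difference between the two modes.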
CN201710055047.1A 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity Active CN108347729B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710055047.1A CN108347729B (en) 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity
PCT/CN2018/075604 WO2018137713A1 (en) 2017-01-24 2018-02-07 Internal network slice authentication method, slice authentication proxy entity, and session management entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710055047.1A CN108347729B (en) 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity

Publications (2)

Publication Number Publication Date
CN108347729A true CN108347729A (en) 2018-07-31
CN108347729B CN108347729B (en) 2019-08-02

Family

ID=62962949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710055047.1A Active CN108347729B (en) 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity

Country Status (2)

Country Link
CN (1) CN108347729B (en)
WO (1) WO2018137713A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104092668A (en) * 2014-06-23 2014-10-08 北京航空航天大学 Method for constructing safety service of reconfigurable network
WO2016192636A1 (en) * 2015-06-01 2016-12-08 Huawei Technologies Co., Ltd. System and method for virtualized functions in control and data planes

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAWEI 等: "Network authentication supporting network slices", 《3GPP TSG SA WG3 (SECURITY) MEETING #85,S3-161741,NETWORK AUTHENTICATION SUPPORTING NETWORK SLICES》 *
HUAWEI 等: "Security for UE connecting to multiple Slice", 《3GPP TSG SA WG2 MEETING #116,S2-163599,SECURITY FOR UE CONNECTING TO MULTIPLE SLICE》 *
ZTE: "Key hierarchy schems for network slicing", 《3GPP TSG SA WG3 (SECURITY) MEETING #84,S3-160965,KEY HIERARCHY SCHEMS FOR NETWORK SLICING》 *

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110831249A (en) * 2018-08-13 2020-02-21 华为技术有限公司 Communication method and device
CN110831249B (en) * 2018-08-13 2021-10-01 华为技术有限公司 Communication method and device
KR102569538B1 (en) 2018-09-18 2023-08-22 광동 오포 모바일 텔레커뮤니케이션즈 코포레이션 리미티드 Method and Apparatus for Network Slice Authentication
WO2020056611A1 (en) * 2018-09-18 2020-03-26 Oppo广东移动通信有限公司 Method and device for use in network slice authentication
JP2022511327A (en) * 2018-09-18 2022-01-31 オッポ広東移動通信有限公司 Methods and equipment for network slice authentication
CN113316148B (en) * 2018-09-18 2023-02-28 Oppo广东移动通信有限公司 Method and apparatus for network slice authentication
JP7261872B2 (en) 2018-09-18 2023-04-20 オッポ広東移動通信有限公司 Method and apparatus for network slice authentication
CN113316148A (en) * 2018-09-18 2021-08-27 Oppo广东移动通信有限公司 Method and apparatus for network slice authentication
EP3840442A4 (en) * 2018-09-18 2021-08-18 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for use in network slice authentication
KR20210059743A (en) * 2018-09-18 2021-05-25 광동 오포 모바일 텔레커뮤니케이션즈 코포레이션 리미티드 Method and device for network slice authentication
US11223949B2 (en) 2018-09-18 2022-01-11 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for network slice authentication
US11665542B2 (en) 2018-09-18 2023-05-30 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for network slice authentication
WO2020073838A1 (en) * 2018-10-09 2020-04-16 华为技术有限公司 Network slice access control method and device
US11751054B2 (en) 2018-10-09 2023-09-05 Huawei Technologies Co., Ltd. Network slice access control method and apparatus
WO2020073802A1 (en) * 2018-10-09 2020-04-16 华为技术有限公司 Authentication method and device
CN111031538A (en) * 2018-10-09 2020-04-17 华为技术有限公司 Authentication method and device
CN111031538B (en) * 2018-10-09 2021-12-03 华为技术有限公司 Authentication method and device
CN111031571A (en) * 2018-10-09 2020-04-17 华为技术有限公司 Network slice access control method and device
CN111031571B (en) * 2018-10-09 2022-01-14 华为技术有限公司 Network slice access control method and device
CN113841429B (en) * 2019-04-01 2024-01-05 株式会社Ntt都科摩 Communication network component and method for initiating slice specific authentication and authorization
CN113841429A (en) * 2019-04-01 2021-12-24 株式会社Ntt都科摩 Communication network component and method for initiating slice-specific authentication and authorization
CN112105015A (en) * 2019-06-17 2020-12-18 华为技术有限公司 Secondary authentication method and device
CN112291784A (en) * 2019-07-09 2021-01-29 华为技术有限公司 Communication method and network element
CN112291784B (en) * 2019-07-09 2022-04-05 华为技术有限公司 Communication method and network element
WO2021004444A1 (en) * 2019-07-09 2021-01-14 华为技术有限公司 Communication method and network element
WO2021026927A1 (en) * 2019-08-15 2021-02-18 华为技术有限公司 Communication method and related devices
WO2021031053A1 (en) * 2019-08-18 2021-02-25 华为技术有限公司 Communication method, device, and system
CN113746649A (en) * 2020-05-14 2021-12-03 华为技术有限公司 Network slice control method and communication device
WO2021227600A1 (en) * 2020-05-14 2021-11-18 华为技术有限公司 Network slice control method and communication apparatus
CN113904781A (en) * 2020-06-20 2022-01-07 华为技术有限公司 Slice authentication method and system
CN113904781B (en) * 2020-06-20 2023-04-07 华为技术有限公司 Slice authentication method and system
WO2021253859A1 (en) * 2020-06-20 2021-12-23 华为技术有限公司 Slice authentication method and system
CN113852483A (en) * 2020-06-28 2021-12-28 中兴通讯股份有限公司 Network slice connection management method, terminal and computer readable storage medium
WO2022001474A1 (en) * 2020-06-28 2022-01-06 中兴通讯股份有限公司 Network slice connection management method, terminal, and computer-readable storage medium
CN113852483B (en) * 2020-06-28 2023-09-05 中兴通讯股份有限公司 Network slice connection management method, terminal and computer readable storage medium
CN112073969B (en) * 2020-09-07 2022-09-13 中国联合网络通信集团有限公司 5G network security protection method and system
CN112073969A (en) * 2020-09-07 2020-12-11 中国联合网络通信集团有限公司 5G network security protection method and system

Also Published As

Publication number Publication date
CN108347729B (en) 2019-08-02
WO2018137713A1 (en) 2018-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

TR01 Transfer of patent right

Effective date of registration: 20210604

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Patentee after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY