Method for intra-slice authentication in a network slice, network slice authentication proxy entity and session management entity
Technical field
The present invention relates to the field of communication technology, and in particular to a method for intra-slice authentication in a network slice, a network slice authentication proxy entity and a session management entity.
Background technology
The 3GPP SA3 (3rd Generation Partnership Project, Security Working Group 3) study on slice security describes the key issues of network slice security, including network slice authentication. Network slice authentication is divided into authentication outside the network slice (slice-external authentication) and authentication inside the network slice (intra-slice authentication).
So far there is no concrete technical solution for how intra-slice authentication is to be realized; nevertheless, in order to ensure a high level of slice security, intra-slice authentication is still needed.
Invention content
The purpose of the present invention is to provide a method for intra-slice authentication in a network slice, a network slice authentication proxy entity and a session management entity, so as to solve the problem that the slice security authentication scheme of the prior art is incomplete.
In order to solve the above technical problem, an embodiment of the present invention provides a method for intra-slice authentication in a network slice, applied to a network slice authentication proxy entity, including:
receiving an intra-slice authentication request and a slice security policy sent by a session management entity;
performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates proxy mode, the step of performing the intra-slice authentication operation includes:
sending an authentication vector request to the corresponding authentication entity according to the authentication-side address in the slice security policy;
receiving the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
performing intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates relay mode, the step of performing the intra-slice authentication operation includes:
establishing an association with the corresponding authentication entity according to the authentication-side address in the slice security policy;
forwarding the authentication information exchanged between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, after intra-slice authentication succeeds, the method further includes:
generating a slice master key;
sending the slice master key to the session management entity.
The present invention also provides a method for intra-slice authentication in a network slice, applied to a session management entity, including:
obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
when the slice security policy indicates that intra-slice authentication is to be performed for the corresponding terminal, sending an intra-slice authentication request and the slice security policy to a network slice authentication proxy entity.
Optionally, the step of obtaining the slice security policy includes:
obtaining the slice security policy locally; or
obtaining the slice security policy from a policy control entity.
Optionally, the step of obtaining the slice security policy from the policy control entity includes:
sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
receiving the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal intra-slice authentication flag, and before sending the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity, the method further includes:
when the terminal intra-slice authentication flag indicates that intra-slice authentication is to be performed, confirming that the slice security policy indicates that intra-slice authentication is to be performed for the terminal.
Optionally, after sending the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity, the method further includes:
receiving the slice master key sent by the network slice authentication proxy entity, the slice master key having been generated after intra-slice authentication succeeded;
performing a key dispersion (derivation) operation, according to preset rules, on the original slice master key and the slice master key generated after successful intra-slice authentication.
The present invention also provides a network slice authentication proxy entity, including:
a first receiving module, configured to receive an intra-slice authentication request and a slice security policy sent by a session management entity;
a first processing module, configured to perform the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates proxy mode, the first processing module includes:
a first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authentication-side address in the slice security policy;
a first receiving submodule, configured to receive the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
a first processing submodule, configured to perform intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates relay mode, the first processing module includes:
a first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authentication-side address in the slice security policy;
a second processing submodule, configured to forward the authentication information exchanged between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, the network slice authentication proxy entity further includes:
a first generation module, configured to generate a slice master key after intra-slice authentication succeeds;
a first sending module, configured to send the slice master key to the session management entity.
The present invention also provides a session management entity, including:
a first acquisition module, configured to obtain a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
a second sending module, configured to send an intra-slice authentication request and the slice security policy to a network slice authentication proxy entity when the slice security policy indicates that intra-slice authentication is to be performed for the corresponding terminal.
Optionally, the first acquisition module includes:
a first acquisition submodule, configured to obtain the slice security policy locally, or
to obtain the slice security policy from a policy control entity.
Optionally, the first acquisition submodule includes:
a first transmission unit, configured to send a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
a first receiving unit, configured to receive the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal intra-slice authentication flag, and the session management entity further includes:
a first confirmation module, configured to confirm, before the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity and when the terminal intra-slice authentication flag indicates that intra-slice authentication is to be performed, that the slice security policy indicates that intra-slice authentication is to be performed for the terminal.
Optionally, the session management entity further includes:
a second receiving module, configured to receive, after the intra-slice authentication request and the slice security policy have been sent to the network slice authentication proxy entity, the slice master key sent by the network slice authentication proxy entity and generated after intra-slice authentication succeeded;
a second processing module, configured to perform a key dispersion (derivation) operation, according to preset rules, on the original slice master key and the slice master key generated after successful intra-slice authentication.
The above technical solution of the present invention has the following beneficial effects:
In the above solution, the intra-slice authentication method receives the intra-slice authentication request and the slice security policy sent by the session management entity and performs the intra-slice authentication operation according to them; intra-slice authentication is thereby completed, slice security is further ensured, and the problem of the incomplete slice security authentication scheme in the prior art is solved.
Description of the drawings
Fig. 1 is a schematic flow diagram of the intra-slice authentication method of embodiment one of the present invention;
Fig. 2 is a schematic flow diagram of the intra-slice authentication method of embodiment two of the present invention;
Fig. 3 is a schematic diagram of the implementation architecture of an embodiment of the present invention;
Fig. 4 is a detailed flow diagram of the intra-slice authentication method of an embodiment of the present invention;
Fig. 5 is an example flow diagram of the intra-slice authentication method of an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the network slice authentication proxy entity of embodiment three of the present invention;
Fig. 7 is a schematic structural diagram of the network slice authentication proxy entity of embodiment four of the present invention;
Fig. 8 is a schematic structural diagram of the session management entity of embodiment five of the present invention;
Fig. 9 is a schematic structural diagram of the session management entity of embodiment six of the present invention.
Detailed description of the embodiments
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
In view of the problem that the slice security authentication scheme of the prior art is incomplete, the present invention provides several solutions, as follows:
As shown in Fig. 1, embodiment one of the present invention provides a method for intra-slice authentication in a network slice, applicable to a network slice authentication proxy entity, the method including:
Step 11: receiving an intra-slice authentication request and a slice security policy sent by a session management entity;
Step 12: performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
The intra-slice authentication method provided by embodiment one receives the intra-slice authentication request and the slice security policy sent by the session management entity and performs the intra-slice authentication operation according to them; intra-slice authentication is thereby completed, slice security is further ensured, and the problem of the incomplete slice security authentication scheme in the prior art is solved.
Considering that in practice the intra-slice authentication operation can be implemented in many ways, this embodiment gives the following two examples:
First example: the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates proxy mode, the step of performing the intra-slice authentication operation includes: sending an authentication vector request to the corresponding authentication entity according to the authentication-side address in the slice security policy; receiving the terminal authentication vector fed back by the authentication entity in response to the authentication vector request; and performing intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector contains the information required to authenticate the terminal, and the corresponding terminal is the terminal that sent the attach request to the network, thereby causing the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity (the detailed flow is shown in Fig. 4).
Second example: the slice security policy includes an authentication mode identifier and an authentication-side address, and when the authentication mode identifier indicates relay mode, the step of performing the intra-slice authentication operation includes: establishing an association with the corresponding authentication entity according to the authentication-side address in the slice security policy; and forwarding the authentication information exchanged between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Here, the association may be a channel over which communication information can be transmitted, and the corresponding terminal is, as above, the terminal that sent the attach request to the network, thereby causing the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity (the detailed flow is shown in Fig. 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, after intra-slice authentication succeeds, the method further includes: generating a slice master key; and sending the slice master key to the session management entity.
It can be seen from the above that the intra-slice authentication method provided in this embodiment solves the problem of the incomplete slice security authentication scheme in the prior art.
Embodiment two
As shown in Fig. 2, embodiment two of the present invention provides a method for intra-slice authentication in a network slice, applicable to a session management entity, the method including:
Step 21: obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
Step 22: when the slice security policy indicates that intra-slice authentication is to be performed for the corresponding terminal, sending an intra-slice authentication request and the slice security policy to a network slice authentication proxy entity.
The intra-slice authentication method provided by embodiment two obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates that intra-slice authentication is to be performed for the corresponding terminal, sends the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity; the network slice authentication proxy entity can then perform the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy. Intra-slice authentication is thereby completed, slice security is further ensured, and the problem of the incomplete slice security authentication scheme in the prior art is solved.
Here, the step of obtaining the slice security policy includes: obtaining the slice security policy locally; or obtaining the slice security policy from a policy control entity.
Specifically, the step of obtaining the slice security policy from the policy control entity includes: sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier; and receiving the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Further, the slice security policy includes a terminal intra-slice authentication flag, and before sending the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity, the method further includes: when the terminal intra-slice authentication flag indicates that intra-slice authentication is to be performed, confirming that the slice security policy indicates that intra-slice authentication is to be performed for the terminal.
Further, after sending the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity, the method further includes: receiving the slice master key sent by the network slice authentication proxy entity and generated after intra-slice authentication succeeded; and performing a key dispersion (derivation) operation, according to preset rules, on the original slice master key and the slice master key generated after successful intra-slice authentication.
It can be seen from the above that the intra-slice authentication method provided in this embodiment solves the problem of the incomplete slice security authentication scheme in the prior art.
The intra-slice authentication method provided by the embodiments of the present invention is further described below with reference to both the network slice authentication proxy entity and the session management entity.
The 3GPP SA3 (3rd Generation Partnership Project, Security Working Group 3) 5G security study report (TR) does not yet cover how intra-slice authentication is realized; this embodiment provides a method for intra-slice authentication in a network slice. One possible security architecture for implementing this scheme is shown in Fig. 3.
It includes the control plane access network CP-AN, the user plane access network UP-AN, the core network user plane function CN-UPF, the mobility management function MMF (corresponding to the mobility management entity), the session management function SMF (corresponding to the session management entity), the authentication server function AUSF and the authentication credential repository and processing function ARPF, the security context management function SCMF and the security anchor function SEAF, the network slice authentication proxy function NSAPF (corresponding to the network slice authentication proxy entity), the policy control function PCF, and the third-party authentication function 3rd AAA.
Among these, UP-AN, SMF, NSAPF and CN-UPF belong to slice Slice#n, where #n stands for the slice identifier.
Specifically, some of the security functional entities are described below:
Authentication Credential Repository and Processing Function (ARPF): this function stores the long-term security credentials used in authentication procedures and executes any cryptographic algorithm that takes the long-term security credentials as input. It also stores the security-related subscriber profile. The ARPF interacts with the authentication server function AUSF to complete the corresponding security services, such as key derivation.
Authentication Server Function (AUSF): this function receives authentication requests from the security anchor function SEAF and performs the authentication function. The AUSF and the ARPF interact over an interface, and the ARPF provides the keys needed for the authentication procedure.
Security Anchor Function (SEAF): the authentication function in the core network. It interacts with the AUSF and the terminal UE, and receives from the AUSF the intermediate key established as a result of the UE authentication procedure. During initial attach, the SEAF also interacts with the mobility management (MM) function and the security context management function SCMF. The SEAF resides in a secure environment in the operator's network that is protected by physical access control. In the roaming case, the SEAF resides in the visited (access) network.
Security Context Management Function (SCMF): the SCMF receives the intermediate key from the SEAF and uses it to derive the further keys for control plane and user plane security. The SCMF resides in a secure environment in the operator's network that is protected by physical access control. In the roaming case, the SCMF resides in the visited (access) network.
Policy Control Function (PCF): provides the control policy for the establishment of UE sessions. In this embodiment it is assumed that the policy describing how slice security is realized is also stored in the PCF. The slice security policy describes whether a specified UE needs to perform the intra-slice authentication procedure, and the mode and related information for performing intra-slice authentication.
Network Slice Authentication Proxy Function (NSAPF): the security anchor inside the network slice. It is responsible for the interaction between the UE and the entity that can perform the intra-slice authentication function, completes the intra-slice authentication procedure of the UE, derives from the new slice master key obtained after successful authentication the new key hierarchy used to realize slice security, and distributes these keys to the corresponding functional entities, so that the required slice security is achieved.
In this embodiment, the third-party functional entity responsible for the intra-slice authentication of the UE is described as follows:
Third-party Authentication, Authorization and Accounting Function (3rd AAA): it interacts with the UE through the NSAPF to complete the intra-slice authentication of the UE, and after successful authentication it can generate a new slice master key, which is provided to the NSAPF.
In addition, in order to achieve the purpose of authentication, in this embodiment the slice security policy contains at least the following information:
UE intra-slice authentication flag: used to decide whether the specified UE performs intra-slice authentication.
Authentication mode identifier: identifies the way in which intra-slice authentication is realized. Based on the authentication mode identifier, the NSAPF can determine which technical solution to use for the UE's intra-slice authentication and how to interact with the UE and with the authentication entity outside the slice. The intra-slice authentication mode may be the same as the authentication mode used outside the slice, or different from it. It may be an authentication method based on symmetric keys or one based on asymmetric keys. The NSAPF may obtain an authentication vector from the authentication entity outside the slice and complete the authentication procedure with the UE on behalf of that entity, or the authentication entity outside the slice may execute the authentication procedure with the UE directly.
The NSAPF can support two basic intra-slice authentication modes:
Proxy mode: the NSAPF sends an authentication vector request to the authentication entity outside the slice using the "authentication-side address" given in the slice security policy, and receives the authentication vector from that external authentication entity. The NSAPF then executes the intra-slice authentication procedure with the UE using the obtained authentication vector.
Relay mode: the NSAPF establishes a security association with the authentication entity outside the slice using the "authentication-side address" given in the slice security policy; the external authentication entity then executes the intra-slice authentication procedure with the UE through the NSAPF.
Authentication-side address: the address of the entity outside the slice that can provide authentication vectors or perform the intra-slice authentication function.
Based on the above implementation architecture, the intra-slice authentication method provided by this embodiment is shown in Fig. 4 and includes:
Step 41: the UE sends an Attach request to the network. Based on the network function selection rules, the access network (AN) routes the Attach request to the mobility management function (MMF). The MMF further routes the request to the SEAF, which acts as the network security anchor, and triggers the mutual authentication procedure.
Step 42: Authentication and session master key derivation.
In the mutual authentication procedure the UE performs mutual authentication with the network through the SEAF and the AUSF (the SEAF sends an authentication request to the AUSF). Successful authentication results in a session master key Kseaf being generated between the UE and the AUSF (the ARPF derives the session master key Kseaf). At the same time, the network-side slice selection function assigns the UE to a suitable slice instance.
Step 43: Providing session master key [Kseaf].
The AUSF provides the generated session master key Kseaf to the SEAF, and the SEAF passes Kseaf on to the SCMF.
Step 44: CP master key install [Kcn-mm, Kns].
The SCMF derives the control plane master key Kcn-mm, used to realize control plane security, and the slice master key Kns, used to realize slice security, and provides them to the MMF.
Step 45: CP security establish.
The MMF performs the necessary key dispersion (derivation) using Kcn-mm and provides the derived keys to the corresponding control plane functional entities, so as to realize control plane security.
Step 46: Session creation [Kns].
The MMF sends a session establishment instruction to the Session Management Function (SMF) in the UE's slice; the instruction carries the slice master key Kns.
Step 47: Control policy check request [Slice ID, UE ID] (slice security policy check request carrying the slice identifier and the terminal identifier).
The SMF sends a slice security control policy check request to the Policy Control Function (PCF), carrying the UE identifier (UE ID) and the slice identifier (Slice ID), in order to obtain the slice security policy, which contains the information on whether intra-slice authentication is performed and how it is performed.
Of course, the SMF may also obtain the slice security policy locally, in which case the request and response exchanged with the PCF in steps 47 and 48 are not needed and the other steps are unchanged.
Step 48: Control policy check response [control policy] (slice security policy check response carrying the slice security policy).
The PCF retrieves the control policy applicable to the UE according to the Slice ID and the UE ID, and returns it to the SMF in the slice security policy check response.
The slice security policy check response contains the control policy. The slice security policy within the control policy that relates to intra-slice authentication contains at least the following:
- UE intra-slice authentication flag;
- authentication mode identifier;
- authentication-side address.
Step 49: Secondary authentication request, which can carry the slice security policy.
If the slice security policy in the control policy provided by the PCF requires secondary authentication (intra-slice authentication) for the UE, the SMF triggers the intra-slice authentication (secondary authentication) procedure by sending a secondary authentication request (intra-slice authentication request) and the slice security policy to the NSAPF.
Step 410: Secondary authentication and key derivation.
In the intra-slice authentication procedure the UE performs intra-slice authentication (secondary authentication and key derivation) either with the AUSF and ARPF through the NSAPF, or with the third-party 3rd AAA through the NSAPF.
The NSAPF proceeds according to the authentication mode setting:
If the authentication mode is "proxy mode":
(1) The NSAPF sends an authentication vector request to the authentication entity given by the "authentication-side address" in the slice security policy. The request contains at least the "UE ID" and optionally the "Slice ID".
(2) The authentication entity generates or retrieves the applicable "UE authentication vector" using the "UE ID" and/or the "Slice ID".
(3) The authentication entity returns the "UE authentication vector" to the NSAPF.
(4) The NSAPF performs intra-slice authentication with the UE using the authentication vector.
If the authentication mode is "relay mode":
(1) The NSAPF establishes a security association with the authentication entity specified by the "authentication-side address" in the slice security policy.
(2) The UE executes the intra-slice authentication procedure with the authentication entity through the NSAPF, the NSAPF acting as a relay.
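Both branches of step 410 (and the first and second examples of embodiment one) as one added, runnable exchange; this is not code from the patent or from any network vendor. The patent leaves the authentication algorithm open, so the example assumes a symmetric-key challenge/response with a third-party AAA as the authentication entity: RES = HMAC-SHA256(K, RAND || Slice ID), and the new slice master key Kns' = HMAC-SHA256(K, "Kns'" || RAND), derived on both ends. The directory that maps the authentication-side address to an entity, the address `aaa.example:3868`, and all identifiers are constructed.

```python
"""NSAPF intra-slice authentication in proxy mode and relay mode (added example).
Assumed mechanism: HMAC-SHA256 challenge/response with a 3rd AAA; all names constructed."""
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts (assumed PRF for RES and Kns')."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class UE:
    """Terminal holding the long-term key K shared with the third-party AAA."""

    def __init__(self, ue_id: str, slice_id: str, k: bytes):
        self.ue_id, self.slice_id, self.k = ue_id, slice_id, k
        self.kns_prime = None

    def challenge(self, rand: bytes) -> bytes:
        """Answer RAND with RES and derive the UE's copy of Kns'."""
        self.kns_prime = prf(self.k, b"Kns'", rand)
        return prf(self.k, rand, self.slice_id.encode())


class ThirdPartyAAA:
    """3rd AAA: stores (UE ID, Slice ID) -> K and serves either mode."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers
        self.associations = set()

    def authentication_vector(self, ue_id: str, slice_id: str) -> dict:
        """Proxy mode, steps (1)-(3): [RAND, XRES, Kns'] for the NSAPF."""
        k = self.subscribers[(ue_id, slice_id)]
        rand = os.urandom(16)
        return {"RAND": rand,
                "XRES": prf(k, rand, slice_id.encode()),
                "Kns'": prf(k, b"Kns'", rand)}

    def establish_association(self, nsapf_id: str) -> str:
        """Relay mode, step (1): security association between NSAPF and AAA."""
        assoc = f"sa:{nsapf_id}:{os.urandom(4).hex()}"
        self.associations.add(assoc)
        return assoc

    def authenticate_via_relay(self, assoc: str, ue_id: str, slice_id: str, forward):
        """Relay mode, step (2): the AAA runs the exchange; `forward` is the NSAPF relay."""
        if assoc not in self.associations:
            raise PermissionError("no security association with this NSAPF")
        k = self.subscribers[(ue_id, slice_id)]
        rand = os.urandom(16)
        res = forward(rand)                   # NSAPF relays RAND to the UE and RES back
        if not hmac.compare_digest(res, prf(k, rand, slice_id.encode())):
            return None
        return prf(k, b"Kns'", rand)


class NSAPF:
    """Network Slice Authentication Proxy Function of one slice."""

    def __init__(self, nsapf_id: str, directory: dict):
        self.nsapf_id = nsapf_id
        self.directory = directory            # authentication-side address -> entity

    def intra_slice_auth(self, ue: UE, policy: dict):
        """Step 410 according to the policy; returns Kns' on success, None on failure."""
        aaa = self.directory[policy["auth_side_address"]]
        mode = policy["auth_mode"]
        if mode == "proxy":
            av = aaa.authentication_vector(ue.ue_id, ue.slice_id)   # step (1)-(3)
            res = ue.challenge(av["RAND"])                            # step (4)
            return av["Kns'"] if hmac.compare_digest(res, av["XRES"]) else None
        if mode == "relay":
            assoc = aaa.establish_association(self.nsapf_id)          # step (1)
            return aaa.authenticate_via_relay(assoc, ue.ue_id, ue.slice_id,
                                              ue.challenge)           # step (2)
        raise ValueError(f"unknown authentication mode: {mode}")


def demo(mode: str, ue_key: bytes = b"K" * 32, aaa_key: bytes = b"K" * 32):
    """Constructed scenario: one UE in Slice#1, 3rd AAA at aaa.example:3868.
    Returns (Kns' held by the NSAPF, whether UE and NSAPF agree on it)."""
    aaa = ThirdPartyAAA({("imsi-001", "Slice#1"): aaa_key})
    nsapf = NSAPF("nsapf-1", {"aaa.example:3868": aaa})
    ue = UE("imsi-001", "Slice#1", ue_key)
    policy = {"ue_intra_slice_auth": True, "auth_mode": mode,
              "auth_side_address": "aaa.example:3868"}
    kns_prime = nsapf.intra_slice_auth(ue, policy)
    return kns_prime, (kns_prime is not None and kns_prime == ue.kns_prime)
```

In proxy mode the AAA hands Kns' to the NSAPF inside the vector, so the transport of step (3) must itself be protected; in relay mode the NSAPF never handles RAND/RES semantics and only learns Kns' from the AAA at the end. A UE holding the wrong K fails in both modes and no Kns' is released.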
Step 411: New UP master key install [Kns'].
Successful authentication can result in a new slice master key (user plane master key) Kns'. If a new slice master key Kns' is generated, the NSAPF obtains it and provides it to the SMF.
Step 412: UP key install [Kup].
The SMF sends the user plane key [Kup] to the user plane function UPF.
It should be understood that the SMF performs the necessary key dispersion (derivation) according to the rules and provides the generated keys to the corresponding functional entities in the slice, so as to realize slice security.
Step 413:User plane safety foundation-UP security established.
SMF, UE, UPF and AN pass through corresponding safe mode command (Security Model Command, SMC) process
Safe context and key needed for generating, and it is supplied to corresponding functional entity, to set up user plane safety.
The in-slice authentication method provided by the embodiment of the present invention is illustrated below with reference to the above.
Example one:
The above provides a scheme that includes out-of-slice authentication and in-slice authentication in which a third party participates. It is assumed here that the third-party authentication entity can provide authentication vectors. The detailed process is shown in Figure 5 and described as follows:
Steps 51 to 59 are the same as steps 41 to 49 above (Same as step 41 - step 49). Assume that the control policy obtained by the SMF from the PCF requires the UE to perform in-slice authentication, with the following content:
- UE in-slice authentication flag: "in-slice authentication required";
- Authentication mode identifier: "agent mode";
- Authentication side address: "3rdAAA address".
Step 510.1: Authentication vector request (carrying the terminal identifier and slice identifier) (authentication vector request [UE ID, Slice ID]).
The NSAPF sends an in-slice authentication vector request to the 3rdAAA; the request includes the "UE ID" and the "slice ID".
Step 510.2: Authentication vector response (carrying the authentication vector) (authentication vector response [authentication vector]).
The 3rdAAA provides the authentication vector to the NSAPF according to the "UE ID" and "slice ID" information.
Step 510.3: Mutual authentication and key derivation (Mutual authentication and key derivation).
The NSAPF and the UE perform the in-slice authentication process and, after authentication succeeds, derive the new user plane master key Kns'.
Steps 511 to 513 are the same as steps 411 to 413 above (Same as step 411 - step 413).
Example two:
The authentication side address in Example one may also point to a local AUSF or ARPF. The detailed process is the same as in Example one.
Example three:
When the authentication mode identifier in Example one indicates "relay mode", the NSAPF acts as a relay for the communication between the UE and the 3rdAAA. Upon successful authentication, the 3rdAAA needs to supply the new user plane master key to the NSAPF.
Example four:
When the authentication mode identifier in Example one indicates "relay mode", step 510.3 may also perform mutual authentication only, without deriving a new slice master key. In this case the slice directly uses the slice master key provided by the SCMF outside the slice, and steps 511 to 513 no longer need to be executed.
It is noted here that the network slice authentication proxy function NSAPF in this embodiment is the security anchor point within the network slice. It is responsible for interacting with the UE and with the authentication entities outside the slice that can realize in-slice authentication, so as to complete the UE's in-slice authentication process. Successful in-slice authentication can generate a new slice master key. The NSAPF supplies the new slice master key to the SMF, the SMF performs the necessary key dispersion, and the dispersed keys are distributed to the corresponding functional entities to realize the required slice security.
In this embodiment, whether in-slice authentication is performed within the slice is determined by the SMF according to the slice security policy. The SMF can obtain the slice security policy in two ways:
(1) The SMF obtains it from the policy control function (PCF);
(2) The SMF obtains it locally.
In this embodiment, in-slice authentication is executed by the NSAPF. In-slice authentication should support two basic in-slice authentication modes:
Agent mode: the NSAPF sends an authentication vector request to the authentication entity outside the slice via the "authentication side address" provided in the slice security policy, and receives the authentication vector from the external authentication entity. The NSAPF then uses the obtained authentication vector to perform the in-slice authentication process with the UE. After successful authentication, the NSAPF and the UE each obtain the new slice master key.
Relay mode: the NSAPF establishes a security association with the authentication entity outside the slice via the "authentication side address" provided in the slice security policy, and the UE then performs the in-slice authentication process with the external authentication entity through the NSAPF. After successful authentication, the external authentication entity needs to supply the generated new slice master key to the NSAPF.
In this embodiment, the slice security policy describes whether the UE needs to perform the in-slice authentication process and how in-slice authentication is performed. The slice security policy includes at least:
- UE in-slice authentication flag: used to determine whether the specified UE performs in-slice authentication;
- Authentication mode identifier: used to determine which method should be used to realize in-slice authentication of the UE;
- Authentication side address: used to describe to which authentication entity outside the slice the authentication-related requests are sent.
In this embodiment, the slice security policy request sent by the SMF to the PCF includes at least the "UE identifier" and the "slice identifier". The PCF retrieves the slice security policy applicable to the specified UE according to the "UE identifier" and "slice identifier" and returns it to the SMF.
In this embodiment, a successful in-slice authentication process can generate a new slice master key, which replaces the slice master key provided by the SCMF outside the slice, and a new key hierarchy for realizing slice security is generated from the new slice master key.
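The agent-mode and relay-mode dispatch of steps 410 to 412, the Example one exchange and the policy fields listed above, modelled as a small Python simulation. This is an added example and not code from the patent: the NSAPF reads the slice security policy, obtains an authentication vector in agent mode or relays the exchange in relay mode, and the SMF derives Kup from the resulting Kns'. The challenge/response and key derivation are constructed HMAC-SHA256 placeholders rather than the 3GPP algorithms, and all class and function names are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Constructed placeholder KDF (HMAC-SHA256); not a 3GPP-specified function."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()


@dataclass
class SlicePolicy:
    """The three fields the text says a slice security policy must carry."""
    in_slice_auth: bool   # UE in-slice authentication flag
    mode: str             # authentication mode identifier: "agent" or "relay"
    auth_addr: str        # authentication side address


class UE:
    def __init__(self, ue_id: str, k: bytes):
        self.ue_id, self.k, self.kns = ue_id, k, None

    def respond(self, rand: bytes, slice_id: str) -> bytes:
        # RES and the candidate Kns' are both bound to RAND and the slice identifier.
        self.kns = kdf(self.k, b"KNS", rand, slice_id.encode())
        return kdf(self.k, b"RES", rand, slice_id.encode())


class AuthEntity:
    """Stand-in for 3rdAAA or AUSF/ARPF; holds each UE's long-term key (constructed)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def auth_vector(self, ue_id: str, slice_id: str):
        """Steps 510.1/510.2: return (RAND, XRES, Kns') for this UE and slice."""
        rand, k, sid = secrets.token_bytes(16), self.keys[ue_id], slice_id.encode()
        return rand, kdf(k, b"RES", rand, sid), kdf(k, b"KNS", rand, sid)

    def relay_auth(self, forward, ue_id: str, slice_id: str):
        """Relay mode: run the exchange through the NSAPF-provided association and
        hand Kns' to the NSAPF only on success (Example three)."""
        rand, xres, kns = self.auth_vector(ue_id, slice_id)
        return kns if hmac.compare_digest(forward(rand), xres) else None


class NSAPF:
    def __init__(self, directory: dict):
        self.directory = directory   # authentication side address -> entity

    def authenticate(self, ue: UE, slice_id: str, policy: SlicePolicy):
        """Step 410: dispatch on the authentication mode identifier; returns Kns' or None."""
        entity = self.directory[policy.auth_addr]
        if policy.mode == "agent":
            rand, xres, kns = entity.auth_vector(ue.ue_id, slice_id)
            # Step 510.3: the NSAPF itself checks the UE's response against XRES.
            return kns if hmac.compare_digest(ue.respond(rand, slice_id), xres) else None
        if policy.mode == "relay":
            # The security association is modelled as a callable that forwards RAND to the UE.
            return entity.relay_auth(lambda r: ue.respond(r, slice_id), ue.ue_id, slice_id)
        raise ValueError(f"unknown authentication mode {policy.mode!r}")


def smf_session_setup(nsapf: NSAPF, ue: UE, slice_id: str, policy: SlicePolicy, kns_outer: bytes):
    """SMF side: decide from the policy whether to run in-slice authentication, then
    disperse keys (steps 411/412). Returns None when authentication fails."""
    kns = kns_outer                     # flag not set: keep the SCMF-provided slice key
    if policy.in_slice_auth:
        kns = nsapf.authenticate(ue, slice_id, policy)
        if kns is None:
            return None
    kup = kdf(kns, b"UP", slice_id.encode())   # Kup handed to the UPF
    return {"Kns": kns, "Kup": kup}
```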
Embodiment three
As shown in Figure 6, embodiment three of the present invention provides a network slice authentication agent entity, including:
a first receiving module 61, configured to receive an in-slice authentication request and a slice security policy sent by a session management entity;
a first processing module 62, configured to perform the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
The network slice authentication agent entity provided by embodiment three of the present invention receives the in-slice authentication request and the slice security policy sent by the session management entity and performs the in-slice authentication operation according to them. It can thus complete in-slice authentication, further ensures slice security, and solves the problem that slice security authentication schemes in the prior art are incomplete.
Considering that in practice the first processing module may be implemented in many ways, this embodiment provides the following two examples:
First example: the slice security policy includes an authentication mode identifier and an authentication side address, and when the authentication mode identifier indicates agent mode, the first processing module includes: a first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authentication side address in the slice security policy; a first receiving submodule, configured to receive the terminal authentication vector fed back by the authentication entity according to the authentication vector request; and a first processing submodule, configured to perform in-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector includes the information required to authenticate the terminal, and the corresponding terminal refers to the terminal that sends an attach request to the network, causing the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the in-slice authentication request and the slice security policy to the network slice authentication agent entity (the specific flow is shown in Figure 4).
Second example: the slice security policy includes an authentication mode identifier and an authentication side address, and when the authentication mode identifier indicates relay mode, the first processing module includes: a first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authentication side address in the slice security policy; and a second processing submodule, configured to forward authentication information between the corresponding terminal and the authentication entity through the association, so as to perform in-slice authentication.
Here, the association may be a channel capable of carrying communication information, and the corresponding terminal refers to the terminal that sends an attach request to the network, causing the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the in-slice authentication request and the slice security policy to the network slice authentication agent entity (the specific flow is shown in Figure 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, the network slice authentication agent entity also includes: a first generation module, configured to generate a slice master key after in-slice authentication succeeds; and a first sending module, configured to send the slice master key to the session management entity.
From the above, the network slice authentication agent entity provided in this embodiment solves well the problem that slice security authentication schemes in the prior art are incomplete.
The implementation embodiments of the in-slice authentication method on the network slice authentication agent entity side described above are applicable to the embodiment of the network slice authentication agent entity and achieve the same technical effect.
Embodiment four
As shown in Figure 7, this embodiment provides a network slice authentication agent entity, including:
a processor 71; and a memory 73 connected to the processor 71 through a bus interface 72, the memory 73 storing the program and data used by the processor 71 when executing operations, where the processor 71, when calling and executing the program and data stored in the memory 73, performs the following process:
receiving, through a transceiver 74, an in-slice authentication request and a slice security policy sent by a session management entity;
performing the in-slice authentication operation according to the in-slice authentication request and the slice security policy.
The transceiver 74 is connected to the bus interface 72 and is used for sending and receiving data under the control of the processor 71.
It should be noted that in Figure 7 the bus architecture may include any number of interconnected buses and bridges, specifically linking together the various circuits of the one or more processors represented by the processor 71 and the memory represented by the memory 73. The bus architecture may also link together various other circuits, such as peripheral devices, voltage regulators and power management circuits, all of which are known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 74 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 71 is responsible for managing the bus architecture and general processing, and the memory 73 can store the data used by the processor 71 when executing operations.
Those skilled in the art will understand that all or part of the steps for realizing the above embodiment may be completed by hardware, or by instructing the relevant hardware through a computer program, the computer program including instructions for executing some or all of the steps of the above method; and the computer program may be stored in a readable storage medium, which may be any form of storage medium.
Embodiment five
As shown in Figure 8, embodiment five of the present invention provides a session management entity, including:
a first acquisition module 81, configured to obtain a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
a second sending module 82, configured to send an in-slice authentication request and the slice security policy to a network slice authentication agent entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
The session management entity provided by embodiment five of the present invention obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates in-slice authentication for the corresponding terminal, sends the in-slice authentication request and the slice security policy to the network slice authentication agent entity. The network slice authentication agent entity can then perform the in-slice authentication operation according to the in-slice authentication request and the slice security policy. In-slice authentication is thus completed, slice security is further ensured, and the problem that slice security authentication schemes in the prior art are incomplete is solved.
The first acquisition module includes: a first acquisition submodule, configured to obtain the slice security policy locally or from a policy control entity.
Specifically, the first acquisition submodule includes: a first sending unit, configured to send a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier; and a first receiving unit, configured to receive the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Further, the slice security policy includes a terminal in-slice authentication flag, and the session management entity also includes: a first confirmation module, configured to confirm, before the in-slice authentication request and the slice security policy are sent to the network slice authentication agent entity, that the slice security policy indicates in-slice authentication for the terminal when the terminal in-slice authentication flag indicates that in-slice authentication is to be performed.
Further, the session management entity also includes: a second receiving module, configured to receive, after the in-slice authentication request and the slice security policy are sent to the network slice authentication agent entity, the slice master key sent by the network slice authentication agent entity and generated after successful in-slice authentication; and a second processing module, configured to perform a dispersion operation according to preset rules on the original slice master key and on the slice master key generated after successful in-slice authentication.
From the above, the session management entity provided in this embodiment solves well the problem that slice security authentication schemes in the prior art are incomplete.
The implementation embodiments of the in-slice authentication method on the session management entity side described above are applicable to the embodiment of the session management entity and achieve the same technical effect.
Embodiment six
As shown in Figure 9, this embodiment provides a session management entity, including:
a processor 91; and a memory 93 connected to the processor 91 through a bus interface 92, the memory 93 storing the program and data used by the processor 91 when executing operations, where the processor 91, when calling and executing the program and data stored in the memory 93, performs the following process:
obtaining a slice security policy when a session establishment instruction sent by a mobility management entity is received through a transceiver 94;
sending, through the transceiver 94, an in-slice authentication request and the slice security policy to a network slice authentication agent entity when the slice security policy indicates that in-slice authentication is to be performed for the corresponding terminal.
The transceiver 94 is connected to the bus interface 92 and is used for sending and receiving data under the control of the processor 91.
It should be noted that in Figure 9 the bus architecture may include any number of interconnected buses and bridges, specifically linking together the various circuits of the one or more processors represented by the processor 91 and the memory represented by the memory 93. The bus architecture may also link together various other circuits, such as peripheral devices, voltage regulators and power management circuits, all of which are known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 94 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 91 is responsible for managing the bus architecture and general processing, and the memory 93 can store the data used by the processor 91 when executing operations.
Those skilled in the art will understand that all or part of the steps for realizing the above embodiment may be completed by hardware, or by instructing the relevant hardware through a computer program, the computer program including instructions for executing some or all of the steps of the above method; and the computer program may be stored in a readable storage medium, which may be any form of storage medium.
Many of the functional components described in this specification are referred to as modules, submodules or units so as to emphasize more particularly the independence of their implementation.
In the embodiments of the present invention, a module, submodule or unit may be implemented in software so as to be executed by various types of processors. For example, an identified executable code module may include one or more physical or logical blocks of computer instructions, which may for instance be built as an object, a procedure or a function. Nevertheless, the executable code of an identified module need not be physically located together, but may include different instructions stored in different locations which, when logically combined, constitute the module and realize the stated purpose of the module.
In fact, an executable code module may be a single instruction or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified within modules and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set or may be distributed over different locations (including in different storage devices), and may exist, at least partially, merely as electronic signals on a system or network.
Where a module can be implemented in software, and considering the level of existing hardware technology, those skilled in the art could, without regard to cost, also build a corresponding hardware circuit to realize the corresponding function of a module that can be implemented in software; such a hardware circuit includes conventional very large scale integration (VLSI) circuits or gate arrays and existing semiconductors such as logic chips and transistors, or other discrete components. Modules may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable logic arrays and programmable logic devices.
The above describes preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.