CN108347729B - Intra-network-slice authentication method, slice authentication proxy entity and session management entity - Google Patents

Intra-network-slice authentication method, slice authentication proxy entity and session management entity

Info

Publication number
CN108347729B
Authority
CN
China
Prior art keywords
authentication
slice
network
entity
sliced
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710055047.1A
Other languages
Chinese (zh)
Other versions
CN108347729A (en)
Inventor
周巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Telecommunications Technology CATT
Datang Mobile Communications Equipment Co Ltd
Original Assignee
China Academy of Telecommunications Technology CATT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN201710055047.1A
Priority to PCT/CN2018/075604 (WO2018137713A1)
Publication of CN108347729A
Application granted
Publication of CN108347729B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for authentication within a network slice, a network slice authentication proxy entity and a session management entity. The method for authentication within a network slice includes: receiving an intra-slice authentication request and a slice security policy sent by a session management entity; and performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy. By receiving the intra-slice authentication request and the slice security policy sent by the session management entity and performing the intra-slice authentication operation according to them, this scheme completes authentication within the network slice, further guarantees slice security, and solves the problem that the slice security authentication scheme in the prior art is incomplete.

Description

Intra-network-slice authentication method, slice authentication proxy entity and session management entity
Technical field
The present invention relates to the field of communication technology, and in particular to a method for authentication within a network slice, a network slice authentication proxy entity and a session management entity.
Background art
On slice security, 3GPP SA3 (3rd Generation Partnership Project, security group 3) describes various key issues of network slice security, including network slice authentication. Network slice authentication can be divided into authentication outside the network slice and authentication within the network slice. So far there is no specific technical solution for how to implement authentication within a network slice; nevertheless, authentication within the network slice is still needed in order to guarantee a high level of slice security.
Summary of the invention
The purpose of the present invention is to provide a method for authentication within a network slice, a network slice authentication proxy entity and a session management entity, so as to solve the problem that the slice security authentication scheme in the prior art is incomplete.
To solve the above technical problem, an embodiment of the present invention provides a method for authentication within a network slice, applied to a network slice authentication proxy entity, comprising:
receiving an intra-slice authentication request and a slice security policy sent by a session management entity;
performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates proxy mode, the step of performing the intra-slice authentication operation includes:
sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy;
receiving the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
performing intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates relay mode, the step of performing the intra-slice authentication operation includes:
establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy;
forwarding authentication information between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, after intra-slice authentication succeeds, the method further includes:
generating a slice master key;
sending the slice master key to the session management entity.
The present invention also provides a method for authentication within a network slice, applied to a session management entity, comprising:
obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal, sending an intra-slice authentication request and the slice security policy to a network slice authentication proxy entity.
Optionally, the step of obtaining the slice security policy includes:
obtaining the slice security policy locally; or
obtaining the slice security policy from a policy control entity.
Optionally, the step of obtaining the slice security policy from the policy control entity includes:
sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
receiving the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal intra-slice authentication identifier, and before the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method further includes:
when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed, confirming that the slice security policy indicates that intra-slice authentication is to be performed on the terminal.
Optionally, after the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method further includes:
receiving the slice master key that is sent by the network slice authentication proxy entity and generated after intra-slice authentication succeeds;
performing, according to a preset rule, a key diversification operation on the original slice master key and the slice master key generated after intra-slice authentication succeeds.
The present invention also provides a network slice authentication proxy entity, comprising:
a first receiving module, configured to receive an intra-slice authentication request and a slice security policy sent by a session management entity;
a first processing module, configured to perform the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates proxy mode, the first processing module includes:
a first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy;
a first receiving submodule, configured to receive the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
a first processing submodule, configured to perform intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Optionally, the slice security policy includes an authentication mode identifier and an authenticator address, and when the authentication mode identifier indicates relay mode, the first processing module includes:
a first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authenticator address in the slice security policy;
a second processing submodule, configured to forward authentication information between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Optionally, the authentication entity is an authentication server or a third-party authentication entity.
Optionally, the network slice authentication proxy entity further includes:
a first generation module, configured to generate a slice master key after intra-slice authentication succeeds;
a first sending module, configured to send the slice master key to the session management entity.
The present invention also provides a session management entity, comprising:
a first obtaining module, configured to obtain a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
a second sending module, configured to send an intra-slice authentication request and the slice security policy to a network slice authentication proxy entity when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal.
Optionally, the first obtaining module includes:
a first obtaining submodule, configured to obtain the slice security policy locally; or
to obtain the slice security policy from a policy control entity.
Optionally, the first obtaining submodule includes:
a first sending unit, configured to send a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier;
a first receiving unit, configured to receive the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Optionally, the slice security policy includes a terminal intra-slice authentication identifier, and the session management entity further includes:
a first confirmation module, configured to confirm, before the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity and when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed, that the slice security policy indicates that intra-slice authentication is to be performed on the terminal.
Optionally, the session management entity further includes:
a second receiving module, configured to receive, after the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the slice master key that is sent by the network slice authentication proxy entity and generated after intra-slice authentication succeeds;
a second processing module, configured to perform, according to a preset rule, a key diversification operation on the original slice master key and the slice master key generated after intra-slice authentication succeeds.
The above technical solutions of the present invention have the following beneficial effects:
In the above scheme, the method for authentication within a network slice receives the intra-slice authentication request and the slice security policy sent by the session management entity, and performs the intra-slice authentication operation according to them; authentication within the network slice can thus be completed, slice security is further guaranteed, and the problem that the slice security authentication scheme in the prior art is incomplete is solved.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the intra-slice authentication method of embodiment one of the present invention;
Fig. 2 is a schematic flowchart of the intra-slice authentication method of embodiment two of the present invention;
Fig. 3 is a schematic diagram of the implementation architecture of an embodiment of the present invention;
Fig. 4 is a schematic diagram of the detailed flow of the intra-slice authentication method of an embodiment of the present invention;
Fig. 5 is a schematic flowchart of an example of the intra-slice authentication method of an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the network slice authentication proxy entity of embodiment three of the present invention;
Fig. 7 is a schematic structural diagram of the network slice authentication proxy entity of embodiment four of the present invention;
Fig. 8 is a schematic structural diagram of the session management entity of embodiment five of the present invention;
Fig. 9 is a schematic structural diagram of the session management entity of embodiment six of the present invention.
Detailed description of the embodiments
To make the technical problem to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description is given below with reference to the drawings and specific embodiments.
In view of the problem that the slice security authentication scheme in the prior art is incomplete, the present invention provides several solutions, as follows:
As shown in Fig. 1, embodiment one of the present invention provides a method for authentication within a network slice, which can be applied to a network slice authentication proxy entity. The method comprises:
Step 11: receiving an intra-slice authentication request and a slice security policy sent by a session management entity;
Step 12: performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
The method provided by embodiment one of the present invention receives the intra-slice authentication request and the slice security policy sent by the session management entity, and performs the intra-slice authentication operation according to them; authentication within the network slice can thus be completed, slice security is further guaranteed, and the problem that the slice security authentication scheme in the prior art is incomplete is solved.
Considering that in actual use the intra-slice authentication operation can be implemented in several ways, this embodiment provides the following two examples:
In the first example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates proxy mode, the step of performing the intra-slice authentication operation includes: sending an authentication vector request to the corresponding authentication entity according to the authenticator address in the slice security policy; receiving the terminal authentication vector fed back by the authentication entity in response to the authentication vector request; and performing intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector contains the information needed to authenticate with the terminal, and the corresponding terminal is the terminal that sent an attach request to the network, prompting the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity (the detailed flow is shown in Fig. 4).
In the second example, the slice security policy includes an authentication mode identifier and an authenticator address. When the authentication mode identifier indicates relay mode, the step of performing the intra-slice authentication operation includes: establishing an association with the corresponding authentication entity according to the authenticator address in the slice security policy; and forwarding authentication information between the corresponding terminal and the authentication entity over the association, so as to perform intra-slice authentication.
Here, the association can be a channel capable of carrying communication messages, and the corresponding terminal is the terminal that sent an attach request to the network, prompting the mobility management entity to send a session establishment instruction to the session management entity, so that the session management entity can send the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity (the detailed flow is shown in Fig. 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, after intra-slice authentication succeeds, the method also includes: generating a slice master key; and sending the slice master key to the session management entity.
As can be seen from the above, the intra-slice authentication method provided in this embodiment well solves the problem that the slice security authentication scheme in the prior art is incomplete.
Embodiment two
As shown in Fig. 2, embodiment two of the present invention provides a method for authentication within a network slice, which can be applied to a session management entity. The method comprises:
Step 21: obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
Step 22: when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal, sending an intra-slice authentication request and the slice security policy to the network slice authentication proxy entity.
The method provided by embodiment two of the present invention obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal, sends the intra-slice authentication request and the slice security policy to the network slice authentication proxy entity. This enables the network slice authentication proxy entity to perform the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy; authentication within the network slice is completed, slice security is further guaranteed, and the problem that the slice security authentication scheme in the prior art is incomplete is solved.
Here, the step of obtaining the slice security policy includes: obtaining the slice security policy locally; or obtaining the slice security policy from a policy control entity.
Specifically, the step of obtaining the slice security policy from the policy control entity includes: sending a control policy request to the policy control entity, the control policy request including a terminal identifier and a slice identifier; and receiving the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy including the slice security policy.
Further, the slice security policy includes a terminal intra-slice authentication identifier, and before the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method also includes: when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed, confirming that the slice security policy indicates that intra-slice authentication is to be performed on the terminal.
Further, after the intra-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the method also includes: receiving the slice master key that is sent by the network slice authentication proxy entity and generated after intra-slice authentication succeeds; and performing, according to a preset rule, a key diversification operation on the original slice master key and the slice master key generated after intra-slice authentication succeeds.
As can be seen from the above, the intra-slice authentication method provided in this embodiment well solves the problem that the slice security authentication scheme in the prior art is incomplete.
The intra-slice authentication method provided by the embodiments of the present invention is further described below with reference to both sides, the network slice authentication proxy entity and the session management entity.
In view of the fact that the 3GPP SA3 (3rd Generation Partnership Project, security group 3) 5G security study report TR does not yet implement intra-slice authentication, this embodiment provides a method for authentication within a network slice. One possible security architecture for implementing this scheme is shown in Fig. 3.
It includes the control plane access network CP-AN, the user plane access network UP-AN, the core network user plane function CN-UPF, the mobility management function MMF (corresponding to the mobility management entity), the session management function SMF (corresponding to the session management entity), the authentication server function AUSF, the authentication credential repository and processing function ARPF, the security context management function SCMF, the security anchor function SEAF, the network slice authentication proxy function NSSPF (corresponding to the network slice authentication proxy entity), the policy control function PCF, and the third-party authentication function 3rdAAA.
Of these, UP-AN, SMF, NSSPF and CN-UPF belong to slice Slice#n, where #n represents the slice identifier.
Specifically, some of the security functional entities are described below:
Authentication Credential Repository and Processing Function (ARPF): this function stores the long-term security credentials used in the authentication process and executes any cryptographic algorithm that takes the long-term security credentials as input. It also stores the security-related subscriber profile. The ARPF interacts with the authentication server function AUSF to carry out the corresponding security service functions, such as key derivation.
Authentication Server Function (AUSF): this function receives authentication requests from the security anchor function SEAF and performs the authentication function. The AUSF and the ARPF can interact over an interface, with the latter providing the keys needed for the authentication process.
Security Anchor Function (SEAF): an authentication function in the core network that interacts with the AUSF and the terminal UE, and receives from the AUSF the intermediate key established as a result of the UE authentication process. During initial attach, the SEAF also interacts with the mobility management (Mobility Management, MM) function and the security context management function SCMF. The SEAF should reside in a secure environment in the operator network, with physical access control. In the roaming case, the SEAF resides in the visited network.
Security Context Management Function (SCMF): the SCMF receives the intermediate key from the SEAF and then uses it to further derive the keys for control plane and user plane security. The SCMF should reside in a secure environment in the operator network, with physical access control. In the roaming case, the SCMF resides in the visited network.
Policy Control Function (PCF): provides the control policy for establishing UE sessions. In this embodiment it is assumed that the policy describing how slice security is implemented is also stored in the PCF. The slice security policy describes whether a specified UE needs to perform the intra-slice authentication process, and the mode and related information for performing intra-slice authentication.
Network Slice Authentication Proxy Function (NSAPF): the security anchor within the network slice. It is responsible for the interaction between the UE and the entity that can perform the authentication function within the slice, completes the UE's intra-slice authentication process, derives from the new slice master key obtained after successful authentication the new key hierarchy used to implement slice security, and distributes these keys to the corresponding functional entities, thereby achieving the required slice security.
In this embodiment, the third-party functional entity responsible for intra-slice authentication of the UE is described below:
Third-party authentication function (3rd party Authentication, Authorization and Account Function, AAA): it interacts with the UE through the NSAPF to complete the UE's intra-slice authentication, and can generate a new slice master key after authentication succeeds; this master key is supplied to the NSAPF.
In addition, in this embodiment, in order to achieve authentication, the slice security policy includes at least the following information:
UE intra-slice authentication identifier: used to determine whether the specified UE is to undergo intra-slice authentication.
Authentication mode identifier: identifies the mode in which intra-slice authentication is implemented. Based on the authentication mode identifier, the NSAPF can determine which technical scheme should be used to implement intra-slice authentication of the UE, and how to interact with the UE and with the authentication entity outside the slice. The authentication mode within the slice can be the same as the authentication mode used outside the slice, or different from it. It can be an authentication method based on symmetric keys or one based on asymmetric keys. The NSAPF can obtain an authentication vector from the authentication entity outside the slice and complete the authentication process with the UE on behalf of that external authentication entity, or the external authentication entity can execute the authentication process with the UE directly.
The NSAPF can support two basic intra-slice authentication modes:
Proxy mode: using the "authenticator address" provided in the slice security policy, the NSAPF sends an authentication vector request to the authentication entity outside the slice and receives the authentication vector from that external authentication entity. The NSAPF then uses the obtained authentication vector to execute the intra-slice authentication process with the UE.
Relay mode: using the "authenticator address" provided in the slice security policy, the NSAPF establishes a security association with the authentication entity outside the slice, and the external authentication entity then executes the intra-slice authentication process with the UE through the NSAPF.
Authenticator address: the address of the entity located outside the slice that can provide authentication vectors or perform the intra-slice authentication function.
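The following Python model is an added example, not code from the patent. It shows the SMF checking the slice security policy and the NSAPF dispatching on the authentication mode identifier, with the resulting slice master key combined with the original one. The class and method names, the "proxy"/"relay" values, the HMAC-SHA-256 challenge-response, the authentication vector carrying key material, the key-combination rule and the fail-closed handling are all assumptions, since the text does not specify them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PROXY, RELAY = "proxy", "relay"  # assumed encodings of the authentication mode identifier


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed derivation used for responses and keys (assumed: HMAC-SHA-256)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


@dataclass(frozen=True)
class SliceSecurityPolicy:
    intra_slice_auth: bool   # UE intra-slice authentication identifier
    auth_mode: str           # authentication mode identifier
    authenticator_addr: str  # authenticator address


class Terminal:
    """UE with a long-term slice credential (assumed to be a symmetric key)."""

    def __init__(self, ue_id: str, key: bytes):
        self.ue_id, self._key, self._rand = ue_id, key, b""

    def respond(self, rand: bytes) -> bytes:
        self._rand = rand  # remembered so the UE can derive the same key
        return prf(self._key, b"res", rand)

    def slice_master_key(self) -> bytes:
        return prf(self._key, b"kns", self._rand)


class ExternalAuthenticator:
    """Authentication server or third-party AAA located outside the slice."""

    def __init__(self, credentials: dict):
        self._credentials = credentials  # ue_id -> long-term key

    def authentication_vector(self, ue_id: str):
        key = self._credentials.get(ue_id)
        if key is None:
            return None  # unknown subscriber
        rand = os.urandom(16)
        return rand, prf(key, b"res", rand), prf(key, b"kns", rand)

    def authenticate_via(self, ue_id: str, channel):
        """Relay mode: run the exchange itself over the NSAPF-forwarded channel."""
        av = self.authentication_vector(ue_id)
        if av is None:
            return None
        rand, xres, kns = av
        return kns if hmac.compare_digest(channel(rand), xres) else None


class NSAPF:
    def __init__(self, directory: dict):
        self._directory = directory  # authenticator address -> entity (stands in for the network)

    def authenticate(self, ue: Terminal, policy: SliceSecurityPolicy):
        """Return the new slice master key, or None if authentication fails."""
        entity = self._directory.get(policy.authenticator_addr)
        if entity is None:
            return None
        if policy.auth_mode == PROXY:
            # The NSAPF fetches the vector and runs the exchange with the UE itself.
            av = entity.authentication_vector(ue.ue_id)
            if av is None:
                return None
            rand, xres, kns = av
            return kns if hmac.compare_digest(ue.respond(rand), xres) else None
        if policy.auth_mode == RELAY:
            # The NSAPF only forwards messages; the external entity decides.
            return entity.authenticate_via(ue.ue_id, ue.respond)
        return None  # unknown mode: fail closed (assumption)


class SMF:
    def __init__(self, pcf: dict, nsapf: NSAPF):
        self._pcf, self._nsapf = pcf, nsapf  # pcf: (ue_id, slice_id) -> policy

    def create_session(self, ue: Terminal, slice_id: str, kns: bytes):
        """Return (status, slice master key to use) for a session establishment."""
        policy = self._pcf.get((ue.ue_id, slice_id))
        if policy is None:
            return "rejected", None  # no policy found: fail closed (assumption)
        if not policy.intra_slice_auth:
            return "established", kns  # keep the original slice master key
        new_kns = self._nsapf.authenticate(ue, policy)
        if new_kns is None:
            return "rejected", None
        # Combine original and new slice master keys (the preset rule is assumed).
        return "established", prf(new_kns, b"slice", kns)
```
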
Based on above-mentioned realization framework, the method authenticated in network slice provided in this embodiment is as shown in Figure 4, comprising:
Step 41: The UE sends an attach request (Attach request) to the network. Based on specific network function selection rules, the access network (Access Network, AN) routes the attach request to the mobility management function (Mobility Management Function, MMF). The MMF further routes the request to the SEAF, which serves as the network security anchor, and triggers the mutual authentication procedure.
Step 42: Authentication and session master key derivation.
In the mutual authentication procedure, the UE performs mutual authentication with the AUSF through the SEAF (the SEAF sends an authentication request to the AUSF). Successful authentication results in a session master key Kseaf being generated between the UE and the AUSF. At the same time, the network-side slice selection function should assign the UE to a suitable slice instance (the ARPF derives the session master key Kseaf).
Step 43: Providing the session master key (Providing session master key [Kseaf]).
The AUSF provides the generated session master key Kseaf to the SEAF, and the SEAF passes the session master key Kseaf to the SCMF.
Step 44: Control plane master key installation (CP master key install [Kcn-mm, Kns]).
The SCMF derives the control plane master key Kcn-mm, used for control plane security, and the slice master key Kns, used for slice security, and provides them to the MMF.
Step 45: Control plane security establishment (CP security establish).
The MMF performs the necessary key derivation using Kcn-mm and provides the derived keys to the corresponding control plane function entities, so as to achieve control plane security.
Step 46: Session creation, including Kns (Session creation [Kns]).
The MMF sends a session establishment instruction to the session management function (Session Management Function, SMF) in the UE's slice; the instruction contains the slice master key Kns.
Step 47: Slice security policy check request, carrying the slice ID and the UE ID (Control policy check request [Slice ID, UE ID]).
The SMF sends a slice security control policy check request to the policy control function (Policy Control Function, PCF), containing the UE identifier (UE ID) and the slice identifier (Slice ID), in order to obtain the slice security policy. The policy contains information on whether intra-slice authentication is to be performed and how it is to be performed.
Of course, the SMF can also obtain the slice security policy locally, in which case step 48 is not needed and the other steps are unchanged.
Step 48: Slice security policy check response, carrying the slice security policy (Control policy check response [control policy]).
The PCF retrieves the control policy applicable to the UE according to the slice ID and the UE ID, and returns it to the SMF in the slice security policy check response.
The slice security policy check response contains the control policy. The slice security policy in the control policy that relates to intra-slice authentication includes at least the following:
- UE intra-slice authentication identifier;
- Authentication mode identifier;
- Authentication side address.
Step 49: Secondary authentication request, which may carry the slice security policy (Secondary authentication request).
If the slice security policy in the control policy provided by the PCF requires secondary authentication of the UE (authentication within the network slice), the SMF triggers the intra-slice authentication (secondary authentication) procedure and sends a secondary authentication request (intra-slice authentication request) and the slice security policy to the NSAPF.
Step 410: Secondary authentication and key derivation.
In the intra-slice authentication procedure, the UE performs intra-slice authentication (secondary authentication and key derivation) through the NSAPF with the AUSF and ARPF, or through the NSAPF with a third-party 3rd AAA.
The NSAPF proceeds as follows according to the authentication mode setting:
If the authentication mode is "agent way", the processing is as follows:
(1) The NSAPF sends an authentication vector request to the corresponding authentication entity at the "authentication side address" provided in the slice security policy. The request should contain at least the "UE ID" and optionally the "slice ID".
(2) The authentication entity uses the "UE ID" and/or the "slice ID" to generate or retrieve the applicable "UE authentication vector".
(3) The authentication entity returns the "UE authentication vector" to the NSAPF.
(4) The NSAPF uses the authentication vector to perform intra-slice authentication with the UE.
If the authentication mode is "trunking scheme", the processing is as follows:
(1) The NSAPF establishes a security association with the authentication entity specified by the "authentication side address" provided in the slice security policy.
(2) The UE and the authentication entity execute the intra-slice authentication procedure through the NSAPF, which performs the relay forwarding function.
Step 411: New user plane master key (New UP master key install [Kns']).
Successful authentication can result in a new slice master key (user plane master key) Kns' being generated. If a new slice master key Kns' is generated, the NSAPF obtains the key and provides it to the SMF.
Step 412: User plane key (UP key install [Kup]).
The SMF sends the user plane key [Kup] to the user plane function UPF.
It can also be understood as follows: the SMF performs the necessary key derivation according to the rules and provides the generated keys to the corresponding function entities in the slice, so as to achieve slice security.
Step 413: User plane security establishment (UP security established).
The SMF, UE, UPF and AN generate the required security context and keys through the corresponding security mode command (Security Mode Command, SMC) procedure and provide them to the corresponding function entities, thereby establishing user plane security.
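Added example, not part of the patent text: the SMF policy check (steps 47 to 49) and the NSAPF's dispatch between "agent way" and "trunking scheme" (steps 410 and 411), showing which entity sees the expected response in each mode. The HMAC-SHA256 challenge-response, all class and function names, and the sample identifiers are assumptions, since the page names no algorithm; rejecting a session when no policy is found is also an assumption.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in keyed function (HMAC-SHA256); the page names no algorithm."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

class SlicePolicy(NamedTuple):
    auth_required: bool  # UE intra-slice authentication identifier
    auth_mode: str       # "agent" (agent way) or "relay" (trunking scheme)
    auth_address: str    # authentication side address

class UE:
    def __init__(self, ue_id: str, k: bytes):
        self.ue_id, self.k, self.kns_new = ue_id, k, None

    def respond(self, rand: bytes, slice_id: str) -> bytes:
        bind = rand + slice_id.encode()
        self.kns_new = prf(self.k, b"KNS'", bind)  # UE derives Kns' on its side
        return prf(self.k, b"RES", bind)

class AuthEntity:
    """Entity outside the slice (AUSF/ARPF or 3rd AAA) holding UE credentials."""
    def __init__(self, credentials: dict):
        self.credentials, self.pending = credentials, {}

    def vector(self, ue_id: str, slice_id: str):
        # Agent way, steps 510.1/510.2: (RAND, XRES, Kns') goes to the NSAPF.
        k = self.credentials[ue_id]  # KeyError for an unknown UE
        rand = os.urandom(16)
        bind = rand + slice_id.encode()
        return rand, prf(k, b"RES", bind), prf(k, b"KNS'", bind)

    def challenge(self, ue_id: str, slice_id: str) -> bytes:
        # Trunking scheme: XRES and Kns' stay here, only RAND leaves.
        rand, xres, kns_new = self.vector(ue_id, slice_id)
        self.pending[ue_id] = (xres, kns_new)
        return rand

    def verify(self, ue_id: str, res: bytes):
        xres, kns_new = self.pending.pop(ue_id)
        return kns_new if hmac.compare_digest(res, xres) else None

class NSAPF:
    def __init__(self, entities: dict):
        self.entities = entities  # auth_address -> AuthEntity (stands in for the network)

    def secondary_auth(self, ue: UE, slice_id: str, policy: SlicePolicy):
        """Return Kns' on success, None when authentication fails."""
        entity = self.entities.get(policy.auth_address)
        if entity is None or policy.auth_mode not in ("agent", "relay"):
            raise ValueError("unusable slice security policy")
        try:
            if policy.auth_mode == "agent":
                rand, xres, kns_new = entity.vector(ue.ue_id, slice_id)
                res = ue.respond(rand, slice_id)  # the NSAPF itself checks the UE
                return kns_new if hmac.compare_digest(res, xres) else None
            rand = entity.challenge(ue.ue_id, slice_id)  # the NSAPF only forwards
            return entity.verify(ue.ue_id, ue.respond(rand, slice_id))
        except KeyError:  # UE unknown to the authentication entity
            return None

def smf_create_session(ue, slice_id, kns, pcf: dict, nsapf: NSAPF) -> bytes:
    """Steps 46 to 411: return the slice master key the SMF derives Kup from."""
    policy = pcf.get((slice_id, ue.ue_id))  # steps 47/48
    if policy is None:
        raise PermissionError("no slice security policy")  # fail closed (assumption)
    if not policy.auth_required:
        return kns  # keep the key provided by the SCMF
    kns_new = nsapf.secondary_auth(ue, slice_id, policy)  # steps 49/410
    if kns_new is None:
        raise PermissionError("intra-slice authentication failed")
    return kns_new  # step 411

def outcome(ue, slice_id, kns, pcf, nsapf) -> str:
    try:
        key = smf_create_session(ue, slice_id, kns, pcf, nsapf)
    except (PermissionError, ValueError) as exc:
        return f"rejected: {exc}"
    return "kept Kns" if key == kns else "new Kns'"

def demo() -> dict:
    # Constructed sample data: identifiers, keys and the address are made up.
    k, kns = bytes(range(32)), b"\x11" * 32
    nsapf = NSAPF({"aaa.example": AuthEntity({"ue-1": k, "ue-2": k, "ue-4": k})})
    pcf = {("slice-a", "ue-1"): SlicePolicy(True, "agent", "aaa.example"),
           ("slice-a", "ue-2"): SlicePolicy(True, "relay", "aaa.example"),
           ("slice-a", "ue-3"): SlicePolicy(False, "", ""),
           ("slice-a", "ue-4"): SlicePolicy(True, "relay", "aaa.example")}
    ues = [UE("ue-1", k), UE("ue-2", k), UE("ue-3", k), UE("ue-4", b"\x00" * 32)]
    return {u.ue_id: outcome(u, "slice-a", kns, pcf, nsapf) for u in ues}

if __name__ == "__main__":
    print(demo())
```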
The method for authentication within a network slice provided in the embodiments of the present invention is illustrated below with reference to the above.
Example one:
The above provides a scheme comprising authentication outside the slice and intra-slice authentication in which a third party participates. It is assumed here that the third-party authentication entity can provide authentication vectors. The detailed procedure is shown in Figure 5 and described as follows:
Steps 51 to 59 are the same as steps 41 to 49 above (Same as step 41 - step 49). Assume that the control policy the SMF obtains from the PCF requires intra-slice authentication of the UE, with the following content:
- UE intra-slice authentication identifier: "intra-slice authentication required";
- Authentication mode identifier: "agent way";
- Authentication side address: "address of the 3rd AAA".
Step 510.1: Authentication vector request, carrying the UE ID and the slice ID (authentication vector request [UE ID, Slice ID]).
The NSAPF sends an intra-slice authentication vector request to the 3rd AAA; the request contains the "UE ID" and the "slice ID".
Step 510.2: Authentication vector response, carrying the authentication vector (authentication vector response [authentication vector]).
The 3rd AAA provides the authentication vector to the NSAPF according to the "UE ID" and "slice ID" information.
Step 510.3: Mutual authentication and key derivation.
The NSAPF and the UE execute the intra-slice authentication procedure and, after successful authentication, derive the new user plane master key Kns'.
Steps 511 to 513 are the same as steps 411 to 413 above (Same as step 411 - step 413).
Example two:
The authentication side address in example one may also point to the local AUSF or ARPF. The detailed procedure is the same as in example one.
Example three:
When the authentication mode identifier in example one indicates "trunking scheme", the NSAPF acts as a relay for the communication between the UE and the 3rd AAA. After successful authentication, the 3rd AAA needs to provide the new user plane master key to the NSAPF.
Example four:
When the authentication mode identifier in example one indicates "trunking scheme", step 510.3 may also perform only mutual authentication without deriving a new slice master key. In this case, the slice master key provided by the SCMF outside the slice is used directly within the slice, and steps 511 to 513 no longer need to be performed.
It should be noted here that the network slice authentication agent function NSAPF in this embodiment is the security anchor within the network slice. It is responsible for the interaction between the UE and an authentication entity located outside the slice that can perform the intra-slice authentication function, so as to complete the UE's intra-slice authentication procedure. Successful authentication can result in a new slice master key being generated within the slice. The NSAPF provides the new slice master key to the SMF; the SMF performs the necessary key derivation and distributes the derived keys to the corresponding function entities to achieve the required slice security.
In this embodiment, whether intra-slice authentication is performed within a slice is decided by the SMF according to the slice security policy. The SMF can obtain the slice security policy in two ways:
(1) the SMF obtains it from the policy control function (PCF);
(2) the SMF obtains it locally.
In this embodiment, intra-slice authentication is executed by the NSAPF. Intra-slice authentication should support two basic intra-slice authentication modes:
Agent way: the NSAPF sends an authentication vector request to the authentication entity outside the slice at the "authentication side address" provided in the slice security policy, and receives the authentication vector from the external authentication entity. The NSAPF then uses the obtained authentication vector to perform the intra-slice authentication procedure with the UE. After successful authentication, the NSAPF and the UE can each obtain the new slice master key.
Trunking scheme: the NSAPF establishes a security association with the authentication entity outside the slice using the "authentication side address" provided in the slice security policy; the UE and the authentication entity located outside the slice then execute the intra-slice authentication procedure through the NSAPF. After successful authentication, the external authentication entity needs to provide the generated new slice master key to the NSAPF.
In this embodiment, the slice security policy describes whether the UE needs to execute the intra-slice authentication procedure and how intra-slice authentication is executed. The slice security policy includes at least:
- UE intra-slice authentication identifier: used to determine whether the specified UE undergoes intra-slice authentication;
- Authentication mode identifier: used to determine which method is to be used to perform the UE's intra-slice authentication;
- Authentication side address: describes which authentication entity outside the slice the authentication-related requests should be sent to.
In this embodiment, the slice security policy request that the SMF sends to the PCF contains at least the "UE ID" and the "slice ID". The PCF retrieves the slice security policy applicable to the specified UE according to the "UE ID" and "slice ID" and returns it to the SMF.
In this embodiment, a successful intra-slice authentication procedure can result in a new slice master key being generated; this key replaces the slice master key provided by the SCMF outside the slice, and a new key hierarchy for slice security is generated from the new slice master key.
Embodiment three
As shown in Figure 6, embodiment three of the present invention provides a network slice authentication agent entity, comprising:
A first receiving module 61, configured to receive the intra-slice authentication request and the slice security policy sent by the session management entity;
A first processing module 62, configured to perform the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
The network slice authentication agent entity provided by embodiment three of the present invention receives the intra-slice authentication request and the slice security policy sent by the session management entity, and performs the intra-slice authentication operation according to that request and that policy. Authentication within the network slice can thus be completed, which further ensures slice security and solves the problem in the prior art that the authentication scheme for slice security is incomplete.
Considering that in practice the first processing module can be implemented in many ways, this embodiment provides the following two examples:
In the first example, the slice security policy includes an authentication mode identifier and an authentication side address, and when the authentication mode identifier indicates agent way, the first processing module includes: a first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authentication side address in the slice security policy; a first receiving submodule, configured to receive the terminal authentication vector fed back by the authentication entity in response to the authentication vector request; and a first processing submodule, configured to perform intra-slice authentication with the corresponding terminal using the terminal authentication vector.
Here, the terminal authentication vector contains the information required for authentication with the terminal, and the corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send the session establishment instruction to the session management entity, so that the session management entity could send the intra-slice authentication request and the slice security policy to the network slice authentication agent entity (the specific procedure is shown in Figure 4).
In the second example, the slice security policy includes an authentication mode identifier and an authentication side address, and when the authentication mode identifier indicates trunking scheme, the first processing module includes: a first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authentication side address in the slice security policy; and a second processing submodule, configured to forward, through the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform intra-slice authentication.
Here, the association may be a channel capable of carrying communication messages, and the corresponding terminal is the terminal that sent the attach request to the network, which caused the mobility management entity to send the session establishment instruction to the session management entity, so that the session management entity could send the intra-slice authentication request and the slice security policy to the network slice authentication agent entity (the specific procedure is shown in Figure 4).
Specifically, the authentication entity is an authentication server or a third-party authentication entity.
Further, the network slice authentication agent entity also includes: a first generation module, configured to generate a slice master key after intra-slice authentication succeeds; and a first sending module, configured to send the slice master key to the session management entity.
As can be seen from the above, the network slice authentication agent entity provided in this embodiment solves well the problem in the prior art that the authentication scheme for slice security is incomplete.
The implementation embodiments of the above intra-slice authentication method on the network slice authentication agent entity side apply equally to the embodiments of the network slice authentication agent entity and achieve the same technical effect.
Embodiment four
As shown in Figure 7, this embodiment provides a network slice authentication agent entity, comprising:
A processor 71, and a memory 73 connected to the processor 71 through a bus interface 72, the memory 73 being used to store the programs and data used by the processor 71 when performing operations; when the processor 71 calls and executes the programs and data stored in the memory 73, the following process is performed:
Receiving, through the transceiver 74, the intra-slice authentication request and the slice security policy sent by the session management entity;
Performing the intra-slice authentication operation according to the intra-slice authentication request and the slice security policy.
The transceiver 74 is connected to the bus interface 72 and is used to send and receive data under the control of the processor 71.
It should be noted that in Figure 7 the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of one or more processors, represented by the processor 71, and of memory, represented by the memory 73. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 74 may be multiple elements, that is, it includes a transmitter and a transceiver, and provides a unit for communicating with various other devices over a transmission medium. The processor 71 is responsible for managing the bus architecture and general processing, and the memory 73 can store the data used by the processor 71 when performing operations.
Those skilled in the art will understand that all or some of the steps of the above embodiments can be implemented in hardware, or by a computer program instructing the relevant hardware; the computer program includes instructions for performing some or all of the steps of the above method, and may be stored in a readable storage medium, which may be any form of storage medium.
Embodiment five
As shown in Figure 8, embodiment five of the present invention provides a session management entity, comprising:
A first obtaining module 81, configured to obtain the slice security policy upon receiving the session establishment instruction sent by the mobility management entity;
A second sending module 82, configured to send the intra-slice authentication request and the slice security policy to the network slice authentication agent entity when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal.
The session management entity provided by embodiment five of the present invention obtains the slice security policy upon receiving the session establishment instruction sent by the mobility management entity and, when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal, sends the intra-slice authentication request and the slice security policy to the network slice authentication agent entity. The network slice authentication agent entity can then perform the intra-slice authentication operation according to that request and that policy. Authentication within the network slice is thus completed, which further ensures slice security and solves the problem in the prior art that the authentication scheme for slice security is incomplete.
The first obtaining module includes: a first obtaining submodule, configured to obtain the slice security policy locally, or to obtain the slice security policy from the policy control entity.
Specifically, the first obtaining submodule includes: a first sending unit, configured to send a control policy request to the policy control entity, the control policy request containing the terminal identifier and the slice identifier; and a first receiving unit, configured to receive the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy containing the slice security policy.
Further, the slice security policy includes a terminal intra-slice authentication identifier, and the session management entity also includes: a first confirmation module, configured to confirm, before the intra-slice authentication request and the slice security policy are sent to the network slice authentication agent entity, that the slice security policy indicates that intra-slice authentication is to be performed on the terminal when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed.
Further, the session management entity also includes: a second receiving module, configured to receive, after the intra-slice authentication request and the slice security policy have been sent to the network slice authentication agent entity, the slice master key that the network slice authentication agent entity sends and that was generated after intra-slice authentication succeeded; and a second processing module, configured to perform a key derivation operation, according to preset rules, on the original slice master key and the slice master key generated after intra-slice authentication succeeded.
As can be seen from the above, the session management entity provided in this embodiment solves well the problem in the prior art that the authentication scheme for slice security is incomplete.
The implementation embodiments of the above intra-slice authentication method on the session management entity side apply equally to the embodiments of the session management entity and achieve the same technical effect.
Embodiment six
As shown in Figure 9, this embodiment provides a session management entity, comprising:
A processor 91, and a memory 93 connected to the processor 91 through a bus interface 92, the memory 93 being used to store the programs and data used by the processor 91 when performing operations; when the processor 91 calls and executes the programs and data stored in the memory 93, the following process is performed:
Obtaining the slice security policy upon receiving, through the transceiver 94, the session establishment instruction sent by the mobility management entity;
Sending, through the transceiver 94, the intra-slice authentication request and the slice security policy to the network slice authentication agent entity when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal.
The transceiver 94 is connected to the bus interface 92 and is used to send and receive data under the control of the processor 91.
It should be noted that in Figure 9 the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of one or more processors, represented by the processor 91, and of memory, represented by the memory 93. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 94 may be multiple elements, that is, it includes a transmitter and a transceiver, and provides a unit for communicating with various other devices over a transmission medium. The processor 91 is responsible for managing the bus architecture and general processing, and the memory 93 can store the data used by the processor 91 when performing operations.
Those skilled in the art will understand that all or some of the steps of the above embodiments can be implemented in hardware, or by a computer program instructing the relevant hardware; the computer program includes instructions for performing some or all of the steps of the above method, and may be stored in a readable storage medium, which may be any form of storage medium.
Many of the functional components described in this specification are referred to as modules/submodules/units, in order to emphasize more particularly the independence of their implementation.
In the embodiments of the present invention, modules/submodules/units may be implemented in software so as to be executed by various types of processors. For example, an identified module of executable code may include one or more physical or logical blocks of computer instructions, which may, for instance, be built as an object, procedure or function. Nevertheless, the executable code of an identified module need not be physically located together, but may include different instructions stored in different locations which, when joined logically together, constitute the module and achieve the stated purpose of the module.
In fact, an executable code module may be a single instruction or many instructions, and may even be distributed over several different code segments, among different programs, and across multiple memory devices. Similarly, operational data may be identified within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations (including over different storage devices), and may exist, at least partially, merely as electronic signals on a system or network.
When a module can be implemented in software, then, considering the level of existing hardware technology and leaving cost aside, those skilled in the art can also build corresponding hardware circuits to implement the corresponding functions for a module that can be implemented in software. The hardware circuits include conventional very-large-scale integration (VLSI) circuits or gate arrays, and existing semiconductors such as logic chips and transistors, or other discrete components. A module may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable logic arrays, programmable logic devices and the like.
The above are preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as within the protection scope of the present invention.

Claims (20)

1. A method for authentication within a network slice, applied to a network slice authentication agent entity, characterized by comprising:
Receiving an intra-slice authentication request and a slice security policy sent by a session management entity;
Performing an intra-slice authentication operation according to the intra-slice authentication request and the slice security policy;
Wherein the slice security policy is a policy indicating whether the intra-slice authentication operation is to be performed for a preset terminal and the parameter information used when performing the intra-slice authentication operation;
The slice security policy includes a terminal intra-slice authentication identifier, an authentication mode identifier and an authentication side address.
2. The method according to claim 1, characterized in that, when the authentication mode identifier indicates agent way, the step of performing the intra-slice authentication operation comprises:
Sending an authentication vector request to the corresponding authentication entity according to the authentication side address in the slice security policy;
Receiving the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
Performing intra-slice authentication with the corresponding terminal using the terminal authentication vector.
3. The method according to claim 1, characterized in that, when the authentication mode identifier indicates trunking scheme, the step of performing the intra-slice authentication operation comprises:
Establishing an association with the corresponding authentication entity according to the authentication side address in the slice security policy;
Forwarding, through the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform intra-slice authentication.
4. The method according to claim 2 or 3, characterized in that the authentication entity is an authentication server or a third-party authentication entity.
5. The method according to claim 1, characterized in that, after intra-slice authentication succeeds, the method further comprises:
Generating a slice master key;
Sending the slice master key to the session management entity.
6. A method for authentication within a network slice, applied to a session management entity, characterized by comprising:
Obtaining a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
Sending an intra-slice authentication request and the slice security policy to a network slice authentication agent entity when the slice security policy indicates that intra-slice authentication is to be performed on the corresponding terminal;
Wherein the slice security policy is a policy indicating whether the intra-slice authentication operation is to be performed for a preset terminal and the parameter information used when performing the intra-slice authentication operation;
The slice security policy includes a terminal intra-slice authentication identifier, an authentication mode identifier and an authentication side address.
7. The method according to claim 6, characterized in that the step of obtaining the slice security policy comprises:
Obtaining the slice security policy locally; or
Obtaining the slice security policy from a policy control entity.
8. The method according to claim 7, characterized in that the step of obtaining the slice security policy from the policy control entity comprises:
Sending a control policy request to the policy control entity, the control policy request containing a terminal identifier and a slice identifier;
Receiving the control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy containing the slice security policy.
9. The method according to claim 6, characterized in that, before the intra-slice authentication request and the slice security policy are sent to the network slice authentication agent entity, the method further comprises:
Confirming, when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed, that the slice security policy indicates that intra-slice authentication is to be performed on the terminal.
10. The method according to claim 6, characterized in that, after the intra-slice authentication request and the slice security policy are sent to the network slice authentication agent entity, the method further comprises:
Receiving the slice master key that the network slice authentication agent entity sends and that was generated after intra-slice authentication succeeded;
Performing a key derivation operation, according to preset rules, on the original slice master key and the slice master key generated after intra-slice authentication succeeded.
11. A network slice authentication agent entity, characterized by comprising:
A first receiving module, configured to receive an intra-slice authentication request and a slice security policy sent by a session management entity;
A first processing module, configured to perform an intra-slice authentication operation according to the intra-slice authentication request and the slice security policy;
Wherein the slice security policy is a policy indicating whether the intra-slice authentication operation is to be performed for a preset terminal and the parameter information used when performing the intra-slice authentication operation;
The slice security policy includes a terminal intra-slice authentication identifier, an authentication mode identifier and an authentication side address.
12. The network slice authentication agent entity according to claim 11, characterized in that, when the authentication mode identifier indicates agent way, the first processing module includes:
A first sending submodule, configured to send an authentication vector request to the corresponding authentication entity according to the authentication side address in the slice security policy;
A first receiving submodule, configured to receive the terminal authentication vector fed back by the authentication entity in response to the authentication vector request;
A first processing submodule, configured to perform intra-slice authentication with the corresponding terminal using the terminal authentication vector.
13. The network slice authentication agent entity according to claim 11, characterized in that, when the authentication mode identifier indicates trunking scheme, the first processing module includes:
A first establishing submodule, configured to establish an association with the corresponding authentication entity according to the authentication side address in the slice security policy;
A second processing submodule, configured to forward, through the association, the authentication information between the corresponding terminal and the authentication entity, so as to perform intra-slice authentication.
14. The network slice authentication agent entity according to claim 12 or 13, characterized in that the authentication entity is an authentication server or a third-party authentication entity.
15. The network slice authentication agent entity according to claim 11, characterized in that the network slice authentication agent entity further includes:
A first generation module, configured to generate a slice master key after intra-slice authentication succeeds;
A first sending module, configured to send the slice master key to the session management entity.
16. A session management entity, characterized by comprising:
a first obtaining module, configured to obtain a slice security policy upon receiving a session establishment instruction sent by a mobility management entity;
a second sending module, configured to send an intra-network-slice authentication request and the slice security policy to a network slice authentication proxy entity when the slice security policy indicates that intra-network-slice authentication is to be performed on the corresponding terminal;
wherein the slice security policy is a policy indicating whether to perform the intra-network-slice authentication operation for a preset terminal and the parameter information used when performing the intra-network-slice authentication operation;
the slice security policy comprises a terminal intra-slice authentication identifier, an authentication mode identifier and an authenticating party address.
17. The session management entity according to claim 16, characterized in that the first obtaining module comprises:
a first obtaining submodule, configured to obtain the slice security policy locally; or
to obtain the slice security policy from a policy control entity.
18. The session management entity according to claim 17, characterized in that the first obtaining submodule comprises:
a first sending unit, configured to send a control policy request to the policy control entity, the control policy request comprising a terminal identifier and a slice identifier;
a first receiving unit, configured to receive a control policy fed back by the policy control entity according to the terminal identifier and the slice identifier, the control policy comprising the slice security policy.
19. The session management entity according to claim 16, characterized in that the session management entity further comprises:
a first confirming module, configured to confirm, before the intra-network-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, and when the terminal intra-slice authentication identifier indicates that intra-slice authentication is to be performed, that the slice security policy indicates that intra-network-slice authentication is to be performed on the terminal.
20. The session management entity according to claim 16, characterized in that the session management entity further comprises:
a second receiving module, configured to receive, after the intra-network-slice authentication request and the slice security policy are sent to the network slice authentication proxy entity, the slice master key that is sent by the network slice authentication proxy entity and generated after the intra-network-slice authentication succeeds;
a second processing module, configured to perform, according to a preset rule, a diversification (scatter) operation on the original slice master key and the slice master key generated after the intra-network-slice authentication succeeds.
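An added sketch, not taken from the patent, of the flow that claims 11 to 20 describe: the session management entity reads the slice security policy, the proxy entity dispatches on the authentication mode identifier, and the returned slice master key is diversified with the original one. The HMAC challenge/response, the key labels, the class and function names and the diversification rule are assumptions; the claims name only the three policy fields, the two modes and "a preset rule".

```python
import hashlib, hmac, os
from dataclasses import dataclass

def prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

@dataclass(frozen=True)
class SlicePolicy:            # the three fields named in the claims
    auth_required: bool       # terminal intra-slice authentication identifier
    mode: str                 # authentication mode identifier: "proxy" or "relay"
    auth_address: str         # authenticating party address

class Terminal:               # constructed: holds a key shared with the entity
    def __init__(self, k): self.k = k
    def respond(self, rand): return prf(self.k, b"res", rand)

class AuthEntity:             # constructed stand-in reached via auth_address
    def __init__(self, k): self.k, self.pending = k, None
    def vector(self):         # proxy mode: challenge, expected response, slice key
        rand = os.urandom(16)
        return rand, prf(self.k, b"res", rand), prf(self.k, b"ksl", rand)
    def challenge(self):      # relay mode: the entity keeps its own challenge
        self.pending = os.urandom(16)
        return self.pending
    def verify(self, res):    # single use: the pending challenge is consumed
        rand, self.pending = self.pending, None
        if rand is None or not hmac.compare_digest(res, prf(self.k, b"res", rand)):
            return None
        return prf(self.k, b"ksl", rand)

def proxy_authenticate(policy, terminal, entities):
    entity = entities[policy.auth_address]      # KeyError on an unknown address
    if policy.mode == "proxy":                  # proxy checks the response itself
        rand, xres, key = entity.vector()
        ok = hmac.compare_digest(terminal.respond(rand), xres)
        return key if ok else None
    if policy.mode == "relay":                  # proxy only forwards messages
        rand = entity.challenge()
        return entity.verify(terminal.respond(rand))
    raise ValueError("unknown authentication mode")   # fail closed

def establish_session(policy, original_key, terminal, entities):
    if not policy.auth_required:
        return original_key                     # no intra-slice authentication
    new_key = proxy_authenticate(policy, terminal, entities)
    if new_key is None:
        raise PermissionError("intra-slice authentication failed")
    return prf(original_key, b"diversify", new_key)   # assumed preset rule
```

In proxy mode the proxy entity sees the expected response and the slice key before the terminal answers; in relay mode it learns the key only after the authentication entity has accepted the response.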
CN201710055047.1A 2017-01-24 2017-01-24 Internal network slice authentication method, slice authentication proxy entity, and session management entity Active CN108347729B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710055047.1A CN108347729B (en) 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity
PCT/CN2018/075604 WO2018137713A1 (en) 2017-01-24 2018-02-07 Internal network slice authentication method, slice authentication proxy entity, and session management entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710055047.1A CN108347729B (en) 2017-01-24 2017-01-24 Network is sliced interior method for authenticating, slice authentication agent entity and session management entity

Publications (2)

Publication Number Publication Date
CN108347729A CN108347729A (en) 2018-07-31
CN108347729B true CN108347729B (en) 2019-08-02

Family

ID=62962949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710055047.1A Active CN108347729B (en) 2017-01-24 2017-01-24 Internal network slice authentication method, slice authentication proxy entity, and session management entity

Country Status (2)

Country Link
CN (1) CN108347729B (en)
WO (1) WO2018137713A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110831249B (en) * 2018-08-13 2021-10-01 华为技术有限公司 Communication method and device
JP7261872B2 (en) * 2018-09-18 2023-04-20 オッポ広東移動通信有限公司 Method and apparatus for network slice authentication
CN111031571B (en) * 2018-10-09 2022-01-14 华为技术有限公司 Network slice access control method and device
CN111031538B (en) * 2018-10-09 2021-12-03 华为技术有限公司 Authentication method and device
ES2900513T3 (en) * 2019-04-01 2022-03-17 Ntt Docomo Inc Communication network components and methods for initiating segment-specific authentication and authorization
CN115835218A (en) * 2019-06-17 2023-03-21 华为技术有限公司 Secondary authentication method and device
CN114097261B (en) * 2019-06-24 2024-07-05 上海诺基亚贝尔股份有限公司 Dynamic allocation of network slice specific credentials
CN112291784B (en) * 2019-07-09 2022-04-05 华为技术有限公司 Communication method and network element
MX2022001926A (en) * 2019-08-15 2022-03-11 Huawei Tech Co Ltd Communication method and related devices.
CN114208111B (en) * 2019-08-18 2023-08-04 华为技术有限公司 Communication method, device and system
CN113746649B (en) * 2020-05-14 2022-12-06 华为技术有限公司 Network slice control method and communication device
CN113904781B (en) * 2020-06-20 2023-04-07 华为技术有限公司 Slice authentication method and system
CN117118841A (en) * 2020-06-28 2023-11-24 中兴通讯股份有限公司 Network slice connection management method, terminal and computer readable storage medium
CN112073969B (en) * 2020-09-07 2022-09-13 中国联合网络通信集团有限公司 5G network security protection method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104092668B (en) * 2014-06-23 2017-08-08 北京航空航天大学 A kind of reconfigurable network security service building method
JP6562434B2 (en) * 2015-06-01 2019-08-21 ホアウェイ・テクノロジーズ・カンパニー・リミテッド Systems and methods for virtualized functions in the control and data plane

Also Published As

Publication number Publication date
WO2018137713A1 (en) 2018-08-02
CN108347729A (en) 2018-07-31

Similar Documents

Publication Publication Date Title
CN108347729B (en) Internal network slice authentication method, slice authentication proxy entity, and session management entity
CN104205891B (en) Virtual SIM card cloud platform
CN111783068B (en) Device authentication method, system, electronic device and storage medium
US20050188219A1 (en) Method and a system for communication between a terminal and at least one communication equipment
CN110267270B (en) Identity authentication method for sensor terminal access edge gateway in transformer substation
CN107094127B (en) Processing method and device, and obtaining method and device of security information
JPWO2005101727A1 (en) Communication apparatus, communication system, and authentication method
EP4057658A1 (en) Machine-card verification method applied to minimalist network, and related device
JP2003188885A5 (en)
CN109218263A (en) A kind of control method and device
CN109890029B (en) Automatic network distribution method of intelligent wireless equipment
CN104270250A (en) WiFi Internet surfing connecting authentication method and system based on asymmetric full-process encryption
CN108234119B (en) Digital certificate management method and platform
CN107733652A (en) For sharing the method for unlocking and system and lock of the vehicles
CN106790080A (en) Secure communication of network method and apparatus between operation system and electronic certificate system
CN102868531A (en) Networked transaction certification system and method
CN109583154A (en) A kind of system and method based on Web middleware access intelligent code key
CN107846676A (en) Safety communicating method and system based on network section security architecture
CN102255904B (en) Communication network and terminal authentication method thereof
CN106790078A (en) Safety communicating method and device between a kind of SDK and electronic certificate system
WO2018076298A1 (en) Security capability negotiation method and related device
CN107135228B (en) Authentication system and authentication method based on central node
CN105828330A (en) Access method and access device
CN102202291B (en) Card-free terminal, service access method and system thereof, terminal with card and bootstrapping server function (BSF)
CN116599719A (en) User login authentication method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

TR01 Transfer of patent right

Effective date of registration: 20210604

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Patentee after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY