CN113286300B - Block chain-based network fragment authentication method, system, network element and storage medium - Google Patents


Info

Publication number: CN113286300B
Application number: CN202110534521.5A
Authority: CN (China)
Prior art keywords: result, single network, network, authentication, block chain
Prior art date:
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113286300A (en)
Inventor: 张伦泳
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Priority date:
Filing date:
Publication date:

Application filed by China United Network Communications Group Co Ltd
Priority to CN202110534521.5A
Publication of CN113286300A
Application granted
Publication of CN113286300B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00)
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure provides a block chain-based network slice authentication method, system, and access and mobility management function network element. The method comprises: receiving a registration request of a user terminal, wherein the registration request carries a single network slice identifier that requires network slice-specific authentication and authorization; and determining whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain, and if so, allowing or rejecting the use of the single network slice based on the first result. By using the synchronicity, tamper resistance and security of the block chain, each time the AMF receives a registration request of the UE it allows or rejects the single network slice according to the NSSAA result in the block chain, without frequently executing the NSSAA procedure, so that a service from which the UE was accidentally disconnected is quickly recovered and the user's terminal experience is improved.

Description

Block chain-based network fragment authentication method, system, network element and storage medium
Technical Field
The present disclosure relates to the field of block chain technologies, and in particular to a block chain-based network slice authentication method, a block chain-based network slice authentication system, an access and mobility management network element, and a computer-readable storage medium.
Background
The service subscription information of a 5G (fifth-generation mobile communication technology) network user includes an indication of whether authentication and authorization are required separately for a specific single network slice. The subscription information indicates the slices that need to be individually authenticated and authorized; when the user requests a corresponding service, in addition to completing the authentication and authorization operations when accessing the 5G network, the user also needs to perform an NSSAA (Network Slice-Specific Authentication and Authorization) procedure for those slices.
NSSAA is currently performed by the AMF (Access and Mobility Management Function). While the UE (User Equipment) remains in the registered (RM-REGISTERED) state, the AMF does not need to perform the NSSAA procedure again for a periodic registration update procedure or a mobility registration update procedure of the UE. However, due to poor radio signal quality, network management events, etc., the UE may enter the deregistered state, after which it must re-initiate the initial registration procedure. Since the AMF invokes the NSSAA procedure every time the UE initiates initial registration to the network (if the NSSAI (Network Slice Selection Assistance Information) included in the registration request contains an S-NSSAI that requires NSSAA), a service from which the UE was accidentally disconnected cannot be recovered quickly, which affects the user's terminal experience.
Disclosure of Invention
The present disclosure provides a block chain-based network slice authentication method, system, access and mobility management network element and computer-readable storage medium, which use the tamper resistance and synchronicity of a block chain to allow or reject a single network slice according to the NSSAA result in the block chain, without frequently performing the NSSAA procedure each time an AMF receives a registration request of a UE, so as to at least solve the above technical problems.
According to an aspect of the embodiments of the present disclosure, a block chain-based network slice authentication method is provided, including:
receiving a registration request of a user terminal, wherein the registration request carries a single network slice identifier that requires network slice-specific authentication and authorization; and
determining whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain, and if so, allowing or rejecting the use of the single network slice based on the first result.
In one embodiment, after determining whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain, and before allowing or rejecting the use of the single network slice based on the first result, the method further includes:
determining whether the first result exceeds a preset validity period, and if not, executing the step of allowing or rejecting the use of the single network slice based on the first result.
In one embodiment, after determining whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain, the method further includes:
if the first result does not exist in the block chain, executing the network slice-specific authentication and authorization procedure for the single network slice to obtain a second result of network slice-specific authentication and authorization for the single network slice; and
allowing or rejecting the use of the single network slice based on the second result.
In one embodiment, after executing the network slice-specific authentication and authorization procedure for the single network slice and obtaining the second result of network slice-specific authentication and authorization for the single network slice, the method further includes:
creating description information based on the second result, wherein the description information comprises the user identity identifier of the user terminal, the single network slice identifier, the second result and the validity period of the second result; and
signing the description information and sending it to the user terminal, so that the user terminal additionally signs the description information and sends it to the unified data management function network element, and the unified data management function network element additionally signs the description information again and broadcasts it to the block chain.
In one embodiment, after signing the description information and sending it to the user terminal, the method further includes:
determining whether update information from the user terminal on the validity period of the second result in the description information is received;
if so, re-executing the network slice-specific authentication and authorization procedure for the single network slice to obtain a third result of network slice-specific authentication and authorization for the single network slice;
generating new description information based on the update information on the validity period of the second result and the third result, wherein the new description information comprises the user identity identifier of the user terminal, the single network slice identifier, the third result and the update information on the validity period of the second result; and
signing the new description information and sending it to the user terminal, so that the user terminal additionally signs the new description information and sends it to the unified data management function network element, and the unified data management function network element additionally signs the new description information again and broadcasts it to the block chain.
According to another aspect of the embodiments of the present disclosure, a block chain-based network slice authentication system is provided, including:
a receiving module configured to receive a registration request of a user terminal, wherein the registration request carries a single network slice identifier that requires network slice-specific authentication and authorization;
a determining module configured to determine whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain; and
a first execution module configured to allow or reject the use of the single network slice based on the first result when the determining module determines that the first result exists.
In one embodiment, the determining module is further configured to determine, after determining whether the first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user equipment exists in the block chain, and before the first execution module allows or rejects the use of the single network slice based on the first result, whether the first result exceeds a preset validity period, and if not, to execute the step of allowing or rejecting the use of the single network slice based on the first result.
In one embodiment, the system further comprises:
a second execution module configured to execute the network slice-specific authentication and authorization procedure for the single network slice when the determining module determines that the first result does not exist in the block chain, obtain a second result of network slice-specific authentication and authorization for the single network slice, and allow or reject the use of the single network slice based on the second result.
According to another aspect of the embodiments of the present disclosure, an access and mobility management function network element is provided, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the block chain-based network slice authentication method.
According to still another aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, having a computer program stored thereon, where when the computer program is executed by a processor, the processor executes the block chain-based network slice authentication method.
The technical solution provided by the embodiments of the present disclosure can have the following beneficial effects:
The block chain-based network slice authentication method provided by the embodiments of the present disclosure receives a registration request of a user terminal, wherein the registration request carries a single network slice identifier that requires network slice-specific authentication and authorization; and determines whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain, and if so, allows or rejects the use of the single network slice based on the first result. By using the synchronicity, tamper resistance and security of the block chain, each time the AMF receives a registration request of the UE it allows or rejects the single network slice according to the NSSAA result in the block chain, without frequently executing the NSSAA procedure, so that a service from which the UE was accidentally disconnected is quickly recovered and the user's terminal experience is improved.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification; they illustrate embodiments of the disclosure and, together with the description, serve to explain the principles of the disclosure without limiting it.
Fig. 1 is a schematic flowchart of a block chain-based network slice authentication method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another block chain-based network slice authentication method according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another block chain-based network slice authentication method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a block chain-based network slice authentication system according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an access and mobility management function network element according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, specific embodiments of the present disclosure are described below in detail with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of explanation of the present disclosure, and have no specific meaning in themselves. Thus, "module", "component" or "unit" may be used mixedly.
Currently, the NSSAA method defined in the 5G specification TS 23.501 (R16) is completed by the AMF (Access and Mobility Management Function) invoking an EAP (Extensible Authentication Protocol) procedure. While the UE remains in the registered (RM-REGISTERED) state, the AMF does not need to perform the NSSAA procedure again for a periodic registration update procedure or a mobility registration update procedure of the UE.
However, due to factors such as poor radio signal quality and network management events, the UE may enter the deregistered (RM-DEREGISTERED) state. From the user's perspective this is unexpected: the user cannot predict the events that directly cause the UE to enter the deregistered state. The UE must then re-initiate the initial registration procedure. Each time the UE (User Equipment) initiates initial registration to the network, if the NSSAI (Network Slice Selection Assistance Information) included in the registration request contains an S-NSSAI (Single Network Slice Selection Assistance Information) that requires NSSAA, the AMF invokes the NSSAA procedure. In particular, if all the S-NSSAIs in the NSSAI requested by the UE need NSSAA, the AMF can only return an empty allowed NSSAI list to the UE and update the allowed NSSAI list after the NSSAA procedure for each S-NSSAI has completed. During this time, the terminal cannot use any service other than emergency services (e.g., calling the police).
This does not allow a UE that has accidentally entered the deregistered state to quickly recover the services it was previously using. Services that use a single network slice for which the subscription information requires separate authentication and authorization are generally important, and may even be paid services. Unexpected service disconnection without rapid recovery degrades the user's service experience.
To solve the above technical problem, an embodiment of the present disclosure proposes that, using block chain technology, for a registration request of a UE the AMF allows or rejects the use of an S-NSSAI according to the NSSAA execution result in the block chain, without needing to execute the NSSAA procedure frequently. Specifically, an authentication and authorization contract for a single network slice that requires separate authentication and authorization may be agreed between the UE and the network in the form of a smart contract, with a contract validity period; within that period the AMF does not have to perform the NSSAA procedure, whether for an initial registration procedure, a periodic registration update procedure or a mobility registration update procedure of the UE. A UE that accidentally enters the deregistered state can therefore quickly recover the accidentally disconnected service without waiting for the delay of the existing NSSAA procedure.
Referring to fig. 1, fig. 1 is a schematic flowchart of a block chain-based network slice authentication method applied to an AMF according to an embodiment of the present disclosure, where the method includes steps S101 to S103.
In step S101, a registration request of a user terminal is received, where the registration request carries a single network slice identifier that requires network slice-specific authentication and authorization.
The registration request of the user terminal may be a registration request sent to the network side in the initial registration procedure, or a registration request sent to the network side in a registration update procedure.
It can be understood that the single network slice identifier is the S-NSSAI (single network slice selection assistance information) of the slice, and the S-NSSAI of this embodiment is one that needs to execute the NSSAA procedure among the S-NSSAIs in the NSSAI requested by the user.
In step S102, it is determined whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user equipment exists in the block chain; if so, step S103 is performed, otherwise step S104 is performed.
In this embodiment, the result of the NSSAA procedure that the UE performed for an S-NSSAI is uploaded to the block chain. If the UE has already performed NSSAA for the S-NSSAI, the AMF obtains the NSSAA result of that S-NSSAI directly from the block chain instead of running the NSSAA procedure again.
In some embodiments, after step S101 and before step S102, the AMF first checks whether the NSSAA execution result for the S-NSSAI carried in the UE's registration request is saved locally; if not, step S102 is executed.
In step S103, the use of the single network slice is allowed or rejected based on the first result.
Specifically, the NSSAA result may be verification success or verification failure. If verification succeeded, the AMF may add the S-NSSAI to an "allowed list" so that the user terminal may use the S-NSSAI; otherwise it adds the S-NSSAI to a "rejected list" so that the user terminal may not use it.
It should be noted that if the NSSAI requested by the UE includes several S-NSSAIs that need to execute the NSSAA procedure, the AMF may determine for each S-NSSAI at the same time whether an NSSAA execution result exists in the block chain, and allow or reject the use of each S-NSSAI separately.
In step S104, the network slice-specific authentication and authorization procedure for the single network slice is performed, resulting in a second result of network slice-specific authentication and authorization for the single network slice.
In step S105, the use of the single network slice is allowed or rejected based on the second result.
Referring to fig. 2, fig. 2 is another block chain-based network slice authentication method provided by an embodiment of the present disclosure. Building on the previous embodiment, this embodiment takes into account a validity period for the NSSAA execution result of the S-NSSAI, so that the result is not used indefinitely. Specifically, after determining whether a first result of network slice-specific authentication and authorization for the single network slice corresponding to the single network slice identifier of the user terminal exists in the block chain (step S102), and before allowing or rejecting the use of the single network slice based on the first result (step S103), the method further includes step S201.
In step S201, it is determined whether the first result exceeds a preset validity period; if not, step S103 is executed to allow or reject the use of the single network slice based on the first result, otherwise step S104 is executed.
In some embodiments, if NSSAA has been performed for an S-NSSAI of the UE, the block chain node uploads the validity period together with the first result of the NSSAA when uploading it to the block chain, and the first result is valid only within that validity period.
It can be understood that although the block chain synchronizes updates and resists tampering, the information recorded in it can become outdated: for example, if the service subscription information of the UE changes, the current NSSAA execution result no longer applies. The present application therefore sets a validity period for the NSSAA result in the block chain to avoid indefinite use of the NSSAA execution result.
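The AMF-side decision of steps S101 to S105 together with the validity check of step S201, written out as an added Go example; it is not code from the patent or from any China Unicom implementation. The `ChainRecord` and `AMF` types, the local cache (the optional check between S101 and S102), the 24-hour default validity and the `RunNSSAA` callback, which stands in for the EAP-based NSSAA procedure the page describes, are all assumptions; the chain is a constructed in-memory snapshot rather than a real ledger.

```go
package main

import (
	"fmt"
	"time"
)

// NSSAAResult is the recorded outcome of a network slice-specific
// authentication and authorization run (the page's "first"/"second result").
type NSSAAResult string

const (
	Success NSSAAResult = "SUCCESS"
	Failure NSSAAResult = "FAILURE"
)

// ChainRecord models one entry on the block chain. The field set follows the
// description information on the page; the struct itself is an assumption.
type ChainRecord struct {
	SUPI       string // subscriber (UE) identity
	SNSSAI     string // single network slice identifier
	Result     NSSAAResult
	ValidUntil time.Time // validity period recorded with the result (S201)
}

// recordKey identifies a record by (SUPI, S-NSSAI).
type recordKey struct{ SUPI, SNSSAI string }

// AMF is a hypothetical access and mobility management function with a view
// of the chain, a local cache and a pluggable NSSAA procedure.
type AMF struct {
	Chain     map[recordKey]ChainRecord
	Cache     map[recordKey]ChainRecord
	RunNSSAA  func(supi, snssai string) NSSAAResult // EAP-based NSSAA, supplied by the caller
	NSSAARuns int                                   // how often the full procedure was needed
	CacheTTL  time.Duration                         // validity the AMF presets for a fresh result
}

// NewAMF builds an AMF over a constructed chain snapshot.
func NewAMF(chain []ChainRecord, run func(string, string) NSSAAResult) *AMF {
	a := &AMF{Chain: map[recordKey]ChainRecord{}, Cache: map[recordKey]ChainRecord{},
		RunNSSAA: run, CacheTTL: 24 * time.Hour}
	for _, r := range chain {
		a.Chain[recordKey{r.SUPI, r.SNSSAI}] = r
	}
	return a
}

// usable applies S201: a record counts only while its validity period has not passed.
func usable(r ChainRecord, ok bool, now time.Time) bool {
	return ok && now.Before(r.ValidUntil)
}

// Authorize decides one S-NSSAI of a registration request (steps S101-S105 plus S201).
// It returns true when the slice goes on the allowed list, false for the rejected list.
func (a *AMF) Authorize(supi, snssai string, now time.Time) bool {
	k := recordKey{supi, snssai}
	// Locally saved result first, as the page's optional check between S101 and S102.
	if r, ok := a.Cache[k]; usable(r, ok, now) {
		return r.Result == Success
	}
	// S102 + S201: a first result on the chain that is still within its validity period.
	if r, ok := a.Chain[k]; usable(r, ok, now) {
		a.Cache[k] = r
		return r.Result == Success // S103
	}
	// S104: no usable result, run the NSSAA procedure; S105: decide on the second result.
	res := a.RunNSSAA(supi, snssai)
	a.NSSAARuns++
	a.Cache[k] = ChainRecord{SUPI: supi, SNSSAI: snssai, Result: res, ValidUntil: now.Add(a.CacheTTL)}
	return res == Success
}

// AuthorizeAll handles every S-NSSAI that requires NSSAA in one request and
// returns the allowed and rejected lists, as the page describes for several slices.
func (a *AMF) AuthorizeAll(supi string, requested []string, now time.Time) (allowed, rejected []string) {
	for _, s := range requested {
		if a.Authorize(supi, s, now) {
			allowed = append(allowed, s)
		} else {
			rejected = append(rejected, s)
		}
	}
	return allowed, rejected
}

func main() {
	now := time.Date(2021, 5, 17, 12, 0, 0, 0, time.UTC)
	// Constructed chain snapshot: A is a valid success, B a valid failure, C an expired success.
	chain := []ChainRecord{
		{"supi-1", "slice-A", Success, now.Add(time.Hour)},
		{"supi-1", "slice-B", Failure, now.Add(time.Hour)},
		{"supi-1", "slice-C", Success, now.Add(-time.Minute)},
	}
	amf := NewAMF(chain, func(string, string) NSSAAResult { return Success })
	allowed, rejected := amf.AuthorizeAll("supi-1", []string{"slice-A", "slice-B", "slice-C"}, now)
	fmt.Println("allowed:", allowed, "rejected:", rejected, "NSSAA runs:", amf.NSSAARuns)
}
```

Only the expired record for slice-C triggers the full procedure; a second registration from the same UE is served entirely from the cache and the chain, which is the saving the page claims for a UE that re-registers after an unexpected deregistration.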
Referring to fig. 3, fig. 3 is a flowchart of a block chain-based network slice authentication method according to another embodiment of the present disclosure. Building on the above embodiment, after the AMF of this embodiment performs the NSSAA procedure, it generates description information containing the second result of the NSSAA and uploads the description information to the block chain, so that when the UE initiates a registration request again, any AMF may allow or reject the use of the corresponding S-NSSAI based on the second result in the block chain. Specifically, after executing the network slice-specific authentication and authorization procedure for the single network slice and obtaining the second result of network slice-specific authentication and authorization for the single network slice (i.e., step S104), the method further includes steps S301 and S302.
In step S301, description information is created based on the second result, where the description information includes the user identity identifier of the user equipment, the single network slice identifier, the second result and its validity period.
If several S-NSSAIs need to execute the NSSAA procedure, the description information may be created from the execution results of all of them, that is, the description information may include several sets of S-NSSAI execution results. Alternatively, in some embodiments, one description information record may be created for each S-NSSAI execution result; this disclosure does not limit this.
The validity period of the second result may be preset by the AMF and may be modified and updated; both the user terminal and a UDM (Unified Data Management function network element) on the network side may modify and update it.
In step S302, the description information is signed and sent to the user terminal, so that the user terminal additionally signs the description information and sends it to the unified data management function network element, and the unified data management function network element additionally signs the description information again and broadcasts it to the block chain.
In this embodiment, to ensure the security of the NSSAA execution result, the description information is valid only after it carries the signatures of the user terminal, the AMF and the UDM and has been broadcast to the block chain by the UDM (for the specific principle, see the signing step in the following embodiments). The UDM provides functions such as generating 3GPP AKA authentication credentials, processing user identification, de-concealment of privacy-protected subscriber identifiers (SUCI), subscription-data-based access authentication (e.g., roaming restrictions), NF registration management for the UE's serving functions (e.g., storing the serving AMF of the UE), and support for service/session continuity.
In some embodiments, when the second result is to be used, the AMF verifies the UDM signature and the UE signature to ensure the security of the second result. Correspondingly, the first result of step S102 has also gone through the above steps before being uploaded to the block chain, so it must be checked whether the first result carries the UDM signature and the UE signature; if so, the first result is determined to exist, otherwise the first result is deemed invalid and the subsequent step S103 is not performed.
In this process, the mobile network of this embodiment signs the authentication and authorization information that the UE obtained through the NSSAA procedure and sends the signed information to the UE. The UE decides for itself whether to broadcast it to the block chain. If the UE does broadcast the information to the block chain, it signs the information and sends it to the UDM. The UDM decides whether broadcasting to the block chain is required. Once the information is broadcast to the block chain, the mobile network will not perform the NSSAA procedure for the S-NSSAI and UE contained in the information during the validity period of the information.
Further, after uploading the second result to the block chain, the UE of this embodiment may modify and update the validity period in the description information, specifically, after signing and sending the description information to the user terminal (step S302), further include the following steps:
judging whether update information from the user terminal on the validity period of the second result in the description information is received;
if so, re-executing the network-slice-specific authentication and authorization process for the single network slice to obtain a third result of the network-slice-specific authentication and authorization of the single network slice;
generating new description information based on the update information on the validity period of the second result and the third result, wherein the new description information includes the user identity identifier of the user terminal, the single network slice identifier, the third result and the update information on the validity period of the second result; and
signing the new description information and sending it to the user terminal, so that the user terminal adds its signature to the new description information and sends it to the unified data management function network element, and the unified data management function network element adds its signature to the new description information again and broadcasts it to the block chain.
It should be noted that in this embodiment both the UE and the UDM may modify and update the validity period. Since the AMF does not know the UE's service subscription information, a validity-period update initiated by the UE requires the AMF to re-execute the NSSAA process in order to authenticate and authorize the slice information, whereas the UDM stores the service subscription information, so a modification or update initiated by the UDM does not require re-executing the NSSAA process.
On the basis of the foregoing embodiment, an embodiment of the present disclosure provides another block-chain-based network slice authentication method, which implements the technical solution of the present disclosure in the form of a smart contract comprising the following steps (1) to (7):
(1) The registration request of the UE includes an S-NSSAI that needs to execute the NSSAA process.
(2) The AMF checks whether the NSSAA execution result of the S-NSSAI carried in the UE's registration request is stored locally. If so, skip (3) to (6).
(3) The AMF checks whether description information D {GPSI, (S-NSSAI, RESULT), EXPIRATION-TIME} exists on the block chain in which GPSI matches the GPSI of the UE initiating the registration request, S-NSSAI matches the S-NSSAI in the registration request, and EXPIRATION-TIME has not yet been reached:
a) If it exists:
1. verify the UDM signature and the UE signature;
2. according to the value of RESULT, add the S-NSSAI to the corresponding list:
1) if RESULT is success, add the S-NSSAI to the "allow list";
2) if RESULT is failure, add the S-NSSAI to the "reject list";
3. skip step (3) b) and steps (4) to (7).
b) Otherwise, carry out (4) to (7).
It should be noted that the AMF here is the AMF serving the UE when the UE initiates the registration request, so it may be an AMF of the UE's home network or an AMF of a roaming network, whereas the UDM in (3) a) 1 always refers to the UDM of the UE's home network. Whether description information D generated while the UE was roaming remains valid after the UE returns to the home network, provided its validity period has not expired, is a matter of the operator's business policy. Similarly, whether description information D generated while the UE was in the home network remains valid after the UE enters a roaming network, provided its validity period has not expired, is also a matter of the operator's business policy. GPSI: Generic Public Subscription Identifier, i.e., the user identity identifier in this disclosure.
(4) The AMF executes the NSSAA process and, according to its execution result, creates description information D {GPSI_UE, (S-NSSAI, RESULT), EXPIRATION-TIME_UE&S-NSSAI}.
The value of EXPIRATION-TIME_UE&S-NSSAI set by the AMF may be based on the local policy of the AMF, or the AMF may query the PCF for the policy configured on the mobile communication network.
D may contain multiple groups or only one group of (S-NSSAI, RESULT). That is, several different S-NSSAIs and their authentication and authorization results may be written into one piece of description information D, or each piece of description information may include only one S-NSSAI and its result. The AMF may decide this based on local policy or on dynamic policy from the PCF (Policy Control Function). The UE may also (according to local policy or user settings) split a D containing several different S-NSSAIs and their results into several pieces, send them to the AMF, and then perform (5) to (7).
(5) The AMF signs D and sends D to the UE.
(6) The UE appends its signature to D and sends D to the UDM.
In this process, if the RESULT value in (4) is failure, the UE may choose not to send D to the UDM. That is, for an S-NSSAI whose NSSAA authentication and authorization failed, the UE chooses to perform NSSAA each time it makes an initial registration, so that the presence of D does not prevent the S-NSSAI authentication and authorization result from being updated.
(7) The UDM appends its signature to D and broadcasts D to the block chain.
Before broadcasting D to the block chain, the UDM may modify the value of EXPIRATION-TIME_UE&S-NSSAI, send the modified D to the AMF, and then perform (5) to (7) again. For example, after receiving D carrying the AMF and UE signatures from the UE, the UDM checks whether the UE's service subscription information has changed, and if such a change alters the authentication and authorization relationship of an S-NSSAI in D, it modifies the value of EXPIRATION-TIME_UE&S-NSSAI to eliminate that influence. The UDM may also choose not to broadcast D at all, in which case the existing standard procedure applies.
In some embodiments, the smart contract further comprises an update process for the description information D:
(1) The UE modifies the EXPIRATION-TIME_UE&S-NSSAI of a D on the block chain that is still valid for a certain S-NSSAI to an expected value EXPIRATION-TIME_renew, obtaining D_renew {GPSI_UE, (S-NSSAI, RESULT), EXPIRATION-TIME_renew}.
The UE may choose to update D automatically (in the background) while in idle state, so that D can always remain valid.
(2) The UE signs D_renew and sends it to the AMF.
(3) The AMF executes the NSSAA process for the S-NSSAI in D_renew and writes the execution result RESULT_renew into D_renew, obtaining D_renew {GPSI_UE, (S-NSSAI, RESULT_renew), EXPIRATION-TIME_renew}.
The AMF may modify the value of EXPIRATION-TIME_renew according to its local policy or the network-side policy queried from the PCF.
(4) The AMF signs D_renew and sends it to the UE.
(5) The UE appends its signature to D_renew and sends it to the UDM.
Accordingly, if the value of RESULT_renew in (4) is failure, the UE may choose not to sign D_renew and not to send it to the UDM.
(6) The UDM appends its signature to D_renew and broadcasts it to the block chain.
In particular, before broadcasting D_renew to the block chain, the UDM may modify EXPIRATION-TIME_renew, send the modified D_renew to the AMF, and then perform (4) to (6) again.
It should be noted that, according to the TS 23.501 Release 16 specification, the AAA (Authentication, Authorization and Accounting) server, the AMF and the other participants of the NSSAA process may, at any time and according to local policy or dynamic network policy, re-execute the NSSAA process for a certain S-NSSAI, and the result obtained may differ from the result recorded in a D that is still within its validity period. Likewise, the update procedure of the contract initiated by the UE may yield an NSSAA result for a certain S-NSSAI that differs from the one in the existing description information. In both cases, which result is applied is a matter of the operator's business policy and of whether the operator and the user have another agreement, which this embodiment does not limit. If such a conflict does occur, this embodiment does not prevent the UE and the AMF from performing the operations defined in the existing 5G specification. For example, if the RESULT of a certain S-NSSAI in the description information is success but re-executing the NSSAA procedure yields failure, the AMF may, as defined in the existing 5G specification, notify the UE to close the service sessions associated with that S-NSSAI.
For ease of understanding, this embodiment gives the following examples of the implementation of the smart contract described above. Example 1 concerns the initial registration of a user terminal:
(1) The GPSI of the UE is gpsi, and the registration request it initiates carries 4 S-NSSAIs: s-nssai_1, s-nssai_2, s-nssai_3 and s-nssai_4. Among them, s-nssai_2, s-nssai_3 and s-nssai_4 need to perform the NSSAA process.
(2) Since this is the initial registration, the AMF has no locally stored NSSAA execution result for the S-NSSAIs of the UE, so it continues with (3).
(3) The current time is time_0. The AMF checks the block chain and finds description information D_1 {gpsi, (s-nssai_2, success), expiration-time_1}, D_2 {gpsi, (s-nssai_3, failure), expiration-time_2} and D_3 {gpsi, (s-nssai_4, success), expiration-time_3}, where expiration-time_2 and expiration-time_3 are both before time_0, i.e. already expired.
a) D_1 is the description information satisfying the condition, therefore:
1. the AMF verifies that D_1 carries valid UDM and UE signatures;
2. s-nssai_2 is added to the allow list;
3. for s-nssai_3 and s-nssai_4, steps (4) to (7) of the smart contract above are executed.
(4) The AMF executes the NSSAA process for s-nssai_3 and s-nssai_4, and both results are success. It creates description information D_4 {gpsi, (s-nssai_3, success), (s-nssai_4, success), expiration-time_4}.
(5) The AMF signs D_4 and sends D_4 to the UE.
(6) The UE appends its signature to D_4 and sends D_4 to the UDM.
(7) The UDM appends its signature to D_4 and broadcasts D_4 to the block chain.
It should be noted that Example 1 describes the multiple S-NSSAIs included in one UE registration together in a single procedure, whereas the smart contract above is described for each S-NSSAI.
Further, on the basis of Example 1, Example 2 is provided:
(1) After receiving D_4 from the UE, the UDM finds that expiration-time_4 (e.g., 24:00 on the 1st of a month) is later than the effective time of the service change scheduled by the UE (e.g., 0:00 on the 1st of that month), so it modifies D_4 to D_5 {gpsi, (s-nssai_3, success), (s-nssai_4, success), expiration-time_5}, signs D_5 and sends it to the AMF. Here expiration-time_5 is before the effective time of the scheduled service change (e.g., 0:00 on the 1st of the month, or 1 second before that, i.e. 23:59:59 on the last day of the previous month).
(2) The AMF appends its signature to D_5 and sends D_5 to the UE.
(3) The UE appends its signature to D_5 and sends D_5 to the UDM.
(4) The UDM broadcasts D_5 to the block chain.
Further, on the basis of Example 1, Example 3 is provided:
(1) At step (6) of Example 1, the UE now considers that placing s-nssai_3 and s-nssai_4 in the same description information D_4 does not comply with its local policy (or with the user settings), and therefore splits D_4 into D_5 {gpsi, (s-nssai_3, success), expiration-time_4} and D_6 {gpsi, (s-nssai_4, success), expiration-time_4}. It then signs D_5 and D_6 separately and sends them to the AMF.
(2) The AMF appends its signature to D_5 and D_6 respectively, and then sends D_5 and D_6 to the UDM.
(3) The UDM appends its signature to D_5 and D_6 respectively, and then broadcasts D_5 and D_6 to the block chain.
Further, on the basis of Example 1, Example 4 is provided, in which the description information can be updated:
(1) The UE is in the RM-REGISTERED state and notices that D_1 on the block chain is about to expire, so according to its local policy it extends expiration-time_1 by 86400 seconds (i.e., 24 hours), obtaining expiration-time_6, and modifies D_1 to D_6 {gpsi, (s-nssai_2, success), expiration-time_6}.
(2) The UE signs D_6 and sends it to the AMF.
(3) The AMF executes the NSSAA process for s-nssai_2 in D_6 with result failure, and modifies D_6 to D_7 {gpsi, (s-nssai_2, failure), expiration-time_6}.
(4) The AMF signs D_7 and sends it to the UE.
(5) The UE finds that the RESULT in D_7 is failure and performs no subsequent operation.
Note that (1) the UE not performing the subsequent operation indicates that the UE wishes to maintain the success status of s-nssai_2 according to the smart contract on the block chain, and is concerned that description information with failure as the NSSAA result existing on the block chain would affect subsequent services. (2) However, as explained above regarding expiration, whether the mobile communication network maintains the success status of s-nssai_2 according to the smart contract on the block chain after D_1 expires may depend on the operator's business policy and on whether the operator has another agreement with the user.
Further, on the basis of Example 4, Example 5 is provided:
(1) At step (5) of Example 5, the UE finds that the RESULT in D_7 is failure, but still appends its signature to D_7 and sends it to the UDM.
(2) The UDM appends its signature to D_7 and broadcasts D_7 to the block chain.
It should be noted that the UE continuing with the subsequent operations indicates that the UE does not need to keep the success status of s-nssai_2, and is not concerned about the influence on subsequent services of description information with failure as the NSSAA result existing on the block chain.
Further, on the basis of Example 4, Example 6 is provided:
(1) At step (3) of Example 4, the AMF executes the NSSAA process for s-nssai_2 in D_6 with result success, and expiration-time_6 conflicts neither with the local policy nor with the dynamic policy from the PCF, so the AMF modifies D_6 to D_7 {gpsi, (s-nssai_2, success), expiration-time_6}.
(2) The AMF signs D_7 and sends it to the UE.
(3) The UE appends its signature to D_7 and sends it to the UDM.
(4) The UDM judges that expiration-time_6 causes no conflict, appends its signature to D_7 and broadcasts D_7 to the block chain.
On the other hand, for the periodic registration update or the mobility registration update of the user terminal, Example 7 is provided:
(1) The GPSI of the UE is gpsi, and the registration request it initiates carries 4 S-NSSAIs: s-nssai_1, s-nssai_2, s-nssai_3 and s-nssai_4. Among them, s-nssai_2, s-nssai_3 and s-nssai_4 need to perform the NSSAA process.
(2) The AMF has locally stored the NSSAA execution result success for s-nssai_2.
(3) For s-nssai_3 and s-nssai_4, steps (3) to (7) of the smart contract are executed.
It should be noted that Example 7 describes the multiple S-NSSAIs involved in one UE registration together within a single procedure, whereas the smart contract is described for each S-NSSAI.
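The contract steps (2) to (7) above, replayed on the data of Example 1, as an added example that is not part of the patent or of any 3GPP implementation. It assumes Ed25519 signatures over a JSON encoding of D, a plain slice standing in for the block chain, and that the newest broadcast is consulted first; the patent specifies none of these.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Description is D {GPSI, (S-NSSAI, RESULT)..., EXPIRATION-TIME}; Results maps each
// S-NSSAI to "success" or "failure", so one D may carry several pairs.
type Description struct {
	GPSI       string            `json:"gpsi"`
	Results    map[string]string `json:"results"`
	Expiration int64             `json:"expiration-time"` // Unix seconds
}

// SignedDescription is D together with the signature each role appended to it.
type SignedDescription struct {
	D          Description
	Signatures map[string][]byte
}

// payload is the canonical byte string all three roles sign; it covers GPSI, every
// (S-NSSAI, RESULT) pair and EXPIRATION-TIME, so none of them can be altered afterwards.
func (d Description) payload() []byte {
	b, _ := json.Marshal(d) // strings and ints only, cannot fail; map keys are emitted sorted
	return b
}

// Sign appends one role's Ed25519 signature over D.
func (s *SignedDescription) Sign(role string, key ed25519.PrivateKey) {
	s.Signatures[role] = ed25519.Sign(key, s.D.payload())
}

// Verify checks one role's signature with that role's public key.
func (s *SignedDescription) Verify(role string, pub ed25519.PublicKey) bool {
	sig, ok := s.Signatures[role]
	return ok && ed25519.Verify(pub, s.D.payload(), sig)
}

// Publish performs steps (5) to (7) in the required order: AMF signs D, UE appends, UDM appends
// and broadcasts. chain stands in for the block chain; it assumes UE and UDM both forward D.
func Publish(chain []SignedDescription, d Description, amfKey, ueKey, udmKey ed25519.PrivateKey) []SignedDescription {
	sd := SignedDescription{D: d, Signatures: map[string][]byte{}}
	sd.Sign("AMF", amfKey)
	sd.Sign("UE", ueKey)
	sd.Sign("UDM", udmKey)
	return append(chain, sd)
}

// lookup implements step (3) for one S-NSSAI: the newest unexpired D for this GPSI whose UDM
// and UE signatures both verify (step (3) a) 1) yields its RESULT. Newest-first is an assumption.
func lookup(chain []SignedDescription, gpsi, sn string, now time.Time, ueKey, udmKey ed25519.PublicKey) (string, bool) {
	for i := len(chain) - 1; i >= 0; i-- {
		sd := chain[i]
		if sd.D.GPSI != gpsi || sd.D.Expiration <= now.Unix() {
			continue // another subscriber, or EXPIRATION-TIME already reached
		}
		// A D lacking a valid UDM or UE signature is ignored rather than trusted.
		if r, ok := sd.D.Results[sn]; ok && sd.Verify("UDM", udmKey) && sd.Verify("UE", ueKey) {
			return r, true
		}
	}
	return "", false
}

// Decision is the AMF's outcome for one registration request.
type Decision struct {
	Allow, Reject []string // the "allow list" and "reject list" of step (3) a) 2
	Pending       []string // S-NSSAIs for which steps (4) to (7) must still run
}

// EvaluateRegistration applies steps (2) and (3) to every S-NSSAI in the request that
// needs NSSAA; local holds the results the AMF has stored itself.
func EvaluateRegistration(chain []SignedDescription, local map[string]string, gpsi string,
	snssais []string, now time.Time, ueKey, udmKey ed25519.PublicKey) Decision {
	var dec Decision
	for _, sn := range snssais {
		r, ok := local[sn] // step (2): a locally stored result is used directly
		if !ok {
			r, ok = lookup(chain, gpsi, sn, now, ueKey, udmKey) // step (3)
		}
		switch {
		case !ok:
			dec.Pending = append(dec.Pending, sn)
		case r == "success":
			dec.Allow = append(dec.Allow, sn)
		default:
			dec.Reject = append(dec.Reject, sn)
		}
	}
	return dec
}

func main() {
	// Example 1 replayed with constructed keys: D_1 (s-nssai2) is valid, D_2 and D_3 are expired.
	uePub, uePriv, _ := ed25519.GenerateKey(rand.Reader)
	udmPub, udmPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, amfPriv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Now()
	chain := Publish(nil, Description{"gpsi", map[string]string{"s-nssai2": "success"}, t0.Unix() + 3600}, amfPriv, uePriv, udmPriv)
	chain = Publish(chain, Description{"gpsi", map[string]string{"s-nssai3": "failure"}, t0.Unix() - 60}, amfPriv, uePriv, udmPriv)
	chain = Publish(chain, Description{"gpsi", map[string]string{"s-nssai4": "success"}, t0.Unix() - 60}, amfPriv, uePriv, udmPriv)
	fmt.Printf("%+v\n", EvaluateRegistration(chain, nil, "gpsi", []string{"s-nssai2", "s-nssai3", "s-nssai4"}, t0, uePub, udmPub))
}
```

Because all three signatures cover EXPIRATION-TIME, a validity period edited after signing (the update process of the contract) must be re-signed by every party before the AMF will honour it.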
Based on the same technical concept, an embodiment of the present disclosure correspondingly provides a block-chain-based network slice authentication system. As shown in Fig. 4, the system includes a receiving module 41, a judging module 42 and a first execution module 43, wherein:
the receiving module 41 is configured to receive a registration request of a user terminal, where the registration request carries a single network slice identifier for which network-slice-specific identity authentication and authorization is required;
the judging module 42 is configured to judge whether a first result of network-slice-specific authentication and authorization for the single network slice of the UE corresponding to the single network slice identifier exists in the block chain; and
the first execution module 43 is configured to allow or deny use of the single network slice based on the first result when the judging module judges that the first result exists.
In an embodiment, the judging module is further configured to, after judging whether the first result of network-slice-specific authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in the block chain and before the first execution module allows or denies use of the single network slice based on the first result, judge whether the first result has exceeded a preset validity period, and if not, proceed to allowing or denying use of the single network slice based on the first result.
In one embodiment, the system further comprises:
a second execution module configured to execute the network-slice-specific authentication and authorization process for the single network slice of the user terminal when the judging module judges that the first result does not exist in the block chain, obtain a second result of network-slice-specific authentication and authorization for the single network slice, and allow or deny use of the single network slice based on the second result.
Based on the same technical concept, an embodiment of the present disclosure further provides an access and mobility management function network element. As shown in Fig. 5, the access and mobility management function network element includes a memory 51 and a processor 52; a computer program is stored in the memory 51, and when the processor 52 runs the computer program stored in the memory, the processor executes the block-chain-based network slice authentication method.
Based on the same technical concept, an embodiment of the present disclosure correspondingly provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the processor executes the block-chain-based network slice authentication method.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present disclosure, and not for limiting the same; while the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A block-chain-based network slice authentication method, characterized in that the method is applied to an AMF and comprises the following steps:
receiving a registration request of a user terminal, wherein the registration request carries a single network slice identifier for which network-slice-specific identity authentication and authorization is required; and
judging whether a first result of network-slice-specific identity authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in the block chain, and if so, allowing or denying use of the single network slice based on the first result.
2. The method according to claim 1, wherein after judging whether the first result of network-slice-specific authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in the block chain, and before allowing or denying use of the single network slice based on the first result, the method further comprises:
judging whether the first result has exceeded a preset validity period, and if not, executing the step of allowing or denying use of the single network slice based on the first result.
3. The method according to claim 1, wherein after judging whether the first result of network-slice-specific authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in the block chain, the method further comprises:
if the first result does not exist in the block chain, executing the network-slice-specific authentication and authorization process for the single network slice to obtain a second result of network-slice-specific authentication and authorization for the single network slice; and
allowing or denying use of the single network slice based on the second result.
4. The method according to claim 3, wherein after executing the network-slice-specific authentication and authorization process for the single network slice and obtaining the second result of network-slice-specific authentication and authorization for the single network slice, the method further comprises:
creating description information based on the second result, wherein the description information comprises a user identity identifier of the user terminal, the single network slice identifier, the second result and a validity period of the second result; and
signing the description information and sending it to the user terminal, so that the user terminal adds its signature to the description information and sends it to the unified data management function network element, and the unified data management function network element adds its signature again to the description information and broadcasts it to the block chain.
5. The method according to claim 4, wherein after signing the description information and sending it to the user terminal, the method further comprises:
judging whether update information from the user terminal on the validity period of the second result in the description information is received;
if so, re-executing the network-slice-specific authentication and authorization process for the single network slice to obtain a third result of network-slice-specific authentication and authorization for the single network slice;
generating new description information based on the update information on the validity period of the second result and the third result, wherein the new description information comprises the user identity identifier of the user terminal, the single network slice identifier, the third result and the update information on the validity period of the second result; and
signing the new description information and sending it to the user terminal, so that the user terminal adds its signature to the new description information and sends it to the unified data management function network element, and the unified data management function network element adds its signature to the new description information again and broadcasts it to the block chain.
6. A block-chain-based network slice authentication system, applied to an AMF and comprising:
a receiving module configured to receive a registration request of a user terminal, wherein the registration request carries a single network slice identifier for which network-slice-specific identity authentication and authorization is required;
a judging module configured to judge whether a first result of network-slice-specific identity authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in a block chain; and
a first execution module configured to allow or deny use of the single network slice based on the first result when the judging module judges that the first result exists.
7. The system according to claim 6, wherein the judging module is further configured to, after judging whether the first result of network-slice-specific authentication and authorization for the single network slice of the user terminal corresponding to the single network slice identifier exists in the block chain and before the first execution module allows or denies use of the single network slice based on the first result, judge whether the first result has exceeded a preset validity period, and if not, execute the step of allowing or denying use of the single network slice based on the first result.
8. The system according to claim 6, further comprising:
a second execution module configured to execute the network-slice-specific authentication and authorization process for the single network slice when the judging module judges that the first result does not exist in the block chain, obtain a second result of network-slice-specific authentication and authorization for the single network slice, and allow or deny use of the single network slice based on the second result.
9. An access and mobility management function network element comprising a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the block-chain-based network slice authentication method according to any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, the processor executes the block-chain-based network slice authentication method according to any one of claims 1 to 5.
CN202110534521.5A 2021-05-17 2021-05-17 Block chain-based network fragment authentication method, system, network element and storage medium Active CN113286300B (en)
Publications (2)

Publication Number Publication Date
CN113286300A CN113286300A (en) 2021-08-20
CN113286300B true CN113286300B (en) 2023-01-17

Family

ID=77279542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110534521.5A Active CN113286300B (en) 2021-05-17 2021-05-17 Block chain-based network fragment authentication method, system, network element and storage medium

Country Status (1)

Country Link
CN (1) CN113286300B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115168872B (en) * 2022-09-07 2023-01-10 南方科技大学 Decentralized trust-based method for protecting TEE state continuity under public cloud

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450616A (en) * 2014-09-23 2016-03-30 中国电信股份有限公司 Terminal authentication method, trusted determination gateway, authentication server and system
CN112272181A (en) * 2020-10-26 2021-01-26 中国联合网络通信集团有限公司 Live broadcast method based on block chain, electronic equipment and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108476406A (en) * 2016-01-08 2018-08-31 Telefonaktiebolaget LM Ericsson (publ) Access control in a network including network fragments

Also Published As

Publication number Publication date
CN113286300A (en) 2021-08-20

Similar Documents

Publication Publication Date Title
US11223947B2 (en) Enhanced registration procedure in a mobile system supporting network slicing
RU2391796C2 (en) Limited access to functional sets of mobile terminal
US11638141B1 (en) Remote sim unlock (RSU) implementation using blockchain
CN112235798B (en) Method, terminal and newly added network element for redirecting to AMF in idle state
US8185936B1 (en) Automatic device-profile updates based on authentication failures
US10542433B2 (en) Connection establishment method, device, and system
US20190124512A1 (en) A method and an apparatus for publishing assertions in a distributed database of a mobile telecommunication network and for personalising internet-of-things devices
EP2466759B1 (en) Method and system for changing a selected home operator of a machine to machine equipment
US20180098219A1 (en) Securing access to vehicles
CN113841429B (en) Communication network component and method for initiating slice specific authentication and authorization
CN113286300B (en) Block chain-based network fragment authentication method, system, network element and storage medium
CN113498060B (en) Method, device, equipment and storage medium for controlling network slice authentication
WO2021196913A1 (en) Terminal parameter updating protection method and communication device
DK2698964T3 (en) Operation of a subscriber identity module
EP2745560B1 (en) Method for switching a subscription from a first mno to a second mno
CN112968868B (en) Service opening method and device
CN111464324A (en) Secure communication method, device and system
CN116250289A (en) Delivery method for network slice authentication authorization state
CN113498059B (en) Authentication and authorization result notification and processing method, equipment, device and medium thereof
CN113316144B (en) Wireless network access method, wireless access equipment and terminal equipment
CN110536295B (en) Initial access control method, device, terminal, smart card and storage medium
WO2020147509A1 (en) Method and device for capability report and key negotiation, terminal, communication device and system
CN115996377A (en) Slice authentication and authorization method and device, terminal and network equipment
GB2597915A (en) Network slice registration
GB2610352A (en) Network slice registration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant