CN113449286A - Method, system and equipment for safely checking S-NSSAI (S-NSSAI) sent by UE (user Equipment) - Google Patents


Publication number
CN113449286A
Authority
CN
China
Prior art keywords
nssai
authentication
user
amf
user equipment
Prior art date
Legal status
Granted
Application number
CN202110774784.3A
Other languages
Chinese (zh)
Other versions
CN113449286B (en)
Inventor
成荣
孙志伟
齐坤
韦凯
王隆杰
Current Assignee
Shenzhen Polytechnic
Original Assignee
Shenzhen Polytechnic
Application filed by Shenzhen Polytechnic
Priority to CN202110774784.3A
Publication of CN113449286A
Application granted
Publication of CN113449286B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133 Verifying human interaction, e.g., Captcha
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method, a system, equipment and a storage medium for safely verifying S-NSSAI sent by UE (user equipment), wherein the method comprises the following steps: the AMF generates an authentication request after receiving a registration request sent by the UE, wherein the authentication request comprises encrypted SUPI and S-NSSAI; sending the authentication request to the UDM, and processing the authentication request by the UDM to obtain SUPI and the decrypted S-NSSAI; judging whether the UE can use the slice corresponding to the S-NSSAI or not according to the SUPI, if so, determining a corresponding root key, generating an authentication vector, and sending the authentication vector and the S-NSSAI to the AMF; and after receiving the authentication vector and the S-NSSAI, the AMF judges whether the AMF can provide service for the S-NSSAI, if so, executes bidirectional authentication with the UE, and sends a registration acceptance message to the UE. The invention can safely carry the S-NSSAI through the first message sent by the UE, and can complete the verification of the S-NSSAI before AMF authenticates the UE, thereby efficiently realizing the purpose of the quick verification of the S-NSSAI and also meeting the purpose of the UE for quickly establishing slice connection and using slices.

Description

Method, system and equipment for safely checking S-NSSAI (S-NSSAI) sent by UE (user Equipment)
Technical Field
The invention belongs to the field of 5G communication safety, and particularly relates to a method, a system, equipment and a storage medium for safely checking S-NSSAI sent by UE.
Background
In 5G networks, the 3GPP (3rd Generation Partnership Project) standard introduces the concept of slicing. In the Release 15 standard, 3GPP defines three major slice types: eMBB (Enhanced Mobile Broadband), URLLC (Ultra-Reliable and Low-Latency Communication), and mMTC (Massive Machine Type Communication, for massive Internet of Things communication). Different slices have different network capabilities and characteristics and can be adapted to different services. For example, the eMBB slice can provide high-bandwidth service and is suitable for internet access or video services; the URLLC slice can provide low-latency, high-reliability service and is suitable for industrial control and similar scenarios. The characteristics of these slices are all realized through different scheduling of resources by the 5G network.
The 5G network defines various slicing capabilities that can serve different services or terminals. If the terminal wants to access these different slices, it needs to inform the 5G network which slices the UE (User Equipment) wants to access. In the standard, the UE sends an S-NSSAI (Single Network Slice Selection Assistance Information) to indicate to the 5G Network which Slice or slices the UE wants to access.
From a security point of view, if the UE sends the S-NSSAI in the clear or otherwise exposes it, an attacker can learn from the exposed S-NSSAI which slice service the UE wants to access. Therefore, when the UE sends the S-NSSAI to the network, the S-NSSAI requires confidentiality protection. If the S-NSSAI is sent only after NAS security is established, the continuity of the UE's use of the slicing service is affected.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a method, a system, equipment and a storage medium for securely verifying the S-NSSAI sent by a UE (user equipment), which meet the UE's need to quickly establish a slice connection and use slices, and which provide high security.
In order to solve the technical problems, the invention adopts the technical scheme that:
In a first aspect, the present invention provides a method for securely checking an S-NSSAI sent by a UE, where the method includes:
a first access mobility function AMF generating an authentication request after receiving a registration request sent by the user equipment UE, wherein the authentication request includes at least an encrypted user permanent identifier SUPI and S-NSSAI;
sending the authentication request to a user data management UDM, wherein the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI;
determining, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, and if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first access mobility function AMF;
and, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, the first access mobility function AMF determining whether it can provide service for the S-NSSAI, and if so, performing bidirectional authentication with the user equipment UE and sending a registration acceptance message to the user equipment UE.
In a second aspect, the present invention provides a method for securely checking an S-NSSAI sent by a UE, the method including:
sending a registration request to a first access mobility function, AMF, wherein the registration request comprises at least an encrypted S-NSSAI, a user permanent identifier, SUPI, and a message authentication code, MAC;
if the first access mobility function AMF can provide a service for the S-NSSAI, performing mutual authentication with the first access mobility function AMF, and receiving a registration acceptance message.
In a third aspect, the present invention provides a system for securely checking an S-NSSAI sent by a UE, where the system includes:
a sending module, configured so that a first access mobility function AMF generates an authentication request after receiving a registration request sent by the user equipment UE, wherein the authentication request includes at least an encrypted user permanent identifier SUPI and S-NSSAI;
a processing module, configured to send the authentication request to a user data management UDM, wherein the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI;
a generation module, configured to determine, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, and if so, to determine a corresponding root key, generate an authentication vector, and send the authentication vector and the S-NSSAI to the first access mobility function AMF;
an authentication module, configured so that the first access mobility function AMF, after receiving the authentication vector and the S-NSSAI, determines whether it can provide service for the S-NSSAI, and if so, performs bidirectional authentication with the user equipment UE and sends a registration acceptance message to the user equipment UE.
In a fourth aspect, the present invention provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method for security check of S-NSSAI sent by UE according to the first aspect.
In a fifth aspect, the present invention also provides a storage medium having a computer program stored thereon, which when executed by a processor, implements the steps of the method for security check of S-NSSAI sent by a UE according to the first aspect.
The invention provides a method for safely checking S-NSSAI sent by UE (user equipment), which comprises the following steps: the method comprises the steps that a first access mobility function AMF generates an authentication request after receiving a registration request sent by user equipment UE, wherein the authentication request at least comprises encrypted user permanent identifiers SUPI and S-NSSAI; sending the authentication request to a User Data Management (UDM), wherein the User Data Management (UDM) processes the authentication request to obtain the user permanent identifier (SUPI) and the decrypted S-NSSAI; judging whether the user equipment UE can use the slice corresponding to the S-NSSAI or not according to the user permanent identifier SUPI, if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first access mobility function AMF; and after receiving the authentication vector and the S-NSSAI, the AMF judges whether the AMF can provide service for the S-NSSAI, if so, executes bidirectional authentication with the UE, and sends a registration acceptance message to the UE. The invention can safely carry the S-NSSAI through the first message sent by the UE, and can complete the verification of the S-NSSAI before AMF authenticates the UE, thereby efficiently realizing the purpose of the quick verification of the S-NSSAI and also meeting the purpose of the UE for quickly establishing slice connection and using slices.
Drawings
The detailed structure of the invention is described below with reference to the accompanying drawings:
FIG. 1 is a flowchart illustrating a method for securely checking S-NSSAI transmitted by a UE according to the present invention;
FIG. 2 is a sub-flowchart of the method for securely checking the S-NSSAI transmitted by the UE according to the present invention;
FIG. 3 is a schematic view of another sub-flow of the method for securely checking S-NSSAI transmitted by UE according to the present invention;
FIG. 4 is a schematic view of another sub-flow of the method for securely checking S-NSSAI transmitted by UE according to the present invention;
FIG. 5 is a schematic view of another sub-flow of the method for securely checking S-NSSAI transmitted by UE according to the present invention;
FIG. 6 is a schematic view of another sub-flow of the method for securely checking S-NSSAI transmitted by UE according to the present invention;
FIG. 7 is a block diagram of an apparatus for security verification of S-NSSAI sent by UE according to the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1, fig. 1 is a schematic flow chart illustrating a method for securely verifying an S-NSSAI sent by a UE in an embodiment of the present application, where the method includes:
step 101, the first access mobility function AMF generates an authentication request after receiving a registration request sent by the user equipment UE, where the authentication request at least includes encrypted user permanent identifiers SUPI and S-NSSAI.
In this embodiment, the user equipment UE sends a registration request to a first access mobility function AMF (Access and Mobility Management Function). The registration request includes a user hidden identifier SUCI (Subscription Concealed Identifier), which is the ciphertext of the user permanent identifier SUPI (Subscription Permanent Identifier) encrypted with a public key. The registration request also includes the encrypted S-NSSAI, which is the slice information that the user equipment UE wants to access. When the first access mobility function AMF receives the registration request sent by the user equipment UE, it generates an authentication request.
Step 102, sending the authentication request to a user data management UDM, where the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI.
In this embodiment, after the first access mobility function AMF generates the authentication request, the authentication request is first sent to an authentication server function AUSF (Authentication Server Function), and the authentication server function AUSF sends the authentication request to the user data management UDM. After receiving the authentication request, the user data management UDM processes the data in it to obtain the decrypted user permanent identifier SUPI and S-NSSAI.
Step 103, determining whether the UE can use the slice corresponding to the S-NSSAI according to the SUPI, if so, determining a corresponding root key, generating an authentication vector, and sending the authentication vector and the S-NSSAI to the AMF.
In this embodiment, the user data management UDM determines, according to the user persistent identifiers SUPI and S-NSSAI obtained after decryption, whether the user equipment UE can use the slice corresponding to S-NSSAI through the user persistent identifier SUPI, and if the user equipment UE can use the slice corresponding to S-NSSAI, the user data management UDM generates a corresponding root key according to the user persistent identifier SUPI, generates an authentication vector, and sends the generated authentication vector and S-NSSAI to the authentication server function AUSF, which then sends the received authentication vector and S-NSSAI to the first access mobility function AMF.
Step 104, after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether the first access mobility function AMF can provide a service for the S-NSSAI, and if so, performs bidirectional authentication with the user equipment UE and sends a registration acceptance message to the user equipment UE.
In this embodiment, after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether the first access mobility function AMF can provide a service for a slice corresponding to the S-NSSAI, and if the first access mobility function AMF can provide the service, the first access mobility function AMF performs bidirectional authentication with the UE, and the authentication server function AUSF also performs bidirectional authentication with the UE.
The embodiment of the application provides a method for safely verifying S-NSSAI sent by UE (user equipment), which comprises the following steps: the method comprises the steps that a first access mobility function AMF generates an authentication request after receiving a registration request sent by user equipment UE, wherein the authentication request at least comprises encrypted user permanent identifiers SUPI and S-NSSAI; sending the authentication request to a User Data Management (UDM), wherein the User Data Management (UDM) processes the authentication request to obtain the user permanent identifier (SUPI) and the decrypted S-NSSAI; judging whether the user equipment UE can use the slice corresponding to the S-NSSAI or not according to the user permanent identifier SUPI, if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first access mobility function AMF; and after receiving the authentication vector and the S-NSSAI, the AMF judges whether the AMF can provide service for the S-NSSAI, if so, executes bidirectional authentication with the UE, and sends a registration acceptance message to the UE. The invention can safely carry the S-NSSAI through the first message sent by the UE, and can complete the verification of the S-NSSAI before AMF authenticates the UE, thereby efficiently realizing the purpose of the quick verification of the S-NSSAI and also meeting the purpose of the UE for quickly establishing slice connection and using slices.
Further, referring to fig. 2, fig. 2 is a schematic sub-flow diagram of a method for securely checking an S-NSSAI sent by a UE in an embodiment of the present application, where the determining, according to the SUPI, whether the UE can use a slice corresponding to the S-NSSAI, and if yes, determining a corresponding root key and generating an authentication vector specifically includes:
step 201, determining whether the user equipment UE can use the slice corresponding to the S-NSSAI according to subscription information corresponding to the user permanent identifier SUPI, where the subscription information includes all slice information allowed to be used by the user equipment UE;
step 202, if yes, determining the corresponding root key according to the user permanent identifier SUPI through the user data management UDM, and generating the authentication vector.
In this embodiment, the user data management UDM determines whether the user equipment UE can use the slice corresponding to the S-NSSAI according to subscription information corresponding to the user permanent identifier SUPI, where the subscription information includes all slice information allowed to be used by the user equipment UE, that is, the user data management UDM compares all slice information available for the user equipment UE with slice information desired to be accessed by the user equipment UE, and determines that the user equipment UE can use the slice corresponding to the S-NSSAI if the slice information desired to be accessed by the user equipment UE is in the slice information available for the user equipment UE, and then determines a corresponding root key according to the user permanent identifier SUPI, and generates an authentication vector.
Further, referring to fig. 3, fig. 3 is a schematic view of another sub-flow of a method for securely checking an S-NSSAI sent by a UE in this embodiment of the present application, where in this embodiment, the user data management UDM processes the authentication request to obtain a message authentication code MAC, and the determining, by the user data management UDM, the corresponding root key according to the user permanent identifier SUPI and generating the authentication vector further includes:
step 301, checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI;
step 302, if correct, generating the authentication vector, and if wrong, sending a registration rejection message to the user equipment UE.
In this embodiment, the registration request includes a user hidden identifier SUCI obtained by encrypting the user permanent identifier SUPI, and the user hidden identifier SUCI further includes a message authentication code MAC. The message authentication code MAC is calculated from the root key K shared between the user equipment UE and the user data management UDM: MAC = KDF(K, S-NSSAI), where the KDF (key derivation function) may be HMAC-SHA256, which is not limited herein. The user data management UDM processes the user hidden identifier SUCI to obtain the message authentication code MAC, then determines the root key K according to the user permanent identifier SUPI and verifies the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the message authentication code MAC is correct, the steps continue and the authentication vector is generated. If the message authentication code MAC is wrong, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF forwards the rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration rejection message to the user equipment UE.
Further, referring to fig. 4, fig. 4 is a schematic view of another sub-flow of a method for securely checking an S-NSSAI sent by a UE in the embodiment of the present application, where in the embodiment, the checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI specifically includes:
step 401, the user data management UDM determines the root key according to the user permanent identifier SUPI, and obtains a verification message authentication code MAC based on the root key and the S-NSSAI;
step 402, comparing the verification message authentication code MAC with the message authentication code obtained by the user data management UDM, and verifying the correctness of the message authentication code.
In this embodiment, the user data management UDM decrypts the user hidden identifier SUCI to obtain the user permanent identifier SUPI and determines the corresponding root key according to the user permanent identifier. The message authentication code MAC is calculated as MAC = KDF(K, S-NSSAI), where K is the root key and the KDF (key derivation function) can be HMAC-SHA256, etc. The user data management UDM computes a verification message authentication code MAC from the root key K and the S-NSSAI, and it also obtains the message authentication code MAC when it decrypts the user hidden identifier SUCI. It then compares the verification message authentication code MAC with the message authentication code MAC: if the two are the same, the message authentication code MAC is correct; if they differ, the message authentication code MAC is wrong.
Further, after receiving the authentication vector and the S-NSSAI, the determining, by the first access mobility function AMF, whether the first access mobility function AMF can provide service for the S-NSSAI further includes:
if not, switching a second access mobility function AMF capable of providing service for the S-NSSAI, executing bidirectional authentication with the user equipment UE, and sending a registration acceptance message to the user equipment UE.
In this embodiment, the authentication vector that the first access mobility function AMF receives together with the S-NSSAI further includes authentication parameters; after receiving the S-NSSAI sent by the authentication server function AUSF, the first access mobility function AMF determines whether it can provide service for the slice corresponding to the S-NSSAI, and if it can, execution continues with the next step.
Further, the determining whether the user equipment UE can use the slice corresponding to the S-NSSAI according to the user permanent identifier SUPI further includes:
and if not, sending a registration rejection message to the user equipment UE.
In this embodiment, the user data management UDM determines whether the user equipment UE can use the slice corresponding to the S-NSSAI according to the subscription information corresponding to the user permanent identifier SUPI, where the subscription information includes all slice information allowed to be used by the user equipment UE, that is, the user data management UDM compares all slice information available to the user equipment UE with the slice information desired to be accessed by the user equipment UE, if the slice information desired to be accessed by the user equipment UE is not in the slice information available to the user equipment UE, the user data management UDM sends a reject message to the authentication server function AUSF, the authentication server function AUSF receives the reject message and then sends the reject message to the first access mobility function AMF, and the first access mobility function AMF sends the registration reject message to the user equipment UE, where the reject message carries a reject indication, indicating that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Further, the registration request includes a user hidden identifier SUCI obtained by encrypting the user permanent identifier SUPI, and the user hidden identifier further includes a first indication, which informs the network that the user hidden identifier SUCI carries the S-NSSAI. When the user data management UDM decrypts the user hidden identifier SUCI in the authentication request, it obtains the user permanent identifier SUPI, the S-NSSAI, the message authentication code MAC, and the first indication. When the user data management UDM obtains the first indication, it determines from the first indication that the user hidden identifier includes the S-NSSAI and decides to check the S-NSSAI; if the first indication is not detected, the authentication request received by the user data management UDM does not include the S-NSSAI.
Further, the authentication server function AUSF and the first access mobility function AMF or the second access mobility function AMF perform bidirectional authentication with the user equipment UE. After the authentication server function AUSF has verified the user equipment UE, it sends the user permanent identifier SUPI to the corresponding first access mobility function AMF or second access mobility function AMF. That access mobility function AMF establishes a non-access stratum NAS (Non-Access Stratum) security protection mechanism with the user equipment UE and then sends a registration acceptance message to the user equipment UE.
In this embodiment, the specific steps in the embodiment of the present application are as follows:
First, the user equipment UE sends a registration request to the first access mobility function AMF. The registration request carries a user hidden identifier SUCI, which is the encrypted form of the user permanent identifier SUPI. The user hidden identifier SUCI also encapsulates or encrypts the S-NSSAI, which is the slice information that the user equipment UE wants to access. A message authentication code MAC is further encapsulated in the user hidden identifier SUCI; it is calculated from the root key K shared between the user equipment UE and the user data management UDM as MAC = KDF(K, S-NSSAI), where the KDF (key derivation function) can be HMAC-SHA256, etc. The user hidden identifier SUCI may also include a first indication to tell the network that the SUCI carries the S-NSSAI.
Second, the first access mobility function AMF sends an authentication request to the authentication server function AUSF. The authentication request also carries the user hidden identifier SUCI and may also include the first indication.
Third, the authentication server function AUSF sends the user hidden identifier SUCI and the first indication to the user data management UDM.
Fourth, the user data management UDM decrypts the user hidden identifier SUCI to obtain the user permanent identifier SUPI and the S-NSSAI, and determines, according to the subscription information corresponding to the user permanent identifier SUPI, whether the user equipment UE is allowed to use the slice corresponding to the S-NSSAI. Here, the subscription information includes all slice information that the user equipment UE is allowed to use. If the user equipment UE is allowed to use the slice corresponding to the S-NSSAI, the user data management UDM determines the corresponding root key K according to the user permanent identifier SUPI and generates an authentication vector. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF; the authentication server function AUSF sends a rejection message to the first access mobility function AMF; and the first access mobility function AMF sends a registration rejection message to the user equipment UE. The rejection message carries a reject indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Fifth, the user data management UDM receives the message authentication code MAC, determines the root key K according to the user permanent identifier SUPI, and verifies the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the verification succeeds, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF; the authentication server function AUSF sends a rejection message to the first access mobility function AMF; and the first access mobility function AMF sends a registration rejection message to the user equipment UE. The user data management UDM also receives the first indication, determines from the first indication that the user hidden identifier SUCI includes S-NSSAI information, and decides to perform the check on the S-NSSAI.
Sixth, the user data management UDM sends an authentication vector to the authentication server function AUSF, and also sends the user permanent identifier SUPI and the S-NSSAI. The authentication server function AUSF sends to the first access mobility function AMF an authentication vector, which includes authentication parameters (e.g. RAND and AUTN), together with the S-NSSAI. The first access mobility function AMF receives the S-NSSAI sent by the authentication server function AUSF and determines whether it is allowed to provide service for the slice corresponding to the S-NSSAI. If it can provide the service, execution continues. If not, the first access mobility function AMF is switched to the second access mobility function AMF. For example, the first access mobility function AMF is configured to be allowed to serve slice 1 but not slice 2; if the S-NSSAI corresponds to slice 2, the first access mobility function AMF needs to hand over to a second access mobility function AMF capable of serving the S-NSSAI.
Seventh, the authentication server function AUSF and the first access mobility function AMF or the second access mobility function AMF perform bidirectional authentication with the user equipment UE. After the authentication server function AUSF has verified the user equipment UE, it sends the user permanent identifier SUPI to the corresponding first access mobility function AMF or second access mobility function AMF. That access mobility function AMF establishes a non-access stratum NAS (Non-Access Stratum) security protection mechanism with the user equipment UE and sends a registration acceptance message to the user equipment UE. The access mobility function AMF that performs the mutual authentication with the user equipment UE is an access mobility function AMF that can provide the slicing service for the S-NSSAI.
Example 2
Referring to fig. 5, fig. 5 is a schematic sub-flowchart of a method for securely verifying an S-NSSAI sent by a UE in an embodiment of the present application, where the first access mobility function AMF sends a slice list supported by the first access mobility function AMF to the user data management UDM, and the determining, according to the user permanent identifier SUPI, whether the user equipment UE can use a slice corresponding to the S-NSSAI, if yes, determining a corresponding root key, and generating an authentication vector further includes:
step 501, according to the slice list supported by the first access mobility function AMF and the S-NSSAI, determining whether the first access mobility function AMF can provide a slice service for the S-NSSAI, and obtaining a check result;
step 502, if the verification result is correct, generating the authentication vector, and if the verification result is wrong, sending a registration rejection message to the user equipment UE.
In this embodiment, the registration request includes a user hidden identifier SUCI obtained by encrypting the user permanent identifier SUPI, and the user hidden identifier SUCI includes a first indication used to inform the network that the SUCI carries the S-NSSAI. When the first access mobility function AMF receives the first indication, it sends the slice list that it supports to the user data management UDM. If the fact that the first access mobility function AMF sends its supported slice list is itself enough to determine that the user hidden identifier SUCI includes the S-NSSAI, the first indication no longer needs to be sent.
In this embodiment, when the user data management UDM has the slice list supported by the first access mobility function AMF and the decrypted S-NSSAI, it determines whether the first access mobility function AMF can provide a slice service for the S-NSSAI and obtains a check result. If the check result is correct, the first access mobility function AMF can provide the slice service for the S-NSSAI, and the next step is performed. If the check result is incorrect, the first access mobility function AMF cannot provide the slice service for the S-NSSAI: the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF forwards the rejection message to the first access mobility function AMF, and the first access mobility function AMF sends the rejection message to the user equipment UE. The rejection message carries a rejection indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Further, after receiving the authentication vector and the S-NSSAI, the determining, by the first access mobility function AMF, whether the first access mobility function AMF can provide a service for the S-NSSAI further includes:
and judging whether the first access mobility function AMF can provide service for the S-NSSAI or not according to the checking result.
In this embodiment, after receiving the check result, the first access mobility function AMF determines whether the first access mobility function AMF can provide a service for the slice corresponding to the S-NSSAI, and if the service can be provided, continues to perform the following steps, and if the service cannot be provided, switches the first access mobility function AMF to the second access mobility function AMF.
In this embodiment, the specific steps in the embodiment of the present application are as follows:
First, the user equipment UE sends a registration request to the first access mobility function AMF. The registration request carries a user hidden identifier SUCI, which is the encrypted form of the user permanent identifier SUPI. The S-NSSAI, which is the slice information that the user equipment UE wants to access, is also encapsulated or encrypted in the user hidden identifier SUCI. A message authentication code MAC is further encapsulated in the user hidden identifier SUCI; it is calculated based on the root key K shared between the user equipment UE and the user data management UDM, as MAC = KDF(K, S-NSSAI), where the KDF (key derivation function) can be HMAC-SHA256 or the like. The user hidden identifier SUCI may also include a first indication that tells the network that the SUCI carries the S-NSSAI.
Second, the first access mobility function AMF sends an authentication request to the authentication server function AUSF; the request also carries the user hidden identifier SUCI. If the first access mobility function AMF determines from the first indication that the user hidden identifier SUCI carries the S-NSSAI, it also sends the slice list that it supports. The request may also include the first indication; the first indication does not need to be sent if the authentication server function AUSF can determine that the user hidden identifier SUCI includes the S-NSSAI from the fact that the first access mobility function AMF sends its supported slice list.
Third, the authentication server function AUSF sends the user hidden identifier SUCI to the user data management UDM, together with the slice list supported by the first access mobility function AMF. It may also include the first indication; the first indication does not need to be sent if the user data management UDM can determine that the user hidden identifier SUCI includes the S-NSSAI from the fact that the first access mobility function AMF sends its supported slice list.
Fourth, the user data management UDM receives the slice list supported by the first access mobility function AMF, decrypts the user hidden identifier SUCI to obtain the user permanent identifier SUPI and the S-NSSAI, and determines, according to the subscription information corresponding to the user permanent identifier SUPI, whether the user equipment UE is allowed to use the slice corresponding to the S-NSSAI. Here, the subscription information includes all slice information that the user equipment UE is allowed to use. If the user equipment UE is allowed to use the slice corresponding to the S-NSSAI, the user data management UDM determines the corresponding root key K according to the user permanent identifier SUPI and generates an authentication vector. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration rejection message to the user equipment UE. The rejection message carries a rejection indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Fifth, the user data management UDM determines, according to the received slice list supported by the first access mobility function AMF and the S-NSSAI obtained by decryption, whether the first access mobility function AMF is allowed to provide service for the slice corresponding to the S-NSSAI, and determines a check result. If the check succeeds, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration rejection message to the user equipment UE.
Sixth, after receiving the message authentication code MAC, the user data management UDM determines the root key K according to the user permanent identifier SUPI and verifies the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the verification succeeds, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration rejection message to the user equipment UE. When the user data management UDM receives the first indication, it determines from the first indication that the user hidden identifier SUCI includes S-NSSAI information and decides to perform the check on the S-NSSAI.
Seventh, the user data management UDM sends the authentication vector to the authentication server function AUSF, together with the user permanent identifier SUPI, the S-NSSAI and the check result. The authentication server function AUSF sends to the first access mobility function AMF the authentication vector, which includes authentication parameters (e.g. RAND and AUTN), together with the S-NSSAI and the check result, and the first access mobility function AMF receives the S-NSSAI and the check result sent by the authentication server function AUSF. The first access mobility function AMF determines from the check result whether it is allowed to provide service for the slice corresponding to the S-NSSAI. If the check result indicates a pass, the first access mobility function AMF continues execution; if the check result indicates that it cannot provide service for the S-NSSAI, a switch is triggered to another, second access mobility function AMF that is capable of serving the S-NSSAI.
Eighth, the authentication server function AUSF, the first access mobility function AMF or the second access mobility function AMF, and the user equipment UE perform bidirectional authentication. After the authentication server function AUSF has verified the user equipment UE, it sends the user permanent identifier SUPI to the corresponding first access mobility function AMF or second access mobility function AMF; a non-access stratum (NAS) security protection mechanism is established between that access mobility function AMF and the user equipment UE; and that access mobility function AMF sends a registration acceptance message to the user equipment UE. The access mobility function AMF that performs the bidirectional authentication with the user equipment UE is an access mobility function AMF that can provide a slice service for the S-NSSAI.
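The UDM-side checks in the step lists of Example 1 and Example 2 (subscription check, optional check against the first AMF's slice list, MAC verification) can be sketched as follows. This is an added illustration, not code from the patent: SUCI decryption is assumed to have already produced the SUPI, S-NSSAI and MAC, HMAC-SHA256 is used as the KDF, and the subscriber table, the byte encoding of the S-NSSAI, and all names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Decision(Enum):
    ACCEPT = "generate authentication vector"
    REJECT_NOT_SUBSCRIBED = "UE is not allowed to use this slice"
    REJECT_AMF_CANNOT_SERVE = "first AMF does not support this slice"
    REJECT_BAD_MAC = "MAC verification failed"


@dataclass(frozen=True)
class Subscriber:
    root_key: bytes                    # K, shared between UE and UDM
    allowed_slices: FrozenSet[bytes]   # subscription information


def compute_mac(root_key: bytes, s_nssai: bytes) -> bytes:
    """MAC = KDF(K, S-NSSAI), with HMAC-SHA256 chosen as the KDF."""
    return hmac.new(root_key, s_nssai, hashlib.sha256).digest()


def udm_check(db: Dict[str, Subscriber], supi: str, s_nssai: bytes,
              mac: bytes,
              amf_slices: Optional[FrozenSet[bytes]] = None) -> Decision:
    """Run the UDM checks on the fields recovered from a decrypted SUCI.

    amf_slices is the slice list of the first AMF (Example 2 only);
    pass None to model Example 1, where the AMF checks this itself later.
    """
    sub = db.get(supi)
    # Subscription check. Treating an unknown SUPI as "not subscribed"
    # is an assumption of this example.
    if sub is None or s_nssai not in sub.allowed_slices:
        return Decision.REJECT_NOT_SUBSCRIBED
    # Example 2, fifth step: can the first AMF serve the requested slice?
    if amf_slices is not None and s_nssai not in amf_slices:
        return Decision.REJECT_AMF_CANNOT_SERVE
    # MAC check: recompute from K and the *received* S-NSSAI and compare
    # in constant time so the comparison leaks no timing information.
    expected = compute_mac(sub.root_key, s_nssai)
    if not hmac.compare_digest(expected, mac):
        return Decision.REJECT_BAD_MAC
    return Decision.ACCEPT


# ---- Constructed sample data (not from the patent) ----
SLICE_1 = bytes.fromhex("01000001")
SLICE_2 = bytes.fromhex("02000002")
SLICE_3 = bytes.fromhex("03000003")
SUPI = "imsi-001010000000001"
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DB = {SUPI: Subscriber(K, frozenset({SLICE_1, SLICE_2}))}
AMF1_SLICES = frozenset({SLICE_1})   # first AMF serves slice 1 only


def run_scenarios() -> Dict[str, Decision]:
    good_mac_1 = compute_mac(K, SLICE_1)
    good_mac_2 = compute_mac(K, SLICE_2)
    return {
        # Legitimate UE, subscribed slice, AMF supports it.
        "valid": udm_check(DB, SUPI, SLICE_1, good_mac_1, AMF1_SLICES),
        # Slice outside the subscription.
        "unsubscribed": udm_check(DB, SUPI, SLICE_3,
                                  compute_mac(K, SLICE_3), AMF1_SLICES),
        # Subscribed slice the first AMF cannot serve (Example 2).
        "amf_cannot_serve": udm_check(DB, SUPI, SLICE_2, good_mac_2,
                                      AMF1_SLICES),
        # Same request under Example 1: no slice list at the UDM.
        "example_1_slice_2": udm_check(DB, SUPI, SLICE_2, good_mac_2),
        # S-NSSAI changed after the MAC was computed over slice 1.
        "tampered_slice": udm_check(DB, SUPI, SLICE_2, good_mac_1),
        # MAC computed with a key other than the subscriber's K.
        "wrong_key": udm_check(DB, SUPI, SLICE_1,
                               compute_mac(b"\xff" * 16, SLICE_1)),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18s} -> {decision.name}")
```

The `tampered_slice` case shows what the MAC adds beyond the subscription check: both slices are subscribed, but the MAC only verifies for the S-NSSAI the UE actually computed it over.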
Example 3
Referring to fig. 6, fig. 6 is a schematic sub-flowchart of a method for securely checking an S-NSSAI sent by a UE in the present embodiment, where the method includes:
step 601, sending a registration request to a first access mobility function AMF, wherein the registration request at least comprises an encrypted S-NSSAI, a user permanent identifier SUPI, and a message authentication code MAC;
step 602, if the first access mobility function AMF can provide service for the S-NSSAI, perform mutual authentication with the first access mobility function AMF, and receive a registration acceptance message.
In this embodiment, the user equipment UE sends a user hidden identifier SUCI, an encrypted S-NSSAI and a message authentication code MAC to the first access mobility function AMF, where the user hidden identifier SUCI is an encrypted identity of the user permanent identifier SUPI; S-NSSAI is packaged or encrypted in the user hidden identifier SUCI, and the S-NSSAI is slice information which user equipment UE wants to access; and after the verification is finished, if the first access mobility function AMF can provide service for the slice corresponding to the S-NSSAI, the user equipment UE and the first access mobility function AMF execute bidirectional verification and receive a registration acceptance message sent by the first access mobility function AMF.
In this embodiment, the S-NSSAI is encapsulated into the hidden identifier SUCI of the user, so that the S-NSSAI can be better encrypted, and the first message sent by the UE can safely carry the S-NSSAI; meanwhile, the verification of the S-NSSAI can be completed before the first access mobility function AMF authenticates the user equipment UE, and the purpose of rapidly verifying the S-NSSAI is efficiently realized.
Further, the user equipment UE further includes a root key corresponding thereto, and before sending the registration request to the first access mobility function AMF, the method includes:
and the user equipment UE obtains the message authentication code MAC according to the root key and the S-NSSAI, wherein the message authentication code MAC is used for determining that the S-NSSAI is from a legal user equipment UE.
In this embodiment, the message authentication code MAC is calculated based on the root key shared between the user equipment UE and the user data management UDM: the user equipment UE calculates the message authentication code MAC from its corresponding root key and the S-NSSAI using the formula MAC = KDF(K, S-NSSAI), where K is the root key and the KDF (key derivation function) can be HMAC-SHA256 or the like. The message authentication code MAC makes it possible to determine that the S-NSSAI comes from a legitimate user equipment UE.
Example 4
Further, an embodiment of the present application further provides a system 700 for securely checking an S-NSSAI sent by a UE, referring to fig. 7, fig. 7 is a schematic diagram of program modules of the system 700 for securely checking an S-NSSAI sent by a UE in the embodiment of the present application, where in the embodiment, the system 700 for securely checking an S-NSSAI sent by a UE includes:
a sending module 701: configured so that the first access mobility function AMF generates an authentication request after receiving a registration request sent by the user equipment UE, wherein the authentication request at least comprises the encrypted user permanent identifier SUPI and S-NSSAI;
a processing module 702: configured to send the authentication request to the user data management UDM, wherein the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI;
a generation module 703: configured to determine, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, and if so, to determine the corresponding root key, generate an authentication vector, and send the authentication vector and the S-NSSAI to the first access mobility function AMF;
an authentication module 704: configured so that the first access mobility function AMF, after receiving the authentication vector and the S-NSSAI, determines whether it can provide service for the S-NSSAI, and if so, performs bidirectional authentication with the user equipment UE and sends a registration acceptance message to the user equipment UE.
The system 700 for securely checking the S-NSSAI sent by the UE according to the embodiment of the present application can implement the following: the first access mobility function AMF generates an authentication request after receiving a registration request sent by the user equipment UE, wherein the authentication request at least comprises the encrypted user permanent identifier SUPI and S-NSSAI; the authentication request is sent to the user data management UDM, which processes it to obtain the user permanent identifier SUPI and the decrypted S-NSSAI; whether the user equipment UE can use the slice corresponding to the S-NSSAI is determined according to the user permanent identifier SUPI, and if so, the corresponding root key is determined, an authentication vector is generated, and the authentication vector and the S-NSSAI are sent to the first access mobility function AMF; after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether it can provide service for the S-NSSAI, and if so, performs bidirectional authentication with the user equipment UE and sends a registration acceptance message to the user equipment UE. With the invention, the first message sent by the UE can securely carry the S-NSSAI, and the check of the S-NSSAI can be completed before the AMF authenticates the UE, so that the S-NSSAI is checked quickly and efficiently and the UE can quickly establish a slice connection and use the slice.
Example 5
Further, the present application also provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement the steps of the method for security check of S-NSSAI sent by a UE.
Example 6
Further, the present application also provides a storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the method for security check of S-NSSAI sent by a UE as described above.
Each functional module in the embodiments of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that, for the sake of simplicity, the above method embodiments are described as a series of combined acts, but those skilled in the art should understand that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules involved are not necessarily required by the invention.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The above describes the method, system, device and storage medium for security verification of S-NSSAI sent by a UE provided by the present invention. For a person skilled in the art, the specific implementation and the scope of application may vary according to the ideas of the embodiments of the present application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (13)

1. A method for securely checking S-NSSAI transmitted by a UE, the method comprising:
the method comprises the steps that a first access mobility function AMF generates an authentication request after receiving a registration request sent by user equipment UE, wherein the authentication request at least comprises encrypted user permanent identifiers SUPI and S-NSSAI;
sending the authentication request to a User Data Management (UDM), wherein the User Data Management (UDM) processes the authentication request to obtain the user permanent identifier (SUPI) and the decrypted S-NSSAI;
judging whether the user equipment UE can use the slice corresponding to the S-NSSAI or not according to the user permanent identifier SUPI, if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first access mobility function AMF;
and after receiving the authentication vector and the S-NSSAI, the AMF judges whether the AMF can provide service for the S-NSSAI, if so, executes bidirectional authentication with the UE, and sends a registration acceptance message to the UE.
2. The method of claim 1, wherein the determining whether the UE can use the slice corresponding to the S-NSSAI according to the SUPI, and if so, determining a corresponding root key, and the generating the authentication vector specifically comprises:
judging whether the user equipment UE can use the slice corresponding to the S-NSSAI according to subscription information corresponding to the user permanent identifier SUPI, wherein the subscription information comprises all slice information allowed to be used by the user equipment UE;
and if so, determining the corresponding root key according to the user permanent identifier SUPI through the user data management UDM, and generating the authentication vector.
3. The method of claim 2, wherein said processing of said authentication request by said user data management UDM resulting in a message authentication code MAC, said determining by said user data management UDM a corresponding said root key from said user permanent identifier SUPI, and generating said authentication vector further comprises:
checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI;
and if the authentication vector is correct, generating the authentication vector, and if the authentication vector is wrong, sending a registration rejection message to the User Equipment (UE).
4. The method according to claim 3, wherein said checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI specifically comprises:
the user data management UDM determines the root key according to the user permanent identifier SUPI and obtains a verification message authentication code MAC based on the root key and the S-NSSAI;
and comparing the verification message verification code MAC with the message verification code obtained by the user data management UDM, and verifying the correctness of the message verification code.
5. The method according to claim 1, wherein the first access mobility function AMF sends a list of slices it supports to the user data management UDM, the determining whether the user equipment UE can use the slice corresponding to the S-NSSAI according to the user persistent identifier SUPI, and if so, determining a corresponding root key and generating an authentication vector further comprises:
judging whether the first access mobility function AMF can provide slice service for the S-NSSAI or not according to the slice list supported by the first access mobility function AMF and the S-NSSAI, and obtaining a verification result;
and if the verification result is correct, generating the authentication vector, and if the verification result is wrong, sending a registration rejection message to the User Equipment (UE).
6. The method of claim 4, wherein the determining, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, whether the first access mobility function AMF can serve the S-NSSAI further comprises:
and judging whether the first access mobility function AMF can provide service for the S-NSSAI or not according to the checking result.
7. The method of claim 1, wherein the determining, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, whether the first access mobility function AMF can serve the S-NSSAI further comprises:
if not, switching a second access mobility function AMF capable of providing service for the S-NSSAI, executing bidirectional authentication with the user equipment UE, and sending a registration acceptance message to the user equipment UE.
8. The method of claim 1, wherein the determining whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI) further comprises:
and if not, sending a registration rejection message to the user equipment UE.
9. A method for securely checking S-NSSAI transmitted by a UE, the method comprising:
sending a registration request to a first access mobility function, AMF, wherein the registration request comprises at least an encrypted S-NSSAI, a user permanent identifier, SUPI, and a message authentication code, MAC;
if the first access mobility function AMF can provide a service for the S-NSSAI, performing mutual authentication with the first access mobility function AMF, and receiving a registration acceptance message.
10. The method according to claim 9, wherein the user equipment UE further comprises a root key corresponding thereto, and wherein sending the registration request to the first access mobility function AMF comprises before:
and the user equipment UE obtains the message authentication code MAC according to the root key and the S-NSSAI, wherein the message authentication code MAC is used for determining that the S-NSSAI is from a legal user equipment UE.
11. A system for securely checking S-NSSAI transmitted by a UE, the system comprising:
a sending module: the method comprises the steps that a first access mobility function AMF generates an authentication request after receiving a registration request sent by user equipment UE, wherein the authentication request at least comprises encrypted user permanent identifiers SUPI and S-NSSAI;
a processing module: the server is used for sending the authentication request to a User Data Management (UDM), and the User Data Management (UDM) processes the authentication request to obtain the user permanent identifier (SUPI) and the decrypted S-NSSAI;
a generation module: the server is configured to determine whether the UE can use the slice corresponding to the S-NSSAI according to the SUPI, determine a corresponding root key if the slice corresponding to the S-NSSAI is available, generate an authentication vector, and send the authentication vector and the S-NSSAI to the AMF;
an authentication module: and the AMF is configured to determine whether the AMF can provide service for the S-NSSAI after receiving the authentication vector and the S-NSSAI, perform bidirectional authentication with the UE if the AMF can provide service for the S-NSSAI, and send a registration acceptance message to the UE.
12. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method of security check UE transmitted S-NSSAI according to any one of claims 1 to 7 or 9 to 10 when executing the computer program.
13. A storage medium having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the method of security check of S-NSSAI sent by a UE according to any of claims 1 to 7 or 9 to 10.
CN202110774784.3A 2021-07-08 2021-07-08 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment) Active CN113449286B (en)

Publications (2)

Publication Number Publication Date
CN113449286A true CN113449286A (en) 2021-09-28
CN113449286B CN113449286B (en) 2024-03-26

Family

ID=77815551

Country Status (1)

Country Link
CN (1) CN113449286B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024031724A1 (en) * 2022-08-12 2024-02-15 北京小米移动软件有限公司 Terminal device capability indication method and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JIANGBING NI;XIAODONG LIN: "Efficient and Secure Service Oriented Authentication Supporting Network Slicing for 5G Enabled IoT", IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, vol. 36, no. 3, pages 644 - 657, XP055841647, DOI: 10.1109/JSAC.2018.2815418 *
LU HAITAO; LI GANG; GAO XUSHENG: "Device and access security of 5G networks", ZTE Technology Journal, vol. 25, no. 4, pages 19 - 24 *

Also Published As

Publication number Publication date
CN113449286B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
RU2663972C1 (en) Security assurance at connection between communication device and network device
CN109699031B (en) Verification method and device adopting shared secret key, public key and private key
CN106028331B (en) Method and equipment for identifying pseudo base station
CN101983517B (en) Security for a non-3gpp access to an evolved packet system
CN107800539B (en) Authentication method, authentication device and authentication system
US9189632B2 (en) Method for protecting security of data, network entity and communication terminal
US9668139B2 (en) Secure negotiation of authentication capabilities
US9516501B2 (en) Authentication in a communications system
US8881235B2 (en) Service-based authentication to a network
EP2037620B1 (en) A realizing method for push service of gaa and a device
CN112291064B (en) Authentication system, registration and authentication method, device, storage medium and electronic equipment
KR20180057665A (en) Access method, device and system for user equipment (UE)
Xu et al. An anonymous handover authentication scheme based on LTE‐A for vehicular networks
CN111641498B (en) Key determination method and device
WO2020147856A1 (en) Authentication processing method and device, storage medium, and electronic device
CN113449286B (en) Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)
KR102095136B1 (en) A method for replacing at least one authentication parameter for authenticating a secure element, and a corresponding secure element
US20240064006A1 (en) Identity authentication method and apparatus, storage medium, program, and program product
WO2018126791A1 (en) Authentication method and device, and computer storage medium
CN111404669B (en) Key generation method, terminal equipment and network equipment
CN112839329B (en) Verification method, device, equipment and computer readable storage medium
MX2007015841A (en) Apparatus, method and computer program product providing mobile node identities in conjunction with authentication preferences in generic bootstrapping architecture (gba).
CN111866870B (en) Key management method and device
Odarchenko et al. RESEARCH OF CYBER SECURITY MECHANISMS IN MODERN 5G CELLULAR NETWORKS
CN117098111A (en) Registration method and device of user equipment, computer readable medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant