CN113449286B - Method, system and equipment for safety check of S-NSSAI sent by UE (user equipment)

Publication number
CN113449286B
Authority
CN
China
Prior art keywords
nssai
user
authentication
mobility function
access mobility
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110774784.3A
Other languages
Chinese (zh)
Other versions
CN113449286A (en)
Inventor
成荣
孙志伟
齐坤
韦凯
王隆杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Polytechnic
Original Assignee
Shenzhen Polytechnic
Application filed by Shenzhen Polytechnic
Priority to CN202110774784.3A
Publication of CN113449286A
Application granted
Publication of CN113449286B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133 Verifying human interaction, e.g., Captcha
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity


Abstract

The invention provides a method, a system, equipment and a storage medium for safely checking S-NSSAI sent by UE, wherein the method comprises the following steps: the AMF receives a registration request sent by the UE and generates an authentication request, wherein the authentication request comprises encrypted SUPI and S-NSSAI; sending the authentication request to the UDM, and processing the authentication request by the UDM to obtain SUPI and decrypted S-NSSAI; judging whether the UE can use the slice corresponding to the S-NSSAI according to the SUPI, if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the AMF; after the AMF receives the authentication vector and the S-NSSAI, the AMF judges whether the AMF can provide service for the S-NSSAI, if so, the AMF executes the mutual authentication with the UE, and sends a registration acceptance message to the UE. The invention safely carries the S-NSSAI through the first message sent by the UE, and can finish the verification of the S-NSSAI before the AMF authenticates the UE, thereby efficiently realizing the purpose of quick verification of the S-NSSAI and also meeting the purpose of quick establishment of slice connection and use of slices by the UE.

Description

Method, system and equipment for safety check of S-NSSAI sent by UE (user equipment)
Technical Field
The invention belongs to the field of 5G communication security, and particularly relates to a method, a system, equipment and a storage medium for safely checking S-NSSAI sent by UE.
Background
In 5G networks, the 3GPP (3rd Generation Partnership Project) standard introduced the concept of slicing. In the Release 15 standard, 3GPP defines three major slice types, namely eMBB (Enhanced Mobile Broadband), URLLC (Ultra-Reliable and Low-Latency Communication) and mIoT (Massive Machine Type Communication, massive Internet of Things communication). Different slices have different network capabilities and characteristics and can be adapted to different services. For example, the eMBB slice can provide high-bandwidth services and is suitable for Internet browsing or video services; the URLLC slice can provide low-latency, high-reliability service and is suitable for industrial control and similar scenarios. The characteristics of these slices are achieved by the 5G network scheduling resources differently.
The 5G network defines a wide variety of slicing capabilities that can serve different services or terminals. If a terminal wants to access these different slices, it needs to inform the 5G network which slices the UE (User Equipment) wants to access. In the standard, the UE sends S-NSSAI (Single Network Slice Selection Assistance Information) to indicate to the 5G network which slice or slices the UE wants to access.
From the security point of view, if the UE sends the S-NSSAI in clear text or otherwise exposes the S-NSSAI, an attacker can learn from the exposed S-NSSAI which slice service the UE wants to access. Therefore, when the UE sends the S-NSSAI to the network, confidentiality protection is required for the S-NSSAI. And if the S-NSSAI is sent again after NAS security is established, the continuity of UE slice service usage will be affected.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a method, a system, equipment and a storage medium for checking the S-NSSAI sent by UE, which can meet the requirements of the UE on quick establishment of slice connection and use of slices and has high safety performance.
In order to solve the technical problems, the invention adopts the following technical scheme:
In a first aspect, the present invention provides a method for securely checking an S-NSSAI transmitted by a UE, the method comprising:
the method comprises the steps that after receiving a registration request sent by User Equipment (UE), a first Access Mobility Function (AMF) generates an authentication request, wherein the authentication request at least comprises encrypted user permanent identifiers (SUPI) and S-NSSAI;
the authentication request is sent to a User Data Management (UDM), and the User Data Management (UDM) processes the authentication request to obtain a user permanent identifier (SUPI) and the decrypted S-NSSAI;
Judging whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI), if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first Access Mobility Function (AMF);
after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs bidirectional authentication with the UE and sends a registration accept message to the UE.
In a second aspect, the present invention provides a method for securely checking an S-NSSAI transmitted by a UE, the method comprising:
sending a registration request to a first access mobility function AMF, wherein the registration request at least comprises an encrypted S-NSSAI, a user permanent identifier SUPI and a message authentication code MAC;
and if the first access mobility function AMF can provide service for the S-NSSAI, performing bidirectional authentication with the first access mobility function AMF and receiving a registration acceptance message.
In a third aspect, the present invention provides a system for securely checking an S-NSSAI transmitted by a UE, where the system includes:
And a sending module: the method comprises the steps that after receiving a registration request sent by User Equipment (UE), an AMF generates an authentication request, wherein the authentication request at least comprises encrypted user permanent identifiers (SUPI) and S-NSSAI;
the processing module is used for: the authentication request is sent to a User Data Management (UDM), and the User Data Management (UDM) processes the authentication request to obtain the user permanent identifier (SUPI) and the decrypted S-NSSAI;
the generation module is used for: the method comprises the steps of judging whether the User Equipment (UE) can use a slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI), if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first Access Mobility Function (AMF);
and an authentication module: after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs mutual authentication with the UE and sends a registration accept message to the UE.
In a fourth aspect, the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing each step in the method for securely checking the S-NSSAI transmitted by the UE according to the first aspect when the computer program is executed by the processor.
In a fifth aspect, the present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method for securely checking the S-NSSAI transmitted by a UE as described in the first aspect above.
The invention provides a method for safely checking S-NSSAI sent by UE, which comprises the following steps: the method comprises the steps that after receiving a registration request sent by User Equipment (UE), a first Access Mobility Function (AMF) generates an authentication request, wherein the authentication request at least comprises encrypted user permanent identifiers (SUPI) and S-NSSAI; the authentication request is sent to a User Data Management (UDM), and the User Data Management (UDM) processes the authentication request to obtain a user permanent identifier (SUPI) and the decrypted S-NSSAI; judging whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI), if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first Access Mobility Function (AMF); after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs bidirectional authentication with the UE and sends a registration accept message to the UE. The invention safely carries the S-NSSAI through the first message sent by the UE, and can finish the verification of the S-NSSAI before the AMF authenticates the UE, thereby efficiently realizing the purpose of quick verification of the S-NSSAI and also meeting the purpose of quick establishment of slice connection and use of slices by the UE.
Drawings
The specific construction of the present invention is detailed below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a method for securely checking S-NSSAI transmitted by a UE according to the present invention;
Fig. 2 is a schematic sub-flowchart of a method for securely checking S-NSSAI transmitted by a UE according to the present invention;
Fig. 3 is a schematic diagram of still another sub-flowchart of a method for securely checking S-NSSAI transmitted by UE according to the present invention;
Fig. 4 is another sub-flowchart of a method for securely checking the S-NSSAI transmitted by the UE according to the present invention;
Fig. 5 is another sub-flowchart of a method for securely checking the S-NSSAI transmitted by the UE according to the present invention;
Fig. 6 is another sub-flowchart of a method for securely checking the S-NSSAI transmitted by the UE according to the present invention;
Fig. 7 is a schematic program module of an apparatus for security checking S-NSSAI sent by UE according to the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more comprehensible, the technical solutions in the embodiments of the present application will be clearly described in conjunction with the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
Referring to Fig. 1, Fig. 1 is a flowchart of a method for securely checking S-NSSAI sent by a UE in an embodiment of the present application, where the method includes:
Step 101, the first access mobility function AMF generates an authentication request after receiving a registration request sent by the user equipment UE, where the authentication request at least includes an encrypted user permanent identifier SUPI and an S-NSSAI.
In this embodiment, the UE sends a registration request to the first access mobility function AMF (access and mobility function, AMF), where the registration request includes a user hidden identifier SUCI (SUbscription Concealed Identifier), and the user hidden identifier SUCI is a ciphertext obtained by encrypting the user permanent identifier SUPI (SUbscription Permanent Identifier) with a public key; the registration request also comprises the encrypted S-NSSAI, wherein the S-NSSAI is the slice information which the user equipment UE wants to access; and after the first access mobility function AMF receives the registration request sent by the user equipment UE, it generates an authentication request.
Step 102, the authentication request is sent to a user data management UDM, and the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI.
In this embodiment, after the first access mobility function AMF generates an authentication request, the authentication request is sent to the authentication server function AUSF (Authentication Server Function), the authentication server function AUSF sends the authentication request to the user data management UDM, and after receiving the authentication request, the user data management UDM processes the data in the authentication request to obtain decrypted user permanent identifiers SUPI and S-NSSAI.
Step 103, judging whether the UE can use the slice corresponding to the S-NSSAI according to the user permanent identifier SUPI, if yes, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first access mobility function AMF.
In this embodiment, the user data management UDM determines, from the decrypted user permanent identifier SUPI and the S-NSSAI, whether the user equipment UE can use the slice corresponding to the S-NSSAI. If the user equipment UE can use the slice corresponding to the S-NSSAI, the user data management UDM generates a corresponding root key according to the user permanent identifier SUPI, generates an authentication vector, and sends the generated authentication vector and the S-NSSAI to the authentication server function AUSF, and the authentication server function AUSF sends the received authentication vector and the S-NSSAI to the first access mobility function AMF.
Step 104, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it is determined whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, bidirectional authentication with the UE is performed and a registration accept message is sent to the UE.
In this embodiment, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it is determined whether the first access mobility function AMF can provide services for the slice corresponding to the S-NSSAI. If so, the first access mobility function AMF performs bidirectional authentication with the UE, and the authentication server function AUSF also performs bidirectional authentication with the UE; after this is completed, the first access mobility function AMF sends a registration accept message to the UE.
The embodiment of the application provides a method for safely checking S-NSSAI sent by UE, which comprises the following steps: the method comprises the steps that after receiving a registration request sent by User Equipment (UE), a first Access Mobility Function (AMF) generates an authentication request, wherein the authentication request at least comprises encrypted user permanent identifiers (SUPI) and S-NSSAI; the authentication request is sent to a User Data Management (UDM), and the User Data Management (UDM) processes the authentication request to obtain a user permanent identifier (SUPI) and the decrypted S-NSSAI; judging whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI), if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first Access Mobility Function (AMF); after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs bidirectional authentication with the UE and sends a registration accept message to the UE. The invention safely carries the S-NSSAI through the first message sent by the UE, and can finish the verification of the S-NSSAI before the AMF authenticates the UE, thereby efficiently realizing the purpose of quick verification of the S-NSSAI and also meeting the purpose of quick establishment of slice connection and use of slices by the UE.
Further, referring to Fig. 2, Fig. 2 is a schematic sub-flowchart of a method for securely checking an S-NSSAI sent by a UE in an embodiment of the present application, where determining, according to the user permanent identifier SUPI, whether the UE can use a slice corresponding to the S-NSSAI, if yes, determining a corresponding root key, and generating an authentication vector specifically includes:
Step 201, judging whether the user equipment UE can use the slice corresponding to the S-NSSAI according to subscription information corresponding to the user permanent identifier SUPI, where the subscription information includes all slice information allowed to be used by the user equipment UE;
Step 202, if yes, determining the corresponding root key according to the user permanent identifier SUPI through the user data management UDM, and generating the authentication vector.
In this embodiment, the user data management UDM determines whether the slice corresponding to the S-NSSAI can be used by the user equipment UE according to subscription information corresponding to the user permanent identifier SUPI, where the subscription information includes all slice information that the user equipment UE is allowed to use. That is, the user data management UDM compares all slice information that the user equipment UE can use with the slice information that the user equipment UE wants to access. If the slice information that the user equipment UE wants to access is in the slice information that the user equipment UE can use, it determines that the user equipment UE can use the slice corresponding to the S-NSSAI; the user data management UDM then determines a corresponding root key according to the user permanent identifier SUPI and generates the authentication vector.
Further, referring to Fig. 3, Fig. 3 is a schematic diagram of another sub-flow of a method for securely checking S-NSSAI sent by a UE in the embodiment of the present application. In this embodiment, the user data management UDM also obtains a message authentication code MAC when it processes the authentication request, and the determining, by the user data management UDM, of the corresponding root key according to the user permanent identifier SUPI and the generating of the authentication vector further includes:
Step 301, checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI;
Step 302, if the message authentication code MAC is correct, generating the authentication vector, and if it is incorrect, sending a registration rejection message to the user equipment UE.
In this embodiment, the registration request includes a user hidden identifier SUCI obtained by encrypting a user permanent identifier SUPI, and the user hidden identifier SUCI further includes a message authentication code MAC (message authentication code). The message authentication code MAC is calculated based on a shared root key K between the user equipment UE and the user data management UDM, as MAC = KDF(K, S-NSSAI); the KDF (key derivation function) may be HMAC-SHA256 or the like, which is not limited herein. After the user data management UDM processes the user hidden identifier SUCI to obtain the message authentication code MAC, it determines the root key K according to the user permanent identifier SUPI and checks the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the message authentication code MAC is correct, it continues with the steps to generate an authentication vector. If the message authentication code MAC is wrong, it sends a rejection message to the authentication server function AUSF; after the authentication server function AUSF receives the rejection message, it sends the rejection message to the first access mobility function AMF, and the first access mobility function AMF sends the registration rejection message to the user equipment UE.
Further, referring to Fig. 4, Fig. 4 is a schematic diagram of another sub-flow of a method for securely checking S-NSSAI sent by a UE in the embodiment of the present application, and in this embodiment, the checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI specifically includes:
Step 401, the user data management UDM determines the root key according to the user permanent identifier SUPI, and obtains a verification message authentication code MAC based on the root key and the S-NSSAI;
Step 402, comparing the verification message authentication code MAC with the message authentication code MAC obtained by the user data management UDM, to verify the correctness of the message authentication code MAC.
In this embodiment, after decrypting the user hidden identifier SUCI, the user data management UDM obtains the user permanent identifier SUPI, and the user data management UDM determines a corresponding root key according to the user permanent identifier SUPI. The calculation formula of the message authentication code MAC is MAC = KDF(K, S-NSSAI), where K is the root key and the KDF (key derivation function) may be HMAC-SHA256, etc. The user data management UDM calculates the verification message authentication code MAC from the root key K and the S-NSSAI, and obtains the message authentication code MAC when decrypting the user hidden identifier SUCI. The verification message authentication code MAC is compared with the message authentication code MAC: if the two are the same, the message authentication code MAC is correct, and if they differ, the message authentication code MAC is wrong.
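The UDM-side checks of steps 201-202, 301-302 and 401-402 above, as an added Python example that is not part of the patent text. It assumes the SUCI has already been decrypted, encodes the S-NSSAI as SST (1 octet) plus optional SD (3 octets), and uses HMAC-SHA256 as the KDF; the names `Decision`, `Subscription`, `DecryptedSuci` and `udm_check`, the sample SUPI and key, and the handling of an unknown SUPI are assumptions made for the illustration.

```python
"""UDM-side S-NSSAI check: subscription lookup, then MAC = HMAC-SHA256(K, S-NSSAI)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Decision(Enum):
    NO_SLICE_CHECK = "first indication absent: request carries no S-NSSAI"
    REJECT_UNKNOWN_SUPI = "no subscription for this SUPI (case assumed, not in the text)"
    REJECT_SLICE = "slice not in the subscription information"
    REJECT_MAC = "MAC missing or different from KDF(K, S-NSSAI)"
    GENERATE_AV = "checks passed: the UDM may generate the authentication vector"


def encode_s_nssai(sst: int, sd: Optional[int] = None) -> bytes:
    """Encode an S-NSSAI as SST (1 octet) plus optional SD (3 octets)."""
    if not 0 <= sst <= 0xFF:
        raise ValueError("SST must fit in one octet")
    if sd is None:
        return bytes([sst])
    if not 0 <= sd <= 0xFFFFFF:
        raise ValueError("SD must fit in three octets")
    return bytes([sst]) + sd.to_bytes(3, "big")


def slice_mac(root_key: bytes, s_nssai: bytes) -> bytes:
    """MAC = KDF(K, S-NSSAI), with HMAC-SHA256 as the KDF the text suggests."""
    return hmac.new(root_key, s_nssai, hashlib.sha256).digest()


@dataclass(frozen=True)
class Subscription:
    root_key: bytes                   # shared root key K for this SUPI
    allowed_slices: FrozenSet[bytes]  # every S-NSSAI the UE is allowed to use


@dataclass(frozen=True)
class DecryptedSuci:
    """Fields the UDM holds after decrypting the SUCI (decryption is not modelled)."""
    supi: str
    first_indication: bool
    s_nssai: Optional[bytes] = None
    mac: Optional[bytes] = None


def udm_check(suci: DecryptedSuci, subscribers: Dict[str, Subscription]) -> Decision:
    # Without the first indication the request carries no S-NSSAI to check.
    if not suci.first_indication:
        return Decision.NO_SLICE_CHECK
    sub = subscribers.get(suci.supi)
    if sub is None:
        return Decision.REJECT_UNKNOWN_SUPI
    # Steps 201/202: the requested slice must be in the subscription information.
    if suci.s_nssai is None or suci.s_nssai not in sub.allowed_slices:
        return Decision.REJECT_SLICE
    # Steps 401/402: recompute the verification MAC and compare in constant time.
    if suci.mac is None:
        return Decision.REJECT_MAC
    expected = slice_mac(sub.root_key, suci.s_nssai)
    if not hmac.compare_digest(expected, suci.mac):
        return Decision.REJECT_MAC
    return Decision.GENERATE_AV


def demo():
    """Run four constructed registrations through udm_check."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed root key K
    supi = "imsi-001010000000001"                          # constructed test SUPI
    embb = encode_s_nssai(1)                # SST 1 = eMBB
    urllc = encode_s_nssai(2, 0x0000A1)     # SST 2 = URLLC, constructed SD
    subscribers = {supi: Subscription(k, frozenset({embb}))}
    requests = [
        DecryptedSuci(supi, True, embb, slice_mac(k, embb)),    # subscribed, valid MAC
        DecryptedSuci(supi, True, urllc, slice_mac(k, urllc)),  # slice not subscribed
        DecryptedSuci(supi, True, embb, slice_mac(k, urllc)),   # MAC over another slice
        DecryptedSuci(supi, False),                             # no first indication
    ]
    return [udm_check(r, subscribers) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision.name, "-", decision.value)
```

`hmac.compare_digest` is used for the step 402 comparison so that the time taken does not depend on how many leading bytes match. Since the formula's only inputs are K and the S-NSSAI, the MAC for a given subscriber and slice is the same on every registration.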
Further, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, determining whether the first access mobility function AMF can provide services for the S-NSSAI further includes:
if not, switching to a second access mobility function AMF that provides service for the S-NSSAI, executing bidirectional authentication with the UE, and sending a registration acceptance message to the UE.
In this embodiment, the authentication vector that the first access mobility function AMF receives together with the S-NSSAI further includes an authentication parameter. After the first access mobility function AMF receives the S-NSSAI sent by the authentication server function AUSF, it is determined whether the first access mobility function AMF can provide services for the slice corresponding to the S-NSSAI. If the first access mobility function AMF can provide services, the next steps are continued. If the first access mobility function AMF cannot provide services, the first access mobility function AMF is switched to a second access mobility function AMF capable of providing services for the slice corresponding to the S-NSSAI; once this switch has been made, the second access mobility function AMF performs bidirectional authentication with the user equipment UE, and the authentication server function AUSF also performs bidirectional authentication with the user equipment UE.
Further, the determining, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI further includes:
if not, a registration rejection message is sent to the user equipment UE.
In this embodiment, the user data management UDM determines, according to subscription information corresponding to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, where the subscription information includes all slice information that the user equipment UE is allowed to use. That is, the user data management UDM compares all slice information that the user equipment UE can use with the slice information that the user equipment UE wants to access. If the slice information that the user equipment UE wants to access is not in the slice information that the user equipment UE can use, the user data management UDM sends a rejection message to the authentication server function AUSF, and after the authentication server function AUSF receives the rejection message, the authentication server function AUSF sends a registration rejection message to the user equipment UE, where the rejection message carries a rejection indication that indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Further, the registration request includes a user hidden identifier SUCI obtained by encrypting the user permanent identifier SUPI. The user hidden identifier SUCI further includes a first indication, which is used for telling the network that the user hidden identifier SUCI carries the S-NSSAI. When the user data management UDM decrypts the user hidden identifier SUCI in the authentication request, the user permanent identifier SUPI, the S-NSSAI, the message authentication code MAC and the first indication are obtained. After the user data management UDM obtains the first indication, it determines according to the first indication that the user hidden identifier SUCI includes the S-NSSAI and that the S-NSSAI is to be checked; if the first indication is not detected, this indicates that the authentication request received by the user data management UDM does not include the S-NSSAI.
Further, after the authentication server function AUSF, the first access mobility function AMF or the second access mobility function AMF performs the mutual authentication with the user equipment UE, the authentication server function AUSF checks the user equipment UE, and then sends the user permanent identifier SUPI to the corresponding first access mobility function AMF or second access mobility function AMF, and the corresponding first access mobility function AMF or second access mobility function AMF establishes a non-access stratum NAS (non-access stratum) security protection mechanism with the user equipment UE, and the corresponding first access mobility function AMF or second access mobility function AMF sends a registration accept message to the user equipment UE.
In this embodiment, the specific steps in the embodiment of the present application are:
First, the user equipment UE sends a registration request to the first access mobility function AMF. The registration request carries a user hidden identifier SUCI, which is the encrypted identity of the user permanent identifier SUPI. The user hidden identifier SUCI also encapsulates or encrypts the S-NSSAI, which is the information of the slice that the user equipment UE wants to access. The user hidden identifier SUCI further encapsulates a message authentication code MAC calculated from the root key K shared between the user equipment UE and the user data management UDM: MAC = KDF(K, S-NSSAI), where the KDF (key derivation function) may be HMAC-SHA256 or the like. The user hidden identifier SUCI may also include a first indication that tells the network that the SUCI carries the S-NSSAI.
Second, the first access mobility function AMF sends an authentication request to the authentication server function AUSF; the request also carries the user hidden identifier SUCI and may include the first indication.
Third, the authentication server function AUSF sends the user hidden identifier SUCI and the first indication to the user data management UDM.
Fourth, the user data management UDM decrypts the user hidden identifier SUCI to obtain the user permanent identifier SUPI and the S-NSSAI, and determines from the subscription information corresponding to the user permanent identifier SUPI whether the user equipment UE is allowed to use the slice corresponding to the S-NSSAI. The subscription information here includes all slice information that the user equipment UE is allowed to use. If the user equipment UE is allowed to use the slice corresponding to the S-NSSAI, the user data management UDM determines the corresponding root key K according to the user permanent identifier SUPI and generates an authentication vector. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE. The rejection message carries a rejection indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Fifth, the user data management UDM receives the message authentication code MAC, determines the root key K according to the user permanent identifier SUPI, and verifies the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the verification is correct, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE. Here the user data management UDM receives the first indication, determines from it that the user hidden identifier SUCI includes the S-NSSAI information, and determines that the above check of the S-NSSAI is to be performed.
Sixth, the user data management UDM sends the authentication vector to the authentication server function AUSF, together with the user permanent identifier SUPI and the S-NSSAI. The authentication server function AUSF sends the authentication vector, including authentication parameters (e.g., RAND and AUTN) and the S-NSSAI, to the first access mobility function AMF. The first access mobility function AMF receives the S-NSSAI sent by the authentication server function AUSF and determines whether the first access mobility function AMF is allowed to serve the slice corresponding to the S-NSSAI. If it can provide the service, execution continues. If not, the first access mobility function AMF is switched to the second access mobility function AMF. For example, the first access mobility function AMF is configured to allow serving slice 1 but not slice 2; if the S-NSSAI corresponds to slice 2, the first access mobility function AMF needs to switch to another, second access mobility function AMF capable of serving the S-NSSAI.
Seventh, after the authentication server function AUSF and the first access mobility function AMF or the second access mobility function AMF perform mutual authentication with the user equipment UE, and after the authentication server function AUSF has verified the user equipment UE, the user permanent identifier SUPI is sent to the corresponding first access mobility function AMF or second access mobility function AMF. The corresponding access mobility function AMF establishes a non-access stratum (NAS) security protection mechanism with the user equipment UE and sends a registration accept message to the user equipment UE. The access mobility function AMF performing mutual authentication with the user equipment UE is an access mobility function AMF that can provide a slice service for the S-NSSAI.
Example 2
Referring to Fig. 5, which is another sub-flowchart of the method for security check of the S-NSSAI sent by the UE in the embodiment of the present application: the first access mobility function AMF sends the slice list supported by the first access mobility function AMF to the user data management UDM, and the step of determining, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI and, if yes, determining the corresponding root key and generating an authentication vector further includes:
Step 501, judging whether the first access mobility function AMF can provide a slice service for the S-NSSAI according to the slice list supported by the first access mobility function AMF and the S-NSSAI, and obtaining a verification result;
Step 502, if the verification result is correct, the authentication vector is generated, and if the verification result is incorrect, a registration rejection message is sent to the user equipment UE.
In this embodiment, the registration request includes a user hidden identifier SUCI obtained by encrypting the user permanent identifier SUPI. The user hidden identifier further includes a first indication, which tells the network that the user hidden identifier SUCI carries the S-NSSAI. When the first access mobility function AMF receives the first indication, it sends the slice list supported by the first access mobility function AMF to the user data management UDM. If it can be determined from the slice list supported by the first access mobility function AMF that the user hidden identifier SUCI includes the S-NSSAI, the first indication is no longer sent.
In this embodiment, when the user data management UDM has received the slice list supported by the first access mobility function AMF and has the decrypted S-NSSAI, it determines whether the first access mobility function AMF can provide the slice service for the S-NSSAI and obtains a check result. If the check result is correct, the first access mobility function AMF can provide the slice service for the S-NSSAI, and the next step is executed. If the check result is incorrect, the first access mobility function AMF cannot provide the slice service for the S-NSSAI, and the user data management UDM sends a rejection message to the authentication server function AUSF; after receiving it, the authentication server function AUSF sends the rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE. The rejection message carries a rejection indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Further, after the first access mobility function AMF receives the authentication vector and the S-NSSAI, determining whether the first access mobility function AMF can provide services for the S-NSSAI further includes:
judging, according to the check result, whether the first access mobility function AMF can provide service for the S-NSSAI.
In this embodiment, after the first access mobility function AMF receives the check result, it determines whether the first access mobility function AMF can provide services for the slice corresponding to the S-NSSAI. If the service can be provided, the next step is executed; if the service cannot be provided, the first access mobility function AMF is switched to the second access mobility function AMF.
In this embodiment, the specific steps in the embodiment of the present application are:
First, the user equipment UE sends a registration request to the first access mobility function AMF. The registration request carries a user hidden identifier SUCI, which is the encrypted identity of the user permanent identifier SUPI. The user hidden identifier SUCI also encapsulates or encrypts the S-NSSAI, which is the information of the slice that the user equipment UE wants to access. The user hidden identifier SUCI further encapsulates a message authentication code MAC calculated from the root key K shared between the user equipment UE and the user data management UDM: MAC = KDF(K, S-NSSAI), where the KDF (key derivation function) may be HMAC-SHA256 or the like. The user hidden identifier SUCI may also include a first indication that tells the network that the SUCI carries the S-NSSAI.
Second, the first access mobility function AMF sends an authentication request to the authentication server function AUSF; the request also carries the user hidden identifier SUCI. According to the first indication, the user hidden identifier SUCI carries the S-NSSAI, and the first access mobility function AMF sends the slice list supported by the first access mobility function AMF. The request may also include the first indication; the first indication does not need to be sent if the authentication server function AUSF determines, from the first access mobility function AMF having sent its supported slice list, that the user hidden identifier SUCI includes the S-NSSAI.
Third, the authentication server function AUSF sends the user hidden identifier SUCI to the user data management UDM, together with the slice list supported by the first access mobility function AMF. It may also include the first indication; the first indication does not need to be sent if the user data management UDM determines, from the first access mobility function AMF having sent its supported slice list, that the user hidden identifier SUCI includes the S-NSSAI.
Fourth, the user data management UDM receives the slice list supported by the first access mobility function AMF, decrypts the user hidden identifier SUCI to obtain the user permanent identifier SUPI and the S-NSSAI, and determines from the subscription information corresponding to the user permanent identifier SUPI whether the user equipment UE is allowed to use the slice corresponding to the S-NSSAI. The subscription information here includes all slice information that the user equipment UE is allowed to use. If the user equipment UE is allowed to use the slice corresponding to the S-NSSAI, the user data management UDM determines the corresponding root key K according to the user permanent identifier SUPI and generates an authentication vector. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE. The rejection message carries a rejection indication, which indicates that the user equipment UE is not allowed to access the slice corresponding to the S-NSSAI.
Fifth, the user data management UDM determines, from the received slice list supported by the first access mobility function AMF and the S-NSSAI obtained through decryption, whether the first access mobility function AMF is allowed to serve the slice corresponding to the S-NSSAI, and determines a verification result. If the verification is correct, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE.
Sixth, the user data management UDM receives the message authentication code MAC, determines the root key K according to the user permanent identifier SUPI, and verifies the correctness of the message authentication code MAC based on the root key K and the S-NSSAI. If the verification is correct, execution continues. Otherwise, the user data management UDM sends a rejection message to the authentication server function AUSF, the authentication server function AUSF sends a rejection message to the first access mobility function AMF, and the first access mobility function AMF sends a registration reject message to the user equipment UE. Here the user data management UDM receives the first indication, determines from it that the user hidden identifier SUCI includes the S-NSSAI information, and determines that the above check of the S-NSSAI is to be performed.
Seventh, the user data management UDM sends the authentication vector to the authentication server function AUSF, together with the user permanent identifier SUPI, the S-NSSAI and the check result. The authentication server function AUSF sends the authentication vector, including authentication parameters (such as RAND and AUTN), the S-NSSAI and the check result, to the first access mobility function AMF, and the first access mobility function AMF receives the S-NSSAI and the check result sent by the authentication server function AUSF. The first access mobility function AMF determines from the check result whether it is allowed to serve the slice corresponding to the S-NSSAI. If the check result shows a pass, execution continues; if the check result shows that the first access mobility function AMF cannot provide service for the S-NSSAI, a switch to another, second access mobility function AMF capable of serving the S-NSSAI is triggered.
Eighth, after the authentication server function AUSF and the first access mobility function AMF or the second access mobility function AMF perform mutual authentication with the user equipment UE, the authentication server function AUSF verifies the user equipment UE and then sends the user permanent identifier SUPI to the corresponding first access mobility function AMF or second access mobility function AMF. The corresponding access mobility function AMF establishes a non-access stratum (NAS) security protection mechanism with the user equipment UE and sends a registration accept message to the user equipment UE. The access mobility function AMF performing mutual authentication with the user equipment UE is an access mobility function AMF that can provide a slice service for the S-NSSAI.
Example 3
Referring to Fig. 6, which is another sub-flowchart of the method for security check of the S-NSSAI sent by the UE in the embodiment of the present application, the method includes:
Step 601, a registration request is sent to a first access mobility function AMF, wherein the registration request at least comprises an encrypted S-NSSAI, a user permanent identifier SUPI and a message authentication code MAC;
Step 602, if the first access mobility function AMF can provide services for the S-NSSAI, performing mutual authentication with the first access mobility function AMF, and receiving a registration accept message.
In this embodiment, the user equipment UE sends a user hidden identifier SUCI, an encrypted S-NSSAI and a message authentication code MAC to the first access mobility function AMF. The user hidden identifier SUCI is the encrypted identity of the user permanent identifier SUPI, and it encapsulates or encrypts the S-NSSAI, which is the information of the slice that the user equipment UE wants to access. After the verification is completed, if the first access mobility function AMF can provide services for the slice corresponding to the S-NSSAI, the user equipment UE and the first access mobility function AMF perform mutual authentication, and the user equipment UE receives the registration accept message sent by the first access mobility function AMF.
In this embodiment, the S-NSSAI is encapsulated in the user hidden identifier SUCI, so that the S-NSSAI is better protected by encryption and the first message sent by the user equipment UE can safely carry the S-NSSAI. At the same time, the verification of the S-NSSAI can be completed before the first access mobility function AMF authenticates the user equipment UE, which efficiently achieves quick verification of the S-NSSAI.
Further, the user equipment UE further holds a root key corresponding to the user equipment UE, and before sending the registration request to the first access mobility function AMF, the method includes:
the user equipment UE obtains the message authentication code MAC according to the root key and the S-NSSAI, wherein the message authentication code MAC is used for determining that the S-NSSAI originates from a legitimate user equipment UE.
In this embodiment, the message authentication code MAC is calculated from the root key shared between the user equipment UE and the user data management UDM. The user equipment UE calculates the message authentication code MAC from its own root key and the S-NSSAI using the formula MAC = KDF(K, S-NSSAI), where K is the root key and the KDF (key derivation function) may be HMAC-SHA256 or the like. The message authentication code MAC makes it possible to determine that the S-NSSAI comes from a legitimate user equipment UE.
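The MAC computation described above, together with the UDM-side checks listed in the steps of Examples 1 and 2, as an added Python illustration that is not part of the patent text. It assumes the SUCI has already been decrypted into its fields, that the S-NSSAI is serialised for the MAC input as a one-byte SST plus an optional three-byte SD, and that the KDF is HMAC-SHA256; `DecryptedSuci`, `udm_check`, `Result` and all sample values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class Result(Enum):
    ACCEPT = "checks passed, UDM generates the authentication vector"
    NO_SNSSAI = "first indication absent, no S-NSSAI to check"
    REJECT_NOT_SUBSCRIBED = "slice not in the subscription for this SUPI"
    REJECT_BAD_MAC = "MAC does not match KDF(K, S-NSSAI)"
    # Example 2 only: the serving AMF's slice list lacks the slice. The page
    # describes both a rejection (step five) and a switch to a second AMF
    # (step seven) for this outcome, so it is reported separately here.
    AMF_CANNOT_SERVE = "first AMF does not support the slice"


def encode_snssai(sst: int, sd: Optional[int] = None) -> bytes:
    """Serialise an S-NSSAI as SST (1 byte) plus optional SD (3 bytes)."""
    if not 0 <= sst <= 0xFF:
        raise ValueError("SST must fit in one byte")
    if sd is None:
        return bytes([sst])
    if not 0 <= sd <= 0xFFFFFF:
        raise ValueError("SD must fit in three bytes")
    return bytes([sst]) + sd.to_bytes(3, "big")


def compute_mac(root_key: bytes, snssai: bytes) -> bytes:
    """MAC = KDF(K, S-NSSAI), with HMAC-SHA256 as the KDF the page names."""
    return hmac.new(root_key, snssai, hashlib.sha256).digest()


@dataclass(frozen=True)
class DecryptedSuci:
    """Fields the UDM holds after decrypting the SUCI (decryption not shown)."""
    supi: str
    first_indication: bool
    snssai: Optional[bytes] = None
    mac: Optional[bytes] = None


# SUPI -> (root key K, slices the subscription allows)
SubscriberDb = Dict[str, Tuple[bytes, FrozenSet[bytes]]]


def udm_check(req: DecryptedSuci, subscribers: SubscriberDb,
              amf_slices: Optional[Iterable[bytes]] = None) -> Result:
    """Run the UDM checks in the order the steps list them."""
    if not req.first_indication:
        return Result.NO_SNSSAI
    record = subscribers.get(req.supi)
    # Assumption: an unknown SUPI or a missing S-NSSAI field is rejected.
    if record is None or req.snssai is None:
        return Result.REJECT_NOT_SUBSCRIBED
    root_key, allowed = record
    # Subscription check: is the UE allowed to use this slice at all?
    if req.snssai not in allowed:
        return Result.REJECT_NOT_SUBSCRIBED
    # Example 2: check the slice list sent by the first AMF, if present.
    if amf_slices is not None and req.snssai not in set(amf_slices):
        return Result.AMF_CANNOT_SERVE
    # MAC check: recompute from K and the decrypted S-NSSAI, then compare
    # in constant time so the comparison does not leak matching prefixes.
    expected = compute_mac(root_key, req.snssai)
    if req.mac is None or not hmac.compare_digest(expected, req.mac):
        return Result.REJECT_BAD_MAC
    return Result.ACCEPT


def ue_build(supi: str, root_key: bytes, snssai: bytes) -> DecryptedSuci:
    """UE side: the fields that would be encapsulated in the SUCI."""
    return DecryptedSuci(supi, True, snssai, compute_mac(root_key, snssai))


# Constructed sample data (not from the page).
K_UE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SUPI = "imsi-001010000000001"
SLICE_1 = encode_snssai(1, 0x000001)
SLICE_2 = encode_snssai(2)
SLICE_3 = encode_snssai(3)
SUBSCRIBERS: SubscriberDb = {SUPI: (K_UE, frozenset({SLICE_1, SLICE_2}))}

if __name__ == "__main__":
    good = ue_build(SUPI, K_UE, SLICE_1)
    swapped = DecryptedSuci(SUPI, True, SLICE_2, good.mac)  # S-NSSAI altered
    for label, req, amf in [
        ("legitimate request", good, None),
        ("S-NSSAI swapped after MAC", swapped, None),
        ("slice not subscribed", ue_build(SUPI, K_UE, SLICE_3), None),
        ("AMF lacks slice", good, [SLICE_2]),
    ]:
        print(f"{label}: {udm_check(req, SUBSCRIBERS, amf).name}")
```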
Example 4
Further, the embodiment of the present application also provides a system 700 for security check of the S-NSSAI sent by the UE. Referring to Fig. 7, which is a schematic diagram of the program modules of the system 700 for security check of the S-NSSAI sent by the UE in the embodiment of the present application, the system 700 in this embodiment includes:
the sending module 701, configured so that, after receiving a registration request sent by the user equipment UE, the first access mobility function AMF generates an authentication request, wherein the authentication request at least comprises the encrypted user permanent identifier SUPI and the S-NSSAI;
the processing module 702, configured so that the authentication request is sent to the user data management UDM, and the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI;
the generating module 703, configured to judge, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, and if so, to determine the corresponding root key, generate an authentication vector, and then send the authentication vector and the S-NSSAI to the first access mobility function AMF;
the authentication module 704, configured so that, after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs mutual authentication with the user equipment UE and sends a registration accept message to the user equipment UE.
The system 700 for security check of the S-NSSAI sent by the UE provided in the embodiment of the present application can implement the following: after receiving a registration request sent by the user equipment UE, the first access mobility function AMF generates an authentication request, wherein the authentication request at least comprises the encrypted user permanent identifier SUPI and the S-NSSAI; the authentication request is sent to the user data management UDM, and the user data management UDM processes the authentication request to obtain the user permanent identifier SUPI and the decrypted S-NSSAI; whether the user equipment UE can use the slice corresponding to the S-NSSAI is judged according to the user permanent identifier SUPI, and if so, the corresponding root key is determined, an authentication vector is generated, and the authentication vector and the S-NSSAI are then sent to the first access mobility function AMF; after the first access mobility function AMF receives the authentication vector and the S-NSSAI, it determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs mutual authentication with the user equipment UE and sends a registration accept message to the user equipment UE. The invention safely carries the S-NSSAI in the first message sent by the user equipment UE and can complete the verification of the S-NSSAI before the AMF authenticates the user equipment UE, thereby efficiently achieving quick verification of the S-NSSAI and also allowing the user equipment UE to quickly establish a slice connection and use the slice.
Example 5
Further, the application also provides an electronic device, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein when the processor executes the computer program, the steps in the method for safely checking the S-NSSAI sent by the UE are realized.
Example 6
Further, the present application also provides a storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method for securely checking the S-NSSAI sent by the UE as described above.
The functional modules in the embodiments of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or as software functional modules. If the integrated modules are implemented as software functional modules and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied, in essence or in whole or in part, in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present invention is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the present invention.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing describes the method, system, device and storage medium for security check of the S-NSSAI sent by the UE provided by the present invention. Those skilled in the art may, following the ideas of the embodiments of the present application, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A method for securely verifying an S-NSSAI transmitted by a UE, the method comprising:
after receiving a registration request sent by a user equipment UE, a first access mobility function AMF generates an authentication request, wherein the authentication request at least comprises a user hidden identifier SUCI;
the authentication request is sent to a user data management UDM, the user data management UDM decrypts the user hidden identifier SUCI and detects whether the decrypted data comprises a user permanent identifier SUPI and a first indication; if yes, the user hidden identifier SUCI comprises an S-NSSAI, and the decrypted data comprises the S-NSSAI; wherein the first indication is used for indicating to the UDM that the user hidden identifier SUCI carries an S-NSSAI;
judging whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to the user permanent identifier (SUPI), if so, determining a corresponding root key, generating an authentication vector, and then sending the authentication vector and the S-NSSAI to the first Access Mobility Function (AMF);
after the first access mobility function AMF receives the authentication vector and the S-NSSAI, judging whether the first access mobility function AMF can provide service for the S-NSSAI, if so, executing bidirectional authentication with the user equipment UE, and sending a registration acceptance message to the user equipment UE;
or the first access mobility function AMF sends a slice list supported by the first access mobility function AMF to the user data management UDM; judging whether the first access mobility function AMF can provide slicing service for the S-NSSAI according to the slice list supported by the first access mobility function AMF and the S-NSSAI, and obtaining a checking result; and if the verification result is correct, generating the authentication vector to execute bidirectional authentication with the User Equipment (UE), and sending a registration acceptance message to the User Equipment (UE).
2. The method of claim 1, wherein the determining, according to the user permanent identifier SUPI, whether the slice corresponding to the S-NSSAI can be used by the user equipment UE, if yes, determining a corresponding root key, and the generating an authentication vector specifically includes:
judging whether the User Equipment (UE) can use the slice corresponding to the S-NSSAI according to subscription information corresponding to the user permanent identifier (SUPI), wherein the subscription information comprises all slice information which allows the User Equipment (UE) to use;
if yes, determining the corresponding root key according to the user permanent identifier SUPI through the user data management UDM, and generating the authentication vector.
3. The method of claim 2, wherein the processing of the authentication request by the user data management UDM to obtain a message authentication code MAC, the determining, by the user data management UDM, the corresponding root key from the user permanent identifier SUPI, and generating the authentication vector further comprises:
checking the correctness of the message authentication code MAC according to the root key and the S-NSSAI;
if the authentication vector is correct, generating the authentication vector, and if the authentication vector is incorrect, sending a registration rejection message to the User Equipment (UE).
4. The method of claim 3 wherein said verifying the correctness of said message authentication code MAC based on said root key and said S-NSSAI comprises:
the user data management UDM determines the root key according to the user permanent identifier SUPI, and obtains a verification message verification code MAC based on the root key and the S-NSSAI;
and comparing the verification message verification code MAC with the message verification code obtained by the user data management UDM to verify the correctness of the message verification code.
5. The method of claim 4 wherein the first access mobility function AMF, upon receiving the authentication vector and the S-NSSAI, determining whether the first access mobility function AMF can serve the S-NSSAI further includes:
judging whether the first access mobility function AMF can provide service for the S-NSSAI or not according to the check result.
6. The method of claim 1, wherein after the first access mobility function AMF receives the authentication vector and the S-NSSAI, determining whether the first access mobility function AMF can serve the S-NSSAI further includes:
if not, switching a second access mobility function AMF for providing service for the S-NSSAI, executing bidirectional authentication with the UE, and sending a registration acceptance message to the UE.
7. The method of claim 1, wherein the determining whether the user equipment UE can use the slice corresponding to the S-NSSAI based on the user permanent identifier SUPI further comprises:
if not, a registration rejection message is sent to the user equipment UE.
8. A system for securely verifying an S-NSSAI transmitted by a UE, the system comprising:
a sending module, configured so that, after receiving a registration request sent by a user equipment UE, a first access mobility function AMF generates an authentication request, wherein the authentication request at least comprises a user hidden identifier SUCI; or, the first access mobility function AMF sends the slice list supported by the first access mobility function AMF to a user data management UDM;
a processing module, configured so that the authentication request is sent to the user data management UDM, the user data management UDM decrypts the user hidden identifier SUCI and detects whether the decrypted data comprises a user permanent identifier SUPI and a first indication; if yes, the user hidden identifier SUCI comprises an S-NSSAI, and the decrypted data comprises the S-NSSAI; wherein the first indication is used for indicating to the UDM that the user hidden identifier SUCI carries an S-NSSAI;
a generation module, configured to judge, according to the user permanent identifier SUPI, whether the user equipment UE can use the slice corresponding to the S-NSSAI, and if so, to determine a corresponding root key, generate an authentication vector, and then send the authentication vector and the S-NSSAI to the first access mobility function AMF; or, configured to judge whether the first access mobility function AMF can provide a slice service for the S-NSSAI according to the slice list supported by the first access mobility function AMF and the S-NSSAI, so as to obtain a verification result; if the verification result is correct, generating the authentication vector to execute bidirectional authentication with the user equipment UE, and sending a registration acceptance message to the user equipment UE;
an authentication module, configured so that, after receiving the authentication vector and the S-NSSAI, the first access mobility function AMF determines whether the first access mobility function AMF can provide services for the S-NSSAI, and if yes, performs mutual authentication with the UE and sends a registration accept message to the UE.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the steps of the method of securely checking the S-NSSAI transmitted by the UE according to any one of claims 1 to 7.
10. A storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of security checking an S-NSSAI transmitted by a UE in accordance with any one of claims 1 to 7.
CN202110774784.3A 2021-07-08 2021-07-08 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment) Active CN113449286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110774784.3A CN113449286B (en) 2021-07-08 2021-07-08 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)

Publications (2)

Publication Number Publication Date
CN113449286A CN113449286A (en) 2021-09-28
CN113449286B CN113449286B (en) 2024-03-26

Family

ID=77815551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110774784.3A Active CN113449286B (en) 2021-07-08 2021-07-08 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)

Country Status (1)

Country Link
CN (1) CN113449286B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024031724A1 (en) * 2022-08-12 2024-02-15 北京小米移动软件有限公司 Terminal device capability indication method and apparatus

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110769420A (en) * 2018-07-25 2020-02-07 中兴通讯股份有限公司 Network access method, device, terminal, base station and readable storage medium
CN110798833A (en) * 2018-08-03 2020-02-14 华为技术有限公司 Method and device for verifying user equipment identification in authentication process
CN110808830A (en) * 2019-10-21 2020-02-18 边缘智能研究院南京有限公司 IoT (Internet of things) security verification framework based on 5G network slice and service method thereof
CN111434151A (en) * 2017-12-22 2020-07-17 联想(新加坡)私人有限公司 Network slice selection assistance information configuration
CN111464324A (en) * 2019-01-18 2020-07-28 中兴通讯股份有限公司 Secure communication method, device and system
CN112105015A (en) * 2019-06-17 2020-12-18 华为技术有限公司 Secondary authentication method and device
CN112994913A (en) * 2019-12-13 2021-06-18 华为技术有限公司 Network slice selection method and related device
CN113596831A (en) * 2020-04-14 2021-11-02 华为技术有限公司 Communication method and communication equipment for identifying user equipment in slice authentication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA3070876C (en) * 2017-07-25 2022-07-19 Telefonaktiebolaget Lm Ericsson (Publ) Subscription concealed identifier
CN110858992A (en) * 2018-08-23 2020-03-03 华为技术有限公司 Routing method, device and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Equipment and access security of 5G networks; 陆海涛; 李刚; 高旭昇; 中兴通讯技术; Vol. 25 (No. 4); 19-24 *
Efficient and Secure Service Oriented Authentication Supporting Network Slicing for 5G Enabled IoT; Jiangbing Ni; Xiaodong Lin; IEEE Journal on Selected Areas in Communications; Vol. 36 (No. 3); 644-657 *

Also Published As

Publication number Publication date
CN113449286A (en) 2021-09-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant