CN113904781B - Slice authentication method and system - Google Patents

Publication number: CN113904781B
Authority: CN (China)
Prior art keywords: authentication, network, slice, function, nssaaf
Legal status: Active
Application number: CN202010570536.2A
Other languages: Chinese (zh)
Other versions: CN113904781A
Inventors: 邓娟, 何承东, 李飞
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN202010570536.2A; priority to PCT/CN2021/077308 (WO2021253859A1); publication of CN113904781A; application granted; publication of CN113904781B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication


Abstract

The embodiments of this application provide a slice authentication method and a slice authentication system. The method comprises the following steps: the Access and Mobility Management Function (AMF) sends an authentication request to the Network Slice-Specific Authentication and Authorization Function (NSSAAF); in response to the authentication request, the NSSAAF interacts with the Unified Data Management (UDM) network element to determine a first authentication result of the terminal device in the serving network; if the first authentication result is authentication success, the NSSAAF interacts with the server and with the AMF to perform slice authentication and obtain a slice authentication result, and the NSSAAF sends that result to the AMF. Implementing the technical solution provided by this invention prevents the attack in which a serving network bypasses primary authentication and directly performs slice authentication.

Description

Slice authentication method and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a slice authentication method and system.
Background
Before the terminal device accesses the operator network, the operator network needs to perform bidirectional authentication with the terminal device, and after the bidirectional authentication is successful, the terminal device is allowed to access the network. Further, after the terminal device accesses the operator network, if the terminal device wants to access the slice, it needs to perform bidirectional authentication with the slice. How to safely perform slice authentication is an urgent problem to be solved.
Disclosure of Invention
The application provides a slice authentication method and system, which can safely carry out slice authentication.
In a first aspect, the present application provides a slice authentication method, including:
  • The Access and Mobility Management Function (AMF) sends a first authentication request to the Network Slice-Specific Authentication and Authorization Function (NSSAAF).
  • In response to the first authentication request, the NSSAAF sends a second authentication request to the Unified Data Management (UDM) network element.
  • In response to the second authentication request, the UDM sends indication information to the NSSAAF, the indication information indicating a first authentication result of the terminal device in the serving network.
  • If the first authentication result is authentication success, the NSSAAF sends first protocol information to a server, and receives second protocol information sent by the server.
  • In response to the second protocol information, the NSSAAF sends a third authentication request to the AMF.
  • In response to the third authentication request, the AMF sends a first non-access stratum (NAS) transport message to the terminal device (UE), and receives a second NAS transport message sent by the UE.
  • In response to the second NAS transport message, the AMF sends a fourth authentication request to the NSSAAF.
  • In response to the fourth authentication request, the NSSAAF sends third protocol information to the server, and receives fourth protocol information sent by the server.
  • In response to the fourth protocol information, the NSSAAF sends a second authentication result to the AMF.
With the technical solution provided by this invention, the UDM returns the result of the primary authentication (the authentication result of the terminal device in the serving network) to the NSSAAF, and the NSSAAF continues with the subsequent slice authentication procedure only when that result is authentication success; this prevents the attack in which a malicious serving network bypasses primary authentication and directly performs slice authentication. It should be noted that if the serving network bypasses primary authentication and directly requests slice authentication of the terminal device from the home network, home network resources are consumed even though the slice authentication cannot ultimately succeed; this procedure can therefore be understood as an attack by the serving network on the home network.
It should be noted that primary authentication refers to the bidirectional authentication performed between the terminal device and the network side when the terminal device accesses the network; for example, the primary authentication may be 5G Authentication and Key Agreement (5G AKA) or Extensible Authentication Protocol Authentication and Key Agreement (EAP AKA). For 5G AKA and EAP AKA, refer to the standard 3GPP TS 33.501.
Optionally, in an implementation manner of the present invention, the first authentication request includes a Serving Network Name (SNN). Before the NSSAAF sends the second authentication request to the UDM, the NSSAAF checks whether the SNN is consistent with an expected SNN, and sends the second authentication request to the UDM only if the SNN is consistent with the expected SNN. Further, the method further comprises: if the SNN is not consistent with the expected SNN, the NSSAAF sends an indication to the AMF to stop authentication. It should be noted that the first authentication request further includes a token generated by the network storage function (NRF), and the token includes the expected SNN. Alternatively, the token may not include the SNN but instead include a serving network identity (SN ID), in which case the NSSAAF matches the SN ID in the token against the SN ID contained in the SNN. It is to be understood that if the match succeeds, the NSSAAF sends the second authentication request to the UDM; if the match fails, the NSSAAF sends an indication to the AMF to stop authentication.
In addition, in an implementation manner of the present invention, during or after the main authentication process, the UDM or AUSF may send an authentication result of the main authentication to the NSSAAF, and the NSSAAF may store the authentication result. Subsequently, after the NSSAAF receives the first authentication request, the NSSAAF may determine whether to send the first protocol information to the server according to the authentication result directly, without interacting with the UDM to obtain the authentication result of the primary authentication.
Optionally, in another implementation manner of the present invention, the method further includes: after the primary authentication succeeds, the AMF sends the security context state of the terminal device to the UDM, and the UDM stores it, where the security context state of the terminal device includes an instance identifier (instance ID) of the AMF. Specifically, the second authentication request includes an identifier of the AMF; in response to the second authentication request, the UDM determines whether the identifier of the AMF is the same as the AMF instance identifier in the stored security context state of the terminal device, and only if they are the same does the UDM send the indication information to the NSSAAF, where the indication information indicates the first authentication result of the terminal device in the serving network (the first authentication result may be the result of the primary authentication). Through this technical solution, the home network can determine whether the AMF initiating the slice authentication is a legitimate AMF; if it is, the indication information is sent. If the AMF is not legitimate, the subsequent slice authentication procedure is refused, which prevents home network resources from being wasted. It should be noted that the UDM and the NSSAAF belong to the home network, and the AMF belongs to the serving network.
Optionally, in another implementation manner of the present invention, the second authentication request carries the serving network name of the AMF; before the UDM sends the indication information to the NSSAAF, the method further includes: the UDM determines whether an authentication result matching the serving network name exists. The UDM sends the indication information to the NSSAAF only if an authentication result matching the serving network exists and that result is authentication success. It can be understood that if an authentication result matching the serving network name exists, the UE has passed primary authentication, and performing slice authentication at this point is legitimate. This check eliminates the potential risk, improves authentication security, and prevents signaling resources of the home network from being wasted.
Optionally, in another implementation manner of the present invention, the method further includes: and if the authentication result matched with the service network name exists but the authentication result is authentication failure, the UDM sends a message for indicating to stop authentication to the NSSAAF. It can be understood that, if the authentication result is authentication failure, which indicates that the UE has not passed the primary authentication yet, then initiating the slice authentication is impossible to be authenticated successfully, and therefore, directly terminating the slice authentication procedure can prevent the signaling resource of the home network from being wasted.
Optionally, in another implementation manner of the present invention, the method further includes: and if the authentication result matched with the service network name does not exist, the UDM sends a message for indicating to stop authentication to the NSSAAF.
For example, success of authentication may be represented by success, and failure of authentication may be represented by failure. For example, authentication success may be represented by True and authentication failure may be represented by False. In addition, there are many methods for characterizing the success or failure of authentication or not performing authentication, which are not listed and not limited herein.
Optionally, in another implementation manner of the present invention, the second authentication request carries a first identifier of the user equipment; the method further comprises the following steps: the UDM acquires a second identifier of the user equipment according to the first identifier; and the UDM sends the second identifier to the NSSAAF.
Optionally, in another implementation manner of the present invention, the method further includes: and the NSSAAF receives the second identifier and stores the mapping relation between the first identifier and the second identifier.
For example, the first identifier may be a Subscription Permanent Identifier (SUPI) and the second identifier may be a Generic Public Subscription Identifier (GPSI).
It should be noted that, after the mapping relationship between the SUPI and the GPSI is saved, the NSSAAF may interact with an external server or a data network by using the GPSI to prevent the SUPI from leaking, and when the NSSAAF receives the GPSI sent by the external server, the NSSAAF may obtain the SUPI corresponding to the GPSI, and then interact with a network element inside the core network by using the SUPI, thereby ensuring efficient communication between network elements inside the core network.
For another example, the first identifier may be a GPSI, and the second identifier may be a GPSI. It is understood that GPSI is calculated by a preset function.
Optionally, in another implementation manner of the present invention, after the NSSAAF completes slice authentication of the terminal device, the state of the slice authentication (for example, authentication success or failure) may be sent to the UDM, and the UDM may store it. It is noted that other network elements may subsequently interact with the UDM to query the status of the slice authentication. Specifically, for example, the method further comprises: the NSSAAF sends an authentication result confirmation message to the UDM, where the authentication result confirmation message includes the second authentication result, and the UDM stores the second authentication result. Optionally, the authentication result confirmation message further includes the SUPI/GPSI, the Single Network Slice Selection Assistance Information (S-NSSAI), and the serving network name; in that case, the UDM also stores the SUPI/GPSI, the S-NSSAI, and the serving network name.
Optionally, in an implementation manner of the present invention, the alternatives described above may be combined. For example, the first authentication request includes a serving network name; before the NSSAAF sends the second authentication request to the UDM, the NSSAAF checks whether the SNN is consistent with the expected SNN and sends the second authentication request to the UDM only if it is. If the second authentication request includes the serving network name of the AMF, the UDM determines whether an authentication result matching the serving network name exists, and sends the indication information to the NSSAAF only if a matching result exists and that result is authentication success. If the second authentication request includes the AMF identifier, the UDM determines whether the AMF identifier is the same as the AMF instance identifier in the security context state of the terminal device, and if so, sends the indication information to the NSSAAF. If the second authentication request includes both the serving network name of the AMF and the AMF identifier, the UDM may select one of them for verification or verify both; for example, if both parameters are to be verified, the indication is sent to the NSSAAF only if both verifications succeed. In addition, it should be noted that the NSSAAF's check of the SNN in the first authentication request against the expected SNN prevents the AMF from triggering authentication with a forged or otherwise incorrect serving network name, while the UDM's verification of the AMF identifier confirms whether the primary authentication has succeeded.
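The following is an added worked model, not the patent's or any product's code, of the checks described above: the NSSAAF compares the SNN (or SN ID) in the first authentication request with the NRF token, and the UDM verifies the AMF identifier against the stored security context state and looks up the primary authentication result for that serving network before returning the indication information (and the GPSI mapped from the SUPI). The SNN layout "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org", the token shape, and all identifiers are assumptions or constructed sample values.

```python
"""Added model of the pre-slice-authentication gate: NSSAAF token/SNN check,
then UDM AMF-identifier and primary-authentication-result checks."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed SNN layout "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org"; the SN ID is the part after "5G:".
def sn_id_from_snn(snn: str) -> str:
    return snn.split(":", 1)[1] if ":" in snn else snn

@dataclass
class Token:                      # token the NRF issued to the AMF (hypothetical shape)
    expected_snn: Optional[str] = None
    sn_id: Optional[str] = None   # alternative form: the token carries only the SN ID

@dataclass
class FirstAuthRequest:           # AMF -> NSSAAF
    supi: str
    snn: str
    amf_id: str
    token: Token

@dataclass
class UDM:
    # (SUPI, SNN) -> True/False result of the primary (main) authentication
    primary_auth: dict = field(default_factory=dict)
    # SUPI -> AMF instance identifier stored with the security context state
    security_context: dict = field(default_factory=dict)
    gpsi_of: dict = field(default_factory=dict)   # SUPI -> GPSI
    calls: int = 0                                # second authentication requests received

    def second_auth_request(self, supi, snn, amf_id, check_amf_id=True):
        """Return ("indication", True, gpsi) or ("stop", reason, None)."""
        self.calls += 1
        if check_amf_id and self.security_context.get(supi) != amf_id:
            return ("stop", "AMF identifier does not match security context", None)
        if (supi, snn) not in self.primary_auth:
            return ("stop", "no primary authentication result for this serving network", None)
        if not self.primary_auth[(supi, snn)]:
            return ("stop", "primary authentication failed", None)
        return ("indication", True, self.gpsi_of.get(supi))

@dataclass
class NSSAAF:
    udm: UDM
    supi_to_gpsi: dict = field(default_factory=dict)

    def first_auth_request(self, req: FirstAuthRequest):
        """Return ("proceed", gpsi) when first protocol information may be sent, else ("stop", reason)."""
        tok = req.token
        if tok.expected_snn is not None:
            if req.snn != tok.expected_snn:
                return ("stop", "SNN does not match the expected SNN in the token")
        elif tok.sn_id is not None:
            if sn_id_from_snn(req.snn) != tok.sn_id:
                return ("stop", "SN ID in the token does not match the SN ID in the SNN")
        else:
            return ("stop", "token carries neither an SNN nor an SN ID")
        verdict, payload, gpsi = self.udm.second_auth_request(req.supi, req.snn, req.amf_id)
        if verdict == "stop":
            return ("stop", payload)
        if gpsi is not None:
            self.supi_to_gpsi[req.supi] = gpsi   # GPSI toward the external server, SUPI inside the core
        return ("proceed", gpsi)

def run_scenarios():
    """Constructed sample data; returns the NSSAAF verdict for each scenario."""
    supi, gpsi = "imsi-234150000000001", "msisdn-447700900001"   # constructed identifiers
    home_snn = "5G:mnc015.mcc234.3gppnetwork.org"
    udm = UDM(primary_auth={(supi, home_snn): True},
              security_context={supi: "amf-instance-1"}, gpsi_of={supi: gpsi})
    nssaaf = NSSAAF(udm)
    good_token = Token(expected_snn=home_snn)
    legit = FirstAuthRequest(supi, home_snn, "amf-instance-1", good_token)
    forged_snn = FirstAuthRequest(supi, "5G:mnc099.mcc999.3gppnetwork.org", "amf-instance-1", good_token)
    wrong_amf = FirstAuthRequest(supi, home_snn, "amf-instance-9", good_token)
    out = {"legit": nssaaf.first_auth_request(legit)}
    calls_before = udm.calls
    out["forged_snn"] = nssaaf.first_auth_request(forged_snn)
    out["udm_contacted_for_forged_snn"] = udm.calls != calls_before   # rejected before any UDM signaling
    out["wrong_amf"] = nssaaf.first_auth_request(wrong_amf)
    # A serving network that never ran primary authentication goes straight to slice authentication.
    other_snn = "5G:mnc020.mcc234.3gppnetwork.org"
    bypass = FirstAuthRequest(supi, other_snn, "amf-instance-1", Token(sn_id=sn_id_from_snn(other_snn)))
    out["bypass"] = nssaaf.first_auth_request(bypass)
    udm.primary_auth[(supi, other_snn)] = False    # primary authentication ran but failed
    out["failed_primary"] = nssaaf.first_auth_request(bypass)
    return out

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```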
In a second aspect, the present application provides a slice authentication system for performing the method of slice authentication of the first aspect. Specifically, the system comprises: the AMF is used for sending a first authentication request to the NSSAAF; the NSSAAF is used for responding to the first authentication request and sending a second authentication request to the UDM; the UDM is configured to send, in response to the second authentication request, indication information to the NSSAAF, where the indication information is used to indicate a first authentication result of a terminal device in a service network; the NSSAAF is used for sending first protocol information to a server if the first authentication result is that the authentication is successful; receiving second protocol information sent by the server; sending a third authentication request to the AMF in response to the second protocol information; the AMF is used for responding to the third authentication request and sending a first NAS transmission message to the terminal equipment; receiving a second NAS transmission message sent by the UE; sending a fourth authentication request to the NSSAAF in response to the second NAS transport message; the NSSAAF is further used for responding to the fourth authentication request and sending third protocol information to a server; receiving fourth protocol information sent by the server; and sending a second authentication result to the AMF in response to the fourth protocol information.
Optionally, in another implementation manner of the present invention, the second authentication request carries a service network name of the AMF; the UDM is further used for determining whether an authentication result matched with the service network name exists. The UDM is specifically configured to send the indication information to the NSSAAF if an authentication result matching the service network exists and the authentication result is successful.
Optionally, in another implementation manner of the present invention, the UDM is further configured to send, to the NSSAAF, a message indicating to stop authentication if there is no authentication result matching the service network name.
Optionally, in another implementation manner of the present invention, the second authentication request carries a first identity SUPI of the user equipment; the UDM is further used for acquiring a second identity GPSI of the user equipment according to the SUPI; sending the GPSI to the NSSAAF.
Optionally, in another implementation manner of the present invention, the NSSAAF is further configured to receive the GPSI, and store a mapping relationship between the SUPI and the GPSI.
In a third aspect, the present application provides a communication device, where the communication device is the AMF, NSSAAF, or UDM in the system according to the second aspect. The communication device comprises a processing unit and a transceiving unit, wherein the processing unit is used for processing information according to the functions described in the first aspect or the second aspect; the transceiver unit is configured to transmit and receive information according to the function described in the first aspect or the second aspect.
In a fourth aspect, the present application provides a communication device, where the communication device is the AMF, NSSAAF, or UDM in the system according to the second aspect. The communication device comprises a processor and a transceiver, wherein the processor is configured to process information according to the functions described in the first aspect or the second aspect, and the transceiver is configured to transmit and receive information according to the functions described in the first aspect or the second aspect.
In a fifth aspect, the present application provides a communication device, which is the AMF, NSSAAF, or UDM in the system according to the second aspect. The communication device comprises a memory, a processor and a transceiver, wherein, when program code or instructions in the memory are executed, the processor performs information processing according to the functions described in the first aspect or the second aspect, and the transceiver transmits and receives information according to the functions described in the first aspect or the second aspect.
In a sixth aspect, the present application provides a communication device, where the communication device is the AMF, NSSAAF, or UDM in the system according to the second aspect. The communication device comprises a processor and an interface circuit, wherein the processor is used for processing information according to the functions described in the first aspect or the second aspect; the interface circuit is configured to transmit and receive information according to the functions described in the first aspect or the second aspect.
In a seventh aspect, the present application provides a computer-readable storage medium for storing a computer program which, when run on a computer, causes the functions of the AMF, UDM or NSSAAF in the first or second aspect to be performed.
In an eighth aspect, the present application provides a computer program product comprising a computer program or computer code which, when run on a computer, causes the functions of the AMF, UDM or NSSAAF of the first or second aspect described above to be performed.
Drawings
Fig. 1 is a schematic architecture diagram of a communication system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a slice authentication method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another slice authentication method provided in an embodiment of the present application;
fig. 4 is a schematic flowchart of another slice authentication method provided in an embodiment of the present application;
fig. 5 is a schematic flowchart of another slice authentication method provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 9 is a schematic diagram of a wireless communication system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described with reference to the accompanying drawings.
The terms "first" and "second," and the like in the description, claims, and drawings of the present application are used solely to distinguish between different objects and not to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. Such as a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those skilled in the art can explicitly and implicitly understand that the embodiments described herein can be combined with other embodiments.
In this application, "at least one" means one or more, "a plurality" means two or more, "at least two" means two or three and three or more, "and/or" for describing an association relationship of associated objects, which means that there may be three relationships, for example, "a and/or B" may mean: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
The following describes a communication system to which the present application is applied:
The technical solution provided by this application can be applied to various communication systems. In a communication system, the part operated by an operator may be referred to as a Public Land Mobile Network (PLMN) (also referred to as an operator network, etc.). A PLMN is a network established and operated by a government or an operator approved by it for the purpose of providing land mobile communication services to the public, and is mainly a public network in which a Mobile Network Operator (MNO) provides mobile broadband access services to users. The PLMN described in this application may specifically be a network meeting the requirements of the 3rd Generation Partnership Project (3GPP) standards, referred to as a 3GPP network for short. A 3GPP network generally includes, but is not limited to, a fifth-generation mobile communication (5G) network and a fourth-generation mobile communication (4G) network. For convenience of description, the PLMN is taken as the example in the embodiments of this application. Alternatively, the technical solution provided by this application may also be applied to a Long Term Evolution (LTE) system, a Frequency Division Duplex (FDD) system, a Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth-generation (5G) communication system or New Radio (NR) system, and other future communication systems such as 6G, 7G, and the like.
With the expansion of mobile bandwidth access services, mobile networks will also develop to better support diversified business models, and meet the demands of more diversified application services and more industries. For example, 5G networks have been adjusted in network architecture relative to 4G networks in order to provide better and more sophisticated services to more industries. For example, the 5G network splits a Mobility Management Entity (MME) in the 4G network into a plurality of network functions including an access and mobility management function (AMF) and a Session Management Function (SMF).
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application, which is a 5G network architecture based on a service architecture in a non-roaming scenario defined in a 3GPP standardization process. The network architecture may include three parts, a terminal equipment part, a PLMN and a Data Network (DN).
The terminal equipment part may include terminal equipment 110, and the terminal equipment 110 may also be referred to as User Equipment (UE). A terminal device 110 in this application is a device having a wireless transceiving function, and may communicate with one or more Core Network (CN) devices (or may also be referred to as core devices) through an access network device (or may also be referred to as an access device) in a Radio Access Network (RAN) 140. Terminal device 110 may also be referred to as an access terminal, subscriber unit, subscriber station, mobile, remote station, remote terminal, mobile device, user terminal, user agent, or user equipment, etc. Terminal device 110 may be deployed on land, including indoors or outdoors, hand-held, or vehicle-mounted; can also be deployed on the water surface (such as a ship and the like); and may also be deployed in the air (e.g., airplanes, balloons, satellites, etc.). Terminal device 110 may be a cellular telephone (cellular phone), a cordless telephone, a Session Initiation Protocol (SIP) phone, a smart phone (smart phone), a mobile phone (mobile phone), a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), or the like. Alternatively, the terminal device 110 may also be a handheld device with wireless communication functionality, a computing device or other device connected to a wireless modem, an in-vehicle device, a wearable device, a drone device or internet of things, a terminal in the internet of vehicles, a terminal in any modality in 5G networks and future networks, a relay user equipment, a terminal in a PLMN for future evolution, or the like. The relay user equipment may be, for example, a 5G home gateway (RG). 
For example, the terminal device 110 may be a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid, a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), or the like. The embodiment of the present application does not limit the type or category of the terminal device.
The PLMN may include: a network slice-specific authentication and authorization function (NSSAAF) 131, a network storage function (NRF) 132, a Policy Control Function (PCF) 133, a Unified Data Management (UDM) 134, an Application Function (AF) 135, an Authentication Server Function (AUSF) 136, an Access and Mobility Management Function (AMF) 137, a Session Management Function (SMF) 138, a User Plane Function (UPF) 139, a (radio) access network ((R)AN) 140, and the like. In the above-mentioned PLMN, the part other than the (radio) access network 140 may be referred to as the Core Network (CN) part or simply the core network part.
The data network DN 120, which may also be referred to as a Packet Data Network (PDN), is typically a network located outside the PLMN, such as a third-party network. Illustratively, a PLMN may have access to a plurality of data networks DN 120, and a plurality of services may be deployed on the data networks DN 120 to provide services such as data and/or voice services for the terminal device 110. For example, the data network DN 120 may be the private network of an intelligent factory, a sensor installed in a workshop of the intelligent factory may be the terminal device 110, and a control server for the sensor is disposed in the data network DN 120 and provides services for the sensor. The sensor can communicate with the control server, obtain instructions from the control server, and transmit collected sensor data to the control server according to those instructions, etc. For another example, the data network DN 120 may be the internal office network of a company, an employee's mobile phone or computer may be the terminal device 110, and the employee's mobile phone or computer may access information, data resources, and the like on the company's internal office network. The terminal device 110 may establish a connection with the PLMN through an interface provided by the PLMN (e.g., the N1 interface in fig. 1), and use the data and/or voice services provided by the PLMN. Terminal device 110 may also access the data network DN 120 via the PLMN, using operator services deployed on the data network DN 120 and/or services provided by third parties. A third party may be a service party other than the PLMN and the terminal device 110, and may provide other data and/or voice services for the terminal device 110. The specific form of the third party may be determined according to the actual application scenario, and is not limited herein.
By way of example, the network functions in the PLMN are briefly described below.
The (R) AN 140 is a sub-network of the PLMN and is the implementation system between the service nodes (or network functions) in the PLMN and the terminal equipment 110. The terminal device 110 accesses the PLMN by first passing through the (R) AN 140 and then connecting to a service node in the PLMN through the (R) AN 140. The access network device in the embodiment of the present application is a device that provides a wireless communication function for the terminal device 110, and may also be referred to as an access device, an (R) AN device, or a network device. Access devices include, but are not limited to: a next generation base station (gNB) in a 5G system, an evolved Node B (eNB) in an LTE system, a Radio Network Controller (RNC), a Node B (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (home evolved Node B, or home Node B, HNB), a Base Band Unit (BBU), a Transmission and Reception Point (TRP), a Transmission Point (TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network. It is understood that the present application is not limited to a specific type of access network device. In systems using different radio access technologies, the names of the devices that function as access network devices may differ.
Optionally, in some deployments of the access device, the access device may include a Centralized Unit (CU), a Distributed Unit (DU), and the like. In other deployments, the CU may be further divided into a CU Control Plane (CU-CP) and a CU User Plane (CU-UP), among others. In still other deployments, the access device may also adopt an Open Radio Access Network (ORAN) architecture; the application does not limit the specific deployment manner of the access device.
The network slice-specific authentication and authorization function NSSAAF 131 is used for authenticating and authorizing access to a slice.
The network storage function NRF 132 may be used to maintain real-time information for all network function services in the network.
The policy control function PCF 133 is a control plane function provided by an operator and is used to provide the policy for a Protocol Data Unit (PDU) session to the session management function SMF 138. The policies may include charging-related policies, QoS-related policies, authorization-related policies, and the like.
The unified data management UDM 134 is a control plane function provided by an operator, and is responsible for storing information such as the subscriber permanent identifier (SUPI), security context, and subscription data of subscribers of the PLMN. A subscriber of the PLMN may specifically be a subscriber using services provided by the PLMN, for example, a subscriber using a China Telecom core card in a terminal device, or a subscriber using a China Mobile core card in a terminal device. For example, the SUPI of the subscriber may be the number of the core card of the terminal device, or the like. The security context may be data (a cookie) or a token stored on the local terminal device (e.g., a mobile phone), etc. The subscription data of the subscriber may be the services associated with the core card of the terminal device, such as the traffic package of the mobile phone's core card.
The application function AF 135 is configured to perform application-influenced data routing, access the network exposure function, perform policy control by interacting with the policy framework, and the like.
The authentication server function AUSF 136 is a control plane function provided by the operator and is typically used for primary authentication, i.e., authentication between the terminal equipment 110 (the subscriber) and the PLMN.
The access and mobility management function AMF 137 is a control plane network function provided by the PLMN and is responsible for access control and mobility management of the access to the PLMN by the terminal device 110, including functions such as mobility state management, assigning temporary identities of users, authenticating and authorizing users, and the like.
The session management function SMF 138 is a control plane network function provided by the PLMN and is responsible for managing Protocol Data Unit (PDU) sessions of the terminal device 110. A PDU session is a channel for transmitting PDUs; the terminal device and the DN 120 exchange PDUs with each other through the PDU session. The SMF 138 is responsible for the establishment, maintenance, deletion, etc. of the PDU session. SMF 138 includes session-related functions such as session establishment, modification, and release, including tunnel maintenance between UPF 139 and (R) AN 140, selection and control of UPF 139, Service and Session Continuity (SSC) mode selection, roaming, and the like.
The user plane function UPF 139 is a gateway provided by the operator and is a gateway for the PLMN to communicate with the DN 120. The UPF 139 includes user plane related functions such as packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection, downlink packet storage, and the like.
The network functions in the PLMN shown in fig. 1 may further include a Network Slice Selection Function (NSSF) (not shown in fig. 1), which is responsible for determining the network slice instance, selecting the AMF network function 137, and the like. The network functions in the PLMN shown in fig. 1 may further include a unified data repository (UDR); the embodiments of the present application do not limit the other network functions included in the PLMN.
In fig. 1, Nnef, Nausf, Nrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers. For example, the meanings of the above interface serial numbers may be as defined in the 3GPP standard protocols, and the application does not limit their meaning. It should be noted that, in fig. 1, the terminal device 110 is shown only as a UE by way of example, and the interface names between the network functions in fig. 1 are likewise only examples; in a specific implementation, the interface names of the system architecture may be other names, which is not limited in this application.
The mobility management network function in this application may be the AMF 137 shown in fig. 1, or may be another network function having the above-mentioned access and mobility management function AMF 137 in a future communication system. Alternatively, the mobility management network function in the present application may also be a Mobility Management Entity (MME) in the LTE system.
For convenience of description, in this embodiment, the access and mobility management function AMF 137 is abbreviated as AMF, the unified data management UDM 134 is abbreviated as UDM, and the terminal device 110 is referred to as UE, that is, in this embodiment, AMF described later may be replaced by a mobility management network function, UDM may be replaced by unified data management, and UE may be replaced by a terminal device. It will be appreciated that other network functions not shown are equally applicable to this alternative approach.
The network architecture (e.g., a 5G network architecture) shown in fig. 1 employs a service-based architecture and general interfaces, and conventional network element functions are split into several self-contained, self-managed, and reusable network function service modules based on Network Function Virtualization (NFV) technology. The network architecture diagram shown in fig. 1 can be understood as a service-based 5G network architecture diagram in a non-roaming scenario. In this architecture, different network functions are combined in an orderly way according to the requirements of specific scenarios, so that network capabilities and services can be customized, avoiding the deployment of a dedicated physical network for each service. Network slicing technology enables an operator to respond to customer requirements more flexibly and quickly, and supports flexible allocation of network resources.
The following describes the slicing and slice authentication related to the present application.
Slicing, simply understood, means cutting an operator's physical network into a plurality of virtual end-to-end networks. Each virtual network (including the devices, access network, transport network, and core network within it) is logically independent, and a failure of any one virtual network does not affect the others. To meet the diversity of requirements and the isolation between slices, relatively independent management, operation and maintenance are required between services, with customized service functions and analysis capabilities. Instances of different service types may be deployed on different network slices, as may different instances of the same service type. A slice may be composed of a set of Network Functions (NFs) and/or sub-networks, etc. For example, the (R) AN 140, AMF 137, SMF 138, and UPF 139 in fig. 1 may constitute a slice. It will be appreciated that each network function in fig. 1 is only schematically depicted once, whereas in an actual network deployment there may be many, tens, or hundreds of each network function or sub-network. Many slices can be deployed in the PLMN, and each slice can have different performance to meet the requirements of different applications and different vertical industries. An operator can "tailor" a slice according to the needs of customers in different vertical industries. The operator can also allow some industry customers greater autonomy and let them participate in some of the slice's management and control functions. Slice-level authentication is one such network control function in which industry customers are allowed to participate, namely the authentication and authorization of a terminal device's access to a slice; it may also be called "secondary authentication", etc., and is referred to as "slice authentication" for short in this application.
The terminal device needs to be mutually authenticated with, and authorized by, the network and/or slice before being allowed to access the network or slice. Generally, the network needs to authenticate and authorize the terminal device once or twice before it may access the network or slice. First, the PLMN performs authentication based on the SUPI that the terminal device uses and has subscribed with the PLMN; this is called primary authentication, and common primary authentication methods include 5G AKA or EAP AKA. Second, the PLMN performs authentication based on the subscription identity used between the terminal device and the DN, i.e., slice authentication or secondary authentication.
As shown in fig. 1, when slices are deployed in the core network and UE 110 needs to access a slice, UE 110 may provide the requested slice to the core network. The slice requested by the UE 110 may be expressed as a requested network slice selection assistance information (requested NSSAI) set. The NSSAI may include one or more pieces of single network slice selection assistance information (S-NSSAI); one S-NSSAI identifies one network slice type, which may also be understood as the S-NSSAI identifying a slice, or as the S-NSSAI being the identification information of a slice. It is understood that a slice may also be referred to herein as a network slice, a network slice instance, or an S-NSSAI, etc., and the name of the slice is not limited herein. For ease of understanding, the following description does not strictly distinguish between a slice and an S-NSSAI, etc.; both may be used interchangeably.
Further, after the UE 110 sends a registration request to the network, the core network function (such as the AMF network function 137 or the NSSF network function) selects a network slice set allowing access for the UE 110 according to the subscription data of the UE 110, the network slice requested by the UE 110, the roaming agreement, and the local configuration. The set of network slices allowed to be accessed may be represented by allowed (allowed) NSSAIs, and the S-NSSAIs included in the allowed NSSAIs may be the S-NSSAIs allowed to be accessed by the UE 110 by the current PLMN.
For example, as vertical industries and the internet of things develop, a data network DN 120 outside the PLMN (e.g., a DN serving a vertical industry) may also require authentication and authorization of a UE 110 accessing the DN 120. For example, a business company provides a game platform that offers game services to players via a PLMN. On the one hand, since the UE 110 used by the player accesses the game platform through the PLMN, the PLMN needs to authenticate or authorize the identity (SUPI) of the UE 110, i.e., primary authentication. On the other hand, a game player is a customer of the business company, which also needs to authenticate or authorize the identity of the game player. Such authentication or authorization of the player's identity may be slice-based authentication, or authentication in units of slices. In this case, such authentication may be referred to as slice authentication, or network slice-specific authentication and authorization (NSSAA).
It should be noted that the actual meaning of slice authentication may be as follows: authentication performed between the terminal device and a third party network (e.g., the DN or its authentication server). The slice authentication result will determine whether the PLMN authorizes the terminal device to access the slice provided by the PLMN. It should also be understood that the method applied to slice authentication in the present application is also applicable to a session-based secondary authentication (secondary authentication) or a slice-based secondary authentication, and will not be described in detail herein.
The slice authentication method provided by the present application is described in detail below.
Fig. 2 is a flowchart illustrating a slice authentication method according to an embodiment of the present application; the method may be applied to the network shown in fig. 1. It is understood that fig. 2 illustrates a slice authentication method, and the embodiment of the present application does not limit the primary authentication method between the UE and the PLMN network. The server responsible for slice authentication in fig. 2 is an authentication, authorization, and accounting server (AAA-S), which may be deployed within the PLMN network; alternatively, the AAA-S may be deployed outside the PLMN network. When the AAA-S is deployed outside the network, the UE can reach the AAA-S through the proxy service provided by an AAA proxy (AAA-P) deployed in the PLMN network, so that authentication messages can be exchanged between the UE and the AAA-S. The network slice-specific authentication and authorization function (NSSAAF) in fig. 2 is a network function that assists in performing slice authentication. In another implementation, the AUSF or another NF may assist in completing slice authentication instead of the NSSAAF. Therefore, the embodiments of the present application are not limited to a particular network function (such as the NSSAAF, AUSF, or another NF) assisting in completing slice authentication. Further, in some deployments, the AAA-P may be deployed separately from the NSSAAF; in other deployments, the AAA-P may be deployed together with the NSSAAF (or AUSF). Therefore, the embodiment of the present application is not limited to a particular deployment of the AAA-P and NSSAAF (or AUSF).
Fig. 2 shows the case in which the AAA-S is deployed outside the PLMN network, that is, the UE reaches the AAA-S through the proxy service provided by the AAA-P inside the PLMN network to implement slice authentication, and the AAA-P and the NSSAAF (or AUSF) are deployed separately. However, the embodiments of the present application are equally applicable to other deployment scenarios.
As shown in fig. 2, the slice authentication method includes:
201. AMF sends a first authentication request message to NSSAAF;
accordingly, the NSSAAF receives the first request message.
It is understood that, for convenience of description, when identification information of a slice is referred to below, the identification information of the slice is denoted by S-NSSAI. The identification information of the UE may be represented by a publicly available subscription identifier (GPSI) or SUPI, but should not be construed as a limitation to the embodiments of the present application.
Optionally, the first request message carries an EAP ID response, an S-NSSAI, and identity information of the UE.
Optionally, the first request message carries an EAP ID response, an S-NSSAI, identification information of the UE, and a service network name.
Optionally, the first request message carries an EAP ID response, an S-NSSAI, identification information of the UE, and an AMF ID.
Optionally, the first request message carries an EAP ID response, an S-NSSAI, identification information of the UE, a service network name, and an AMF ID.
For example, the identity information of the UE may be GPSI or SUPI.
202. In response to the first authentication request, the NSSAAF sends a second authentication request to the UDM;
for example, the first authentication request may be an Nssaaf NSSAA authentication Req message; the second Authentication request may be an Authentication info Req message.
203. In response to the second authentication request, the UDM sends indication information to the NSSAAF, where the indication information is used to indicate a first authentication result of the terminal equipment in a serving network;
for example, the indication information may be the first authentication result.
For example, the indication information may also be used to indicate whether slice authentication is allowed.
The indication information may also be used to indicate the registration status of the UE at the SN, for example.
The indication information may also be used to indicate whether primary authentication is required, for example. It should be noted that the primary authentication may be 5G AKA authentication or EAP AKA authentication, which is not listed here.
204. If the first authentication result is successful, the NSSAAF sends first protocol information to a server;
for example, the first protocol information may be AAA protocol message.
The server may be, for example, an AAA-S server.
205. The NSSAAF receives second protocol information sent by the server;
for example, the second protocol information may also be AAA protocol message.
206. In response to the second protocol information, the NSSAAF sends a third authentication request to the AMF;
for example, the third authentication request message may be an Nssaaf NSSAA authentication Resp message.
207. In response to the third authentication request, the AMF sends a first NAS transmission message to the terminal equipment;
208. the AMF receives a second NAS transmission message sent by the UE;
209. In response to the second NAS transport message, the AMF sends a fourth authentication request to the NSSAAF;
for example, the fourth authentication Request message may be an Nssaaf NSSAA authentication Request message.
210. In response to the fourth authentication request, the NSSAAF sends third protocol information to a server;
for example, the third protocol information may be AAA protocol message.
211. The NSSAAF receives fourth protocol information sent by the server;
for example, the fourth protocol information may be AAA protocol message.
For example, the fourth protocol information is used to characterize success or failure of slice authentication. It will be appreciated that the slice authentication process may include multiple rounds of interaction similar to steps 205-210 before the fourth protocol information is received.
For example, the fourth protocol information may include a result of slice authentication, such as authentication success or authentication failure.
212. In response to the fourth protocol information, the NSSAAF sends a second authentication result to the AMF.
For example, the NSSAAF sends an Nssaaf_NSSAA_authentication Resp message to the AMF, and the second authentication result may be carried in the Nssaaf_NSSAA_authentication Resp message.
For example, if the slice authentication result carried by the fourth protocol information is authentication success, the second authentication result sent by the NSSAAF to the AMF is authentication success (or slice authentication success). It will be appreciated that this second authentication result is used to characterize the result of the slice authentication. There are many ways to characterize it: for example, "success" characterizes authentication success and "failure" characterizes authentication failure; or "True" characterizes authentication success and "False" characterizes authentication failure, and so on.
For example, if the slice authentication result carried by the fourth protocol information is authentication failure, the second authentication result sent by the NSSAAF to the AMF is authentication failure (or slice authentication failure).
According to this scheme, after the AMF triggers the slice authentication procedure, the NSSAAF interacts with the UDM to determine whether the UE has successfully completed primary authentication; if so, the NSSAAF continues with the subsequent slice authentication procedure, otherwise the slice authentication is rejected. With this technical scheme, the AMF can be prevented from bypassing primary authentication to attack the home network, so that the security of slice authentication is ensured. It should be noted that if the AMF initiates slice authentication for a UE that has not passed primary authentication, signaling resources of the home network are consumed even though the slice authentication may eventually fail. Therefore, checking the authentication state of primary authentication before performing slice authentication improves both the efficiency and the security of slice authentication.
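The gate the NSSAAF applies in steps 201 to 212 can be modelled end to end. The following Python is an added example written for this page, not code from the patent or from Huawei; the message class, the UDM and AAA-S stand-ins, the result strings, and all sample identifiers (the SUPIs, the EAP identity, and the S-NSSAI value) are constructed assumptions. It shows the property the paragraph describes: a UE without a successful first (primary) authentication result is rejected after step 203, and no AAA protocol message is sent for it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample state (illustrative values, not from the patent):
# the first (primary) authentication result the UDM holds, keyed by SUPI.
PRIMARY_AUTH_STATE: Dict[str, str] = {
    "supi-A": "success",   # UE that completed 5G AKA / EAP AKA with the PLMN
    "supi-B": "failure",   # UE whose primary authentication failed
}
# (EAP identity, S-NSSAI) pairs the simulated AAA-S will accept.
AAA_ALLOWED: Iterable[Tuple[str, str]] = {("player-01@game.example", "s-nssai-01")}


@dataclass
class FirstAuthRequest:
    """Step 201: what the AMF sends the NSSAAF (Nssaaf NSSAA authentication Req)."""
    eap_id_response: str                 # EAP identity the UE answered with
    s_nssai: str                         # identification information of the slice
    ue_id: str                           # SUPI (or GPSI)
    serving_network_name: Optional[str] = None
    amf_id: Optional[str] = None


class UDM:
    """Answers the second authentication request (steps 202 and 203)."""

    def __init__(self, state: Dict[str, str]) -> None:
        self._state = dict(state)

    def authentication_info(self, ue_id: str) -> str:
        # Indication information: the first authentication result, or
        # "not-authenticated" when the UE never completed primary authentication.
        return self._state.get(ue_id, "not-authenticated")


class AAAServer:
    """Stand-in for the AAA-S reached through the AAA-P (steps 204-205, 210-211)."""

    def __init__(self, allowed: Iterable[Tuple[str, str]]) -> None:
        self._allowed = set(allowed)
        self.requests_seen = 0           # lets a caller observe signalling spent

    def handle(self, eap_identity: str, s_nssai: str) -> str:
        self.requests_seen += 1
        # A real AAA-S would run further EAP rounds here (the text notes steps
        # 205-210 may repeat); the simulation decides on the identity/slice pair.
        return "success" if (eap_identity, s_nssai) in self._allowed else "failure"


class NSSAAF:
    """Gates slice authentication on the primary authentication result."""

    def __init__(self, udm: UDM, aaa: AAAServer) -> None:
        self._udm = udm
        self._aaa = aaa

    def handle_first_request(self, req: FirstAuthRequest) -> str:
        """Returns the second authentication result sent to the AMF (step 212)."""
        first_result = self._udm.authentication_info(req.ue_id)      # steps 202-203
        if first_result != "success":
            # No successful primary authentication: stop here, before any
            # AAA protocol message is sent (step 204 is skipped).
            return "rejected-no-primary-authentication"
        return self._aaa.handle(req.eap_id_response, req.s_nssai)   # steps 204-211


def run_demo() -> Dict[str, str]:
    """Exercises the cases a practitioner wants to see side by side."""
    udm, aaa = UDM(PRIMARY_AUTH_STATE), AAAServer(AAA_ALLOWED)
    nssaaf = NSSAAF(udm, aaa)
    identity, slice_id = "player-01@game.example", "s-nssai-01"
    return {
        "authenticated_ue": nssaaf.handle_first_request(FirstAuthRequest(identity, slice_id, "supi-A")),
        "failed_primary": nssaaf.handle_first_request(FirstAuthRequest(identity, slice_id, "supi-B")),
        "unknown_ue": nssaaf.handle_first_request(FirstAuthRequest(identity, slice_id, "supi-C")),
        "aaa_requests": str(aaa.requests_seen),   # only the first case reached the AAA-S
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Run the file directly to print the cases; `aaa_requests` stays at 1 because only the UE with a successful first authentication result ever caused traffic towards the AAA-S, which is the signalling saving the paragraph points out.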
In another embodiment of the present invention, before step 201, the AMF may obtain from the UDM the UE's subscription information for the slice identified by the S-NSSAI. The AMF may determine whether slice authentication for the slice needs to be performed according to the identification information of the slice the UE is to access and/or the UE's subscription information for that slice. If slice authentication for the slice needs to be performed, the AMF sends an Extensible Authentication Protocol (EAP) ID request for slice authentication to the UE; accordingly, the UE receives the EAP ID request for slice authentication and sends an EAP ID response to the AMF. If slice authentication for the slice does not need to be performed, the AMF may directly send the UE a message denying access to the slice, or the like. In addition, if the AMF records (or stores) that the UE has already completed slice authentication for the slice, the UE is directly allowed to access the slice. Or further, if the AMF records (or stores) that the UE has completed slice authentication for the slice and the time of that authentication is within the validity period, the UE is directly allowed to access the slice.
It should be noted that EAP is defined by the Internet Engineering Task Force (IETF), an international standards organization. The EAP ID request may be carried in a Non-Access Stratum (NAS) message in the 3GPP network; the NAS message may also carry slice identification information such as the S-NSSAI, and the S-NSSAI may be used to indicate that the EAP ID request is a slice authentication request for that S-NSSAI.
In another embodiment of the present invention, as shown in fig. 3, fig. 3 optimizes steps 201 and 202 on the basis of fig. 2 and adds a decision step 301 performed by the NSSAAF. Steps 201, 202 and 301 specifically include:
201. the AMF sends a first authentication request message to the NSSAAF, wherein the first authentication request comprises a service network name SNN;
it is to be understood that the first authentication request message may also be abbreviated as first authentication request. Similarly, the subsequent second authentication request message may also be abbreviated as the second authentication request, which is not listed here.
Optionally, the first request message may further carry an EAP ID response, an S-NSSAI, and identity information of the UE.
Optionally, the first request message may further carry an EAP ID response, an S-NSSAI, identification information of the UE, and an AMF ID.
For example, the identity information of the UE may be GPSI or SUPI.
301. The NSSAAF judges whether the SNN is consistent with the expected SNN;
it should be noted that the first authentication request message further includes a token. Wherein the token is generated by NRF for the AMF. In addition, optionally, the NSSAAF may further obtain a token corresponding to the AMF ID from the NRF according to the AMF ID.
For example, if the desired SNN is included in the token, the NSSAAF matches the SNN in the token with the SNN in the first authentication request.
For example, if the token includes an SN ID, the NSSAAF determining whether the SNN is consistent with the expected SNN includes: the NSSAAF determines whether the SN ID in the token is consistent with the SN ID of the SNN in the first authentication request. It is understood that the SNN includes a prefix code and an SN ID. For example, the prefix code may be the character string "5G", "5G AKA", or "5G EAP AKA". The SN ID may be, for example, a PLMN ID.
202. If the SNN is consistent with the expected SNN, the NSSAAF sends a second authentication request to the UDM;
It should be noted that the SNN being consistent with the expected SNN includes the SNN being identical to the expected SNN. It also includes the first N characters of both strings being identical, or substrings of the same length taken at the same position being identical, where N is a positive integer.
For example, the first authentication request may be an Nssaaf NSSAA authentication Req message; the second Authentication request may be an Authentication info Req message.
Optionally, the method further includes: the NSSAAF sends an indication to the AMF to stop authentication if the SNN and the expected SNN are not consistent.
In addition, in an implementation manner of the present invention, during or after the primary authentication process, the UDM or AUSF may send the authentication result to the NSSAAF, and the NSSAAF may store it. Then, after the NSSAAF receives the first authentication request, it may determine directly from the stored authentication result whether to send the first protocol information to the server, without interacting with the UDM to obtain the authentication result.
With this technical scheme, the NSSAAF can determine whether the SNN used by the AMF is legitimate, and if it is not, the slice authentication flow is terminated early, preventing the waste of signaling resources.
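The SNN consistency check of step 301, together with the SNN structure (prefix code plus SN ID) and the notion of consistency defined in this embodiment, as an added Python example; it is not code from the patent or from Huawei. Assumptions: the prefix code and SN ID are joined by a colon, the NRF-issued token is modelled as a plain claims record rather than a signed token, and the SNN, SN ID and AMF identifier values are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Prefix codes the text gives as examples; longest first so that "5G" does not
# swallow "5G AKA" or "5G EAP AKA" when parsing.
KNOWN_PREFIXES = ("5G EAP AKA", "5G AKA", "5G")
SEPARATOR = ":"   # assumption: prefix code and SN ID are joined by a colon


@dataclass
class AmfToken:
    """Simulated token the NRF generated for an AMF: a plain claims record, not a
    signed token (assumption: a deployment verifies the NRF's signature first)."""
    amf_id: str
    expected_snn: Optional[str] = None   # token carries a complete expected SNN ...
    sn_id: Optional[str] = None          # ... or only an SN ID (e.g. a PLMN ID)


def split_snn(snn: str) -> Optional[Tuple[str, str]]:
    """Split an SNN into (prefix code, SN ID); None when no known prefix matches."""
    for prefix in KNOWN_PREFIXES:
        if snn.startswith(prefix + SEPARATOR):
            return prefix, snn[len(prefix) + len(SEPARATOR):]
    return None


def snn_consistent(snn: str, expected: str, first_n: Optional[int] = None) -> bool:
    """'Consistent' as the text defines it: identical, or equal in the first N characters."""
    if first_n is None:
        return snn == expected
    if first_n <= 0:
        raise ValueError("N must be a positive integer")
    # Comparing only a prefix accepts every SNN that shares it, so N should be
    # long enough to cover the SN ID rather than just the prefix code.
    return snn[:first_n] == expected[:first_n]


def check_serving_network(req_snn: str, req_amf_id: str, token: AmfToken,
                          first_n: Optional[int] = None) -> str:
    """Step 301 at the NSSAAF: 'continue' (proceed to step 202) or a stop reason
    (the NSSAAF then indicates to the AMF that authentication stops)."""
    if token.amf_id != req_amf_id:
        # The token the NSSAAF obtained from the NRF must belong to this AMF ID.
        return "stop: token was not issued for this AMF"
    if token.expected_snn is not None:
        ok = snn_consistent(req_snn, token.expected_snn, first_n)
    elif token.sn_id is not None:
        parsed = split_snn(req_snn)
        ok = parsed is not None and parsed[1] == token.sn_id
    else:
        ok = False                      # nothing in the token to compare against
    return "continue" if ok else "stop: serving network name mismatch"


if __name__ == "__main__":
    sample_snn = "5G:mnc001.mcc460.3gppnetwork.org"          # constructed value
    print(split_snn(sample_snn))
    print(check_serving_network(sample_snn, "amf-1", AmfToken("amf-1", expected_snn=sample_snn)))
    print(check_serving_network(sample_snn, "amf-1", AmfToken("amf-1", sn_id="mnc999.mcc460.3gppnetwork.org")))
```

The two token shapes the text mentions (a full expected SNN, or only an SN ID) are handled by separate branches so that the comparison performed is visible in each case; a token carrying neither yields a stop rather than an implicit pass.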
In another embodiment of the present invention, as shown in fig. 4, fig. 4 optimizes steps 202 and 203 on the basis of fig. 2 or fig. 3 and adds a decision step 401 performed by the UDM. Steps 202, 203 and 401 specifically include:
202. In response to the first authentication request, the NSSAAF sends a second authentication request to the UDM, where the second authentication request includes the AMF ID;
for example, the first authentication request may be an Nssaaf NSSAA authentication Req message; the second Authentication request may be an Authentication info Req message.
401. The UDM judges whether the AMF identifier is the same as the AMF instance identifier in the security context state of the terminal equipment;
it should be noted that, if the UE successfully performs bidirectional authentication (primary authentication) with the core network before the AMF triggers the slice authentication, the AMF sends the security context state of the terminal device to the UDM, and the UDM stores the security context state of the terminal device, where the security context state of the terminal device includes the instance identifier of the AMF.
203. If the identifier of the AMF is the same as the instance identifier of the AMF in the security context state of the terminal equipment, the UDM sends indication information to the NSSAAF, wherein the indication information is used for indicating a first authentication result of the terminal equipment in a service network;
for example, the indication information may be the first authentication result. The first authentication result may be the result of the primary authentication (i.e., the result of mutual authentication between the UE and the core network). The authentication result may be, for example, success, failure, or not authenticated. For example, "success" may identify success and "failure" may identify failure or not authenticated; "True" may identify success and "False" may identify failure or not authenticated; 1 may identify success and 0 may identify failure or not authenticated. There are many ways to identify success or failure, which are neither limiting nor exhaustively listed here.
For example, the indication information may also be used to indicate whether slice authentication is allowed.
The indication information may also be used to indicate the registration status of the UE at the SN, for example.
The indication information may also be used to indicate whether a primary authentication is required, for example. It should be noted that the primary authentication may be 5G AKA authentication or EAP AKA authentication, which is not listed here.
Through the technical scheme, the home network can judge whether the AMF initiating the slice authentication is a legal AMF or not, and if the AMF initiating the slice authentication is the legal AMF, the indication information is sent. If the AMF is not legal, the subsequent slice authentication process is refused to be executed, thereby preventing the resource of the home network from being wasted. It should be noted that the UDM and the NSSAF belong to a home network, and the AMF belongs to a serving network.
In another embodiment of the present invention, as shown in fig. 5, which is a flowchart of steps 202 and 203 together with an added UDM determination step 501, optimized on the basis of any one of fig. 2 to 4, steps 202, 203 and 501 specifically include:
202. In response to the first authentication request, the NSSAAF sends a second authentication request to the UDM, wherein the second authentication request includes the serving network name of the AMF;
For example, the first authentication request may be an Nssaaf NSSAA authentication Req message, and the second authentication request may be an Authentication info Req message.
501. The UDM determines whether an authentication result matching the serving network name exists;
For example, the UDM may search its database by the serving network name to obtain a search result; if the search result is empty, no authentication result matching the serving network name exists, and if the search result is not empty, a matching authentication result exists.
203. If an authentication result matching the serving network name exists and that result is authentication success, the UDM sends indication information to the NSSAAF, wherein the indication information is used to indicate a first authentication result of the terminal device in the serving network;
For example, the indication information may be the first authentication result itself (i.e., the authentication result matching the serving network name). The first authentication result may be the result of the primary authentication (i.e., the result of mutual authentication between the UE and the core network). The authentication result may be, for example, success, failure or not authenticated. For example, "success" may denote success and "failure" may denote failure or not authenticated; True may denote success and False may denote failure or not authenticated; 1 may denote success and 0 may denote failure or not authenticated. There are many ways to denote success or failure, which are neither limited nor exhaustively listed here.
For example, the indication information may also be used to indicate whether slice authentication is allowed.
The indication information may also be used to indicate the registration status of the UE in the SN (serving network), for example.
The indication information may also be used to indicate whether primary authentication is required, for example. It should be noted that the primary authentication may be 5G AKA authentication or EAP AKA authentication, which are not exhaustively listed here.
It can be understood that if an authentication result matching the serving network name exists, this indicates that the UE has passed primary authentication, so performing slice authentication at this point is legitimate. This determination eliminates the potential risk, which improves authentication security and prevents home network signalling resources from being wasted.
Optionally, in another implementation of the present invention, the method further includes: if an authentication result matching the serving network name exists but that result is authentication failure, the UDM sends a message indicating that authentication is to be stopped to the NSSAAF. It can be understood that an authentication failure result indicates that the UE has not passed primary authentication, so an initiated slice authentication cannot succeed; terminating the slice authentication procedure directly therefore prevents home network signalling resources from being wasted.
Optionally, in another implementation of the present invention, the method further includes: if no authentication result matching the serving network name exists, the UDM sends a message indicating that authentication is to be stopped to the NSSAAF.
For example, authentication success may be represented by "success" and authentication failure by "failure".
For example, authentication success may be represented by True and authentication failure by False.
For example, authentication success may be represented by 1 and authentication failure by 0.
In addition, it should be noted that there are many ways of representing authentication success or failure, which the present invention neither limits nor enumerates further.
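The following is an added example, not code from the patent or from 3GPP, that models the UDM-side gating described in the fig. 4 and fig. 5 embodiments above (step 401: the AMF ID must match the instance recorded in the UE's security context state; step 501: a primary authentication result matching the serving network name must exist and be success, otherwise a stop message is returned). The class, field and message names, and the stored records, are assumptions constructed for illustration.

```python
"""Added example (not code from the patent or 3GPP): UDM-side model of the
gating checks in steps 401 (fig. 4) and 501 (fig. 5). The UDM receives the
second authentication request from the NSSAAF and either returns indication
information or a message to stop authentication. Class, field and message
names and the stored records are assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values of the stored primary-authentication result (one of the encodings
# the page suggests: success / failure / not authenticated).
SUCCESS = "success"
FAILURE = "failure"
NOT_AUTHENTICATED = "not-authenticated"


@dataclass(frozen=True)
class PrimaryAuthRecord:
    """Security context state reported by the AMF after primary
    authentication (5G AKA or EAP AKA) in a given serving network."""
    supi: str
    serving_network_name: str
    amf_instance_id: str
    result: str


@dataclass(frozen=True)
class AuthInfoReq:
    """Second authentication request (NSSAAF -> UDM); carries the AMF ID
    (fig. 4), the serving network name (fig. 5), or both."""
    supi: str
    amf_id: Optional[str] = None
    serving_network_name: Optional[str] = None


@dataclass(frozen=True)
class Indication:
    """Indication information returned to the NSSAAF."""
    first_authentication_result: str
    slice_authentication_allowed: bool
    primary_authentication_required: bool


class UDM:
    def __init__(self, records: List[PrimaryAuthRecord]):
        # Keyed by (SUPI, serving network name): the "database" that
        # step 501 searches by serving network name.
        self._records: Dict[Tuple[str, str], PrimaryAuthRecord] = {
            (r.supi, r.serving_network_name): r for r in records
        }

    def handle_auth_info_req(self, req: AuthInfoReq) -> Tuple[str, Optional[Indication]]:
        """Returns ("indication", Indication) or ("stop", None)."""
        ue_records = [r for (s, _), r in self._records.items() if s == req.supi]
        if not ue_records or (req.amf_id is None and req.serving_network_name is None):
            return ("stop", None)  # no security context stored, or nothing to check

        # Step 401: the AMF initiating slice authentication must be the AMF
        # instance recorded in the UE's security context state. Any other
        # AMF is refused before further slice-authentication signalling.
        by_amf: List[PrimaryAuthRecord] = []
        if req.amf_id is not None:
            by_amf = [r for r in ue_records if r.amf_instance_id == req.amf_id]
            if not by_amf:
                return ("stop", None)

        if req.serving_network_name is not None:
            # Step 501: search by serving network name. An empty result or a
            # result other than success -> stop (slice auth cannot succeed).
            record = self._records.get((req.supi, req.serving_network_name))
            if record is None or record.result != SUCCESS:
                return ("stop", None)
        else:
            # fig. 4 alone: report the result recorded for the matching AMF;
            # the NSSAAF contacts the server only if that result is success.
            record = by_amf[0]

        return ("indication", Indication(
            first_authentication_result=record.result,
            slice_authentication_allowed=record.result == SUCCESS,
            primary_authentication_required=record.result != SUCCESS,
        ))


# Constructed sample data: UE 1 passed primary auth via AMF "amf-01",
# UE 2 failed primary auth via AMF "amf-02".
SNN = "5G:mnc001.mcc001.3gppnetwork.org"
SAMPLE_RECORDS = [
    PrimaryAuthRecord("imsi-001010000000001", SNN, "amf-01", SUCCESS),
    PrimaryAuthRecord("imsi-001010000000002", SNN, "amf-02", FAILURE),
]

if __name__ == "__main__":
    udm = UDM(SAMPLE_RECORDS)
    for req in (AuthInfoReq("imsi-001010000000001", "amf-01", SNN),
                AuthInfoReq("imsi-001010000000001", "amf-99", SNN),  # AMF not in context
                AuthInfoReq("imsi-001010000000002", None, SNN)):     # primary auth failed
        print(req, "->", udm.handle_auth_info_req(req))
```

The two checks are complementary: the AMF ID check rejects a serving-network element that the home network never authenticated the UE through, while the serving network name check rejects a slice authentication attempted before (or after a failed) primary authentication, in both cases before any EAP signalling towards the server is spent.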
In addition, optionally, on the basis of any one of fig. 2 to 5, a method for protecting the privacy of the user identifier is further included. Specifically: the second authentication request carries a first identifier of the user equipment; after receiving the second authentication request, the UDM obtains a second identifier of the user equipment according to the second authentication request; and the UDM sends the second identifier to the NSSAAF. Optionally, in another implementation of the present invention, the method further includes: the NSSAAF receives the second identifier and stores the mapping relationship between the first identifier and the second identifier.
It should be noted that, once the mapping relationship between the first identifier and the second identifier is stored, the NSSAAF can interact with an external server or data network using the second identifier, which prevents the first identifier from being leaked; when the NSSAAF receives the second identifier from the external server, it can look up the corresponding first identifier and then interact with network elements inside the core network using the first identifier, which keeps communication between core network elements efficient. For example, when the first identifier is a SUPI, the second identifier is a GPSI; when the first identifier is a GPSI, the second identifier is likewise a GPSI.
In addition, optionally, on the basis of any one of fig. 2 to 5, a method for storing the slice authentication result is further included. Specifically, after the NSSAAF completes slice authentication of the terminal device, it may send the state of the slice authentication (for example, authentication success or failure) to the UDM, and the UDM may store it. Other network elements may subsequently query the UDM for the state of the slice authentication and perform other procedures or initiate other services according to that state. Specifically, for example: the NSSAAF sends an authentication result confirmation message to the UDM, the message including the second authentication result, and the UDM stores the second authentication result. Optionally, the authentication result confirmation message further includes the SUPI/GPSI, the S-NSSAI and/or the serving network name, in which case the UDM also stores the SUPI/GPSI, S-NSSAI and/or serving network name.
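The following is an added example, not code from the patent or from 3GPP, that serves the two preceding paragraphs: the NSSAAF obtains the second identifier (a GPSI) from the UDM, stores the mapping in both directions, uses only the second identifier towards the external server, maps the server's answer back to the first identifier (the SUPI), and then confirms the slice authentication result to the UDM, which stores it keyed by SUPI, S-NSSAI and serving network name so other network elements can query it. Class names, message shapes, the SUPI-to-GPSI table and the EAP exchange with the server are assumptions constructed for illustration.

```python
"""Added example (not code from the patent or 3GPP): NSSAAF-side handling
of the identifier privacy mapping and of storing the slice authentication
result in the UDM. Class names, message shapes, the SUPI->GPSI table and
the EAP exchange with the AAA server are constructed assumptions."""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SliceAuthResult:
    """Content of the authentication result confirmation (NSSAAF -> UDM)."""
    supi: str
    gpsi: str
    s_nssai: str
    serving_network_name: str
    result: str  # "success" or "failure"


class UDM:
    def __init__(self, supi_to_gpsi: Dict[str, str]):
        self._supi_to_gpsi = dict(supi_to_gpsi)  # subscription data (constructed)
        self._slice_auth: Dict[Tuple[str, str, str], SliceAuthResult] = {}

    def second_identifier(self, first_id: str) -> Optional[str]:
        """GPSI (second identifier) for a SUPI (first identifier); None if unknown."""
        return self._supi_to_gpsi.get(first_id)

    def store_slice_auth_result(self, res: SliceAuthResult) -> None:
        """Store the slice authentication state keyed by SUPI, S-NSSAI and SNN."""
        self._slice_auth[(res.supi, res.s_nssai, res.serving_network_name)] = res

    def query_slice_auth_state(self, supi: str, s_nssai: str, snn: str) -> Optional[str]:
        """What another network element asks before starting a slice service."""
        res = self._slice_auth.get((supi, s_nssai, snn))
        return None if res is None else res.result


class NSSAAF:
    def __init__(self, udm: UDM):
        self._udm = udm
        self._first_to_second: Dict[str, str] = {}
        self._second_to_first: Dict[str, str] = {}

    def on_second_identifier(self, first_id: str, second_id: str) -> None:
        """Store the mapping received from the UDM in both directions."""
        self._first_to_second[first_id] = second_id
        self._second_to_first[second_id] = first_id

    def build_external_request(self, supi: str, s_nssai: str) -> str:
        """First protocol information towards the AAA server. Only the second
        identifier is placed in the message, so the SUPI never leaves the
        core network."""
        second = self._first_to_second.get(supi)
        if second is None:
            second = self._udm.second_identifier(supi)
            if second is None:
                raise LookupError("UDM holds no second identifier for this UE")
            self.on_second_identifier(supi, second)
        return json.dumps({"identity": second, "s_nssai": s_nssai,
                           "eap": "EAP-Response/Identity"})

    def on_external_result(self, message: str, serving_network_name: str) -> SliceAuthResult:
        """Fourth protocol information from the AAA server (constructed shape):
        map the GPSI back to the SUPI, then confirm the result to the UDM."""
        msg = json.loads(message)
        supi = self._second_to_first[msg["identity"]]  # KeyError: unknown pseudonym
        result = "success" if msg["eap"] == "EAP-Success" else "failure"
        res = SliceAuthResult(supi, msg["identity"], msg["s_nssai"],
                              serving_network_name, result)
        self._udm.store_slice_auth_result(res)  # authentication result confirmation
        return res


# Constructed sample data.
SAMPLE_SUPI_TO_GPSI = {"imsi-001010000000001": "msisdn-4915112345678"}
SAMPLE_SNN = "5G:mnc001.mcc001.3gppnetwork.org"

if __name__ == "__main__":
    udm = UDM(SAMPLE_SUPI_TO_GPSI)
    nssaaf = NSSAAF(udm)
    out = nssaaf.build_external_request("imsi-001010000000001", "1-000001")
    print("to AAA server:", out)  # carries the GPSI, not the SUPI
    reply = json.dumps({"identity": "msisdn-4915112345678", "s_nssai": "1-000001",
                        "eap": "EAP-Success"})
    print("stored:", nssaaf.on_external_result(reply, SAMPLE_SNN))
```

The reverse map is what lets the NSSAAF keep the SUPI out of every message that crosses to the external server while still addressing core network elements by SUPI on the way back; a reply carrying a pseudonym the NSSAAF never issued fails the reverse lookup instead of being stored.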
The communication apparatus provided in the present application is described in detail below.
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application; the communication device may be an AMF, a UDM or an NSSAAF. Specifically, the communication apparatus includes a transceiver unit 601 and a processing unit 602. The processing unit 602 is coupled to the transceiver unit 601 and can receive and transmit data through it.
Illustratively, the communication apparatus may be configured to perform any of the operations performed by the NSSAAF in fig. 2 to 5.
The processing unit 602 is configured to: receive a first authentication request sent by the AMF; send a second authentication request to the UDM in response to the first authentication request; receive indication information sent by the UDM, the indication information being used to indicate a first authentication result of the terminal device in the serving network; if the first authentication result is authentication success, send first protocol information to a server; receive second protocol information sent by the server; send a third authentication request to the AMF in response to the second protocol information; receive a fourth authentication request sent by the AMF; send third protocol information to the server in response to the fourth authentication request; receive fourth protocol information sent by the server; and send a second authentication result to the AMF in response to the fourth protocol information.
Optionally, the second authentication request carries a first identifier of the user equipment; the processing unit 602 is further configured to receive a second identifier sent by the UDM and to store the mapping relationship between the first identifier and the second identifier.
Optionally, the first authentication request includes a serving network name (SNN); the processing unit 602 is further configured to determine whether the SNN is consistent with an expected SNN, and to send the second authentication request to the UDM if the SNN and the expected SNN are consistent.
Illustratively, the communication apparatus may be configured to perform any of the operations performed by the UDM in fig. 2 to 5.
The processing unit 602 is configured to receive a second authentication request sent by an NSSAAF and, in response to the second authentication request, to send indication information to the NSSAAF, wherein the indication information is used to indicate a first authentication result of the terminal device in the serving network.
Optionally, the second authentication request carries a serving network name of the AMF; the processing unit 602 is further configured to determine whether an authentication result matching the serving network name exists, and specifically to send the indication information to the NSSAAF if an authentication result matching the serving network name exists and that result is authentication success. Optionally, the processing unit 602 is further configured to send a message indicating that authentication is to be stopped to the NSSAAF if no authentication result matching the serving network name exists.
Optionally, the second authentication request carries a first identifier of the user equipment, such as a SUPI; the processing unit 602 is further configured to obtain a second identifier of the user equipment according to the first identifier and to send the second identifier to the NSSAAF.
Optionally, the second authentication request includes the AMF ID; the processing unit 602 is further configured to determine whether the identifier of the AMF is the same as the instance identifier of the AMF in the security context state of the terminal device, and, if so, to send indication information to the NSSAAF, wherein the indication information is used to indicate a first authentication result of the terminal device in the serving network.
Optionally, the second authentication request includes a serving network name of the AMF; the processing unit 602 is further configured to determine whether an authentication result matching the serving network name exists, and, if such a result exists and it is authentication success, to send indication information to the NSSAAF, wherein the indication information is used to indicate a first authentication result of the terminal device in the serving network.
As shown in fig. 7, it is to be understood that the processing unit 602 may be one or more processors 702 and the transceiver unit 601 may be the transceiver 701; alternatively, the transceiver unit 601 may comprise a transmitting unit, which may be a transmitter, and a receiving unit, which may be a receiver, with the transmitting unit and the receiving unit integrated into one device such as a transceiver.
As shown in fig. 8, when the above communication apparatus is a circuit system such as a chip, the processing unit 602 may be one or more processors, or the processing unit 602 may be the processing circuit 802 or the like. The transceiver unit 601 may be an input/output interface, also referred to as a communication interface, an interface circuit 801, an interface, or the like. Alternatively, the transceiver unit 601 may comprise a transmitter and a receiver, where the transmitter may be an output interface and the receiver an input interface, integrated into a single unit such as an input/output interface.
For example, a transceiver may include a receiver that performs the receiving function (or operation) and a transmitter that performs the transmitting function (or operation), and the transceiver communicates with other devices/apparatuses over a transmission medium. The processor is configured to send and receive data and/or signalling via the transceiver and to implement the corresponding methods described in fig. 2 to 5 in the above method embodiments.
The communications device may also include, for example, one or more memories 703 for storing program instructions and/or data. The memory 703 is coupled to the processor 702.
The coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form, which is used for information interaction between the devices, units or modules. The processor 702 may cooperate with the memory 703. The processor 702 may execute program instructions stored in the memory 703. Optionally, at least one of the one or more memories may be included in the processor.
The specific connection medium among the transceiver 701, the processor 702, and the memory 703 is not limited in this embodiment. In the embodiment of the present application, the memory 703, the processor 702, and the transceiver 701 are connected by the bus 704 in fig. 7, the bus is represented by a thick line in fig. 7, and the connection manner between other components is merely illustrative and not limited. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
In the embodiments of the present application, the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like, which may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in a processor.
It will be appreciated that the method performed by the processor and the transceiver shown above is merely an example, and reference may be made to the method described above for the steps specifically performed by the processor and the transceiver.
It is to be understood that the above description of the connection relationship among the processor, the transceiver and the memory, and the description of the processor or the transceiver, apply to each of the core network devices described here. For example, when the communication device is any one of the AMF, the UDM and the NSSAAF, these descriptions apply to that communication device.
In other implementations, the communication device may be circuitry. In this case, the processing unit 602 may be implemented by a processing circuit and the transceiver unit 601 by an interface circuit. As shown in fig. 8, the communication device may include a processing circuit 802 and an interface circuit 801. The processing circuit 802 may be a chip, a logic circuit, an integrated circuit, a processing circuit or a system on chip (SoC), and the interface circuit 801 may be a communication interface, an input/output interface or the like.
It will be appreciated that for a specific implementation of the processing circuitry and the interface circuitry, reference may be made to the methods illustrated in fig. 2-5.
In the embodiments of the present application, the processing circuit may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like, and may implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application. It will be appreciated that this description of the processing circuit applies to the circuitry described here.
It will be appreciated that the methods performed by the interface circuit and the processing circuit shown above are merely examples, and reference may be made to the methods described above for the steps specifically performed by the interface circuit and the processing circuit.
Fig. 9 is a schematic diagram of a wireless communication system according to an embodiment of the present application, and as shown in fig. 9, the wireless communication system may include an AMF, an NSSAAF, and a UDM. The system may perform the methods corresponding to fig. 2 to 5, which are not described in detail herein.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the technical effects of the solutions provided by the embodiments of the present application.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a readable storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned readable storage medium includes: a U-disk, a portable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
Furthermore, the present application also provides a computer program, which is used to implement the operations and/or processes performed by any network element (AMF, NSSAAF or UDM) in fig. 2 to 5 provided in the present application.
The present application also provides a computer-readable storage medium having stored therein computer code, which, when executed on a computer, causes the computer to perform the operations and/or processes performed by any of the network elements of fig. 2-5.
The present application also provides a computer program product comprising computer code or a computer program, which when run on a computer causes the operations and/or processes performed by the method corresponding to any of the network elements of fig. 2 to 5 of the present application to be performed.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A slice authentication method, the method comprising:
an access and mobility management function sending a first authentication request to a network slice authentication and authorization function;
in response to the first authentication request, the network slice authentication and authorization function sending a second authentication request to a unified data management network element;
in response to the second authentication request, the unified data management network element sending indication information to the network slice authentication and authorization function, wherein the indication information is used to indicate a first authentication result of a terminal device in a serving network;
if the first authentication result is authentication success, the network slice authentication and authorization function sending first protocol information to a server;
the network slice authentication and authorization function receiving second protocol information sent by the server;
in response to the second protocol information, the network slice authentication and authorization function sending a third authentication request to the access and mobility management function;
in response to the third authentication request, the access and mobility management function sending a first non-access stratum (NAS) transport message to the terminal device;
the access and mobility management function receiving a second NAS transport message sent by the terminal device;
in response to the second NAS transport message, the access and mobility management function sending a fourth authentication request to the network slice authentication and authorization function;
in response to the fourth authentication request, the network slice authentication and authorization function sending third protocol information to the server;
the network slice authentication and authorization function receiving fourth protocol information sent by the server; and
in response to the fourth protocol information, the network slice authentication and authorization function sending a second authentication result to the access and mobility management function.
2. The method according to claim 1, wherein the second authentication request carries a serving network name of the access and mobility management function;
before the unified data management network element sends the indication information to the network slice authentication and authorization function, the method further comprises:
the unified data management network element determining whether an authentication result matching the serving network name exists; and
the unified data management network element sending the indication information to the network slice authentication and authorization function comprises:
if an authentication result matching the serving network name exists and the authentication result is authentication success, the unified data management network element sending the indication information to the network slice authentication and authorization function.
3. The method according to claim 2, further comprising:
if no authentication result matching the serving network name exists, the unified data management network element sending a message indicating that authentication is to be stopped to the network slice authentication and authorization function.
4. The method according to any one of claims 1 to 3, wherein the second authentication request carries a first identifier of the terminal device, and the method further comprises:
the unified data management network element obtaining a second identifier of the terminal device according to the first identifier; and
the unified data management network element sending the second identifier to the network slice authentication and authorization function.
5. The method according to claim 4, further comprising:
the network slice authentication and authorization function receiving the second identifier and storing a mapping relationship between the first identifier and the second identifier.
6. A slice authentication system, the system comprising:
an access and mobility management function, configured to send a first authentication request to a network slice authentication and authorization function;
the network slice authentication and authorization function, configured to send a second authentication request to a unified data management network element in response to the first authentication request; and
the unified data management network element, configured to send, in response to the second authentication request, indication information to the network slice authentication and authorization function, wherein the indication information is used to indicate a first authentication result of a terminal device in a serving network;
wherein the network slice authentication and authorization function is configured to send first protocol information to a server if the first authentication result is authentication success; receive second protocol information sent by the server; and send a third authentication request to the access and mobility management function in response to the second protocol information;
the access and mobility management function is configured to send a first NAS transport message to the terminal device in response to the third authentication request; receive a second NAS transport message sent by the terminal device; and send a fourth authentication request to the network slice authentication and authorization function in response to the second NAS transport message; and
the network slice authentication and authorization function is further configured to send third protocol information to the server in response to the fourth authentication request; receive fourth protocol information sent by the server; and send a second authentication result to the access and mobility management function in response to the fourth protocol information.
7. The system according to claim 6, wherein the second authentication request carries a serving network name of the access and mobility management function;
the unified data management network element is further configured to determine whether an authentication result matching the serving network name exists; and
the unified data management network element is specifically configured to send the indication information to the network slice authentication and authorization function if an authentication result matching the serving network name exists and the authentication result is authentication success.
8. The system according to claim 7, wherein the unified data management network element is further configured to send a message indicating that authentication is to be stopped to the network slice authentication and authorization function if no authentication result matching the serving network name exists.
9. The system according to any one of claims 6 to 8, wherein the second authentication request carries a first identifier of the terminal device; and
the unified data management network element is further configured to obtain a second identifier of the terminal device according to the first identifier and to send the second identifier to the network slice authentication and authorization function.
10. The system according to claim 9, wherein the network slice authentication and authorization function is further configured to receive the second identifier and store a mapping relationship between the first identifier and the second identifier.
CN202010570536.2A 2020-06-20 2020-06-20 Slice authentication method and system Active CN113904781B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010570536.2A CN113904781B (en) 2020-06-20 2020-06-20 Slice authentication method and system
PCT/CN2021/077308 WO2021253859A1 (en) 2020-06-20 2021-02-22 Slice authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010570536.2A CN113904781B (en) 2020-06-20 2020-06-20 Slice authentication method and system

Publications (2)

Publication Number Publication Date
CN113904781A CN113904781A (en) 2022-01-07
CN113904781B true CN113904781B (en) 2023-04-07

Family

ID=79186070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010570536.2A Active CN113904781B (en) 2020-06-20 2020-06-20 Slice authentication method and system

Country Status (2)

Country Link
CN (1) CN113904781B (en)
WO (1) WO2021253859A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347729A (en) * 2017-01-24 2018-07-31 电信科学技术研究院 Method for authenticating, slice authentication agent entity and session management entity in network slice
CN109104394A (en) * 2017-06-20 2018-12-28 华为技术有限公司 Conversation processing method and equipment
CN110800331A (en) * 2017-07-20 2020-02-14 华为国际有限公司 Network verification method, related equipment and system
GB202001940D0 (en) * 2020-02-12 2020-03-25 Samsung Electronics Co Ltd Slice-specific authentication and authorization

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110476397B (en) * 2017-04-01 2021-01-05 华为技术有限公司 User authentication method and device
WO2020035732A1 (en) * 2018-08-13 2020-02-20 Lenovo (Singapore) Pte. Ltd. Network slice authentication
US10582371B1 (en) * 2019-08-09 2020-03-03 Cisco Technology, Inc. Subscriber management with a stateless network architecture in a fifth generation (5G) network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347729A (en) * 2017-01-24 2018-07-31 电信科学技术研究院 Method for authenticating, slice authentication agent entity and session management entity in network slice
CN109104394A (en) * 2017-06-20 2018-12-28 华为技术有限公司 Conversation processing method and equipment
CN110800331A (en) * 2017-07-20 2020-02-14 华为国际有限公司 Network verification method, related equipment and system
GB202001940D0 (en) * 2020-02-12 2020-03-25 Samsung Electronics Co Ltd Slice-specific authentication and authorization

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
cr- slice specific authorization clauses;TSG-SA3 Meeting #98Bis-e;《3GPP draft_s3-200658-r1》;20200416;full text *
Discussion paper on AUSF role for Slice specific authentication;Nokia;《S3-200116》;20200306;full text *
Living CR for Slice Specific Authentication and Authorization clauses;tsgs3_99e;《S3-201067》;20200430;full text *

Also Published As

Publication number Publication date
WO2021253859A1 (en) 2021-12-23
CN113904781A (en) 2022-01-07

Similar Documents

Publication Publication Date Title
CN110999356B (en) Network security management method and device
US11871223B2 (en) Authentication method and apparatus and device
US20190349406A1 (en) Method, Apparatus, And System For Protecting Data
CN113676904B (en) Slice authentication method and device
US20230337002A1 (en) Security context generation method and apparatus, and computer-readable storage medium
US20230362636A1 (en) Key identifier generation method and related apparatus
CN114600487B (en) Identity authentication method and communication device
CN115412911A (en) Authentication method, communication device and system
WO2020253408A1 (en) Secondary authentication method and apparatus
WO2023016160A1 (en) Session establishment method and related apparatus
WO2022228455A1 (en) Communication method and related apparatus
CN113904781B (en) Slice authentication method and system
CN115706997A (en) Authorization verification method and device
CN115551122A (en) Method and communication device for slice admission control
US20230102604A1 (en) Slice service verification method and apparatus
US20240179519A1 (en) Communication method and related apparatus
US20230336992A1 (en) Method and apparatus for authenticating user equipment in wireless communication system
CN108702619A (en) Method and apparatus for obtaining and sending a user equipment identifier
CN118120201A (en) Access authentication method and device for private internet of things (PINE)
CN114765827A (en) Safety protection method, device and system
CN117062055A (en) Security protection method and communication device
CN116321103A (en) Communication method, device, server and storage medium
CN116709168A (en) Communication method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant