CN114079872A - Method and communication device for authentication - Google Patents


Info

Publication number
CN114079872A
Authority
CN
China
Prior art keywords
information
smf
identification information
message
application server
Prior art date
Legal status
Pending
Application number
CN202010815001.7A
Other languages
Chinese (zh)
Inventor
李濛
杨艳梅
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Related PCT application
PCT/CN2021/111909, published as WO2022033491A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W 4/08 User group management
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

In the technical solution of this application, the first SMF sends the first user identification information and the identification information of the multicast data to the application server, and the application server performs the authentication operation when the user equipment joins the group. The application server therefore does not need to provide the first SMF with the explicit member information of the multicast group in real time, so the join request of the user equipment can still be authenticated when the first SMF does not hold the member information of the multicast group, and the public security problem is avoided.

Description

Method and communication device for authentication
Technical Field
The present application relates to the field of communications, and more particularly, to a method and communication device for authentication.
Background
At present, if the core network of a fifth generation (5G) system needs to deliver the same service to multiple user equipments (UEs), a multicast user plane connection may be established to send the data, so that one copy of the content is transmitted instead of a separate copy for each UE. This improves the utilization of air interface resources and core network resources.
In a multicast scenario, when a UE joins a multicast group, its join request must be authenticated. In the current authentication mode, the application server has to provide the complete member list of the multicast group to the core network, and the core network then authenticates the join request of the UE.
Confidentiality is an important requirement of public security. In the current authentication mode, however, the core network has to hold the member information of the multicast group, which may cause a security problem and cannot meet the confidentiality requirement of public security.
Disclosure of Invention
The application provides a method and a communication device for authentication, which can realize the authentication operation when user equipment joins in a group under the condition that an application server does not provide multicast group member list information, and are beneficial to avoiding public safety problems.
In a first aspect, the present application provides a method for authentication, the method comprising: a first session management function network element SMF acquires first information and first identification information of multicast data, wherein the first information is used for determining first user identification information of the user equipment; the first SMF sends a first message to an application server, wherein the first message is used for requesting authentication of a request of joining a multicast group by the user equipment, the first message comprises the first user identification information and second identification information of multicast data, and the first identification information and the second identification information correspond to the multicast group; and the first SMF receives a second message sent by the application server, wherein the second message comprises authentication result information.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first user identification information may be a generic public subscription identifier (GPSI).
The second user identification information may be information that is used to uniquely identify the user equipment and is recognizable to the core network device and the access network device.
For example, the second user identification information may include at least one of a subscription permanent identifier (SUPI), a globally unique temporary identifier (GUTI), and a subscription concealed identifier (SUCI).
The first identification information and the second identification information of the multicast data correspond to the multicast group to which the user equipment requests to join, and may include at least one of a temporary mobile group identifier (TMGI) of the multicast group to which the multicast data corresponds, an IP address of the application server providing the multicast data, a service identifier (service ID) of the multicast data, packet filter information of the multicast data, a service data flow (SDF) identification rule of the multicast data, an ID of the multicast PDU session for transmitting the multicast data, ID information of an application (application ID), target IP address information of the multicast data (IP multicast address), and context identification information of the multicast session to which the multicast group corresponds (multicast session ID).
Alternatively, the first identification information and the second identification information may be the same.
Alternatively, the first identification information and the second identification information may be different. Specifically, after acquiring the first identification information, the first SMF may determine the second identification information according to the first identification information, and then send the second identification information to the application server. For example, the first identification information acquired by the first SMF is a TMGI of the multicast group, and the first SMF determines an ID of a PDU session corresponding to the TMGI according to the TMGI and sends the ID of the PDU session to the application server through a first message.
In the embodiment of the application, the first SMF sends the first user identification information and the second identification information to the application server, and the application server executes the authentication operation when the user equipment joins the group, without providing explicit member information of the multicast group to the first SMF in real time, so that the authentication operation when the user equipment joins the group can be still realized under the condition that the first SMF does not have the member information of the multicast group, which is helpful for avoiding public security problems.
With reference to the first aspect, in a possible implementation manner, the method further includes: and the first SMF determines that the application server is required to authenticate the request of the user equipment for joining the multicast group according to the first identification information.
For example, the first SMF may determine whether an authentication authorization by the application server is required based on locally stored policies. The policy may be pre-configured in the first SMF or may be provided by other network elements (e.g., PCF, UDM or UDR). The policy is used to indicate whether the first SMF needs to perform an authentication and authorization procedure to the originating application server for the join request carrying the identification information.
For another example, the first SMF may determine whether member list information of the multicast group corresponding to the first identification information is stored, and when the member list information includes the first subscriber identity, the first SMF determines that the application server is required to perform authentication and authorization; otherwise, the first SMF determines that the joining request of the user equipment is illegal, and returns an indication of group joining failure to the user equipment.
With reference to the first aspect or any one of implementation manners of the first aspect, in another possible implementation manner, the first information includes the first user identification information and/or second user identification information of the user equipment.
With reference to the first aspect or any one of the implementation manners of the first aspect, in another possible implementation manner, the method further includes: and the first SMF acquires the first user identification information according to the second user identification information.
With reference to the first aspect or any one implementation manner of the first aspect, in another possible implementation manner, the acquiring, by the first SMF, the first user identification information according to the second user identification information includes: the first SMF acquires the first user identification information from a first network element according to the second user identification information, where the first network element includes an access and mobility management function network element AMF, a unified data management network element UDM and a unified data repository UDR.
With reference to the first aspect or any one of its implementation manners, in another possible implementation manner, the acquiring, by the first SMF, the first information and the first identification information of the multicast data includes: and the first SMF acquires the first information and the first identification information from a second SMF, an access and mobility management function network element AMF or a second user plane function network element UPF.
With reference to the first aspect or any implementation manner of the first aspect, in another possible implementation manner, the sending, by the first SMF, a first message to the application server includes: the first SMF determines the identification information of the application server according to the first identification information; and the first SMF directly sends the first message to the application server, or the first SMF sends the first message to the application server through a first UPF.
With reference to the first aspect or any implementation manner of the first aspect, in another possible implementation manner, the sending, by the first SMF, a first message to the application server includes: the first SMF sends the first message to the application server through a network exposure function (NEF).
In a second aspect, the present application provides a method for authentication, the method comprising: an application server receives a first message from a first session management function network element (SMF), wherein the first message is used for requesting authentication of a request of user equipment for joining a multicast group, the first message comprises first user identification information and second identification information of multicast data, the second identification information corresponds to the multicast group, and the first user identification information is identification information of the user equipment; the application server authenticates the request of the user equipment for joining the multicast group according to the first user identification information and the second identification information; and the application server sends a second message to the first SMF, wherein the second message comprises authentication result information.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first user identification information may be a GPSI.
The second identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In the embodiment of the application, the first SMF sends the first user identification information and the second identification information to the application server, and the application server executes the authentication operation when the user equipment joins the group, without providing explicit member information of the multicast group to the first SMF in real time, so that the authentication operation when the user equipment joins the group can be still realized under the condition that the first SMF does not have the member information of the multicast group, which is helpful for avoiding public security problems.
With reference to the second aspect, in a possible implementation manner, the sending, by the application server, the second message to the first SMF includes: the application server sends the second message to the first SMF directly, or through a first UPF or a network exposure function network element (NEF).
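The first and second aspects describe an exchange in which the member list stays at the application server: the first SMF resolves the UE's core-network identity to an identity the application server recognizes, maps the first identification information to the second, sends the first message, and acts on the result in the second message. The following simulation is an added example written for this page, not Huawei's implementation and not 3GPP message formats. Network elements are plain Python classes; the SUPIs, GPSIs, TMGIs, session IDs, policy table and membership list are constructed sample values, and the rule that a group whose policy does not require application-server authentication is admitted by the SMF itself is an assumption of the example.

```python
"""Added example (not the patent holder's code): first SMF asks the application
server to authenticate a multicast join, so the member list never reaches the SMF.
All identifiers and the membership list are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class ApplicationServer:
    """Second aspect: the only party holding the multicast group member list."""
    members: dict  # multicast session ID -> set of GPSIs entitled to join (constructed)

    def handle_first_message(self, first_message: dict) -> dict:
        gpsi = first_message["first_user_identification"]
        session_id = first_message["second_identification"]
        allowed = gpsi in self.members.get(session_id, set())
        # Only the per-request result travels back in the second message;
        # the member list itself never leaves the application server.
        return {"authentication_result": "success" if allowed else "failure"}


@dataclass
class UDM:
    """The 'first network element' of the text (UDM here), mapping SUPI to GPSI."""
    supi_to_gpsi: dict

    def lookup_gpsi(self, supi: str):
        return self.supi_to_gpsi.get(supi)


@dataclass
class FirstSMF:
    """First aspect: relays the join request to the application server."""
    udm: UDM
    app_server: ApplicationServer
    tmgi_to_session: dict  # first identification (TMGI) -> second identification (session ID)
    policy: dict           # TMGI -> whether the application server must authenticate joins
    sent_messages: list = field(default_factory=list)

    def handle_join(self, supi: str, tmgi: str) -> str:
        # First information (SUPI) and first identification (TMGI) arrive, e.g. from
        # the second SMF, AMF or second UPF; here they are passed as arguments.
        if tmgi not in self.tmgi_to_session:
            return "rejected"  # no multicast group known for this TMGI
        # Locally stored policy decides whether the application server must authenticate.
        if not self.policy.get(tmgi, True):
            # Example assumption: such a group is admitted by the SMF itself.
            return "joined"
        # Resolve first user identification (GPSI) from second user identification (SUPI).
        gpsi = self.udm.lookup_gpsi(supi)
        if gpsi is None:
            return "rejected"
        # Derive the second identification from the first and send the first message.
        first_message = {"first_user_identification": gpsi,
                         "second_identification": self.tmgi_to_session[tmgi]}
        self.sent_messages.append(first_message)
        # The second message carries the authentication result.
        second_message = self.app_server.handle_first_message(first_message)
        return "joined" if second_message["authentication_result"] == "success" else "rejected"


def build_network() -> FirstSMF:
    """Constructed sample deployment: one application server, one UDM, one first SMF."""
    udm = UDM({"imsi-001": "gpsi-alice", "imsi-002": "gpsi-bob"})
    app = ApplicationServer({"msess-100": {"gpsi-alice"}})  # only alice belongs to group A
    return FirstSMF(udm=udm, app_server=app,
                    tmgi_to_session={"tmgi-A": "msess-100", "tmgi-B": "msess-200"},
                    policy={"tmgi-A": True, "tmgi-B": False})


def run_scenario() -> dict:
    smf = build_network()
    return {
        "member": smf.handle_join("imsi-001", "tmgi-A"),
        "non_member": smf.handle_join("imsi-002", "tmgi-A"),
        "open_group": smf.handle_join("imsi-002", "tmgi-B"),
        "unknown_group": smf.handle_join("imsi-001", "tmgi-Z"),
        "unknown_ue": smf.handle_join("imsi-999", "tmgi-A"),
        "first_messages": smf.sent_messages,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point to check in a real deployment is the one the scenario makes visible: the only data the SMF ever holds about the group is the TMGI-to-session mapping and the policy, and the only data it sends is one identity plus one group identifier per request, so a compromise of the SMF does not expose the membership list.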
In a third aspect, the present application provides a method for authentication, the method comprising: the user equipment determines a third message, wherein the third message is used for requesting to join a multicast group, the third message comprises third identification information of multicast data, and the third identification information corresponds to the multicast group; and the user equipment sends the third message to a second user plane network element UPF.
The third identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In the above technical solution, the user equipment may initiate to join the multicast group through the user plane network element.
With reference to the third aspect, in a possible implementation manner, the third message further includes second user identification information of the user equipment and/or information for authenticating the user equipment.
With reference to the third aspect or any one of the foregoing implementation manners, in another possible implementation manner, the third message includes an Internet Group Management Protocol (IGMP) message and a Multicast Listener Report (MLR) message.
In a fourth aspect, the present application provides a method for authentication, the method comprising: the method comprises the steps that network equipment receives identification information of multicast data, wherein the identification information corresponds to a multicast group which user equipment requests to join; and the network equipment sends the identification information to a first session management function network element SMF.
In the above technical solution, the network device sends the identification information of the received multicast data to the first SMF, so that the first SMF further sends the identification information to the application server, and the application server performs an authentication operation when the user equipment joins the group. Therefore, the application server is not needed to provide clear member information of the multicast group to the first SMF in real time, and the authentication operation when the user equipment joins the group can be still realized under the condition that the first SMF does not have the member information of the multicast group, thereby being beneficial to avoiding the public safety problem.
With reference to the fourth aspect, in a possible implementation manner, the method further includes: and the network equipment sends first user identification information of the user equipment and/or second user identification information of the user equipment to the first SMF.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first user identification information may be a GPSI.
The second user identification information may be information that is used to uniquely identify the user equipment and is recognizable to the core network device and the access network device.
For example, the second subscriber identification information may include at least one of SUPI, GUTI, and SUCI.
With reference to the fourth aspect or any one of the implementation manners of the fourth aspect, in another possible implementation manner, the network device includes a second SMF, an access and mobility management function network element AMF, a unified data management network element UDM, a unified data repository UDR, and a second user plane function network element UPF.
In a fifth aspect, the present application provides a method for authentication, the method comprising: user equipment determines a fourth message, where the fourth message includes identification information of multicast data and first security information, the first security information is used for authenticating a request of the user equipment for joining a multicast group, and the identification information corresponds to the multicast group; and the user equipment sends the fourth message to a first network device.
The identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In this way, in the embodiment of the present application, the user equipment provides the first security information for authentication and the identification information of the multicast data to the first network device, and the first network device can perform the authentication operation when the user equipment joins the group according to the security information. The application server is not required to provide the first network device with explicit member information of the multicast group in real time, so the authentication operation when the user equipment joins the group can still be performed when the first network device does not have the member information of the multicast group, which is helpful for avoiding public security problems.
With reference to the fifth aspect, in one possible implementation manner, the first security information includes at least one of password information, input information of a security algorithm, and a security algorithm.
With reference to the fifth aspect or any one of the implementation manners of the fifth aspect, in another possible implementation manner, the method further includes: the user equipment acquires the first security information from an application server.
With reference to the fifth aspect or any implementation manner of the fifth aspect, in another possible implementation manner, the first network device is an access network device or a core network device.
With reference to the fifth aspect or any implementation manner of the fifth aspect, in another possible implementation manner, the core network device includes a first session management function network element SMF and a unified data management network element UDM.
In a sixth aspect, the present application provides a method for authentication, the method comprising: a first network device receives a fourth message from user equipment, where the fourth message includes identification information of multicast data and first security information, the first security information is used for authenticating a request of the user equipment for joining a multicast group, and the identification information corresponds to the multicast group; and the first network device authenticates the request of the user equipment for joining the multicast group according to the first security information and second security information, where the second security information is used for authenticating the request of the user equipment for joining the multicast group and corresponds to the multicast group.
The identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
Thus, in the embodiment of the application, the application server can provide security information for authentication to the user equipment and the network equipment, the network equipment can execute authentication operation when the user equipment joins in the group according to the security information, and the application server is not required to provide explicit member information of the multicast group to the network equipment in real time, so that the authentication operation when the user equipment joins in the group can be still realized under the condition that the network equipment does not have the member information of the multicast group, and the public security problem is favorably avoided.
With reference to the sixth aspect, in a possible implementation manner, the first security information is password information and the second security information is password information; or, the first security information is input information of a security algorithm and the second security information is the security algorithm; or, the first security information is a security algorithm and the second security information is input information of the security algorithm.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, the method further includes: the first network device acquires the second security information from an application server.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is a first session management function network element SMF, the acquiring, by the first network device, the second security information from an application server includes: the first network device acquires the second security information from the application server through the NEF and the UDM.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is a unified data management network element UDM or a unified data repository UDR, the acquiring, by the first network device, the second security information from an application server includes: the first network device acquires the second security information from the application server through the NEF and the first SMF; or, the first network device acquires the second security information from the application server through the NEF.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is an access network device, the acquiring, by the first network device, the second security information from an application server includes: the first network device acquires the second security information from the application server through the first AMF, the first SMF, the UDM and the NEF.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is a first session management function network element SMF, the receiving, by the first network device, a fourth message from a user equipment includes: the first network device receives the fourth message through a second SMF, an access and mobility management function network element AMF or a second user plane function network element UPF.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is a unified data management network element UDM or a unified data repository UDR, the receiving, by the first network device, a fourth message from a user equipment includes: the first network device receives the fourth message through the first SMF or the second SMF.
With reference to the sixth aspect or any implementation manner of the sixth aspect, in another possible implementation manner, when the first network device is an access network device, the fourth message is a radio resource control RRC message.
In a seventh aspect, the present application provides a method for authentication, the method comprising: a second network device receives second security information, where the second security information is used for authenticating the request of the user equipment for joining the multicast group; and the second network device sends the second security information.
In the above technical solution, the second network device receives and forwards the second security information, so that the first network device that performs the authentication and authorization operation can conveniently acquire it and authenticate the join request of the user equipment according to the security information, without the application server providing explicit member information of the multicast group to the first network device in real time. In this way, the authentication operation when the user equipment joins the group can still be performed when the first network device does not have the member information of the multicast group, which is helpful for avoiding the public security problem.
With reference to the seventh aspect, in a possible implementation manner, the second security information includes at least one of password information, input information of a security algorithm, and a security algorithm.
With reference to the seventh aspect or any one of the implementation manners of the seventh aspect, in another possible implementation manner, the method further includes: the second network device receives identification information of multicast data, the identification information corresponding to the multicast group.
With reference to the seventh aspect or any implementation manner of the seventh aspect, in another possible implementation manner, the second network device includes a UDM, a UDR, a NEF, a first SMF, and an access and mobility management function network element AMF.
In an eighth aspect, the present application provides a method for authentication, the method comprising: an application server generates first security information and second security information, where the first security information and the second security information are used for authenticating a request of user equipment for joining a multicast group; the application server sends the first security information to the user equipment; and the application server sends the second security information to a first network device.
In the above technical solution, the application server generates the first security information and the second security information, sends the first security information to the user equipment, and sends the second security information to the first network device, so that the first network device can perform the authentication operation when the user equipment joins the group according to the security information, and the application server does not need to provide the first network device with explicit member information of the multicast group in real time.
With reference to the eighth aspect, in a possible implementation manner, the first security information is password information and the second security information is password information; or, the first security information is input information of a security algorithm and the second security information is the security algorithm; or, the first security information is a security algorithm and the second security information is input information of the security algorithm.
With reference to the eighth aspect or any implementation manner of the eighth aspect, in another possible implementation manner, when the first network device is a first session management function network element SMF, the sending, by the application server, the second security information to the first network device includes: the application server sends the second security information to the first network device through the NEF and the UDM.
With reference to the eighth aspect or any implementation manner of the eighth aspect, in another possible implementation manner, when the first network device is a unified data management network element UDM or a unified data repository UDR, the sending, by the application server, the second security information to the first network device includes: the application server sends the second security information to the first network device through the NEF and the first SMF; or, the application server sends the second security information to the first network device through the NEF.
With reference to the eighth aspect or any implementation manner of the eighth aspect, in another possible implementation manner, when the first network device is an access network device, the sending, by the application server, the second security information to the first network device includes: the application server sends the second security information to the first network device through the first AMF, the first SMF, the UDM and the NEF.
In a ninth aspect, the present application provides a communication apparatus, comprising:
a transceiver unit, configured to acquire first information and first identification information of multicast data, where the first information is used to determine first user identification information of a user equipment;
the transceiver unit is further configured to send a first message to an application server, where the first message is used to request authentication of a request of the user equipment to join a multicast group, and the first message includes the first user identification information and second identification information of the multicast data, where the first identification information and the second identification information correspond to the multicast group;
the transceiver unit is further configured to receive a second message sent by the application server, where the second message includes authentication result information.
Alternatively, the communication device may be an SMF or a module or unit in an SMF.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first subscriber identity information may be a GPSI.
The second user identification information may be information that is used to uniquely identify the user equipment and is recognizable to the core network device and the access network device.
For example, the second subscriber identification information may include at least one of SUPI, GUTI, and SUCI.
The first identification information and the second identification information of the multicast data correspond to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
Alternatively, the first identification information and the second identification information may be the same.
Alternatively, the first identification information and the second identification information may be different. Specifically, after acquiring the first identification information, the communication device may determine the second identification information according to the first identification information, and then send the second identification information to the application server. For example, the first identification information acquired by the communication device is a TMGI of the multicast group; the communication device determines the ID of the PDU session corresponding to the TMGI and carries the ID of the PDU session in the first message to the application server.
In the embodiment of the application, the communication device sends the first user identification information and the second identification information to the application server, and the application server performs the authentication operation when the user equipment joins the group. The application server is therefore not required to provide explicit member information of the multicast group to the communication device in real time, so the authentication operation when the user equipment joins the group can still be performed when the communication device does not hold the member information of the multicast group, which helps to avoid public security problems.
With reference to the ninth aspect, in a possible implementation manner, the apparatus further includes:
a processing unit, configured to determine, according to the first identification information, that the application server is required to authenticate the request of the user equipment to join the multicast group.
For example, the communication device may determine whether authentication and authorization by the application server is required based on a locally stored policy. The policy may be pre-configured in the communication device or may be provided by another network element, e.g. a PCF, a UDM or a UDR. The policy indicates whether the communication device needs to run an authentication and authorization procedure with the application server for a join request carrying the identification information.
For another example, the communication device may determine whether member list information of the multicast group corresponding to the first identification information is stored. When the member list information includes the first user identification information, the communication device determines that authentication and authorization by the application server is required; otherwise, the communication device determines that the join request of the user equipment is illegal and returns an indication of group join failure to the user equipment.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the first information includes the first user identification information and/or second user identification information of the user equipment.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the processing unit is further configured to obtain the first user identification information according to the second user identification information.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the transceiver unit is specifically configured to obtain the first subscriber identity information from a first network element according to the second subscriber identity information, where the first network element includes an access and mobility management function network element AMF, a unified data management network element UDM, and a unified data repository UDR.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the transceiver unit is specifically configured to acquire the first information and the first identification information from a second SMF, an access and mobility management function network element AMF, or a second user plane function network element UPF.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the transceiver unit is specifically configured to determine, according to the first identification information, identification information of the application server; and directly sending the first message to the application server, or sending the first message to the application server through a first UPF.
With reference to the ninth aspect or any implementation manner of the ninth aspect, in another possible implementation manner, the transceiver unit is specifically configured to send the first message to the application server through a network exposure function network element NEF.
In a tenth aspect, the present application provides a communication apparatus, comprising:
a transceiver unit, configured to receive a first message from a first session management function network element SMF, where the first message is used to request authentication of a request of a user equipment to join a multicast group, and the first message includes first user identification information and second identification information of multicast data, where the second identification information corresponds to the multicast group, and the first user identification information is identification information of the user equipment;
a processing unit, configured to authenticate the request of the user equipment to join the multicast group according to the first user identification information and the second identification information;
the transceiver unit is further configured to send a second message to the first SMF, where the second message includes authentication result information.
Alternatively, the communication device may be an application server or a module or unit in the application server.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first subscriber identity information may be a GPSI.
The second identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In the embodiment of the application, the first SMF sends the first user identification information and the second identification information to the communication device, and the communication device performs the authentication operation when the user equipment joins the group, without the communication device having to provide the first SMF with explicit member information of the multicast group in real time. The authentication operation when the user equipment joins the group can therefore still be performed when the first SMF does not hold the member information of the multicast group, which helps to avoid public security problems.
With reference to the tenth aspect, in a possible implementation manner, the transceiver unit is specifically configured to send the second message to the first SMF directly, or to send the second message to the first SMF through a first UPF or a network exposure function network element NEF.
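The ninth and tenth aspects together describe one exchange: the SMF resolves the subscriber and group identifiers, decides whether the application server must be asked, sends the first message, and acts on the second message. The following Python model of both sides is an added example, not code from the patent or from any Huawei product. The SUPI/GPSI/TMGI values, the mapping tables standing in for UDM and policy lookups, the message layouts and the result strings are all constructed for this illustration; the patent does not specify any of them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class FirstMessage:
    """SMF -> application server: request to authenticate a join (constructed layout)."""
    gpsi: str       # first user identification information
    group_id: str   # second identification information of the multicast data


@dataclass(frozen=True)
class SecondMessage:
    """Application server -> SMF: authentication result information (constructed layout)."""
    gpsi: str
    group_id: str
    authorized: bool


class ApplicationServer:
    """Holds the real membership; the SMF never receives this list."""

    def __init__(self, members: Dict[str, Set[str]]):
        self._members = members  # group_id -> GPSIs allowed to join

    def authenticate(self, msg: FirstMessage) -> SecondMessage:
        ok = msg.gpsi in self._members.get(msg.group_id, set())
        return SecondMessage(msg.gpsi, msg.group_id, ok)


class SMF:
    """First SMF of the ninth aspect; the dicts stand in for UDM, PCF and session context."""

    def __init__(self, udm: Dict[str, str], policy: Dict[str, bool],
                 sessions: Dict[str, str],
                 member_lists: Optional[Dict[str, Set[str]]] = None):
        self._udm = udm                  # SUPI -> GPSI (hypothetical UDM query result)
        self._policy = policy            # TMGI -> application-server authentication required?
        self._sessions = sessions        # TMGI -> multicast PDU session ID
        self._member_lists = member_lists or {}  # optional locally stored member lists

    def handle_join(self, supi: str, tmgi: str, app_server: ApplicationServer) -> str:
        # Second user identification (SUPI) -> first user identification (GPSI).
        gpsi = self._udm.get(supi)
        if gpsi is None:
            return "rejected: unknown subscriber"
        # First identification (TMGI) -> second identification (PDU session ID).
        group_id = self._sessions.get(tmgi)
        if group_id is None:
            return "rejected: unknown multicast group"
        # Local pre-check: a stored member list that lacks the GPSI rejects the join
        # without involving the application server at all.
        if tmgi in self._member_lists and gpsi not in self._member_lists[tmgi]:
            return "rejected: not in local member list"
        # Policy decides whether the application server must authenticate this group.
        if not self._policy.get(tmgi, True):
            return "joined: no application-server authentication required"
        reply = app_server.authenticate(FirstMessage(gpsi, group_id))
        # Bind the result to the request so a stray or reordered reply cannot admit the wrong UE.
        if reply.gpsi != gpsi or reply.group_id != group_id:
            return "rejected: result does not match request"
        return "joined" if reply.authorized else "rejected: refused by application server"


# Constructed sample data; the identifier formats are illustrative only.
UDM = {"imsi-460001234567890": "msisdn-8613900000001",
       "imsi-460001234567891": "msisdn-8613900000002"}
POLICY = {"tmgi-0001": True, "tmgi-0002": False}
SESSIONS = {"tmgi-0001": "mbs-session-1", "tmgi-0002": "mbs-session-2"}
MEMBER_LISTS = {"tmgi-0002": {"msisdn-8613900000001"}}
APP_SERVER = ApplicationServer({"mbs-session-1": {"msisdn-8613900000001"}})
SMF_NODE = SMF(UDM, POLICY, SESSIONS, MEMBER_LISTS)

if __name__ == "__main__":
    for supi, tmgi in [("imsi-460001234567890", "tmgi-0001"),
                       ("imsi-460001234567891", "tmgi-0001"),
                       ("imsi-460001234567891", "tmgi-0002")]:
        print(supi, tmgi, "->", SMF_NODE.handle_join(supi, tmgi, APP_SERVER))
```

The check that the second message names the same GPSI and group as the first message is the practitioner's addition: the patent only says the second message carries the result, and an SMF that keys on the result alone would be open to confusion between concurrent join requests.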
In an eleventh aspect, the present application provides a communication apparatus, comprising:
a processing unit, configured to determine a third message, where the third message is used to request to join a multicast group, and the third message includes third identification information of multicast data, and the third identification information corresponds to the multicast group;
a transceiver unit, configured to send the third message to a second user plane function network element UPF.
Alternatively, the communication device may be a user equipment or a module or unit in the user equipment.
The third identification information of the multicast data corresponds to a multicast group to which the communication device requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identification of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In the above technical solution, the communication device may initiate to join the multicast group through the user plane network element.
With reference to the eleventh aspect, in a possible implementation manner, the third message further includes second user identification information of the user equipment and/or information for authenticating the user equipment.
With reference to the eleventh aspect or any implementation manner of the eleventh aspect, in another possible implementation manner, the third message is an IGMP message or an MLR message.
In a twelfth aspect, the present application provides a communications apparatus, comprising:
a transceiver unit, configured to receive identification information of multicast data, where the identification information corresponds to a multicast group to which a user equipment requests to join;
the transceiver unit is further configured to send the identification information to the first session management function network element SMF.
In the above technical solution, the communication device forwards the received identification information of the multicast data to the first SMF, so that the first SMF can further send the identification information to the application server, and the application server performs the authentication operation when the user equipment joins the group. The application server is therefore not required to provide explicit member information of the multicast group to the first SMF in real time, and the authentication operation when the user equipment joins the group can still be performed when the first SMF does not hold the member information of the multicast group, which helps to avoid public security problems.
With reference to the twelfth aspect, in a possible implementation manner, the transceiver unit is further configured to send first user identification information of the user equipment and/or second user identification information of the user equipment to the first SMF.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first subscriber identity information may be a GPSI.
The second user identification information may be information that is used to uniquely identify the user equipment and is recognizable to the core network device and the access network device.
For example, the second subscriber identification information may include at least one of SUPI, GUTI, and SUCI.
With reference to the twelfth aspect or any implementation manner of the twelfth aspect, in another possible implementation manner, the communication device includes a second SMF, an access and mobility management function network element AMF, a unified data management network element UDM, a unified data repository UDR, and a second user plane function network element UPF.
In a thirteenth aspect, the present application provides a communication apparatus, comprising:
a processing unit, configured to determine a fourth message, where the fourth message includes identification information of multicast data and first security information, the first security information is used to authenticate a request of the user equipment to join a multicast group, and the identification information corresponds to the multicast group;
a transceiver unit, configured to send the fourth message to a first network device.
Alternatively, the communication device may be a user equipment or a module or unit in the user equipment.
The identification information of the multicast data corresponds to a multicast group to which the communication device requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identification of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
In this way, in the embodiment of the present application, the communication device provides the first network device with the first security information for authentication and the identification information of the multicast data. The first network device can perform the authentication operation when the user equipment joins the group according to the security information, and the application server is not required to provide the first network device with explicit member information of the multicast group in real time, so the authentication operation when the user equipment joins the group can still be performed when the first network device does not hold the member information of the multicast group, which helps to avoid public security problems.
With reference to the thirteenth aspect, in a possible implementation manner, the first security information includes at least one of password information, input information of a security algorithm, and a security algorithm.
With reference to the thirteenth aspect or any implementation manner of the thirteenth aspect, in another possible implementation manner, the transceiver unit is further configured to obtain the first security information from an application server.
With reference to the thirteenth aspect or any implementation manner of the thirteenth aspect, in another possible implementation manner, the first network device is an access network device or a core network device.
With reference to the thirteenth aspect or any implementation manner of the thirteenth aspect, in another possible implementation manner, the core network device includes a first session management function network element SMF and a unified data management network element UDM.
In a fourteenth aspect, the present application provides a communications apparatus, comprising:
a transceiver unit, configured to receive a fourth message from a user equipment, where the fourth message includes identification information of multicast data and first security information, the first security information is used to authenticate a request of the user equipment to join a multicast group, and the identification information corresponds to the multicast group;
a processing unit, configured to authenticate the request of the user equipment to join the multicast group according to the first security information and second security information, where the second security information is used to authenticate the request of the user equipment to join the multicast group and corresponds to the multicast group.
The identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds.
Thus, in the embodiment of the application, the application server can provide the security information for authentication to the user equipment and the communication device, the communication device can perform the authentication operation when the user equipment joins the group according to the security information, and the application server does not need to provide the communication device with the explicit member information of the multicast group in real time, so that the authentication operation when the user equipment joins the group can be still realized under the condition that the communication device does not have the member information of the multicast group, and the public security problem is avoided.
With reference to the fourteenth aspect, in a possible implementation manner, the first security information is password information, and the second security information is password information; or, the first security information is input information of a security algorithm and the second security information is the security algorithm; or, the first security information is a security algorithm and the second security information is input information of the security algorithm.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, the transceiver unit is further configured to acquire the second security information from an application server.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is a first session management function network element SMF, the transceiver unit is specifically configured to acquire the second security information from an application server through the NEF and the UDM.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is a unified data management network element UDM or a unified data repository UDR, the transceiver unit is specifically configured to acquire the second security information from an application server through a NEF and a first SMF; or, obtaining the second security information from the application server through the NEF.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is an access network device, the transceiver unit is specifically configured to acquire the second security information from the application server through the first AMF, the first SMF, the UDM, and the NEF.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is a first session management function network element SMF, the transceiver unit is specifically configured to receive the fourth message through a second SMF, an access and mobility management function network element AMF, or a second user plane function network element UPF.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is a unified data management network element UDM or a unified data repository UDR, the transceiver unit is specifically configured to receive the fourth message through a first SMF or a second SMF.
With reference to the fourteenth aspect or any implementation manner of the fourteenth aspect, in another possible implementation manner, when the communication device is an access network device, the fourth message is a radio resource control RRC message.
In a fifteenth aspect, the present application provides a communications apparatus, comprising:
a transceiver unit, configured to receive second security information, where the second security information is used to authenticate a request of a user equipment to join a multicast group;
the transceiver unit is further configured to send the second security information.
In the above technical solution, the communication device receives and sends the second security information, and the first network device that performs the authentication and authorization operation can conveniently acquire the second security information, thereby implementing the authentication operation when the user equipment joins the group according to the security information, and there is no need for the application server to provide the first network device with explicit member information of the multicast group in real time.
With reference to the fifteenth aspect, in one possible implementation manner, the second security information includes at least one of password information, input information of a security algorithm, and a security algorithm.
With reference to the fifteenth aspect or any implementation manner of the fifteenth aspect, in another possible implementation manner, the transceiver unit is further configured to receive identification information of multicast data, where the identification information corresponds to the multicast group.
With reference to the fifteenth aspect or any implementation manner of the fifteenth aspect, in another possible implementation manner, the communication device includes a UDM, a UDR, a NEF, a first SMF, and an access and mobility management function network element AMF.
In a sixteenth aspect, the present application provides a communications apparatus, comprising:
a processing unit, configured to generate first security information and second security information, where the first security information and the second security information are used to authenticate a request for a user equipment to join a multicast group;
a transceiving unit, configured to send the first security information to the user equipment;
the transceiver unit is further configured to send the second security information to the first network device.
Alternatively, the communication device may be an application server or a module or unit in the application server.
In the above technical solution, the communication device generates the first security information and the second security information, sends the first security information to the user equipment, and sends the second security information to the first network device, so that the first network device can perform the authentication operation when the user equipment joins the group according to the security information, and the communication device does not need to provide the first network device with explicit member information of the multicast group in real time.
With reference to the sixteenth aspect, in a possible implementation manner, the first security information is password information, and the second security information is password information; or, the first security information is input information of a security algorithm and the second security information is the security algorithm; or, the first security information is a security algorithm and the second security information is input information of the security algorithm.
With reference to the sixteenth aspect or any implementation manner of the sixteenth aspect, in another possible implementation manner, when the first network device is a first session management function network element SMF, the transceiver unit is specifically configured to send the second security information to the first network device through a NEF and a UDM.
With reference to the sixteenth aspect or any implementation manner of the sixteenth aspect, in another possible implementation manner, when the first network device is a unified data management network element UDM or a unified data repository UDR, the transceiver unit is specifically configured to send the second security information to the first network device through a NEF and a first SMF; or, to send the second security information to the first network device through the NEF.
With reference to the sixteenth aspect or any implementation manner of the sixteenth aspect, in another possible implementation manner, when the first network device is an access network device, the transceiver unit is specifically configured to send the second security information to the first network device through the first AMF, the first SMF, the UDM, and the NEF.
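The eighth, thirteenth, fourteenth and sixteenth aspects describe the second authentication scheme: the application server generates two pieces of security information, hands one to the user equipment and the other to the first network device, and the first network device authenticates the join on its own. The Python model below is an added example and is not code from the patent. It instantiates two of the three listed pairings; the patent names "password information" and "input information of a security algorithm / the security algorithm" without saying what they are, so the HMAC-SHA256 token bound to GPSI and TMGI, the use of a per-group key as "the algorithm", the message layout and every identifier are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class FourthMessage:
    """UE -> first network device (constructed layout): join request with first security information."""
    gpsi: str
    tmgi: str                  # identification information of the multicast data
    first_security_info: str   # a password, or the input to the verification algorithm


class ApplicationServer:
    """Generates and hands out the first/second security information (eighth/sixteenth aspect)."""

    def __init__(self) -> None:
        self._group_keys: Dict[str, bytes] = {}

    def provision_password(self, tmgi: str) -> Tuple[str, str]:
        """Pairing 1: both pieces are password information (a shared group password)."""
        password = secrets.token_urlsafe(16)
        return password, password   # (for the UE, for the first network device)

    def provision_token(self, tmgi: str, gpsi: str) -> Tuple[str, bytes]:
        """Pairing 2 (assumed instantiation): the UE gets an input (a per-UE token),
        the first network device gets the algorithm, here an HMAC key for this group."""
        key = self._group_keys.setdefault(tmgi, secrets.token_bytes(32))
        token = hmac.new(key, f"{gpsi}|{tmgi}".encode(), hashlib.sha256).hexdigest()
        return token, key


class FirstNetworkDevice:
    """SMF, UDM/UDR or access network device holding the second security information."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}
        self._keys: Dict[str, bytes] = {}

    def store_password(self, tmgi: str, password: str) -> None:
        self._passwords[tmgi] = password

    def store_key(self, tmgi: str, key: bytes) -> None:
        self._keys[tmgi] = key

    def authenticate(self, msg: FourthMessage) -> bool:
        if msg.tmgi in self._keys:
            # Recompute the token for the claimed UE and group; a token issued to another
            # UE or for another group does not verify.
            expected = hmac.new(self._keys[msg.tmgi], f"{msg.gpsi}|{msg.tmgi}".encode(),
                                hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected, msg.first_security_info)
        if msg.tmgi in self._passwords:
            return hmac.compare_digest(self._passwords[msg.tmgi], msg.first_security_info)
        return False   # no second security information for this group: cannot authenticate


def demo() -> Dict[str, bool]:
    """Runs both pairings end to end on constructed identifiers."""
    app, device = ApplicationServer(), FirstNetworkDevice()
    ue_pw, dev_pw = app.provision_password("tmgi-0001")
    device.store_password("tmgi-0001", dev_pw)
    ue_tok, dev_key = app.provision_token("tmgi-0002", "msisdn-8613900000001")
    device.store_key("tmgi-0002", dev_key)
    return {
        "password_ok": device.authenticate(FourthMessage("msisdn-8613900000001", "tmgi-0001", ue_pw)),
        "password_wrong": device.authenticate(FourthMessage("msisdn-8613900000001", "tmgi-0001", "guess")),
        "token_ok": device.authenticate(FourthMessage("msisdn-8613900000001", "tmgi-0002", ue_tok)),
        "token_other_ue": device.authenticate(FourthMessage("msisdn-8613900000002", "tmgi-0002", ue_tok)),
        "token_other_group": device.authenticate(FourthMessage("msisdn-8613900000001", "tmgi-0001", ue_tok)),
        "unprovisioned_group": device.authenticate(FourthMessage("msisdn-8613900000001", "tmgi-0003", ue_tok)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the patent text does not address: a shared group password (pairing 1) lets any member admit anyone it passes the password to, which is why the per-UE token of pairing 2 is bound to the GPSI; and neither piece of security information carries freshness, so a token observed on the path between UE and network device can be replayed unless that path (RRC or NAS in the access- and core-network cases named above) is itself integrity protected and confidential.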
In a seventeenth aspect, the present application provides a communication device comprising a processor, a memory, and a transceiver. Wherein the memory is configured to store a computer program, and the processor is configured to call and run the computer program stored in the memory, and control the transceiver to transmit and receive signals, so as to enable the communication apparatus to perform the method according to any one of the above aspects or any possible implementation manner thereof.
In an eighteenth aspect, the present application provides a communication device comprising a processor and a communication interface, the communication interface being configured to receive a signal and transmit the received signal to the processor, and the processor processing the signal such that the method according to any one of the above aspects or any possible implementation thereof is performed.
Alternatively, the communication interface may be an interface circuit, and the processor may be a processing circuit.
In a nineteenth aspect, the present application provides a chip, including a logic circuit and a communication interface, where the communication interface is configured to perform a sending, receiving, or obtaining operation in any one of the above aspects or any possible implementation thereof, and the logic circuit is configured to perform the determining processing in any one of the above aspects or any possible implementation thereof.
Optionally, the communication interface may comprise an input interface and an output interface. The input interface is used for executing acquisition or receiving operation, and the output interface is used for executing sending operation.
In a twentieth aspect, the present application provides a computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause a method as in any one of the above aspects or any possible implementation thereof to be performed.
In a twenty-first aspect, the present application provides a computer program product comprising computer program code to, when run on a computer, cause the method of any one of the above aspects or any possible implementation thereof to be performed.
In a twenty-second aspect, the present application provides a wireless communication system comprising any one or more of the communication devices according to any one of the above aspects or any possible implementation manner thereof.
Drawings
Fig. 1 is a schematic diagram of a network architecture to which embodiments of the present application may be applied.
Fig. 2 is a schematic diagram of unicast-based multicast.
Fig. 3 is a schematic diagram of a unicast/multicast system architecture to which an embodiment of the present application may be applied.
Fig. 4 is a schematic flowchart of an authentication method provided in an embodiment of the present application.
Fig. 5 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 6 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 7 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 8 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 9 is a schematic flow chart of an authentication method according to another embodiment of the present application.
Fig. 10 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 11 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 12 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 13 is a schematic flow chart of another authentication method according to an embodiment of the present application.
Fig. 14 is a schematic structural diagram of a possible apparatus provided by an embodiment of the present application.
Fig. 15 is another schematic diagram of a possible apparatus provided by an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical scheme of the embodiment of the application can be applied to various communication systems, for example: a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5th generation, 5G) system or a New Radio (NR) communication system, a satellite communication system, a future mobile communication system, and the like.
Fig. 1 is a schematic diagram of a network architecture to which embodiments of the present application may be applied. Taking the 5G network architecture as an example, the network architecture includes: a User Equipment (UE) 101, a Radio Access Network (RAN) 102, a User Plane Function (UPF) network element 103, a Data Network (DN) 104, an access and mobility management function (AMF) network element 105, a Session Management Function (SMF) network element 106, a policy control function (PCF) network element 107, a Unified Data Management (UDM) network element 108, an Application Function (AF) network element 109, a Unified Data Repository (UDR) network element 110, and a Network Exposure Function (NEF) network element 111. User equipment 101, radio access network equipment 102, UPF network element 103, DN network element 104, AMF network element 105, SMF network element 106, PCF network element 107, UDM network element 108, AF network element 109, UDR network element 110, and NEF network element 111 will be referred to below simply as UE101, RAN102, UPF103, DN104, AMF105, SMF106, PCF107, UDM108, AF109, UDR110, and NEF111, respectively.
The UE101 mainly accesses the 5G network through a wireless air interface and obtains services, and the UE101 interacts with the RAN102 through the air interface and interacts with the AMF105 of the core network through non-access stratum signaling (NAS).
The RAN102 is responsible for air interface resource scheduling and air interface connection management for the UE101 accessing the network.
The UPF103 is responsible for processing the user data of the user equipment, such as forwarding and charging. For example, UPF103 may receive user data from DN104 and transmit it to UE101 through RAN102, and may also receive user data from UE101 through RAN102 and forward it to DN104. The transmission resources and scheduling functions in the UPF103 that serve the UE101 are managed and controlled by the SMF106.
The DN104 is an operator network providing a data transmission service for a user, for example, an Internet Protocol (IP) multimedia service (IMS), the Internet, and the like. The UE101 accesses the DN104 by establishing a Protocol Data Unit (PDU) session between the UE101 to the RAN102 to the UPF103 to the DN 104.
The AMF105 is mainly responsible for mobility management in mobile networks, such as subscriber location update, subscriber registration network, and subscriber handover.
SMF106 is primarily responsible for session management in the mobile network, e.g., session establishment, modification and release, etc. The specific functions include allocating an IP address to a user, selecting a UPF that provides a message forwarding function, and the like.
The PCF107 is responsible for providing policies, e.g., quality of service (QoS) policies, slice selection policies, etc., to the AMF105 and the SMF106.
UDM108 is used to store user data such as subscription information, authentication/authorization information, etc.
The AF109 is responsible for providing services to the 3rd generation partnership project (3 GPP) network, e.g., affecting traffic routing, interacting with the PCF107 for policy control, etc.
UDR110 is responsible for storing and retrieving subscription data, policy data, public infrastructure data, and the like.
The NEF111 is used for the operator network to open data in the network to the third party application server or receive data provided by the third party application server for the network.
In the network architecture, N1 is an interface between UE101 and AMF105; N2 is an interface between RAN102 and AMF105, and is used for sending NAS messages and the like; N3 is an interface between RAN102 and UPF103, for transmitting user plane data and the like; N4 is an interface between SMF106 and UPF103, and is used to transmit information such as tunnel identification information of the N3 connection, data cache indication information, and downlink data notification messages; the N6 interface is an interface between the UPF103 and the DN104 for transmitting user plane data and the like. Nudr is a service-based interface exhibited by UDR110, Namf is a service-based interface exhibited by AMF105, Nsmf is a service-based interface exhibited by SMF106, Nnef is a service-based interface exhibited by NEF111, Npcf is a service-based interface exhibited by PCF107, Nudm is a service-based interface exhibited by UDM108, and Naf is a service-based interface exhibited by AF109.
It should be noted that the interfaces between the network elements shown in fig. 1 may also be point-to-point interfaces, rather than service interfaces.
User equipment in the embodiments of the present application may also be referred to as terminal equipment, a user, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user device, among others. The user equipment may be a cellular phone, a smart watch, a wireless data card, a mobile phone, a tablet computer, a Personal Digital Assistant (PDA) computer, a wireless modem, a handheld device, a laptop computer, a Machine Type Communication (MTC) terminal, a computer with wireless transceiving function, an internet of things terminal, a virtual reality terminal, an augmented reality terminal, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in tele-operation, a wireless terminal in a smart grid, a wireless terminal in transportation security, a wireless terminal in a smart city, a wireless terminal in a smart home, a wireless terminal in satellite communication (e.g., a satellite phone or a satellite terminal, etc.), and so on. The embodiment of the present application does not limit the specific technology and the specific device form adopted by the user equipment.
The access network device in the embodiment of the present application may be a device for communicating with a user equipment, and is mainly responsible for functions such as radio resource management, quality of service management, data compression, and encryption on the air interface side. The access network device may be a base station (BTS) in a global system for mobile communications (GSM) system or a Code Division Multiple Access (CDMA) system, a base station (NodeB) in a Wideband Code Division Multiple Access (WCDMA) system, an evolved base station (eNB or eNodeB) in an LTE system, a base station in a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a base station in a Cloud Radio Access Network (CRAN) scenario, a wireless controller in a wireless fidelity (WiFi) system, a relay station, a vehicle-mounted device, or a wearable device. Alternatively, the access network device may be a terminal that performs the functions of a base station in device-to-device (D2D) communication or machine communication. Alternatively, the access network device may be a network device in a 5G network or a network device in a future evolved PLMN network, etc. In addition, the access network device may also be a module or a unit that performs part of the functions of the base station, for example, a Centralized Unit (CU) or a Distributed Unit (DU). The embodiment of the present application does not limit the specific technology and the specific device form adopted by the access network device.
It should be understood that the name of each network element shown in fig. 1 is only one name, and the name does not limit the function of the network element itself. In different networks, the network elements may also be given other names, and this embodiment of the present application is not limited to this specific name. For example, in a 6G network, some or all of the above network elements may use the terminology in 5G, or may use other nomenclature, and so on, which are described herein in a unified manner and will not be described again below. Similarly, the interface between the network elements shown in fig. 1 is only an example, and in a 5G network and other networks in the future, the interface between the network elements may not be the interface shown in the figure, and the application is not limited thereto. It should also be understood that the embodiments of the present application are not limited to the system architecture shown in fig. 1. For example, a communication system to which the present application may be applied may comprise more or fewer network elements or devices. The devices or network elements in fig. 1 may be hardware, or may be functionally divided software, or a combination of the two. The devices or network elements in fig. 1 may communicate with each other through other devices or network elements.
At present, if a 5GC network needs to send the same service to multiple user equipments, a multicast user plane connection may be established to send data, so that only one part of the data with the same content sent to different user equipments is selected to be sent, which is beneficial to improving the utilization efficiency of air interface side resources and core network resources. One way of doing this is by unicast-based multicast technology.
Fig. 2 is a schematic diagram of unicast-based multicast.
The unicast-based multicast technique does not particularly limit the data transmission between an Application Server (AS) and a UPF. For example, as shown in fig. 2 (a) and (c), the AS may send only one multicast packet to the network. For another example, as shown in fig. 2 (b) and (d), the AS may send one multicast packet to each UE in the multicast group.
For the same multicast group, data packets transmitted from the UPF to the Access Network (AN) to the UE or from the AN to the UE are all multicast data packets with the same content.
As shown in (a) and (b) of fig. 2, the UPF selects one copy of the data of the same content that is destined for different UEs (e.g., UE1-UE4 in fig. 2) and sends it to the Access Network (AN), and the AN sends the received copy to UE1-UE4. For example, for the same multicast group, the UPF may send the multicast data packet received from the application server to the access network through a dedicated transport channel or through the N3 channel of a certain UE in the multicast group, and the AN sends the received data to UE1-UE4.
As shown in (c) and (d) of fig. 2, the UPF sends the data of the same content to the AN by unicast, once for each of the different UEs (e.g., UE1-UE4 in fig. 2), and the AN selects one copy of the received data to send to UE1-UE4. For example, for the same multicast group, the UPF may send the multicast data received from the application server to the access network by unicast through the N3 channel of each UE in the multicast group, and the AN sends the received data to UE1-UE4.
Fig. 3 is a schematic diagram of a unicast/multicast system architecture to which an embodiment of the present application may be applied. For a detailed description of each network element, reference may be made to the related description of fig. 1, which is not repeated here. It should be noted that, in fig. 3, an SMF is an SMF network element for managing a unicast PDU session, a multicast SMF (M-SMF) is an SMF network element for managing a multicast PDU session, a UPF is a UPF network element for processing unicast user data, and a multicast UPF (M-UPF) is a UPF network element for processing multicast user data. The first UPF is managed by the first SMF.
The M-SMF may be implemented by a unicast SMF through an enhanced function, or may be a dedicated network element for managing a multicast service. The M-UPF may be implemented by a unicast UPF through an enhanced function, or may be a dedicated network element for managing multicast services.
For convenience of description, the SMF network element for managing multicast PDU sessions is hereinafter collectively referred to as a first SMF, the SMF network element for managing unicast PDU sessions is hereinafter collectively referred to as a second SMF, the UPF network element for processing multicast user data is hereinafter collectively referred to as a first UPF, and the UPF network element for processing unicast user data is hereinafter collectively referred to as a second UPF. It should be noted that in the embodiment of the present application, multicast and multicast are not distinguished, and hereinafter, collectively described as multicast.
It should be noted that, in some implementation scenarios, the functions of the M-SMF or the first SMF in this application may be included by other network elements. For example, a Multicast and Broadcast Service Function (MBSF) is implemented, and the MBSF includes related functions for managing multicast services, such as a multicast session management function, an authentication function of a multicast user, a control function of multicast data (for example, control of functions such as encryption and encoding of multicast data), generation of a multicast policy, and the like. At this time, the M-SMF or the first SMF may be equivalently replaced with these other network elements (e.g., MBSF).
In the above multicast scenario, when a UE joins a multicast group, an authentication operation needs to be performed on the joining of the UE. In the current authentication mode, the AF needs to provide member information of the multicast group to the core network, and then the core network performs authentication operation on the joining of the UE. Confidentiality is an important requirement of public security, but in the current authentication mode, a core network needs to master complete member list information of a multicast group, which may cause a security problem and cannot meet the requirement of public security on confidentiality.
In view of the above problems, the present application provides an authentication method and a communication apparatus, which can implement an authentication operation when a UE joins a multicast group on the premise that a core network has no member information of the multicast group.
Fig. 4 is a schematic flowchart of an authentication method provided in an embodiment of the present application. The method shown in fig. 4 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
The method in fig. 4 may be executed by the first SMF and the application server, or may be executed by a module or unit (e.g., a circuit, a chip, or a System On Chip (SOC), etc.) in the first SMF and the application server; in fig. 4, the first SMF and the application server are taken as the executing entities by way of example. The method of fig. 4 may include at least some of the following steps.
In step 410, the first SMF obtains first subscriber identification information of the user equipment and first identification information of the multicast data.
The first user identification information is information that uniquely identifies the user equipment and is recognizable by the application server.
For example, the first subscriber identity information may be a GPSI.
The first identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds. For convenience of description, the identification information of the multicast data is hereinafter simply referred to as first identification information.
In the present application, there are many ways in which the first SMF may obtain the first subscriber identity information and the first identification information, which will be described in detail below with reference to fig. 5 to 8.
In step 420, the first SMF sends a first message to the application server requesting the application server to authenticate the join request of the user equipment. Accordingly, the application server receives a first message from the first SMF. Wherein the first message includes first subscriber identification information and second identification information of the multicast data.
Alternatively, the first message may be an authentication authorization request message.
The second identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds. For convenience of description, the identification information of the multicast data is hereinafter simply referred to as second identification information.
In some implementations, the first identification information and the second identification information can be the same.
In other implementations, the first identification information and the second identification information may be different. Specifically, after acquiring the first identification information, the first SMF may determine the second identification information according to the first identification information, and then send the second identification information to the application server. For example, the first identification information acquired by the first SMF is a TMGI of the multicast group, and the first SMF determines an ID of a PDU session corresponding to the TMGI according to the TMGI and sends the ID of the PDU session to the application server through a first message.
In the present application, there are many ways in which the first SMF sends the first message to the application server, and the details will be described below with reference to fig. 5 to 8.
In step 430, the application server performs authentication according to the first user identification information and the second identification information.
In some implementations, the application server can query a database based on the first user identification information and the second identification information. If the database contains subscription information of the first user identification information for the second identification information, the application server determines that the authentication is successful; otherwise, the application server determines that the authentication fails.
In step 440, the application server sends the result information to the first SMF. Accordingly, the first SMF receives result information from the application server.
Wherein the result information is used for indicating the result of the authentication. For example, the result information indicates that the authentication is successful. As another example, the result information indicates that authentication failed.
Optionally, the application server may also send parameter information for the multicast transmission to the first SMF when the application server determines that the authentication is successful. The parameter information may include QoS parameters for multicast transmissions, identification information for multicast sessions, and the like.
In the present application, there are many ways in which the application server sends the result information to the first SMF, and the details will be described below with reference to fig. 5 to 8.
In the embodiment of the application, the first SMF sends the first user identification information and the second identification information to the application server, and the application server executes the authentication operation when the user equipment joins the group, without providing explicit member information of the multicast group to the first SMF in real time, so that the authentication operation when the user equipment joins the group can be still realized under the condition that the first SMF does not have the member information of the multicast group, which is helpful for avoiding public security problems.
Optionally, in some implementations, before the first SMF sends the first message to the application server, the first SMF may further determine whether authentication authorization by the application server is required. When judging that the application server needs to carry out authentication authorization, the first SMF sends a first message to the application server; and when judging that the authentication authorization of the application server is not needed, the first SMF does not send the first message to the application server.
For example, the first SMF may determine whether an authentication authorization by the application server is required based on locally stored policies. The policy may be pre-configured in the first SMF or may be provided by other network elements (e.g., PCF, UDM or UDR). The policy is used to indicate whether the first SMF needs to perform an authentication and authorization procedure to the originating application server for the join request carrying the identification information.
For another example, the first SMF may determine whether member list information of the multicast group corresponding to the first identification information is stored, and when the member list information includes the first subscriber identity, the first SMF determines that the application server is required to perform authentication and authorization; otherwise, the first SMF determines that the joining request of the user equipment is illegal, and returns an indication of group joining failure to the user equipment.
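A runnable simulation of steps 410 to 440 together with the optional pre-check just described (policy-based decision and locally stored member list), added here as an illustration; it is not code from the patent or from any 3GPP implementation. The class names, the message field names and the sample GPSI, TMGI and PDU session values are assumptions constructed for the example.

```python
# Constructed example of the fig. 4 exchange: first SMF -> application server.
# Names, messages and sample identifiers are assumptions, not 3GPP APIs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MulticastIdent:
    """Identification information of the multicast data. Only two of the
    alternatives listed in the text are modelled: the TMGI and the ID of the
    multicast PDU session carrying the data."""
    tmgi: Optional[str] = None
    mc_pdu_session_id: Optional[str] = None


@dataclass(frozen=True)
class AuthAuthzRequest:
    """The 'first message': first user identification (GPSI) plus the
    second identification information of the multicast data."""
    gpsi: str
    ident: MulticastIdent


@dataclass(frozen=True)
class AuthResult:
    """The 'result information'; parameters are present only on success."""
    success: bool
    qos: Optional[Dict[str, int]] = None
    mc_session_id: Optional[str] = None


class ApplicationServer:
    """Owns the complete member list. It answers one (GPSI, identification)
    query at a time and never hands the list itself to the core network."""

    def __init__(self, subscriptions: Dict[str, Set[str]],
                 params: Dict[str, Dict[str, int]]) -> None:
        self._subs = subscriptions      # session ID or TMGI -> subscribed GPSIs
        self._params = params           # session ID or TMGI -> QoS parameters

    def authenticate(self, req: AuthAuthzRequest) -> AuthResult:
        key = req.ident.mc_pdu_session_id or req.ident.tmgi
        if key is None or req.gpsi not in self._subs.get(key, set()):
            return AuthResult(success=False)
        return AuthResult(success=True, qos=self._params[key], mc_session_id=key)


class FirstSMF:
    """SMF managing multicast PDU sessions. It holds no member list unless
    one is explicitly configured, and then uses it only as a pre-filter."""

    def __init__(self, app_server: ApplicationServer, policy: Dict[str, bool],
                 tmgi_to_session: Dict[str, str],
                 member_lists: Optional[Dict[str, Set[str]]] = None) -> None:
        self._as = app_server
        self._policy = policy                   # TMGI -> AS authentication required?
        self._tmgi_to_session = tmgi_to_session
        self._member_lists = member_lists or {}
        self.sent: List[AuthAuthzRequest] = []  # first messages actually sent
        self.sessions: Dict[Tuple[str, str], Dict[str, int]] = {}

    def _auth_required(self, gpsi: str, ident: MulticastIdent) -> Optional[bool]:
        """True: ask the AS; False: policy says no AS authentication is needed;
        None: the join request is illegal and is rejected without a message."""
        if ident.tmgi in self._member_lists:
            return True if gpsi in self._member_lists[ident.tmgi] else None
        return self._policy.get(ident.tmgi, True)

    def _second_ident(self, first: MulticastIdent) -> MulticastIdent:
        """Derive the second identification from the first, here by mapping
        a TMGI to the ID of the multicast PDU session (the text's example)."""
        if first.mc_pdu_session_id is None and first.tmgi in self._tmgi_to_session:
            return MulticastIdent(tmgi=first.tmgi,
                                  mc_pdu_session_id=self._tmgi_to_session[first.tmgi])
        return first

    def handle_join(self, gpsi: str, first_ident: MulticastIdent) -> str:
        """Step 410 input -> steps 420 and 440; returns 'joined' or 'join-failed'."""
        decision = self._auth_required(gpsi, first_ident)
        if decision is None:
            return "join-failed"
        if decision is False:
            return "joined"
        req = AuthAuthzRequest(gpsi=gpsi, ident=self._second_ident(first_ident))
        self.sent.append(req)                 # step 420
        res = self._as.authenticate(req)      # steps 430 and 440
        if not res.success:
            return "join-failed"
        self.sessions[(gpsi, res.mc_session_id)] = res.qos or {}
        return "joined"


def build_example(member_lists: Optional[Dict[str, Set[str]]] = None) -> FirstSMF:
    """Constructed data: one AS with two multicast services and one first SMF."""
    app_server = ApplicationServer(
        subscriptions={"mcsess-7": {"gpsi-alice", "gpsi-bob"}, "tmgi-B": {"gpsi-carol"}},
        params={"mcsess-7": {"5qi": 8}, "tmgi-B": {"5qi": 6}})
    return FirstSMF(app_server, policy={"tmgi-A": True, "tmgi-C": False},
                    tmgi_to_session={"tmgi-A": "mcsess-7"}, member_lists=member_lists)


if __name__ == "__main__":
    smf = build_example()
    for gpsi, tmgi in [("gpsi-alice", "tmgi-A"), ("gpsi-mallory", "tmgi-A"),
                       ("gpsi-mallory", "tmgi-C")]:
        print(gpsi, tmgi, "->", smf.handle_join(gpsi, MulticastIdent(tmgi=tmgi)))
```

Inspecting `smf.sent` after a run shows that the only data the core network ever holds about group membership is the (GPSI, identification) pairs it asked about, which is the point of the procedure.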
The following describes embodiments of the present application in detail with reference to fig. 5 to 8.
Fig. 5 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 5 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
In this embodiment of the present application, the first SMF may acquire the first user identification information and the first identification information through control plane signaling, in other words, the user equipment may request to join the multicast group through control plane signaling.
Specifically, first subscriber identification information and identification information are transmitted to the first SMF through steps 501-503.
In step 501, the user equipment sends a third message to the AMF. Accordingly, the AMF receives a third message transmitted by the user equipment.
In some implementations, the user equipment may send the third message through a non-access stratum (NAS) message, where the third message may include third identification information of the multicast data. For example, the NAS message may include an N1 SM container (N1 SM container), the N1 SM container may include a PDU session modification request message or a PDU session establishment request message, and further, the PDU session modification request message or the PDU session establishment request message may include the third identification information.
The third identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds. For convenience of description, the identification information of the multicast data is hereinafter simply referred to as third identification information.
Optionally, the PDU session modification request message or the PDU session establishment request message may further include identification information of the DN and/or information for authentication authorization, and the like. The identification information of the DN may be an ID of the DN or a name of the DN. The information for authentication and authorization may have different forms based on the implementation of the application layer, and this is not specifically limited in this embodiment of the application.
Optionally, the PDU session modification request message or the PDU session establishment request message may further include second user identification information. The second user identification information may be information that uniquely identifies the user equipment and that can be recognized by the core network device and the access network device. For example, the second subscriber identity information may include a SUPI, a GUTI, and the like.
In step 502, the AMF sends third identification information to the second SMF. Accordingly, the second SMF receives the third identification information from the AMF.
In some implementations, the AMF sends a third message received from the user equipment to the second SMF, the third message including the third identification information.
In other implementations, the AMF may also send the first subscriber identity information and/or the second subscriber identity information to the second SMF.
Optionally, if the AMF locally has a mapping relationship between the second user identification information and the first user identification information, after receiving the second user identification information sent by the user equipment, the AMF may determine the first user identification information of the user equipment according to the mapping relationship. At this time, the AMF may send the first subscriber identity information to the second SMF, or send the second subscriber identity information to the second SMF, or send both the first subscriber identity information and the second subscriber identity information to the second SMF.
Alternatively, the AMF may leave the third identification information unprocessed, and when the AMF locally has available first subscriber identification information of the user equipment, the AMF may send the first subscriber identification information and the third identification information to the second SMF.
Optionally, the AMF does not determine the first subscriber identity information, and the AMF may send the second subscriber identity information to the second SMF.
It should be noted that the second subscriber identity information sent by the AMF to the second SMF may be provided by the AMF or provided by the user equipment (i.e. the user equipment also sends the second subscriber identity information to the AMF in step 501).
In step 503, the second SMF sends the first subscriber identity information and/or the second subscriber identity information, and the first identification information to the first SMF. Accordingly, the first SMF receives the first subscriber identification information and/or the second subscriber identification information from the second SMF, and the first identification information.
The first identification information of the multicast data corresponds to the multicast group that the user equipment requests to join, and the specific description of the first identification information may be referred to above, which is not described herein again.
In some implementations, the first identification information and the third identification information can be the same.
In other implementations, the first identification information and the third identification information may be different. Specifically, after acquiring the third identification information, the second SMF may determine the first identification information according to the third identification information, and then send the first identification information to the first SMF. For example, the third identification information acquired by the second SMF is the TMGI of the multicast group, and the second SMF determines the ID of the PDU session corresponding to the TMGI according to the TMGI and sends the ID of the PDU session to the first SMF through the first message.
Alternatively, the second SMF may transmit the first subscriber identification information and/or the second subscriber identification information, and the first identification information through an N16 message. The N16 message is used to request parameter information for multicast transmission and to request authentication for joining a multicast group.
Optionally, if the AMF does not send the first subscriber identity information to the second SMF, the second SMF needs to obtain the first subscriber identity information from the AMF, or determine the first subscriber identity information according to locally stored information and the second subscriber identity information, or obtain the first subscriber identity information from the UDM. The locally stored information may be obtained from the AMF.
Optionally, the locally stored information may be a mapping relationship between the second user identifier and the first user identifier information.
Optionally, the second SMF may determine the first SMF before performing step 503. One implementation is that the second SMF determines the first SMF by querying data stored in the network element for centralized storage, according to the third identification information. The network element for centralized storage may be UDM, UDR, PCF, or the like. Another implementation manner is that the second SMF preconfigures a corresponding relationship between the third identification information and the first SMF network element, and at this time, the second SMF network element may determine the first SMF directly through the corresponding relationship.
Optionally, if the second SMF sends the second subscriber identity information to the first SMF but does not send the first subscriber identity information, the first SMF needs to obtain the first subscriber identity information, using the second subscriber identity information, from another network element that stores the mapping relationship between the first subscriber identity information and the second subscriber identity information. Such a network element may be the second SMF, the AMF, the UDM, the UDR, or the PCF.
Take as an example the case in which the first SMF obtains the first subscriber identity information from the AMF.
1) First, the first SMF sends a message, which may be an N11 message, to the AMF. The message requests that the AMF send the first subscriber identity information corresponding to the second subscriber identity information to the first SMF, and it includes the second subscriber identity information. Optionally, the message may further include the third identification information. It should be noted that the second subscriber identity information carried in the message may be permanent identity information of the user or temporary identity information of the user. It should be further noted that the second subscriber identity information sent by the first SMF to the AMF may differ from the second subscriber identity information sent by the second SMF or the AMF to the first SMF: the latter may be permanent identity information of the user, temporary identity information of the user, or an SM context identifier (SM Context ID), whereas the former may be permanent identity information of the user or temporary identity information of the user, and there is no dependency between them. For example, the second SMF or the AMF provides temporary identity information of the user; the first SMF determines the corresponding AMF from the temporary identity information and obtains the permanent identity information of the user from that AMF; the first SMF then obtains the first subscriber identity information from the AMF by sending it the permanent identity information of the user.
2) The AMF then sends a message, which may be an N11 message, to the first SMF. The message returns the first subscriber identity information corresponding to the second subscriber identity information to the first SMF. Optionally, the message may further include the third identification information.
After the first SMF obtains the first subscriber identity information and the first identification information, it may send a first message to the application server, requesting the application server to perform an authentication and authorization operation. The first message includes the first subscriber identity information and the second identification information.
Optionally, the first message may be an authentication authorization request message.
The second identification information of the multicast data corresponds to the multicast group that the user equipment requests to join, and the specific description of the second identification information may be referred to above, which is not described herein again.
In some implementations, the first identification information and the second identification information can be the same.
In other implementations, the first identification information and the second identification information may be different. Specifically, after acquiring the first identification information, the first SMF may determine the second identification information according to the first identification information, and then send the second identification information to the application server. For example, the first identification information acquired by the first SMF is a TMGI of the multicast group, and the first SMF determines an ID of a PDU session corresponding to the TMGI according to the TMGI and sends the ID of the PDU session to the application server through a first message.
In some implementations, the above-mentioned authentication and authorization operation may be implemented by means of user plane signaling through a user plane network element.
As one example, this may be achieved by way of mode 1 in fig. 5.
Specifically, in step 504, the first SMF determines, from the first identification information or the second identification information, the application server corresponding to that identification information.
For example, the application server corresponding to the identification information is obtained from the PCF and stored when the first SMF establishes the multicast session.
As another example, the first SMF queries a related network element. The related network element may be the UDM, the UDR, the PCF, or the like.
In step 505, the first SMF sends a first message to the application server. Accordingly, the application server receives the first message from the first SMF. The first message may include the first subscriber identity information and the second identification information.
Optionally, when the first SMF has a direct interface with the application server, the first SMF may send the first message directly to the application server.
Optionally, the first SMF may send the first message to the application server via the first UPF.
In step 506, the application server performs an authentication and authorization operation according to the received first subscriber identity information and second identification information.
In some implementations, the application server queries a database based on the first subscriber identity information and the second identification information. If the database contains subscription information of the first subscriber identity information for the second identification information, the application server determines that the authentication succeeds; otherwise, the application server determines that the authentication fails.
In step 507, the application server sends a second message to the first SMF. Accordingly, the first SMF receives the second message from the application server.
The second message may include result information indicating the result of the authentication.
For example, the result information indicates that the authentication is successful.
As another example, the result information indicates that authentication failed.
Optionally, the second message may be an authentication authorization response message.
Optionally, when the application server determines that the authentication is successful, the second message may further include parameter information for multicast transmission. The parameter information may include QoS parameters for multicast transmissions, identification information for multicast sessions, and the like.
Optionally, the second message may further include second identification information.
In other implementations, the above authentication and authorization operation may also be implemented by means of control plane signaling through a control plane network element.
As one example, this may be achieved by way of mode 2 in fig. 5.
Specifically, in step 508, the first SMF sends a first message to the NEF. Accordingly, the NEF receives a first message from the first SMF.
Optionally, the first message may be an authentication authorization request message.
In step 509, the NEF determines the application server corresponding to the second identification information.
For example, the first SMF carries the address of the application server in the first message, and the NEF obtains the address of the application server from the first message. For the manner in which the first SMF obtains the address of the application server, refer to step 504.
As another example, the NEF queries a related network element according to the second identification information. The related network element may be the UDM, the UDR, the PCF, or the like.
In step 510, the NEF sends a first message to the application server. Accordingly, the application server receives the first message from the NEF.
In step 511, the application server performs an authentication and authorization operation according to the received first user identification information and the second identification information. Step 511 is similar to step 506 and reference may be made to the description relating to step 506.
In step 512, the application server sends a second message to the NEF. Accordingly, the NEF receives the second message.
The second message may include result information indicating the result of the authentication.
For example, the result information indicates that the authentication is successful.
As another example, the result information indicates that authentication failed.
Optionally, the second message may be an authentication authorization response message.
Optionally, when the application server determines that the authentication succeeds, the second message may further include parameter information for multicast transmission. The parameter information may include QoS parameters for the multicast transmission, identification information of the multicast session, and the like.
Optionally, the second message may further include the second identification information.
In step 513, the NEF sends a second message to the first SMF. Accordingly, the first SMF receives the second message from the NEF.
Thereafter, in step 514, the first SMF sends a fifth message to the second SMF. Accordingly, the second SMF receives the fifth message. The fifth message may include the first and/or second subscriber identity information, the identification information, and the result information. The identification information may be any of the first identification information, the second identification information, or the third identification information described above.
Optionally, if the authentication is successful, the fifth message may further include parameter information for multicast transmission. The parameter information may include QoS parameters for multicast transmissions, identification information for multicast sessions, and the like.
In step 515, the second SMF processes the PDU session according to the fifth message.
For example, if the authentication succeeds, the second SMF generates the corresponding N2 information according to the parameter information for multicast transmission and later sends it to the access network device, so that the access network device can send the multicast data to the user equipment according to that information.
As another example, if the authentication fails, the second SMF may return a NAS message to the user equipment to notify it that joining the group has failed. Alternatively, the second SMF may establish a unicast transmission resource for the user equipment, where the unicast transmission resource is used for transmitting the multicast downlink data.
Optionally, in this embodiment of the present application, before performing step 504 or step 508, step 516 may also be performed, that is, the first SMF may also determine whether the application server is required to perform authentication authorization. Step 516 is the same as or similar to step 450 in fig. 4, and reference may be made to the related description of step 450, which is not repeated herein.
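The exchange of steps 503 to 515 above, written out as an added example that is not code from the patent or from its assignee: a first SMF that resolves a missing first subscriber identity over two N11 round trips (the temporary-to-permanent-to-application identity chain described for step 503), an application server that performs the subscription check of step 506, a NEF that relays the first and second messages in mode 2, and a second SMF that turns the fifth message into N2 information or a NAS rejection in step 515. All identifiers (GUTI, SUPI, application user ID, TMGI-style group identifiers), the mapping tables, the message field names and the network-function methods are constructed for the example; the unicast fallback of step 515 and the optional check of step 516 are not modelled.

```python
# Constructed model of the Fig. 5 exchange, steps 503 to 515 (added example; not the
# patent's own code). Identifiers, mappings, method names and message layouts are
# hypothetical; messages are plain dicts keyed by the page's field names.

class AMF:
    """Holds the constructed mappings the first SMF consults over N11:
    temporary ID (GUTI) -> permanent ID (SUPI) -> first subscriber identity."""

    def __init__(self):
        self.temp_to_permanent = {"5g-guti-0001": "imsi-001010000000001"}      # constructed
        self.permanent_to_first_id = {"imsi-001010000000001": "app-user-42"}   # constructed
        self.n11_requests = 0  # counts N11 round trips, to make the two-step lookup visible

    def n11_get_permanent_id(self, temporary_id):
        self.n11_requests += 1
        return self.temp_to_permanent.get(temporary_id)

    def n11_get_first_subscriber_id(self, permanent_id):
        self.n11_requests += 1
        return self.permanent_to_first_id.get(permanent_id)


class ApplicationServer:
    """Step 506: authentication succeeds only if the database holds a subscription of
    the first subscriber identity for the second identification information."""

    def __init__(self, subscriptions):
        self.subscriptions = set(subscriptions)  # {(first_subscriber_id, second_identification_info)}

    def handle_first_message(self, first_message):
        key = (first_message["first_subscriber_id"], first_message["second_identification_info"])
        if key not in self.subscriptions:
            return {"result": "failure", "second_identification_info": key[1]}
        return {
            "result": "success",
            "second_identification_info": key[1],
            # constructed multicast parameters: a QoS profile and a multicast session id
            "multicast_parameters": {"qos": {"5qi": 7}, "multicast_session_id": "mbs-" + key[1]},
        }


class NEF:
    """Mode 2 (steps 508 to 513): the NEF resolves the application server for the
    second identification information and relays the first and second messages."""

    def __init__(self, servers_by_identification):
        self.servers_by_identification = servers_by_identification

    def handle_first_message(self, first_message):
        server = self.servers_by_identification.get(first_message["second_identification_info"])
        if server is None:
            return {"result": "failure", "cause": "no application server for identification"}
        return server.handle_first_message(first_message)


def resolve_first_subscriber_id(amf, second_subscriber_id):
    """The two-round N11 example from the text: a temporary ID is first mapped to the
    permanent ID, then the permanent ID to the first subscriber identity."""
    permanent_id = second_subscriber_id
    if second_subscriber_id.startswith("5g-guti-"):  # constructed marker for a temporary ID
        permanent_id = amf.n11_get_permanent_id(second_subscriber_id)
        if permanent_id is None:
            raise LookupError("AMF has no permanent identity for " + second_subscriber_id)
    first_id = amf.n11_get_first_subscriber_id(permanent_id)
    if first_id is None:
        raise LookupError("AMF has no first subscriber identity for " + permanent_id)
    return first_id


def first_smf_authorize(amf, target, second_subscriber_id, first_identification_info,
                        first_subscriber_id=None):
    """Steps 503 to 514 at the first SMF. `target` is the application server (mode 1)
    or the NEF (mode 2); both expose handle_first_message in this model. Returns the
    fifth message for the second SMF."""
    if first_subscriber_id is None:  # not supplied by the second SMF or the AMF
        first_subscriber_id = resolve_first_subscriber_id(amf, second_subscriber_id)
    # The text allows first and second identification information to be identical; assume that.
    first_message = {
        "first_subscriber_id": first_subscriber_id,
        "second_identification_info": first_identification_info,
    }
    second_message = target.handle_first_message(first_message)
    fifth_message = {
        "first_subscriber_id": first_subscriber_id,
        "second_subscriber_id": second_subscriber_id,
        "identification_info": first_identification_info,
        "result": second_message["result"],
    }
    if second_message["result"] == "success":
        fifth_message["multicast_parameters"] = second_message["multicast_parameters"]
    return fifth_message


def second_smf_process(fifth_message):
    """Step 515: on success build the N2 information for the access network device; on
    failure answer the user equipment with a NAS rejection."""
    if fifth_message["result"] == "success":
        params = fifth_message["multicast_parameters"]
        return {"kind": "N2", "multicast_session_id": params["multicast_session_id"],
                "qos": params["qos"], "target_ue": fifth_message["second_subscriber_id"]}
    return {"kind": "NAS", "cause": "join rejected",
            "identification_info": fifth_message["identification_info"]}
```

The authorization decision is made only by the application server, from the pair (first subscriber identity, second identification information); the SMFs and the NEF relay and translate identities but never grant access themselves, which is why a failed identity resolution raises rather than proceeding with a guessed identity.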
Fig. 6 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 6 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
Unlike fig. 5, in this embodiment of the present application the first SMF may acquire the first subscriber identity information and the first identification information through user plane signaling; in other words, the user equipment may request to join the multicast group through user plane signaling.
In some implementations, the user equipment sends user plane data through the transmission channel of a unicast PDU session and carries the identification information of the multicast data in that user plane data. Optionally, the DN and/or the slice information corresponding to the unicast PDU session are the same as the DN and/or the network slice information corresponding to the multicast PDU session that the user equipment requests to join.
Specifically, the first subscriber identity information and the identification information of the multicast data are transmitted to the first SMF through steps 601 to 603.
In step 601, the user equipment sends a third message to the second UPF. Accordingly, the second UPF receives the third message sent by the user equipment. The third message may be a message for transmitting user plane data, and the third message includes the third identification information.
Optionally, the third message may be an IGMP join request message or an MLR message.
Optionally, the third message may further include identification information of the DN and/or information for authentication authorization, and the like. The identification information of the DN may be an ID of the DN or a name of the DN. The information for authentication and authorization may have different forms based on the implementation of the application layer, and this is not specifically limited in this embodiment of the application.
Optionally, the third message may further include the second subscriber identity information. The second subscriber identity information may be information that uniquely identifies the user equipment and that can be recognized by the core network device and the access network device. For example, the second subscriber identity information may include at least one of SUPI, GUTI, and SUCI.
In some implementations, the user equipment may send the third message to the second UPF through the access network device.
In other implementations, the user equipment may send the third message to the second UPF through the AMF. Optionally, after receiving the third message sent by the user equipment, the AMF may also determine the first subscriber identity information of the user equipment and send it to the second UPF. For example, the AMF may determine the first subscriber identity information according to a mapping relationship between the second subscriber identity of the user equipment and the first subscriber identity information.
In step 602, the second UPF sends the third identification information to the second SMF. Accordingly, the second SMF receives the third identification information sent by the second UPF.
Optionally, the second UPF may send the first subscriber identity information and/or the second subscriber identity information to the second SMF. The first subscriber identity information and the second subscriber identity information may be provided by the user equipment or by the access network device.
Optionally, the second UPF may send the above information through a notification (notify) message.
Optionally, if the second UPF does not send the first subscriber identity information to the second SMF, the second SMF needs to obtain the first subscriber identity information from the AMF, or determine it from locally stored information and the second subscriber identity information. The locally stored information can be obtained from the AMF.
Optionally, the locally stored information may be a mapping relationship between the second subscriber identity information and the first subscriber identity information.
In step 603, the second SMF sends the first subscriber identity information and/or the second subscriber identity information, together with the first identification information, to the first SMF. Accordingly, the first SMF receives the information sent by the second SMF.
Optionally, the second SMF may transmit the first subscriber identity information and/or the second subscriber identity information, together with the first identification information, in an N16 message. The N16 message is used to request parameter information for multicast transmission and to request authentication for joining the multicast group.
Optionally, the second SMF may determine the first SMF before performing step 603. One implementation is that the second SMF determines the first SMF by querying data stored in the network element for centralized storage, according to the third identification information or the first identification information. The network element for centralized storage may be UDM, UDR, PCF, or the like.
Optionally, if the second SMF sends the second subscriber identity information to the first SMF but does not send the first subscriber identity information, the first SMF needs to obtain the first subscriber identity information, using the second subscriber identity information, from another network element that stores the mapping relationship between the first subscriber identity information and the second subscriber identity information. Such a network element may be the second SMF, the AMF, the UDM, the UDR, or the PCF.
Take as an example the case in which the first SMF obtains the first subscriber identity information from the AMF.
1) First, the first SMF sends a message, which may be an N11 message, to the AMF. The message requests that the AMF send the first subscriber identity information corresponding to the second subscriber identity information to the first SMF, and it includes the second subscriber identity information. Optionally, the message may further include the first identification information or the second identification information. It should be noted that the second subscriber identity information carried in the message may be permanent identity information of the user or temporary identity information of the user. It should be further noted that the second subscriber identity information sent by the first SMF to the AMF may differ from the second subscriber identity information sent by the second SMF or the AMF to the first SMF: each may be permanent identity information of the user or temporary identity information of the user, and the two are independent of each other. For example, the second SMF or the AMF provides temporary identity information of the user; the first SMF determines the corresponding AMF from the temporary identity information and obtains the permanent identity information of the user from that AMF; the first SMF then obtains the first subscriber identity information from the AMF by sending it the permanent identity information of the user.
2) The AMF then sends a message, which may be an N11 message, to the first SMF. The message returns the first subscriber identity information corresponding to the second subscriber identity information to the first SMF. Optionally, the message may further include the first identification information or the second identification information.
After the first SMF obtains the first subscriber identity information and the first identification information, it may send a first message to the application server, requesting the application server to perform an authentication and authorization operation. The first message includes the first subscriber identity information and the second identification information.
The steps 604-616 are the same as or similar to the steps 504-516 in fig. 5, and reference may be made to the related description of the steps 504-516, which is not repeated herein.
It should be noted that, for the detailed description of the first identification information, the second identification information, and the third identification information in fig. 6, reference may be made to the related description in fig. 5, and details are not repeated here.
Fig. 7 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 7 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
Unlike fig. 5, in the embodiment of the present application, the user equipment directly sends the first subscriber identity information and/or the second subscriber identity information, and the first identification information to the first SMF without passing through the second SMF.
Specifically, in step 701, the user equipment sends a third message to the AMF. Accordingly, the AMF receives a third message transmitted by the user equipment. In some implementations, the third message may include third identifying information. Step 701 is similar to or the same as step 501, and reference may be made to the description of step 501, which is not repeated herein.
In step 702, the AMF may determine the first SMF according to the received third identification information and transmit the first identification information to the first SMF. Accordingly, the first SMF receives the first identification information from the AMF.
In some implementations, the AMF forwards the third message received from the user equipment to the first SMF, the third message including the third identification information. Because the AMF does not process the third identification information, the third identification information is the same as the first identification information.
In other implementations, the AMF may also send the first subscriber identity information and/or the second subscriber identity information to the first SMF.
Optionally, if the AMF locally holds a mapping relationship between the second subscriber identity information and the first subscriber identity information, then after receiving the third identification information sent by the user equipment, the AMF may determine the first subscriber identity information of the user equipment according to that mapping relationship. In that case, the AMF may send the first subscriber identity information to the first SMF, send the second subscriber identity information to the first SMF, or send both the first and the second subscriber identity information to the first SMF.
Alternatively, the AMF may leave the third identification information unprocessed, and, when the AMF locally has the first subscriber identity information of the user equipment available, send the first subscriber identity information and the third identification information to the first SMF.
Optionally, the AMF does not determine the first subscriber identity information and sends the second subscriber identity information to the first SMF.
It should be noted that the second subscriber identity information sent by the AMF to the first SMF may be provided by the AMF or by the user equipment (i.e. the user equipment also sends the second subscriber identity information to the AMF in step 701).
Optionally, if the AMF does not send the first subscriber identity information to the first SMF, the first SMF needs to obtain the first subscriber identity information, using the second subscriber identity information, from another network element that stores the mapping relationship between the first subscriber identity information and the second subscriber identity information. Such a network element may be the second SMF, the AMF, the UDM, the UDR, or the PCF.
Take as an example the case in which the first SMF obtains the first subscriber identity information from the AMF.
1) First, the first SMF sends a message, which may be an N11 message, to the AMF. The message requests that the AMF send the first subscriber identity information corresponding to the second subscriber identity information to the first SMF, and it includes the second subscriber identity information. Optionally, the message may further include the first identification information or the second identification information. It should be noted that the second subscriber identity information carried in the message may be permanent identity information of the user or temporary identity information of the user. It should be further noted that the second subscriber identity information sent by the first SMF to the AMF may differ from the second subscriber identity information sent by the AMF to the first SMF: the latter may be permanent identity information of the user, temporary identity information of the user, or an SM context identifier, whereas the former may be permanent identity information of the user or temporary identity information of the user, and there is no dependency between them. For example, the AMF provides temporary identity information of the user; the first SMF determines the corresponding AMF from the temporary identity information and obtains the permanent identity information of the user from that AMF; the first SMF then obtains the first subscriber identity information from the AMF by sending it the permanent identity information of the user.
2) The AMF then sends a message, which may be an N11 message, to the first SMF. The message returns the first subscriber identity information corresponding to the second subscriber identity information to the first SMF. Optionally, the message may further include the first identification information or the second identification information.
After the first SMF obtains the first subscriber identity information and the first identification information, it may send a first message to the application server, requesting the application server to perform an authentication and authorization operation. The first message includes the first subscriber identity information and the second identification information.
The steps 704-716 are the same as or similar to the steps 504-516 in fig. 5, and reference may be made to the related description of the steps 504-516, which is not repeated herein.
It should be noted that, for the detailed description of the first identification information, the second identification information, and the third identification information in fig. 7, reference may be made to the related description in fig. 5, and details are not repeated here.
Fig. 8 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 8 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
Unlike fig. 5, in this embodiment of the present application the user equipment may send the first subscriber identity information and/or the second subscriber identity information and the first identification information to the first SMF without passing through the second SMF.
In some implementations, the user equipment sends user plane data through the transmission channel of a unicast PDU session and carries the identification information of the multicast data in that user plane data. Optionally, the DN and/or the slice information corresponding to the unicast PDU session are the same as the DN and/or the network slice information corresponding to the multicast PDU session that the user equipment requests to join.
Specifically, the first subscriber identification information and the identification information of the multicast data are transmitted to the first SMF through steps 801 and 802.
In step 801, the user equipment sends a third message to the second UPF. Accordingly, the second UPF receives the third message sent by the user equipment. The third message is used for transmitting user plane data, and the third message comprises third identification information.
Optionally, the third message may be an IGMP join request message or an MLR message.
Optionally, the third message may further include identification information of the DN and/or information for authentication authorization, and the like. The identification information of the DN may be an ID of the DN or a name of the DN. The information for authentication and authorization may have different forms based on the implementation of the application layer, and this is not specifically limited in this embodiment of the application.
Optionally, the third message may further include the second subscriber identity information. The second subscriber identity information may be information that uniquely identifies the user equipment and that can be recognized by the core network device and the access network device. For example, the second subscriber identity information may include at least one of SUPI, GUTI, and SUCI.
In some implementations, the user equipment may send the third message to the second UPF through the access network device.
In other implementations, the user equipment may send the third message to the second UPF through the AMF. Optionally, after receiving the third message sent by the user equipment, the AMF may also determine the first subscriber identity information of the user equipment and send it to the second UPF. For example, the AMF may determine the first subscriber identity information according to a mapping relationship between the second subscriber identity of the user equipment and the first subscriber identity information.
In step 802, the second UPF sends the first identification information to the first SMF. Accordingly, the first SMF receives the first identification information from the second UPF.
In some implementations, the second UPF forwards the third message received from the user equipment to the first SMF, the third message including the third identification information. Because the second UPF does not process the third identification information, the third identification information is identical to the first identification information.
In other implementations, the second UPF may also send the first subscriber identity information and/or the second subscriber identity information to the first SMF.
It should be noted that the second subscriber identity information sent by the second UPF to the first SMF may be provided by the AMF or provided by the user equipment (i.e. the user equipment also sends the second subscriber identity information to the AMF in step 801).
Optionally, the second UPF may determine the first SMF before performing step 802.
One implementation is as follows: the second UPF determines the first SMF by querying, according to the third identification information, the data stored in a network element for centralized storage. The network element for centralized storage may be a UDM, a UDR, a PCF, or the like.
Another implementation is as follows: the second UPF locally stores the mapping relationship between the third identification information and the first SMF, and determines the first SMF according to the received third identification information and that mapping relationship.
Optionally, if the second UPF does not send the first subscriber identity information to the first SMF, the first SMF needs to obtain the first subscriber identity information, according to the second subscriber identity information, from another network element that stores the mapping relationship between the first subscriber identity information and the second subscriber identity information. Such network elements may be, for example, the second SMF, the AMF, the UDM, the UDR, or the PCF.
The following takes as an example the case where the first SMF obtains the first subscriber identity information from the AMF.
1) First, the first SMF sends a message, which may be an N11 message, to the AMF. The message requests the AMF to send to the first SMF the first subscriber identity information corresponding to second subscriber identity information, and it includes that second subscriber identity information. Optionally, the message may further include the first identification information or the second identification information. It should be noted that the second subscriber identity information carried in the message may be permanent identification information of the user or temporary identification information of the user. It should be further noted that the second subscriber identity information sent by the first SMF to the AMF may differ from the second subscriber identity information sent by the second UPF to the first SMF: each of them may independently be permanent identification information of the user or temporary identification information of the user, and there is no dependency between the two. For example, the second UPF provides temporary identification information of the user; the first SMF determines the corresponding AMF according to that temporary identification information and obtains permanent identification information of the user from the AMF; thereafter, the first SMF obtains the first subscriber identity information from the AMF by sending the permanent identification information of the user to the AMF.
2) The AMF then sends a message, which may be an N11 message, to the first SMF, returning the first subscriber identity information corresponding to the second subscriber identity information. Optionally, the message may further include the first identification information or the second identification information.
After the first SMF obtains the first subscriber identity information and the first identification information, it may send a first message to the application server requesting the application server to perform an authentication and authorization operation. The first message includes the first subscriber identity information and the first identification information.
It should be noted that, for the detailed description of the first identification information, the second identification information, and the third identification information in fig. 7, reference may be made to the related description in fig. 5, and details are not repeated here.
The steps 804-816 are the same as or similar to the steps 504-516 in fig. 5, and reference may be made to the related description of the steps 504-516, which is not repeated herein.
In each of the above technical solutions, the first SMF sends the first subscriber identity information and the identification information of the multicast data to the application server, and the application server performs the authentication operation when the user equipment joins the group; the application server therefore does not need to provide the first SMF with explicit member information of the multicast group in real time.
Fig. 9 is a schematic flow chart of an authentication method according to another embodiment of the present application. The method shown in fig. 9 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
The method in fig. 9 may be executed by a user equipment, a network device, and an application server, or by modules or units (e.g., a circuit, a chip, or an SOC) in the user equipment, the network device, and the application server; fig. 9 is described with the user equipment, the network device, and the application server as the executing entities by way of example. The method of fig. 9 may include at least some of the following steps.
In step 901, the user equipment sends a fourth message to the network device, where the fourth message is used to request to join the multicast group. The fourth message includes identification information of the multicast data and the first security information. Accordingly, the network device receives the fourth message from the user equipment.
The identification information of the multicast data corresponds to a multicast group to which the user equipment requests to join, and may include at least one of a TMGI of the multicast group to which the multicast data corresponds, an IP address of an application server providing the multicast data, a service identifier of the multicast data, packet filtering information of the multicast data, an SDF identification rule of the multicast data, an ID of a multicast PDU session for transmitting the multicast data, ID information of an application, target IP address information of the multicast data, and context identification information of the multicast session to which the multicast group corresponds. For convenience of description, the identification information of the multicast data is hereinafter simply referred to as identification information.
The first security information is used for carrying out authentication and authorization operation on the joining request of the user equipment.
Alternatively, the first security information may be password information. For example, the first security information may be a specific secret number.
Alternatively, the first security information may be input information of a security algorithm.
Alternatively, the first security information may be a security algorithm.
Optionally, the network device is a core network device. For example, a first SMF, a second SMF, a UDR, an AMF, a NEF, a UDM, or the like.
Optionally, the network device is an access network device.
In step 902, the network device performs an authentication and authorization operation according to the first security information and the second security information.
The second security information is used to perform the authentication and authorization operation on the join request of the user equipment.
Optionally, the second security information may also be password information or a security algorithm.
Optionally, the second security information may be stored locally to the first SMF.
In some implementation manners, after receiving the first security information and the identification information sent by the user equipment, the network device may determine the second security information according to the identification information, and further perform an authentication and authorization operation according to the first security information and the second security information.
Specifically, the network device determines whether the first security information and the second security information match. If the two are matched, the network equipment determines that the authentication is successful; otherwise, the network device determines that the authentication fails.
In the embodiment of the application, according to different forms of the first security information and the second security information, a manner of determining whether the first security information and the second security information are matched by the network device is also different.
As an example, if the first security information and the second security information are password information, when the first security information is the same as the second security information, the network device determines that the first security information and the second security information match, otherwise, the first security information and the second security information do not match.
As another example, if the first security information and the second security information are security algorithms, the network device determines that the first security information and the second security information match when the first security information and the second security information generate correct results, otherwise the first security information and the second security information do not match.
The embodiment of the present application does not specifically limit the manner in which the user equipment acquires the first security information and the manner in which the network equipment acquires the second security information.
In some implementations, the user equipment and the network device may obtain the corresponding security information through steps 903 to 905.
Specifically, in step 903, the application server generates first security information and second security information.
In step 904, the application server sends the first security information to the user equipment. Accordingly, the user equipment receives the first security information sent by the application server.
Alternatively, the application server may send the first security information to the user equipment via an application layer message.
In step 905, the application server sends the second security information to the network device. Accordingly, the network device receives the second security information sent by the application server.
Optionally, the application server may further send first information to the network device, where the first information is used to determine the identification information corresponding to the second security information.
For example, the first information may be the identification information described above.
For another example, the first information is information for acquiring the identification information; for example, the information may be a numerical value, and the first SMF may further acquire the identification information according to that value. Alternatively, the value may be a transaction ID or the like.
For another example, the application server may provide the first information to the NEF network element, and the NEF network element may obtain the identification information according to the first information, where possible forms of the identification information are described above and are not described herein again. The NEF network element may further send the identification information to the network device.
Optionally, the network device may store the second security information after receiving the second security information. Optionally, the network device storage may also correspondingly store identification information corresponding to the second security information.
It should be noted that, if the application server generates the first security information and the second security information for each of the multiple multicast groups, the application server may send, to the user equipment, the first security information corresponding to at least some of the multiple multicast groups, and similarly, may send, to the network device, the second security information corresponding to at least some of the multiple multicast groups. When needing to join a certain multicast group, the user equipment adopts the first safety information corresponding to the multicast group.
Thus, in this embodiment of the application, the application server can provide the security information for authentication to the user equipment and the network device, and the network device can perform the authentication operation according to that security information when the user equipment joins the group. The application server is not required to provide explicit member information of the multicast group to the network device in real time, so the authentication operation at group join can still be performed even when the network device does not hold the member information of the multicast group, which helps avoid the public security problem.
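The matching rule of step 902 and the provisioning of steps 903 to 905, as an added example in Python that is not part of this application: the classes ApplicationServer and NetworkDevice, the keyed-HMAC realization of the "security algorithm" form, and the constructed TMGI values and secrets are assumptions, not content of the application.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class PasswordInfo:
    """Security information in password form (a secret value)."""
    value: bytes


@dataclass(frozen=True)
class AlgorithmInput:
    """First security information as input to a security algorithm: a challenge
    plus the result the network's algorithm is expected to produce for it."""
    challenge: bytes
    expected: bytes


@dataclass(frozen=True)
class SecurityAlgorithm:
    """Second security information as a security algorithm (assumed: keyed HMAC)."""
    key: bytes

    def run(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


FirstInfo = Union[PasswordInfo, AlgorithmInput]
SecondInfo = Union[PasswordInfo, SecurityAlgorithm]


def security_info_matches(first: FirstInfo, second: SecondInfo) -> bool:
    """Step 902: the matching rule depends on the form of the two items."""
    if isinstance(first, PasswordInfo) and isinstance(second, PasswordInfo):
        # Password form: match when the two values are the same.
        return hmac.compare_digest(first.value, second.value)
    if isinstance(first, AlgorithmInput) and isinstance(second, SecurityAlgorithm):
        # Algorithm form: match when the algorithm run on the input gives the correct result.
        return hmac.compare_digest(second.run(first.challenge), first.expected)
    return False  # forms that do not belong together never match


class ApplicationServer:
    """Step 903: generates one (first, second) pair per multicast group."""

    def __init__(self) -> None:
        self.pairs: Dict[str, Tuple[FirstInfo, SecondInfo]] = {}

    def generate_password_pair(self, ident: str, secret: bytes) -> None:
        # The caller supplies the secret here; in practice use secrets.token_bytes().
        self.pairs[ident] = (PasswordInfo(secret), PasswordInfo(secret))

    def generate_algorithm_pair(self, ident: str, key: bytes, challenge: bytes) -> None:
        algo = SecurityAlgorithm(key)
        self.pairs[ident] = (AlgorithmInput(challenge, algo.run(challenge)), algo)

    def first_info_for_ue(self) -> Dict[str, FirstInfo]:
        """Step 904: first security information for the UE, per identification."""
        return {ident: pair[0] for ident, pair in self.pairs.items()}

    def second_info_for_network(self) -> Dict[str, SecondInfo]:
        """Step 905: second security information for the network device, keyed by identification."""
        return {ident: pair[1] for ident, pair in self.pairs.items()}


class NetworkDevice:
    """Stores second security information keyed by identification information."""

    def __init__(self) -> None:
        self.second_info: Dict[str, SecondInfo] = {}

    def receive_second_info(self, provisioned: Dict[str, SecondInfo]) -> None:
        self.second_info.update(provisioned)

    def handle_join(self, ident: str, first: FirstInfo) -> str:
        """Steps 901-902: look up second information by the identification in the fourth message."""
        second = self.second_info.get(ident)
        if second is None:
            return "auth_failed"  # nothing provisioned for this multicast group
        return "auth_success" if security_info_matches(first, second) else "auth_failed"


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: one password-form group, one algorithm-form group."""
    app = ApplicationServer()
    app.generate_password_pair("TMGI-A", secret=b"constructed-secret-A")
    app.generate_algorithm_pair("TMGI-B", key=b"k" * 32, challenge=b"constructed-nonce")
    net = NetworkDevice()
    net.receive_second_info(app.second_info_for_network())
    ue_first = app.first_info_for_ue()  # the UE uses the entry for the group it joins
    return {
        "A": net.handle_join("TMGI-A", ue_first["TMGI-A"]),
        "B": net.handle_join("TMGI-B", ue_first["TMGI-B"]),
        "A_for_B": net.handle_join("TMGI-B", ue_first["TMGI-A"]),  # wrong form
        "unknown": net.handle_join("TMGI-C", ue_first["TMGI-A"]),  # not provisioned
    }
```

The network device never needs the group's member list: it only needs the second security information that was provisioned for the identification information carried in the join request.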
Embodiments of the present application are described in detail below with reference to fig. 10-13.
1) The network device is a core network device
Fig. 10 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 10 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
In the embodiment of the application, the first SMF performs authentication and authorization operation.
In step 1001, the user equipment sends a fourth message to the first SMF, the fourth message requesting to join the multicast group. The fourth message includes identification information and first security information, the identification information corresponding to a multicast group to which the user equipment requests to join. Accordingly, the first SMF receives a fourth message from the user equipment.
The first security information is used to perform the authentication and authorization operation on the join request of the user equipment.
Alternatively, the first security information may be password information. For example, the first security information may be a specific secret number.
Alternatively, the first security information may be input information of a security algorithm.
Alternatively, the first security information may be a security algorithm.
In some embodiments, the user equipment may send the fourth message to the first SMF through control plane signaling and through a control plane network element. Specifically, reference may be made to the manner in which the user equipment sends information to the first SMF in fig. 5 and 7, which is not described herein again.
In other embodiments, the user equipment may send the fourth message to the first SMF through user plane signaling and through a user plane network element. Specifically, reference may be made to the manner in which the user equipment sends information to the first SMF in fig. 6 and 8, and details are also omitted here.
In step 1002, the first SMF processes the join request of the user equipment according to the matching result of the first security information and the second security information.
Specifically, when the first security information and the second security information match, the first SMF continues to process the join request of the user equipment and performs step 1003, that is, completes the subsequent procedure of joining the user equipment to the multicast group. When the first security information and the second security information do not match, the first SMF stops processing the join request of the user equipment and returns an indication of authentication failure to the user equipment.
Another possible implementation manner is that, when the first security information and the second security information match, the first SMF continues to process the join request of the user equipment and performs step 1003, that is, completes the subsequent procedure of joining the user equipment to the multicast group. When the first security information and the second security information do not match, the first SMF notifies the second SMF to establish a unicast transmission resource for the user equipment, and the unicast transmission resource is used to transmit the multicast downlink data.
The second security information is used to perform the authentication and authorization operation on the join request of the user equipment.
Optionally, the second security information may also be password information or a security algorithm.
Optionally, the second security information may be stored locally to the first SMF.
Optionally, the second security information is stored in the UDM or the UDR, and when the first SMF receives a join request of the user equipment, the second security information is obtained from the UDM or the UDR according to the join request.
In the embodiment of the application, the first SMF determines whether the first security information and the second security information match in different ways according to different forms of the first security information and the second security information.
As an example, if the first security information and the second security information are password information, the first SMF determines that the first security information and the second security information match when the first security information and the second security information are the same, otherwise the first security information and the second security information do not match.
As another example, if the first security information and the second security information are security algorithms, the first SMF determines that the first security information and the second security information match when the first security information and the second security information generate correct results, otherwise the first security information and the second security information do not match.
The embodiment of the present application does not specifically limit the manner in which the user equipment obtains the first security information and the manner in which the first SMF obtains the second security information.
In some implementations, the user equipment and the first SMF may obtain the corresponding security information through steps 1004 to 1008.
Specifically, in step 1004, after establishing the application layer connection with the user equipment, the application server generates the first security information and the second security information.
In step 1005, the application server sends the first security information to the user equipment. Accordingly, the user equipment receives the first security information sent by the application server.
Alternatively, the application server may send the first security information to the user equipment via an application layer message.
Another possible implementation manner is that the application server sends the first security information to the NEF, and accordingly the NEF receives the first security information from the application server. The NEF then sends the first security information to the UDR, and accordingly the UDR receives it from the NEF. After receiving the first security information, the UDR sends it to the PCF, and accordingly the PCF receives it. Thereafter, the PCF transmits the received first security information to the UE through the AMF in a Non-Access Stratum (NAS) message.
In step 1006, the application server sends the second security information to the NEF. Accordingly, the NEF receives the second security information sent by the application server.
Optionally, the application server may call Nnef_ParameterProvision_Create Request to send the second security information to the NEF.
Optionally, the application server may further send first information to the NEF, the first information being used to determine identification information corresponding to the second security information.
For example, the first information may be the identification information described above.
For another example, the first information is information for acquiring identification information, for example, the information may be a numerical value, and the first SMF may further acquire the identification information according to the information. Alternatively, the value may be a transaction ID or the like.
In step 1007, the NEF sends the second security information to the UDM or UDR. Accordingly, the UDM or UDR receives the second security information sent by the NEF.
Optionally, the NEF may also send identification information to the UDM or UDR.
When the first information is information for acquiring identification information, the NEF may acquire the identification information based on the first information after receiving the first information. In one implementation, the NEF acquires the identification information according to a mapping relationship between the information for acquiring the identification information and the identification information. Alternatively, the NEF may store the mapping locally. For example, the mapping relationship is configured for NEF in a preconfigured manner. As another example, the NEF may obtain the mapping relationship from a network element (e.g., UDR or UDM) having a data storage function.
After receiving the second security information from the NEF, the UDM or the UDR stores it. Optionally, the UDM or UDR may also store the identification information corresponding to the second security information together with it.
Optionally, before storing the above information, the UDM or UDR may further perform authentication on the identification information to determine whether the above information can be stored. For example, the UDM or UDR performs authentication according to whether authorization information corresponding to the identification information is locally stored. For another example, if the UDM network element receives the second security information from the NEF, the UDM may further obtain information for performing authentication from the UDR, and further determine whether the obtained information for performing authentication includes authorization information corresponding to the identification information. For another example, if the UDR network element receives the second security information from the NEF, the UDM may send the identification information to the UDR, and perform authentication by the UDR, and the UDM obtains the authentication result information from the UDR.
In step 1008, the UDM sends the second security information to the first SMF. Accordingly, the first SMF receives the second security information sent by the UDM.
Optionally, the UDM or UDR may also send identification information corresponding to the second security information to the first SMF.
Alternatively, the UDM or UDR may transmit the above information through a Nudm_SDM_Notification message or a Nudr_DM_Notification message.
After receiving the second security information, the first SMF stores it so that it can subsequently perform the authentication and authorization operation on join requests of the user equipment.
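The provisioning path of steps 1006 to 1008 and the two handling options of step 1002, as an added example that is not part of this application: the classes Nef, Udm and FirstSmf, the transaction ID mapping, the optional authorization check in the UDM, the reject/unicast policy switch, and the constructed values are assumptions, and the security information is taken in password form.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class FirstSmf:
    """Holds second security information received by notification (step 1008)
    and authenticates join requests (step 1002)."""
    on_mismatch: str = "reject"  # "reject": failure indication; "unicast": fallback
    second_info: Dict[str, bytes] = field(default_factory=dict)

    def on_sdm_notification(self, ident: str, second_info: bytes) -> None:
        self.second_info[ident] = second_info  # stored for later join requests

    def handle_join(self, ident: str, first_info: bytes) -> str:
        second = self.second_info.get(ident)
        if second is not None and hmac.compare_digest(first_info, second):
            return "continue_join"  # step 1003: complete joining the multicast group
        if self.on_mismatch == "unicast":
            return "establish_unicast_via_second_smf"  # multicast data sent over unicast
        return "authentication_failure_to_ue"


@dataclass
class Udm:
    """Stores second security information keyed by identification information."""
    authorized_idents: Set[str]  # identifications for which authorization information exists
    subscribers: List[FirstSmf] = field(default_factory=list)
    stored: Dict[str, bytes] = field(default_factory=dict)

    def store(self, ident: str, second_info: bytes) -> bool:
        # Optional check before storing: authorization information for this identification?
        if ident not in self.authorized_idents:
            return False
        self.stored[ident] = second_info
        for smf in self.subscribers:  # step 1008: notify the first SMF
            smf.on_sdm_notification(ident, second_info)
        return True


@dataclass
class Nef:
    """Steps 1006 and 1007: receives the second security information and first information."""
    txn_to_ident: Dict[str, str]  # mapping transaction ID -> identification information

    def parameter_provision_create(self, udm: Udm, first_info: str, second_info: bytes) -> bool:
        # The first information is either the identification itself or a transaction ID
        # that the NEF resolves through its (preconfigured or UDR-supplied) mapping.
        ident = self.txn_to_ident.get(first_info, first_info)
        return udm.store(ident, second_info)


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: provisioning through NEF -> UDM -> first SMF, then joins."""
    smf_reject = FirstSmf(on_mismatch="reject")
    smf_unicast = FirstSmf(on_mismatch="unicast")
    udm = Udm(authorized_idents={"TMGI-A", "TMGI-B"},
              subscribers=[smf_reject, smf_unicast])
    nef = Nef(txn_to_ident={"txn-001": "TMGI-A"})
    results: Dict[str, object] = {}
    # The application server gives a transaction ID for group A and the identification for B.
    results["prov_A"] = nef.parameter_provision_create(udm, "txn-001", b"pw-A")
    results["prov_B"] = nef.parameter_provision_create(udm, "TMGI-B", b"pw-B")
    # Group C has no authorization information in the UDM, so nothing is stored for it.
    results["prov_C"] = nef.parameter_provision_create(udm, "TMGI-C", b"pw-C")
    results["join_ok"] = smf_reject.handle_join("TMGI-A", b"pw-A")
    results["join_bad_reject"] = smf_reject.handle_join("TMGI-A", b"wrong")
    results["join_bad_unicast"] = smf_unicast.handle_join("TMGI-B", b"wrong")
    results["join_unprovisioned"] = smf_reject.handle_join("TMGI-C", b"pw-C")
    return results
```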
Fig. 11 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 11 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
In the embodiment of the application, the UDM or the UDR performs authentication and authorization operation.
In step 1101, the user equipment sends a fourth message to the second SMF, the fourth message requesting to join the multicast group. The fourth message includes identification information and first security information, the identification information corresponding to a multicast group to which the user equipment requests to join. Accordingly, the second SMF receives a fourth message from the user equipment.
The first security information is used to perform the authentication and authorization operation on the join request of the user equipment.
Alternatively, the first security information may be password information. For example, the first security information may be a specific secret number.
Alternatively, the first security information may be input information of a security algorithm.
Alternatively, the first security information may be a security algorithm.
In some embodiments, the user equipment may send the fourth message to the second SMF through the control plane signaling and through the control plane network element. Specifically, reference may be made to a manner in which the user equipment sends information to the second SMF in fig. 5, which is not described herein again.
In still other embodiments, the user equipment may send the fourth message to the second SMF via user plane signaling and via a user plane network element. Specifically, reference may be made to a manner in which the user equipment sends information to the second SMF in fig. 6, and details are also omitted here.
In step 1102, the second SMF sends a fourth message to the UDM or UDR, which receives the fourth message accordingly. The fourth message includes the first security information and the identification information.
Optionally, the second SMF may carry the first security information and the identification information in a message for querying the relevant information of the first SMF.
In step 1103, the UDM or UDR performs authentication authorization according to the first security information and the second security information.
The second security information is used to perform the authentication and authorization operation on the join request of the user equipment.
Optionally, the second security information may also be password information or a security algorithm.
Alternatively, the second security information may be stored locally to the UDM or UDR.
Optionally, the UDM or UDR determines whether the first security information matches the second security information. If the two match, the UDM or UDR determines that the authentication is successful; otherwise, the UDM or UDR determines that the authentication fails.
In the embodiment of the present application, the UDM or the UDR determines whether the first security information and the second security information match in different ways according to different forms of the two security information.
As an example, if the first security information and the second security information are password information, when the first security information is the same as the second security information, the UDM or the UDR determines that the first security information and the second security information match, otherwise they do not match.
As another example, if the first security information is input information of a security algorithm and the second security information is a security algorithm, the UDM or the UDR determines that the first security information and the second security information match when the first security information and the second security information generate correct results, and otherwise, that the first security information and the second security information do not match.
In step 1104, the UDM or UDR returns result information of the authentication operation to the second SMF. Accordingly, the second SMF receives the result information transmitted by the UDM.
In one implementation, if the result information indicates that the authentication is successful, step 1003 may be executed to complete the subsequent procedure of joining the user equipment to the multicast group. If the result information indicates that the authentication fails, processing of the join request of the user equipment is stopped and an indication of authentication failure is returned to the user equipment.
In another implementation, if the result information indicates that the authentication is successful, step 1003 may be executed to complete the subsequent procedure of joining the user equipment to the multicast group. If the result information indicates that the authentication fails, a unicast transmission resource can be established for the user equipment, and the unicast transmission resource is used to transmit the multicast downlink data.
The embodiment of the present application does not specifically limit the manner in which the user equipment obtains the first security information and the manner in which the UDM or UDR obtains the second security information.
In some implementations, the user equipment and the UDM or UDR may obtain the corresponding security information through steps 1106 to 1111.
Specifically, in step 1106, the application server generates first security information and second security information.
In step 1107, the application server sends the first security information to the user equipment. Accordingly, the user equipment receives the first security information sent by the application server.
Alternatively, the application server may send the first security information to the user equipment via an application layer message.
In step 1108, the application server sends the second security information to the PCF. Accordingly, the PCF receives the second security information sent by the application server.
Alternatively, the application server may send the second security information to the PCF via an N5 message or an Rx message.
Alternatively, the application server may send the second security information to the PCF via the NEF.
Optionally, the application server may further send, to the PCF, first information for determining identification information corresponding to the second security information.
For example, the first information is the above-described identification information.
For another example, the first information is information for acquiring the identification information; for example, the information may be a numerical value, and the first SMF may further acquire the identification information according to that value. Alternatively, the value may be a transaction ID or the like.
Optionally, the application server may further send its Data Network Access Identifier (DNAI) information to the PCF. The DNAI information indicates the location at which the data is generated.
In step 1109, the PCF sends the second security information to the UDM or UDR so that the UDM or UDR stores the second security information.
Optionally, the PCF may also send identification information to the UDM or UDR.
Optionally, step 1109 may also be replaced with steps 1110 to 1112, i.e. the PCF stores the second security information in the UDM or UDR via the first SMF.
Specifically, in step 1110, the NEF or PCF determines the first SMF.
As an example, the NEF or PCF selects the first SMF that supports the multicast function according to the capability information of the SMFs.
As another example, the NEF or PCF selects the first SMF that supports multicast functionality based on the SMF's current loading conditions.
As yet another example, the NEF or PCF selects the first SMF that supports multicast functionality based on the coverage of the UPF that the SMF can manage, in conjunction with the DNAI information.
It should be noted that the above example may be combined, for example, with the NEF or PCF selecting the first SMF supporting the multicast function according to the coverage of the UPF that the SMF can manage, the current load condition of the SMF, and whether the SMF supports multicast session management.
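The combined selection rule of the preceding paragraph (multicast support, coverage of the DNAI by a UPF the SMF can manage, and current load), as an added example that does not belong to this application: the classes Smf and Upf, the load threshold, the lowest-load tie-break and the constructed candidate list are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Upf:
    name: str
    covered_dnais: Set[str]  # DNAIs (data generation locations) this UPF can serve


@dataclass
class Smf:
    name: str
    supports_multicast: bool  # capability information: multicast session management
    load: float               # current load condition, 0.0 (idle) .. 1.0 (saturated)
    upfs: List[Upf]           # UPFs this SMF can manage

    def covers(self, dnai: str) -> bool:
        return any(dnai in upf.covered_dnais for upf in self.upfs)


def select_first_smf(candidates: List[Smf], dnai: Optional[str] = None,
                     max_load: float = 0.9) -> Optional[Smf]:
    """NEF/PCF selection of the first SMF: multicast support, UPF coverage of
    the DNAI (if one was provided), load below a threshold, then lowest load."""
    eligible = [
        smf for smf in candidates
        if smf.supports_multicast
        and (dnai is None or smf.covers(dnai))
        and smf.load <= max_load
    ]
    if not eligible:
        return None  # no SMF can serve this multicast context
    # Tie-break on name so the choice is deterministic for equal loads.
    return min(eligible, key=lambda smf: (smf.load, smf.name))


def constructed_candidates() -> List[Smf]:
    """Constructed SMF inventory used for the scenario below."""
    upf_east = Upf("upf-east", {"dnai-east"})
    upf_west = Upf("upf-west", {"dnai-west"})
    return [
        Smf("smf-1", supports_multicast=False, load=0.1, upfs=[upf_east]),
        Smf("smf-2", supports_multicast=True, load=0.95, upfs=[upf_east]),
        Smf("smf-3", supports_multicast=True, load=0.4, upfs=[upf_east, upf_west]),
        Smf("smf-4", supports_multicast=True, load=0.2, upfs=[upf_west]),
    ]


def selected_name(dnai: Optional[str]) -> Optional[str]:
    chosen = select_first_smf(constructed_candidates(), dnai)
    return chosen.name if chosen else None
```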
In step 1111, the NEF or PCF sends the second security information to the first SMF. Accordingly, the first SMF receives the second security information sent by the NEF or the PCF.
Alternatively, the NEF or PCF may send the second security information via a message requesting establishment of the multicast context.
It is understood that the manner in which the NEF or PCF sends the identification information and the identification information of the application server to the first SMF is the same as or similar to the manner in which the second security information is sent, and is not described in detail again.
When the first information is information for acquiring identification information, the NEF or the PCF may acquire the identification information based on the first information after receiving the first information. One implementation is that the NEF or PCF acquires the identification information according to a mapping relationship between information for acquiring the identification information and the identification information. Alternatively, the NEF or PCF may store the mapping locally. For example, the mapping relationship is configured for the NEF or PCF in a pre-configured manner. As another example, the NEF or PCF may obtain the mapping relationship from a data storage enabled network element (e.g., UDR or UDM).
After receiving the second security information sent by the PCF, the UDM or the UDR stores the second security information.
Optionally, the UDM or UDR may also store, in correspondence with it, the identification information corresponding to the second security information.
Optionally, the UDM or UDR may also store identification information of the first SMF.
Fig. 12 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 12 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
In this embodiment of the application, the first SMF or the UDM performs the authentication and authorization operation.
In step 1201, the user equipment sends a fourth message to the second SMF, the fourth message requesting to join the multicast group. The fourth message includes identification information and first security information, the identification information corresponding to a multicast group to which the user equipment requests to join. Accordingly, the second SMF receives a fourth message from the user equipment.
The first security information is used for performing the authentication and authorization operation on the join request of the user equipment.
Alternatively, the first security information may be password information. For example, the first security information may be a specific secret number.
Alternatively, the first security information may be input information of a security algorithm.
Alternatively, the first security information may be a security algorithm.
In some embodiments, the user equipment may send the fourth message to the second SMF through the control plane signaling and through the control plane network element. Specifically, reference may be made to a manner in which the user equipment sends information to the second SMF in fig. 5, which is not described herein again.
In still other embodiments, the user equipment may send the fourth message to the second SMF via user plane signaling and via a user plane network element. Specifically, reference may be made to a manner in which the user equipment sends information to the second SMF in fig. 6, and details are also omitted here.
In step 1202, the second SMF sends a fourth message to the first SMF, and accordingly, the first SMF receives the fourth message. The fourth message includes the first security information and the identification information.
Optionally, the second SMF may determine the first SMF before performing step 1102. One implementation is that the second SMF determines the first SMF by querying, based on the identification information, data stored in a network element used for centralized storage. The network element used for centralized storage may be the UDM, the UDR, the PCF, or the like. For example, as shown in step 1203 in fig. 12, the second SMF obtains the relevant information of the first SMF from the UDM or UDR.
In step 1204, the first SMF performs an authentication and authorization operation according to the first security information and the second security information.
In some implementations, if the authentication is successful, step 1214 may be executed, i.e., the subsequent process of the UE joining the multicast group is completed. If the authentication fails, the processing of the join request of the user equipment is stopped and an indication of the authentication failure is returned to the user equipment.
In other implementations, if the authentication is successful, step 1214 may be executed to complete the subsequent process of the UE joining the multicast group. If the authentication fails, a unicast transmission resource can be established for the user equipment, and the unicast transmission resource is used for transmitting the multicast downlink data.
The second security information is used for performing the authentication and authorization operation on the join request of the user equipment.
Optionally, the second security information may also be password information or a security algorithm.
Optionally, the second security information may be stored locally to the first SMF.
Alternatively, if there is no second security information in the first SMF or the stored second security information is no longer valid, the first SMF may obtain the latest second security information from the UDM or UDR.
For example, as shown in steps 1205 and 1213, the first SMF sends identification information to the UDR or UDM, and the UDR or UDM determines the second security information from the identification information and feeds back the second security information to the first SMF.
Optionally, the first SMF determines whether the first security information matches the second security information. If the two are matched, the first SMF determines that the authentication is successful; otherwise, the first SMF determines that the authentication fails.
In the embodiment of the application, the first SMF determines whether the first security information and the second security information match in different ways according to different forms of the first security information and the second security information.
As an example, if the first security information and the second security information are password information, the first SMF determines that the first security information and the second security information match when the first security information and the second security information are the same, otherwise the first security information and the second security information do not match.
As another example, if the first security information is input information of a security algorithm and the second security information is the security algorithm, when the first security information and the second security information generate correct results, the first SMF determines that the first security information and the second security information match, otherwise, the first SMF determines that the first security information and the second security information do not match.
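The matching rule just described (and the identical rule the access network device applies in the fig. 13 embodiment), together with the two failure policies of step 1204, as an added example; this is not code from the patent. The patent leaves the "security algorithm" unspecified, so the choice of PBKDF2-HMAC-SHA256 with a stored salt and verifier as that algorithm, and the type and function names, are assumptions of this example. The security-relevant detail it adds is that both forms are compared in constant time and that the algorithm form lets the network store a verifier rather than the join secret itself.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Union


@dataclass(frozen=True)
class PasswordSecret:
    """Second security information in password form: the UE's first security
    information must be identical to the stored value."""
    secret: bytes


@dataclass(frozen=True)
class AlgorithmSecret:
    """Second security information in 'security algorithm' form. The stored
    side is the algorithm and its parameters; the UE's first security
    information is the algorithm's input. PBKDF2-HMAC-SHA256 with a stored
    salt and verifier is this example's assumed algorithm; a 'correct result'
    means the derived key equals the verifier."""
    salt: bytes
    verifier: bytes
    iterations: int = 200_000


SecondSecurityInfo = Union[PasswordSecret, AlgorithmSecret]


def make_algorithm_secret(passphrase: bytes, salt: bytes,
                          iterations: int = 200_000) -> AlgorithmSecret:
    """Provisioning side: what the application server would register with the
    network instead of the raw passphrase (hypothetical helper)."""
    verifier = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations)
    return AlgorithmSecret(salt, verifier, iterations)


def security_info_matches(first: bytes, second: SecondSecurityInfo) -> bool:
    """Dispatch on the form of the second security information. Both branches
    use a constant-time comparison so a failed check does not reveal how many
    leading bytes of the UE's value were right."""
    if isinstance(second, PasswordSecret):
        return hmac.compare_digest(first, second.secret)
    if isinstance(second, AlgorithmSecret):
        derived = hashlib.pbkdf2_hmac("sha256", first, second.salt, second.iterations)
        return hmac.compare_digest(derived, second.verifier)
    raise TypeError(f"unsupported second security information: {type(second).__name__}")


class JoinOutcome(Enum):
    JOIN_MULTICAST = "continue the multicast join (step 1214)"
    REJECT = "stop processing and indicate authentication failure to the UE"
    UNICAST_FALLBACK = "establish a unicast resource carrying the multicast downlink data"


def handle_join_request(first: bytes, second: SecondSecurityInfo,
                        unicast_fallback: bool) -> JoinOutcome:
    """Step 1204 followed by one of the two failure policies the text gives."""
    if security_info_matches(first, second):
        return JoinOutcome.JOIN_MULTICAST
    return JoinOutcome.UNICAST_FALLBACK if unicast_fallback else JoinOutcome.REJECT


# Constructed sample second security information (not from the patent).
GROUP_PASSWORD = PasswordSecret(b"group-7-join-code")
GROUP_ALG = make_algorithm_secret(b"correct horse battery", salt=b"\x01" * 16, iterations=1000)

if __name__ == "__main__":
    print(handle_join_request(b"group-7-join-code", GROUP_PASSWORD, unicast_fallback=False))
    print(handle_join_request(b"wrong", GROUP_ALG, unicast_fallback=True))
```

The iteration count in the sample is kept low only so the example runs quickly; a deployment would use the default or higher.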
It is to be understood that if the authentication and authorization operation performed by the first SMF is replaced by the authentication and authorization operation performed by the UDM or the UDR based on the authentication method shown in fig. 12, a possible way is that the first SMF sends the first security information and the identification information to the UDM or the UDR in step 1205, the UDM or the UDR performs the authentication and authorization operation according to the first security information and the second security information, and returns the result information to the first SMF in step 1213.
In the embodiment of the present application, the manner in which the user equipment obtains the first security information and the manner in which the UDM or the UDR obtains the second security information are the same as or similar to those in fig. 11, so the detailed description about the step 1206 and 1212 can refer to the related description about the step 1106 and 1112, and will not be further described herein.
2) The network device is an access network device
Fig. 13 is a schematic flow chart of another authentication method according to an embodiment of the present application. The method shown in fig. 13 may be applied to the system architecture shown in fig. 1, and may also be applied to the system architecture shown in fig. 3, and the embodiment of the present application is not limited thereto.
In this embodiment of the application, the access network device performs the authentication and authorization operation.
In step 1301, the user equipment sends a fourth message to the access network equipment, where the fourth message is used to request to join the multicast group. The fourth message includes identification information and first security information, the identification information corresponding to a multicast group to which the user equipment requests to join. Accordingly, the second SMF receives a fourth message from the user equipment.
Optionally, the fourth message is an RRC message.
In step 1302, the access network device performs an authentication and authorization operation according to the first security information and the second security information.
Optionally, the access network device determines whether the first security information matches the second security information. If the two match, the access network device determines that the authentication is successful and may continue to execute step 1303, i.e., complete the subsequent process of the user equipment joining the multicast group; otherwise, the access network device determines that the authentication fails.
In the embodiment of the present application, according to different forms of the first security information and the second security information, a manner of determining, by the access network device, whether the first security information and the second security information match is also different.
As an example, if the first security information and the second security information are password information, the access network device determines that the first security information and the second security information match when the first security information is the same as the second security information, otherwise, the first security information and the second security information do not match.
As another example, if the first security information is input information of a security algorithm and the second security information is the security algorithm, the access network device determines that the first security information and the second security information match when the first security information and the second security information generate correct results, otherwise, the first security information and the second security information do not match.
Optionally, after the authentication and authorization operation, the access network device may feed back authentication result information to the user equipment. For example, the result information may be fed back through an RRC message.
Optionally, before step 1302, the access network device may perform step 1304, that is, the access network device checks whether the second security information exists locally according to the identification information. If the second security information exists locally in the access network device, step 1302 may be executed; if the access network device does not locally store the second security information or the second security information is invalid, the access network device may obtain the second security information from the core network device.
When the access network device does not store the second security information locally or the second security information is invalid, the access network device performs step 1305, that is, the access network device sends a sixth message to the first AMF to notify the first AMF that the user equipment requests to join the multicast group. The sixth message may include identification information. The first AMF is a network element for performing mobility management and access control on the user equipment in the multicast group.
In step 1306, after receiving the sixth message sent by the access network device, the first AMF may check whether the second security information exists locally according to the identification information. If the first AMF locally has the second security information, the first AMF can return the second security information to the access network device; if the first AMF does not locally store the second security information or the second security information is no longer valid, the first AMF may acquire the second security information from the first SMF, the UDM, or the UDR.
In step 1307, the first AMF sends a seventh message to the first SMF, UDM or UDR, the seventh message including information that the user equipment requests to join the multicast group. One possible implementation is that the information that the user equipment requests to join the multicast group may be identification information (e.g., SUPI) and identification information of the user equipment.
In step 1308, the first SMF, UDM or UDR determines second security information corresponding to the identification information from the identification information and returns to the first AMF.
In step 1309, the first AMF returns the acquired second security information to the access network device, so that the access network device performs an authentication and authorization operation.
Optionally, before feeding back the second security information to the first AMF, the first SMF, the UDM, or the UDR may further determine whether the second security information needs to be sent to the access network device according to the first security information. At this time, the first security information needs to be carried in the sixth message and the seventh message.
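The lookup chain of steps 1304 to 1309, including the optional gate in which the first SMF, UDM or UDR checks the forwarded first security information before releasing the second security information, and the same local-or-fetch logic the first SMF applies in steps 1204 and 1205, as an added example (not code from the patent). The patent only says a stored entry may be "invalid"; modelling that as an expiry time, the class names, the constructed records and the equality check in the authority are assumptions of this example. The detail worth seeing is that a stale entry is discarded rather than served, and that each tier caches what it fetched so the source of truth is queried only when every intermediate copy has lapsed.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CachedSecret:
    """Second security information plus the time after which it counts as invalid
    (expiry is this example's assumed meaning of 'invalid')."""
    value: bytes
    expires_at: float


class SecurityInfoCache:
    """Local store keyed by the multicast identification information. The access
    network device and the first AMF each hold their own instance."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._entries: Dict[str, CachedSecret] = {}

    def get(self, identification: str) -> Optional[bytes]:
        entry = self._entries.get(identification)
        if entry is None or entry.expires_at <= self._clock():
            self._entries.pop(identification, None)  # never serve a stale entry
            return None
        return entry.value

    def put(self, identification: str, value: bytes, ttl: float) -> None:
        self._entries[identification] = CachedSecret(value, self._clock() + ttl)


class Authority:
    """Stand-in for the first SMF, UDM or UDR: source of truth for the second
    security information (constructed records). With gate_on_first_info set it
    applies the optional check of the text: the first security information
    carried in the sixth and seventh messages must match (modelled here as
    password equality, compared in constant time) before anything is released."""

    def __init__(self, records: Dict[str, bytes], gate_on_first_info: bool = False):
        self._records = records
        self._gate = gate_on_first_info
        self.queries = 0  # seventh messages that reached this node

    def handle_seventh_message(self, identification: str,
                               first_info: Optional[bytes]) -> Optional[bytes]:
        self.queries += 1
        second = self._records.get(identification)
        if second is None:
            return None
        if self._gate and (first_info is None or not hmac.compare_digest(first_info, second)):
            return None
        return second  # step 1308


class FirstAmf:
    """Step 1306: answer from the local store, otherwise send the seventh message."""

    def __init__(self, authority: Authority, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.cache = SecurityInfoCache(clock)
        self._authority, self._ttl = authority, ttl

    def handle_sixth_message(self, identification: str,
                             first_info: Optional[bytes] = None) -> Optional[bytes]:
        second = self.cache.get(identification)
        if second is None:
            second = self._authority.handle_seventh_message(identification, first_info)  # 1307
            if second is not None:
                self.cache.put(identification, second, self._ttl)
        return second  # step 1309


class AccessNetworkDevice:
    """Step 1304: check locally; if absent or invalid, send the sixth message (1305)."""

    def __init__(self, amf: FirstAmf, ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.cache = SecurityInfoCache(clock)
        self._amf, self._ttl = amf, ttl

    def resolve_second_security_info(self, identification: str,
                                     first_info: Optional[bytes] = None) -> Optional[bytes]:
        second = self.cache.get(identification)
        if second is None:
            second = self._amf.handle_sixth_message(identification, first_info)
            if second is not None:
                self.cache.put(identification, second, self._ttl)
        return second  # step 1302 can now run


class FakeClock:
    """Controllable clock so expiry can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def build_chain(gate_on_first_info: bool = False):
    """Wire a constructed authority, first AMF and access network device together."""
    clock = FakeClock()
    authority = Authority({"mbs-group-1": b"group-1-join-code"}, gate_on_first_info)
    amf = FirstAmf(authority, ttl=300.0, clock=clock)
    return clock, authority, amf, AccessNetworkDevice(amf, ttl=60.0, clock=clock)
```

With the sample TTLs, the first request for a group reaches the authority; a second request within 60 seconds is answered by the access network device's own store; after the access network device's entry lapses but before the AMF's does, the AMF answers without a seventh message; only when both have lapsed is the authority queried again.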
In the embodiment of the present application, the manner in which the user equipment acquires the first security information and the manner in which the first SMF acquires the second security information are the same as or similar to those in fig. 10 to 12; therefore, the detailed description of steps 1311 and 1313 may refer to the related description of fig. 10 to 12, and will not be repeated herein.
The above embodiments may be implemented individually or in combination as appropriate.
It is to be understood that, in order to implement the functions of the above-described embodiments, the communication apparatus includes a corresponding hardware structure and/or software module that performs each function. Those of skill in the art will readily appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software driven hardware depends on the particular application scenario and design constraints imposed on the solution.
Fig. 14 to 15 are schematic structural diagrams of possible apparatuses provided in the embodiments of the present application.
The apparatuses may be configured to implement the functions of the user equipment, the access network equipment, the AMF, the UPF, the SMF, the NEF, the UDM, the UDR, or the application server in the foregoing method embodiments, and therefore, the advantageous effects of the foregoing method embodiments can also be achieved. In the embodiment of the present application, the communication device may be a user equipment, an access network device, an AMF, a UPF, an SMF, a NEF, a UDM, a UDR, or an application server, and may also be a module (e.g., a chip) applied to the user equipment, the access network device, the AMF, the UPF, the SMF, the NEF, the UDM, the UDR, or the application server.
As shown in fig. 14, the apparatus 1400 includes a processing unit 1410 and a transceiving unit 1420. The apparatus 1400 is configured to implement the functions of the user equipment, the access network equipment, the AMF, the application server, or the SMF in any of the method embodiments shown in fig. 4 to 13.
When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 4: the processing unit 1410 may perform steps 410 and 450 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 420 and 440 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 4: the processing unit may perform step 430 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 420 and 440 shown in the method-side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 5: the transceiving unit 1420 may perform step 501 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the AMF in the method embodiment shown in fig. 5: the transceiving unit 1420 may perform step 502 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the second SMF in the method embodiment shown in fig. 5: the transceiving unit 1420 may perform step 503 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 5: the processing unit may perform steps 516 and 504 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 503, 505, 507, 508, 513 and 514 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 5: the processing unit may perform steps 506 and 511 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 505, 507, 510 and 512 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of NEF in the method embodiment shown in fig. 5: the processing unit may perform step 509 in the method-side embodiment, and the transceiving unit 1420 may perform steps 508, 510, 512, and 513 in the method-side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 6: the transceiving unit 1420 may perform step 601 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the second UPF in the method embodiment shown in fig. 6: the transceiving unit 1420 may perform step 602 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the second SMF in the method embodiment shown in fig. 6: the transceiving unit 1420 may perform steps 602 and 603 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 6: the processing unit may perform steps 616 and 604 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 603, 605, 607, 608, 613 and 614 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 6: the processing unit may perform steps 606 and 611 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 605, 607, 610 and 612 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of NEF in the method embodiment shown in fig. 6: the processing unit may perform step 609 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 608, 610, 612, and 613 shown in the method-side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 7: the transceiving unit 1420 may perform step 701 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the AMF in the method embodiment shown in fig. 7: the transceiving unit 1420 may perform step 602 shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 7: the processing unit may perform steps 716 and 704 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 705, 707, 708, 713, and 714 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 7: the processing unit may perform steps 706 and 711 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 705, 707, 710, and 712 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of NEF in the method embodiment shown in fig. 7: the processing unit may perform step 709 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 708, 710, 712, and 713 shown in the method-side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 8: the transceiving unit 1420 may perform step 801 as shown in the method side embodiment. When the apparatus 1400 is used to implement the functionality of the second UPF in the method embodiment shown in fig. 8: the transceiving unit 1420 may perform step 802 as shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 8: the processing unit may perform steps 816 and 804 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 805, 807, 808, 813 and 814 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 8: the processing unit may perform steps 806 and 811 as shown in the method side embodiment and the transceiving unit 1420 may perform steps 805, 807, 810 and 812 as shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of NEF in the method embodiment shown in fig. 8: the processing unit may perform step 809 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 808, 810, 812 and 813 shown in the method side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 9: the transceiving unit 1420 may perform steps 901 and 904 as shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the network device in the method embodiment shown in fig. 9: the processing unit may perform step 902 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 901 and 905 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 9: the processing unit may perform step 903 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 903 and 904 shown in the method side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 10: the processing unit 1410 may perform step 1003 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1001 and 1005 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 10: the processing unit 1410 may perform steps 1002 and 1003 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1001 and 1008 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 10: the processing unit may perform step 1004 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1005 and 1006 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of NEF in the method embodiment shown in fig. 10: the transceiving unit 1420 may perform steps 1006 and 1007 shown in the method side embodiment. When the apparatus 1400 is used to implement the function of UDM or UDR in the method embodiment shown in fig. 10: the processing unit may perform step 1003 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 1008 and 1007 shown in the method side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 11: the processing unit 1410 may perform step 1105 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1101 and 1107 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the second SMF in the method embodiment shown in fig. 11: the processing unit 1410 may perform step 1105 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1001, 1102, 1104, and 1112 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 11: processing unit 1410 may perform step 1105 shown in the method side embodiment, and transceiving unit 1420 may perform steps 1112 and 1111 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 11: the processing unit may perform step 1106 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1107 and 1108 shown in the method-side embodiment. When apparatus 1400 is used to implement the functionality of a NEF or PCF in the method embodiment shown in fig. 11: the processing unit may perform step 1110 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 1108, 1111, and 1109 shown in the method side embodiment. When the apparatus 1400 is used to implement the function of UDM or UDR in the method embodiment shown in fig. 11: the processing unit may perform steps 1103 and 1105 shown in the method side embodiment, and the transceiver unit 1420 may perform steps 1112, 1109, 1102, and 1104 shown in the method side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 12: the processing unit 1410 may perform step 1214 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1201 and 1207 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the second SMF in the method embodiment shown in fig. 12: the processing unit 1410 may execute step 1214 shown in the method-side embodiment, and the transceiving unit 1420 may execute steps 1201-1203 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 12: the processing unit 1410 may perform steps 1204 and 1214 shown in the method side embodiment, and the transceiving unit 1420 may perform steps 1202, 1205, and 1213 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 12: the processing unit may perform step 1206 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1207 and 1208 shown in the method-side embodiment. When apparatus 1400 is used to implement the functionality of a NEF or PCF in the method embodiment shown in fig. 12: the processing unit may perform step 1210 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1208, 1211, and 1209 shown in the method-side embodiment. When the apparatus 1400 is used to implement the function of UDM or UDR in the method embodiment shown in fig. 12: the processing unit may perform step 1214 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1212, 1209, 1203, and 1205 shown in the method-side embodiment.
When the apparatus 1400 is used to implement the function of the user equipment in the method embodiment shown in fig. 13: the transceiving unit 1420 may perform steps 1301 and 1312 as shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the access network device in the method embodiment shown in fig. 13: processing unit 1410 may perform steps 1302 and 1304 shown in the method-side embodiment, and transceiving unit 1420 may perform steps 1301, 1305, and 1309 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the AMF in the method embodiment shown in fig. 13: the processing unit 1410 may execute steps 1306 and 1303 shown in the method-side embodiment, and the transceiving unit 1420 may execute steps 1305, 1307, and 1309 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functionality of the first SMF in the method embodiment shown in fig. 13: processing unit 1410 may perform steps 1310 and 1303 shown in the method side embodiment, and transceiving unit 1420 may perform steps 1307, 1308, and 1313 shown in the method side embodiment. When the apparatus 1400 is used to implement the functions of the application server in the method embodiment shown in fig. 13: the processing unit may perform step 1311 shown in the method-side embodiment, and the transceiving unit 1420 may perform steps 1312 and 1313 shown in the method-side embodiment. When the apparatus 1400 is used to implement the functions of NEF, UDM or UDR in the method embodiment shown in fig. 13: the transceiving unit 1420 may perform step 1313 shown in the method side embodiment.
The more detailed description of the processing unit 1410 and the transceiving unit 1420 can be directly obtained by referring to the related description in the method embodiments shown in fig. 4-fig. 13, which is not repeated herein.
As shown in fig. 15, the apparatus 1500 includes a processor 1510 and an interface circuit 1520. Processor 1510 and interface circuits 1520 are coupled to each other. It is understood that the interface circuit 1520 may be a transceiver or an input-output interface. Optionally, the apparatus 1500 may further comprise a memory 1530 for storing instructions to be executed by the processor 1510 or for storing input data required by the processor 1510 to execute the instructions or for storing data generated by the processor 1510 after executing the instructions.
When the apparatus 1500 is used to implement the methods shown in fig. 4-13, the processor 1510 is configured to perform the functions of the processing unit 1410, and the interface circuit 1520 is configured to perform the functions of the transceiving unit 1420.
When the above apparatus is a chip applied to a user equipment, an access network device, an AMF, a UPF, an SMF, a NEF, a UDM, a UDR, or an application server, the chip implements the functions of that user equipment, access network device, AMF, UPF, SMF, NEF, UDM, UDR, or application server in the above method embodiment. The chip receives information from other modules (such as a radio frequency module or an antenna) in the user equipment, access network device, AMF, UPF, SMF, NEF, UDM, UDR, or application server, the information having been sent by other devices to that user equipment, access network device, AMF, UPF, SMF, NEF, UDM, UDR, or application server; alternatively, the chip sends information to other modules (such as a radio frequency module or an antenna) in the user equipment, access network device, AMF, UPF, SMF, NEF, UDM, UDR, or application server, where the information is to be sent by that user equipment, access network device, AMF, UPF, SMF, NEF, UDM, UDR, or application server to other devices.
It is understood that the processor in the embodiments of the present application may be a central processing unit (CPU), another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general purpose processor may be a microprocessor, but may also be any conventional processor.
The method steps in the embodiments of the present application may be implemented by hardware, or may be implemented by software instructions executed by a processor. The software instructions may be comprised of corresponding software modules that may be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user equipment, AMF, UPF, SMF, NEF, UDM, UDR, or an application server. Of course, the processor and the storage medium may also reside as discrete components in a user equipment, AMF, UPF, SMF, NEF, UDM, UDR, or application server.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer program or instructions may be stored in or transmitted over a computer-readable storage medium. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server that integrates one or more available media. The usable medium may be a magnetic medium, such as a floppy disk, a hard disk, or a magnetic tape; an optical medium, such as a DVD; or a semiconductor medium, such as a solid state disk (SSD).
In the embodiments of the present application, unless otherwise specified or conflicting with respect to logic, the terms and/or descriptions in different embodiments have consistency and may be mutually cited, and technical features in different embodiments may be combined to form a new embodiment according to their inherent logic relationship.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships; e.g., "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. In the text of the present application, the character "/" generally indicates that the former and latter associated objects are in an "or" relationship; in the formulas of the present application, the character "/" indicates that the preceding and following objects are in a "division" relationship.
It is to be understood that the various numerical references referred to in the embodiments of the present application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of the present application. The sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of the processes should be determined by their functions and inherent logic.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (18)

1. A method for authentication, the method comprising:
a first session management function network element SMF acquires first information and first identification information of multicast data, wherein the first information is used for determining first user identification information of the user equipment;
the first SMF sends a first message to an application server, wherein the first message is used for requesting authentication of a request of joining a multicast group by the user equipment, the first message comprises the first user identification information and second identification information of multicast data, and the first identification information and the second identification information correspond to the multicast group;
and the first SMF receives a second message sent by the application server, wherein the second message comprises authentication result information.
2. The method of claim 1, further comprising:
and the first SMF determines that the application server is required to authenticate the request of the user equipment for joining the multicast group according to the first identification information.
3. The method according to claim 1 or 2, wherein the first information comprises the first subscriber identity information and/or second subscriber identity information of the user equipment.
4. The method of claim 3, wherein when the first information is the second subscriber identity information, the method further comprises:
and the first SMF acquires the first user identification information according to the second user identification information.
5. The method of claim 4, wherein the obtaining, by the first SMF, the first subscriber identity information according to the second subscriber identity information comprises:
and the first SMF acquires the first subscriber identification information from a first network element according to the second subscriber identification information, wherein the first network element comprises an access and mobility management function network element AMF, a unified data management network element UDM and a unified data repository UDR.
6. The method of any of claims 1-5, wherein the obtaining the first information and the first identification information of the multicast data by the first SMF comprises:
and the first SMF acquires the first information and the first identification information from a second SMF, an access and mobility management function network element AMF or a second user plane function network element UPF.
7. The method of any of claims 1-6, wherein the first SMF sends a first message to the application server, comprising:
the first SMF determines the identification information of the application server according to the first identification information;
and the first SMF directly sends the first message to the application server, or the first SMF sends the first message to the application server through a first UPF.
8. The method of any of claims 1-6, wherein the first SMF sends a first message to the application server, comprising:
and the first SMF sends the first message to the application server through a network exposure function network element (NEF).
9. The method according to any of claims 1 to 8, wherein said first user identification information is a generic public subscription identifier, GPSI, and said second user identification information comprises at least one of a subscription permanent identifier, SUPI, a globally unique temporary identifier, GUTI, and a subscription concealed identifier, SUCI.
10. A method for authentication, the method comprising:
an application server receives a first message from a first session management function network element (SMF), wherein the first message is used for requesting authentication of a request of user equipment for joining a multicast group, the first message comprises first user identification information and second identification information of multicast data, the second identification information corresponds to the multicast group, and the first user identification information is identification information of the user equipment;
the application server authenticates the request of the user equipment for joining the multicast group according to the first user identification information and the second identification information;
and the application server sends a second message to the first SMF, wherein the second message comprises authentication result information.
11. The method of claim 10, wherein the application server sends a second message to the first SMF, comprising:
and the application server directly sends the second message to the first SMF, or sends the second message to the first SMF through a first UPF or a network exposure function network element (NEF).
12. The method according to claim 10 or 11, wherein the first user identification information is a generic public subscription identifier, GPSI.
13. A method for authentication, the method comprising:
the user equipment determines a third message, wherein the third message is used for requesting to join a multicast group, the third message comprises third identification information of multicast data, and the third identification information corresponds to the multicast group;
and the user equipment sends the third message to a second user plane network element UPF.
14. The method according to claim 13, wherein the third message further comprises second user identification information of the user equipment and/or information for authenticating the user equipment.
15. The method according to claim 13 or 14, wherein the third message comprises an internet group management protocol, IGMP, message and a multicast listener report, MLR, message.
16. A communications apparatus, comprising at least one processor coupled with at least one memory, the at least one processor to execute a computer program or instructions stored in the at least one memory to cause the communications apparatus to perform the method of any of claims 1-15.
17. A chip comprising logic circuitry and a communication interface, the communication interface being arranged to receive data and/or information to be processed, the logic circuitry being arranged to perform the data and/or information processing according to any of claims 1-15, and the communication interface being further arranged to output the data and/or information processed by the logic circuitry.
18. A computer-readable storage medium having stored thereon computer instructions for implementing the method of any one of claims 1-15 when the computer instructions are run on a computer.
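The exchange claimed in claims 1 to 12 (the first SMF resolves the user's identification, maps the multicast identification it received to the group the application server knows, sends the first message, and acts on the authentication result in the second message) is worked through below as an added simulation. This is editorial example code, not code from the patent or from Huawei: the SUPI-to-GPSI mapping stood in for the UDM/AMF/UDR lookup, the multicast addresses, group identifiers, application server name and membership lists are all constructed sample values, and the message fields and result structure are assumptions chosen to mirror the claim language.

```python
"""Constructed simulation of the SMF <-> application server multicast-join
authentication exchange described in claims 1-12. All identifiers below are
sample values invented for this example; nothing here is the patent's own code."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Stand-in for the first network element (AMF/UDM/UDR) of claim 5: maps the
# second user identification (SUPI) to the first user identification (GPSI).
# Constructed sample data.
UDM_SUPI_TO_GPSI: Dict[str, str] = {
    "imsi-460001234567890": "msisdn-8613800000001",
    "imsi-460009876543210": "msisdn-8613800000002",
}

# SMF configuration keyed by the first identification information (here the
# multicast destination address the UE asked to join). Each entry carries the
# second identification information (the group id the application server
# understands), the server that owns the group, and whether claim 2's
# "application server authentication required" decision applies.
MULTICAST_GROUPS: Dict[str, dict] = {
    "239.1.2.3": {"group_id": "mbs-group-42", "app_server": "as.example.invalid", "auth_required": True},
    "239.9.9.9": {"group_id": "mbs-group-7", "app_server": None, "auth_required": False},
}

@dataclass(frozen=True)
class FirstMessage:          # claim 1: request to authenticate a join
    gpsi: str
    group_id: str

@dataclass(frozen=True)
class SecondMessage:         # claim 1: carries the authentication result
    gpsi: str
    group_id: str
    authenticated: bool
    reason: str

class ApplicationServer:
    """Claim 10: authenticates the join using the GPSI and the group id only."""
    def __init__(self, name: str, membership: Dict[str, Set[str]]):
        self.name = name
        self.membership = membership   # group_id -> set of authorised GPSIs

    def handle_first_message(self, msg: FirstMessage) -> SecondMessage:
        members = self.membership.get(msg.group_id)
        if members is None:
            return SecondMessage(msg.gpsi, msg.group_id, False, "unknown group")
        ok = msg.gpsi in members
        return SecondMessage(msg.gpsi, msg.group_id, ok, "authorised member" if ok else "not a member")

class SMF:
    """Claims 1-9: the first SMF."""
    def __init__(self, udm: Dict[str, str], groups: Dict[str, dict], servers: Dict[str, ApplicationServer]):
        self.udm, self.groups, self.servers = udm, groups, servers

    def resolve_gpsi(self, first_info: str) -> Optional[str]:
        # Claims 3-5: first_info may already be the GPSI or may be a SUPI that
        # has to be translated by the first network element.
        if first_info.startswith("msisdn-"):
            return first_info
        return self.udm.get(first_info)

    def handle_join(self, first_info: str, first_id: str) -> dict:
        group = self.groups.get(first_id)
        if group is None:
            return {"admitted": False, "reason": "unknown multicast group", "gpsi": None}
        gpsi = self.resolve_gpsi(first_info)
        if gpsi is None:
            # Fail closed: the AS cannot be asked about an identity we cannot name.
            return {"admitted": False, "reason": "user identification unresolved", "gpsi": None}
        if not group["auth_required"]:
            return {"admitted": True, "reason": "no application authentication required", "gpsi": gpsi}
        server = self.servers[group["app_server"]]          # claim 7: AS chosen from first_id
        second = server.handle_first_message(FirstMessage(gpsi, group["group_id"]))
        return {"admitted": second.authenticated, "reason": second.reason, "gpsi": gpsi}

def build_demo() -> SMF:
    """Wire up one application server and one SMF from the constructed data."""
    app_server = ApplicationServer("as.example.invalid",
                                   {"mbs-group-42": {"msisdn-8613800000001"}})
    return SMF(UDM_SUPI_TO_GPSI, MULTICAST_GROUPS, {app_server.name: app_server})

if __name__ == "__main__":
    smf = build_demo()
    for supi, addr in [("imsi-460001234567890", "239.1.2.3"),
                       ("imsi-460009876543210", "239.1.2.3"),
                       ("imsi-000000000000000", "239.1.2.3"),
                       ("imsi-460009876543210", "239.9.9.9")]:
        print(supi, addr, smf.handle_join(supi, addr))
```

The point the simulation makes explicit is the one the claims rely on: the application server never sees the SUPI, SUCI or GUTI, only the GPSI and the group identifier, so the translation step in the SMF (and the fail-closed branch when that translation is unavailable) is what keeps the network-internal identifiers out of the application domain.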

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010815001.7A CN114079872A (en) 2020-08-13 2020-08-13 Method and communication device for authentication
PCT/CN2021/111909 WO2022033491A1 (en) 2020-08-13 2021-08-10 Method for authentication, and communication apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010815001.7A CN114079872A (en) 2020-08-13 2020-08-13 Method and communication device for authentication

Publications (1)

Publication Number Publication Date
CN114079872A true CN114079872A (en) 2022-02-22

Family

ID=80246976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010815001.7A Pending CN114079872A (en) 2020-08-13 2020-08-13 Method and communication device for authentication

Country Status (2)

Country Link
CN (1) CN114079872A (en)
WO (1) WO2022033491A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110169104A (en) * 2017-01-05 2019-08-23 华为技术有限公司 The network architecture with multicast and broadcast multimedia subsystem ability
WO2020035051A1 (en) * 2018-08-17 2020-02-20 Huawei Technologies Co., Ltd. Systems and methods for enabling private communication within a user equipment group

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3881635B1 (en) * 2018-11-16 2023-05-03 Ofinno, LLC Application triggering for a wireless device
CN111526552B (en) * 2020-05-13 2024-02-02 腾讯科技(深圳)有限公司 Method for executing UE, method for executing SMF entity and SMF entity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "S2-1810786 management of PDU Sessions_cl", 3GPP TSG_SA\WG2_ARCH *

Also Published As

Publication number Publication date
WO2022033491A1 (en) 2022-02-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220222