CN114268943A - Authorization method and device - Google Patents


Info

Publication number: CN114268943A
Application number: CN202010973308.XA
Authority: CN (China)
Prior art keywords: edge, server, terminal, authorization information, request
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 李飞
Current assignee: Huawei Technologies Co Ltd (as listed by Google Patents; not verified by legal analysis)
Original assignee: Huawei Technologies Co Ltd
Priority: CN202010973308.XA; PCT/CN2021/117644 (published as WO2022057736A1)
Publication: CN114268943A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H04W12/06 Authentication
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Abstract

The application discloses an authorization method and an authorization device. The method comprises the following steps: a terminal sends a first configuration request to an edge configuration server (ECS), the first configuration request being used to request authorization information for communication between the terminal and an edge enabling server (EES); the ECS generates first authorization information according to the first configuration request and sends it to the terminal; the terminal sends a first request carrying the first authorization information to the EES; the EES receives the first request, verifies the first authorization information and, after verification, generates a first response comprising indication information of whether the terminal is authorized to access the EES; the EES sends the first response to the terminal; and the terminal determines from the first response whether it is authorized to access the EES. Because the ECS authorizes the terminal's access to the EES, the possibility of a terminal's access rights being misappropriated is reduced, and communication security in the edge service process is guaranteed.

Description

Authorization method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authorization method and an authorization apparatus.
Background
Mobile Edge Computing (MEC) originally referred to providing an IT service environment and cloud computing capability within the Radio Access Network (RAN), closest to the user's mobile terminal, with the aim of further reducing latency, improving network operation efficiency and service delivery capability, and improving the end-user experience. In that sense, the term "edge" refers to the mobile communication base station itself and the various servers in the wireless network. A mobile edge computing server deployed at the edge of the radio access network exposes real-time radio and network information (such as the real-time location of a moving user and the real-time load of a base station) to upper-layer applications and services, so that it can provide context-aware services.
Later, the European Telecommunications Standards Institute (ETSI) redefined MEC as multi-access edge computing over a heterogeneous network that includes LTE, 5G, fixed broadband and Wi-Fi technologies. Mobile edge computing still exists within this definition, but the heterogeneous network can cooperatively run edge applications: for example, in a stadium or at home, when one base station's coverage is poor, access devices can be served by all nearby devices capable of transmitting signals, where the access methods include additional base stations, nearby Wi-Fi and Bluetooth, and even another nearby mobile phone.
An important problem in MEC is how a terminal finds the optimal edge application, that is, how the edge application best able to serve the terminal is selected from information such as the terminal's position, so that the terminal uses the best service. Specifically, an Edge Data Network (EDN) includes an Edge Enable Server (EES) and an Edge Configuration Server (ECS), and the Edge Enable Client (EEC) in a terminal must obtain information from the ECS and the EES respectively to complete discovery of an edge application. Without an authorization mechanism, the ECS or the EES cannot confirm whether the corresponding EEC has the right to access the corresponding service, so access rights can be misappropriated.
Disclosure of Invention
The embodiment of the application provides an authorization method and an authorization device, which are used for solving the authorization problem when a terminal requests an edge service.
In a first aspect, an authorization method is provided, and the method includes: a terminal sends a first configuration request to an edge configuration server, where the first configuration request is used to request authorization information for communication between the terminal and an edge enabling server; the terminal receives first authorization information generated by the edge configuration server according to the first configuration request, where the first authorization information comprises an edge configuration server identifier and a terminal identifier; the terminal generates a first request carrying the first authorization information and sends it to the edge enabling server; and the terminal receives a first response comprising indication information of whether the terminal is authorized to access the edge enabling server.
In this embodiment, the edge configuration server authorizes the terminal and generates the terminal's first authorization information; the terminal then requests access verification from the edge enabling server using the first authorization information it received, so that the edge enabling server can determine from the first authorization information whether the terminal has the right to access the corresponding service. Because the terminal's access to the edge enabling server is authorized by the edge configuration server, the resource cost of the edge enabling server authorizing each terminal itself is reduced, the possibility of a terminal's access rights being misappropriated is reduced, and communication security in the edge service process is guaranteed.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees.
In one possible example, the first authorization information is encrypted by a first key, the first key being a shared key of the edge configuration server and the edge-enabled server; or the first key is the public key of the edge-enabled server.
In this embodiment, sending Kees within the first authorization information reduces the number of signalling exchanges between the terminal and the edge enabling server. Kees is the key for secure communication between the edge enabling server and the terminal; before the edge enabling server has determined that the terminal is authorized to access it, the security of that communication cannot be guaranteed.
In one possible example, the terminal is further configured to receive the Kees from the edge configuration server, or receive parameters used for deriving the Kees from the edge configuration server, and derive the Kees according to the parameters used for deriving the Kees; the terminal sends the Kees to the edge-enabled server.
In one possible example, the method further comprises: in the case where the terminal is authorized to access the edge-enabled server, the terminal and the edge-enabled server communicate using Kees or communicate using derived keys of Kees.
In the embodiment of the application, the edge configuration server may also send the Kees to the terminal through other messages, and the terminal performs secure communication with the edge enabling server through the Kees after being authorized to access the edge enabling server, so that the process of encrypting the first authorization information by the terminal and decrypting the encrypted first authorization information by the edge enabling server can be omitted, and the communication complexity is reduced.
In one possible example, the first authorization information is signed by an edge configuration server private key.
Signing prevents the first authorization information from being tampered with by unauthorized parties.
In a second aspect, there is provided an authorization method, the method comprising: an edge configuration server receives a first configuration request sent by a terminal, where the first configuration request is used to request authorization information for communication between the terminal and an edge enabling server; the edge configuration server generates first authorization information according to the first configuration request, where the first authorization information comprises an edge configuration server identifier and a terminal identifier; and the edge configuration server sends the first authorization information to the terminal.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees.
In one possible example, the method further comprises: the edge configuration server encrypts the first authorization information through a first key, wherein the first key is a shared key of the edge configuration server and the edge enabling server; or the first key is the public key of the edge-enabled server.
In one possible example, the method further comprises: the edge configuration server sends Kees to the terminal or sends parameters used for deriving Kees to the terminal.
In one possible example, the method further comprises: the edge configuration server pushes the Kees to the edge enabling server, or the edge configuration server sends the Kees to the edge enabling server according to the key request information of the edge enabling server.
In one possible example, the method further comprises: the edge configuration server signs the first authorization information by adopting an edge configuration server private key.
In this embodiment, the edge enabling server may acquire Kees from the edge configuration server and then perform matching verification against the Kees acquired from the terminal, thereby ensuring the security of communication with the terminal. If the edge configuration server actively pushes Kees to the edge enabling server, the edge enabling server obtains Kees in a timely manner; if the edge enabling server instead requests Kees from the edge configuration server, it obtains only the Kees it needs, which reduces the redundancy of storing unnecessary Kees.
In a third aspect, there is provided an authorization method, including: the method comprises the steps that an edge enabling server receives a first request sent by a terminal, wherein the first request comprises first authorization information, and the first authorization information comprises an edge configuration server identifier and a terminal identifier; the edge-enabled server verifies the first authorization information; the edge enabling server generates a first response after verification, wherein the first response comprises indication information of whether the terminal is authorized to access the edge enabling server; the edge-enabled server sends a first response to the terminal.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees; the method further comprises the following steps: and acquiring the Kees in the first authorization information.
In one possible example, the first authorization information is encrypted by a first key, the first key being a shared key of the edge configuration server and the edge-enabled server, or the first key being a public key of the edge-enabled server; acquiring the Kees in the first authorization information then includes: the edge enabling server decrypts the encrypted first authorization information using the shared key or the private key corresponding to the public key to obtain the first authorization information, and obtains the Kees from the first authorization information.
In one possible example, the method further comprises: the edge enabling server receives Kees from the edge configuration server; or the edge enabling server sends key request information to the edge configuration server and receives Kees from the edge configuration server.
In one possible example, the first authorization information is signed with an edge configuration server private key, and the edge-enabled server verifying the first authorization information includes: the edge-enabling server verifies the first authorization information using the edge configuration server public key.
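The three parties of the first, second and third aspects, as an added example that is not code from the patent or from Huawei: the ECS issues the first authorization information (ECS identifier, terminal identifier, EES identifier, Kees) protected under the first key it shares with the EES, the terminal forwards it in a first request, and the EES verifies it and returns an authorization indication. Everything about the encoding is assumed rather than taken from the page: JSON content, a 16-byte nonce, encrypt-then-MAC with HMAC-SHA256-derived keys standing in for a real AEAD such as AES-GCM, and nonce tracking so that a re-presented token is refused.

```python
"""Added example (not the patent's code): stdlib-only model of the ECS/EES flow."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32
# Constructed sample first key shared by ECS "ecs-1" and EES "ees-1" (assumption).
FIRST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def kdf(key: bytes, label: bytes, length: int = 32) -> bytes:
    """HMAC-SHA256 counter-mode derivation (HKDF stand-in); the label separates uses."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy confidentiality layer: XOR with an HMAC-derived keystream (illustration only)."""
    stream = kdf(key, b"enc" + nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def session_key(kees: bytes) -> bytes:
    """Derived key of Kees that terminal and EES use after authorization."""
    return kdf(kees, b"ees-terminal-session")


class EdgeConfigurationServer:
    """Second aspect: generates and protects the first authorization information."""

    def __init__(self, ecs_id: str, shared_keys: dict):
        self.ecs_id = ecs_id
        self.shared_keys = shared_keys  # ees_id -> first key shared with that EES

    def handle_configuration_request(self, terminal_id: str, ees_id: str):
        kees = secrets.token_bytes(32)
        info = {"ecs_id": self.ecs_id, "terminal_id": terminal_id,
                "ees_id": ees_id, "kees": kees.hex()}
        first_key = self.shared_keys[ees_id]
        nonce = secrets.token_bytes(NONCE_LEN)
        ciphertext = keystream_xor(first_key, nonce, json.dumps(info).encode())
        tag = hmac.new(kdf(first_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
        # The token goes to the terminal; Kees is also delivered to the terminal.
        return nonce + ciphertext + tag, kees


class EdgeEnablingServer:
    """Third aspect: verifies the first authorization information and answers."""

    def __init__(self, ees_id: str, ecs_id: str, first_key: bytes):
        self.ees_id, self.ecs_id, self.first_key = ees_id, ecs_id, first_key
        self.seen_nonces = set()
        self.session_keys = {}

    def handle_first_request(self, terminal_id: str, token: bytes) -> dict:
        if len(token) < NONCE_LEN + TAG_LEN:
            return {"authorized": False, "reason": "malformed"}
        nonce, ciphertext, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
        expected = hmac.new(kdf(self.first_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # tampered, or not from our ECS
            return {"authorized": False, "reason": "bad tag"}
        info = json.loads(keystream_xor(self.first_key, nonce, ciphertext))
        if info["ecs_id"] != self.ecs_id:
            return {"authorized": False, "reason": "unknown issuer"}
        if info["ees_id"] != self.ees_id:           # issued for a different EES
            return {"authorized": False, "reason": "wrong server"}
        if info["terminal_id"] != terminal_id:      # presented by another terminal
            return {"authorized": False, "reason": "terminal mismatch"}
        if nonce in self.seen_nonces:
            return {"authorized": False, "reason": "replay"}
        self.seen_nonces.add(nonce)
        self.session_keys[terminal_id] = session_key(bytes.fromhex(info["kees"]))
        return {"authorized": True}


def run_flow() -> dict:
    """Drives the flow, including the failure cases, and returns the outcomes."""
    ecs = EdgeConfigurationServer("ecs-1", {"ees-1": FIRST_KEY})
    ees = EdgeEnablingServer("ees-1", "ecs-1", FIRST_KEY)
    token, kees = ecs.handle_configuration_request("term-A", "ees-1")
    first = ees.handle_first_request("term-A", token)
    keys_agree = ees.session_keys.get("term-A") == session_key(kees)
    replay = ees.handle_first_request("term-A", token)
    tampered = bytearray(token)
    tampered[NONCE_LEN] ^= 0x01                   # flip one ciphertext bit
    bad_tag = ees.handle_first_request("term-A", bytes(tampered))
    token_b, _ = ecs.handle_configuration_request("term-B", "ees-1")
    stolen = ees.handle_first_request("term-C", token_b)
    return {"first": first, "keys_agree": keys_agree, "replay": replay,
            "bad_tag": bad_tag, "stolen": stolen}


if __name__ == "__main__":
    print(run_flow())
```

The order of checks in `handle_first_request` is the point for a defender: integrity is checked before anything in the token is parsed, the issuer and intended EES are checked before the terminal binding, and the session key is derived only on the authorized path, so a token copied from one terminal or issued for another EES yields a negative indication and no key material.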
In a fourth aspect, a communication apparatus is provided, which is applied to a terminal, and includes:
a sending module, configured to send a first configuration request to an edge configuration server (ECS), where the first configuration request is used to request authorization information for communication between the terminal and an edge enabling server (EES);
a receiving module, configured to receive first authorization information generated by the ECS according to the first configuration request, where the first authorization information comprises an edge configuration server identifier and a terminal identifier;
a processing module, configured to generate a first request that carries the first authorization information;
the sending module being further configured to send the first request to the EES;
and the receiving module being further configured to receive a first response, where the first response comprises indication information of whether the terminal is authorized to access the EES.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees.
In one possible example, the first authorization information is encrypted by a first key, the first key being a shared key of the edge configuration server and the edge-enabled server; or the first key is the public key of the edge-enabled server.
In one possible example, the receiving module is further configured to receive the Kees from the edge configuration server, or receive parameters used to derive the Kees from the edge configuration server, and the processing module is further configured to derive the Kees from the parameters used to derive the Kees; the sending module is further configured to send the Kees to an edge-enabled server.
In one possible example, where the terminal is authorized to access the edge-enabled server, the processing module communicates with the edge-enabled server using Kees, or communicates using a derivative key of Kees.
In one possible example, the first authorization information is signed by an edge configuration server private key.
In a fifth aspect, a communication apparatus is provided, which is applied to an edge configuration server, where the server includes:
a receiving module, configured to receive a first configuration request sent by a terminal, where the first configuration request is used to request authorization information for communication between the terminal and an edge enabling server;
the processing module is used for generating first authorization information according to the first configuration request, wherein the first authorization information comprises an edge configuration server identifier and a terminal identifier;
and the sending module is used for sending the first authorization information to the terminal.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees.
In one possible example, the processing module is further to: encrypting the first authorization information through a first key, wherein the first key is a shared key of the edge configuration server and the edge enabling server; or the first key is the public key of the edge-enabled server.
In one possible example, the sending module is further configured to: and sending the Kees to the terminal or sending parameters used for deducing the Kees to the terminal.
In one possible example, the sending module is further configured to: and pushing the Kees to the edge enabling server, or sending the Kees to the edge enabling server according to the key request information of the edge enabling server.
In one possible example, the processing module is further to: the first authorization information is signed by an edge configuration server private key.
In a sixth aspect, a communication apparatus is provided, which is applied to an edge-enabled server, and the server includes:
a receiving module, configured to receive a first request sent by a terminal, where the first request comprises first authorization information, and the first authorization information comprises an edge configuration server identifier and a terminal identifier;
the processing module is used for verifying the first authorization information;
the processing module is further used for generating a first response after the verification, wherein the first response comprises indication information of whether the terminal is authorized to access the edge-enabled server;
and the sending module is used for sending the first response to the terminal.
In one possible example, the first authorization information further includes one or more of: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
In one possible example, the first authorization information further includes an edge-enabled service key Kees; the processing module is further configured to: and acquiring the Kees in the first authorization information.
In one possible example, the first authorization information is encrypted by a first key, the first key being a shared key of the edge configuration server and the edge-enabled server; or the first secret key is a public key of the edge-enabled server;
acquiring the Kees in the first authorization information includes: the edge enabling server decrypts the encrypted first authorization information by using a private key corresponding to the shared secret key or the public key to obtain the first authorization information, and obtains the Kees in the first authorization information.
In one possible example, the edge-enabled server receives Kees from a terminal.
In one possible example, the receiving module is further configured to: receiving Kees from an edge configuration server; or, the sending module sends the key request information to the edge configuration server, and the receiving module receives the Kees from the edge configuration server.
In one possible example, the processing module is further configured to perform security authentication according to the Kees acquired from the terminal and the Kees acquired from the edge configuration server, and perform security communication with the terminal after the authentication is passed.
In one possible example, the first authorization information is signed with an edge configuration server private key; the processing module is further configured to: and verifying the first authorization information by using the public key of the edge configuration server.
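The Kees distribution options of the second and sixth aspects (the ECS pushes Kees to the EES, or the EES sends key request information and receives Kees on demand) and the matching verification of the Kees received from the terminal against the Kees received from the ECS, as an added example that is not the patent's code. Assumptions not on the page: Kees is 32 random bytes, both sides keep in-memory stores, and the match uses a constant-time comparison.

```python
"""Added example (not the patent's code): Kees push vs. request, and EES-side matching."""
import hmac
import secrets


class EcsKeyStore:
    """ECS side: keeps one Kees per (terminal, EES) pair."""

    def __init__(self):
        self._keys = {}

    def issue(self, terminal_id: str, ees_id: str) -> bytes:
        kees = secrets.token_bytes(32)
        self._keys[(terminal_id, ees_id)] = kees
        return kees                      # also delivered to the terminal

    def push(self, ees) -> int:
        """ECS actively pushes every Kees destined for this EES; returns how many."""
        pushed = 0
        for (terminal_id, ees_id), kees in self._keys.items():
            if ees_id == ees.ees_id:
                ees.receive_kees_from_ecs(terminal_id, kees)
                pushed += 1
        return pushed

    def answer_key_request(self, ees_id: str, terminal_id: str):
        """ECS answers key request information from an EES for one terminal."""
        return self._keys.get((terminal_id, ees_id))


class EesKeyMatcher:
    """EES side: matches the terminal-supplied Kees against the ECS-supplied one."""

    def __init__(self, ees_id: str, ecs: EcsKeyStore, on_demand: bool):
        self.ees_id, self.ecs, self.on_demand = ees_id, ecs, on_demand
        self._from_ecs = {}

    def receive_kees_from_ecs(self, terminal_id: str, kees: bytes) -> None:
        self._from_ecs[terminal_id] = kees

    def stored_key_count(self) -> int:
        return len(self._from_ecs)

    def verify_terminal(self, terminal_id: str, kees_from_terminal: bytes) -> bool:
        expected = self._from_ecs.get(terminal_id)
        if expected is None and self.on_demand:   # fetch only what is needed
            expected = self.ecs.answer_key_request(self.ees_id, terminal_id)
            if expected is not None:
                self._from_ecs[terminal_id] = expected
        if expected is None:
            return False                  # ECS issued nothing for this pair
        # Constant-time compare so the position of a mismatch does not leak.
        return hmac.compare_digest(expected, kees_from_terminal)


def compare_modes() -> dict:
    """Runs both distribution modes and returns store sizes and match results."""
    ecs = EcsKeyStore()
    k_a = ecs.issue("term-A", "ees-1")
    k_b = ecs.issue("term-B", "ees-1")
    ecs.issue("term-C", "ees-2")          # belongs to a different EES
    push_ees = EesKeyMatcher("ees-1", ecs, on_demand=False)
    pushed = ecs.push(push_ees)           # timely: keys present before any request
    pull_ees = EesKeyMatcher("ees-1", ecs, on_demand=True)
    before = pull_ees.stored_key_count()
    match = pull_ees.verify_terminal("term-A", k_a)
    after = pull_ees.stored_key_count()   # only the requested key is stored
    return {
        "pushed": pushed, "push_stored": push_ees.stored_key_count(),
        "pull_before": before, "pull_after": after, "match": match,
        "push_match_b": push_ees.verify_terminal("term-B", k_b),
        "wrong_key": push_ees.verify_terminal("term-A", secrets.token_bytes(32)),
        "wrong_ees": pull_ees.verify_terminal("term-C", k_a),
        "unknown": push_ees.verify_terminal("term-Z", k_a),
    }


if __name__ == "__main__":
    print(compare_modes())
```

The counts make the trade-off the description states visible: the push mode holds every Kees issued for this EES as soon as the ECS pushes, while the on-demand mode holds only the keys of terminals that actually presented themselves; in both modes a key issued for another EES or for an unknown terminal never matches.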
In a seventh aspect, an embodiment of the present application provides a communication apparatus, where the apparatus has a function of implementing a terminal in any possible implementation manner of the first aspect or the first aspect, or a function of implementing an edge configuration server in any possible implementation manner of the second aspect or the second aspect, or a function of implementing an edge-enabled server in any possible implementation manner of the third aspect or the third aspect.
The device may be a terminal or a chip included in the terminal. The functions of the communication equipment can be realized by hardware, and can also be realized by executing corresponding software by hardware, wherein the hardware or the software comprises one or more modules corresponding to the functions.
The device may be a server or a chip included in the server. The functions of the communication equipment can be realized by hardware, and can also be realized by executing corresponding software by hardware, wherein the hardware or the software comprises one or more modules corresponding to the functions.
In one possible design, the apparatus includes a processing module, a receiving module, and a transmitting module in a structure, where the processing module is configured to support the apparatus to perform the method in the first aspect or any one of the possible implementations of the first aspect, or to perform the method in the second aspect or any one of the possible implementations of the second aspect, or to perform the method in any one of the possible implementations of the third aspect or the third aspect.
In another possible design, the apparatus may be configured to include a processor and may also include a memory. The processor is coupled with the memory and is operable to execute computer program instructions stored in the memory to cause the apparatus to perform the method of the first aspect or any of the possible implementations of the first aspect, or to perform the method of the second aspect or any of the possible implementations of the second aspect, or to perform the method of the third aspect or any of the possible implementations of the third aspect. Optionally, the apparatus further comprises a communication interface, the processor being coupled to the communication interface. When the device is a terminal or a server, the communication interface may be a transceiver or an input/output interface; when the device is a chip included in a terminal or a server, the communication interface may be an input/output interface of the chip. Alternatively, the transceiver may be a transmit-receive circuit and the input/output interface may be an input/output circuit.
In an eighth aspect, an embodiment of the present application provides a chip system, including: a processor coupled to a memory, the memory being configured to store a program or instructions that, when executed by the processor, cause the system-on-chip to implement the method of the first aspect or any of the possible implementations of the first aspect, or to perform the method of the second aspect or any of the possible implementations of the second aspect, or to perform the method of any of the possible implementations of the third aspect.
Optionally, the system-on-chip further comprises an interface circuit for interacting code instructions to the processor.
Optionally, the number of processors in the chip system may be one or more, and the processors may be implemented by hardware or software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
Optionally, the system-on-chip may contain one or more memories. A memory may be integrated with the processor or separate from it, which is not limited in this application. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip; the type of the memory and the arrangement of the memory and the processor are not particularly limited in this application.
In a ninth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program or instructions are stored, which, when executed, cause a computer to perform the method of the first aspect or any one of the possible implementations of the first aspect, or the second aspect or any one of the possible implementations of the second aspect, or the method of any one of the possible implementations of the second aspect.
In a tenth aspect, embodiments of the present application provide a computer program product, which, when read and executed by a computer, causes the computer to perform the method in the first aspect or any one of the possible implementations of the first aspect, or perform the method in the second aspect or any one of the possible implementations of the second aspect, or perform the method in any one of the possible implementations of the second aspect.
In an eleventh aspect, an embodiment of the present application provides a communication system, where the communication system includes the terminal according to the fourth aspect, the edge configuration server according to the fifth aspect, and/or the edge enabling server according to the sixth aspect.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for the embodiments will be briefly described below.
Fig. 1A is a schematic diagram of a network architecture of an AKMA according to an embodiment of the present application;
fig. 1B is a flowchart of a secondary authentication provided in the present embodiment;
fig. 1C is an AKMA key architecture diagram according to an embodiment of the present application;
fig. 1D is a schematic diagram of key agreement when a UE accesses an AF according to an embodiment of the present application;
fig. 1E is a flowchart of an interaction between a UE and a NAF according to an embodiment of the present application;
fig. 1F is a schematic diagram of an MEC architecture according to an embodiment of the present disclosure;
fig. 2 is a flowchart of an application authorization method according to an embodiment of the present application;
fig. 3A is a flowchart of another application authorization method provided in an embodiment of the present application;
fig. 3B is a schematic view of another EEC subscription information query flow provided in the embodiment of the present application;
fig. 3C is a flowchart of another EEC authorization information verification process provided in this embodiment of the present application;
fig. 4 is a flowchart of another application authorization method provided in an embodiment of the present application;
fig. 5 is a block diagram of a communication device according to an embodiment of the present disclosure;
fig. 6 is a block diagram of another communication device according to an embodiment of the present disclosure;
fig. 7 is a block diagram of another communication device according to an embodiment of the present disclosure;
fig. 8 is a schematic hardware structure diagram of a communication device in an embodiment of the present application.
Detailed Description
The terms "first," "second," "third," and "fourth," etc. in the description and claims of this application and in the accompanying drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
"plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The network elements involved in the embodiments of the present application are described below with reference to the accompanying drawings.
Fig. 1A is a schematic diagram of an AKMA network architecture according to an embodiment of the present application. Compared with the conventional fifth generation mobile communication technology (5G) architecture, it adds a new network function (NF), the AKMA anchor function (AAnF) 100. The AAnF may be a stand-alone NF or may be co-located with other NFs; it supports the AKMA anchor key (K_AKMA) and the generation of the application key (K_AF). The other parts shown in fig. 1A and the network functions referred to in the embodiments of the present application are as follows:
a User Equipment (UE) may also be referred to as a terminal, a terminal device, etc. A terminal is a device with a wireless transceiving function, and can communicate with one or more Core Networks (CN) through AN Access Network device in a (Radio) Access Network (R) AN 120. Can be deployed on land, including indoors or outdoors, hand-held, worn, or vehicle-mounted; can also be deployed on the water surface, such as a ship and the like; it may also be deployed in the air, such as on an airplane, balloon, or satellite, etc. The terminal may be a Mobile Phone (Mobile Phone), a tablet computer (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), and so on.
A (radio) access network ((R)AN) 120 is configured to provide network access for authorized user equipment in a specific area and to offer transmission tunnels of different quality according to the level of the user equipment, the service requirement, and the like. For example, the (R)AN may manage radio resources, provide access services for the user equipment, and forward control information and/or data information between the user equipment and the core network (CN). The access network device in the embodiments of the present application is a device that provides a wireless communication function for a terminal device, and may also be referred to as a network device. The access network device may include: a next generation base station node (gNB) in a 5G system, an evolved Node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (e.g., a home evolved Node B (HeNB) or a home Node B (HNB)), a baseband unit (BBU), a transmission reception point (TRP), a transmission point (TP), a small base station device (pico), a mobile switching center, or a network device in a future network, etc. It is understood that the embodiments of the present application do not limit the specific type of the access network device. In systems with different radio access technologies, the names of the devices that serve as access network devices may differ.
An access and mobility management function (AMF) network function 130 is mainly used for mobility management, access management, and the like, and may implement the functions of a mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication. Hereinafter, the AMF network function is referred to simply as AMF.
An authentication server function (AUSF) 140 is used for authentication services, key generation, mutual authentication with the user equipment, and support of a unified authentication framework. It is mainly used for mutual authentication between the UE and the network and for generating the security keys used in subsequent procedures.
An Application Function (AF) 150, configured to perform application-influenced data routing, access a network open function, perform policy control with a policy framework in an interactive manner, and the like.
A Network Exposure Function (NEF) 160, configured to collect, analyze, and recombine network capabilities and open the network capabilities, where the AF may access the 5G core network through the NEF.
A Unified Data Management (UDM) 170 network function, which may be used to handle user equipment identification, access authentication, registration, mobility management, etc. It is understood that the UDM network function is hereinafter referred to as UDM.
A security anchor function (SEAF) network function shares the key K_SEAF with the UE. This key is used to derive all other keys, such as the keys for control plane protection and the keys for radio interface protection. The SEAF is assumed to reside in a secure location, and K_SEAF never leaves the SEAF. Thus, each time the UE goes idle and then becomes active again, access can be granted via the shared key, avoiding re-authentication. The SEAF may be deployed alone or together with the AMF network function 130.
For convenience of explanation, the access and mobility management function AMF network function 130 is taken as an example in the embodiment of the present application. Further, the AMF network function 130 is abbreviated as AMF, and the terminal device 110 is referred to as UE, that is, the AMF described later in this embodiment of the present application may be replaced by access and mobility management network functions, and the UE may be replaced by the terminal device.
In addition, the UE performs primary authentication when accessing the 3GPP network, that is, the UE and the core network complete mutual authentication. When the UE needs to access a specific data network (DN), the SMF network element on the core network side triggers authentication of the UE according to information such as the subscription; this authentication differs from the primary authentication and is named secondary authentication. Its purpose is for the DN-AAA to authenticate the UE, and the UE is allowed to access the corresponding service only if the DN authentication passes. Referring to fig. 1B, which is a flowchart of secondary authentication provided in an embodiment of the present application, the specific process of primary and secondary authentication includes the following steps:
1-2. the UE registers with the core network, and the network triggers primary authentication with the UE during registration;
3. after registration is completed, the UE and the network side can establish non-access stratum (NAS, i.e., between the UE and the AMF) security;
4-7. the UE starts to access the DN and initiates a session establishment request for the corresponding DN to the core network;
8. the SMF triggers secondary authentication of the UE;
9-10. the SMF requests from the UE an EAP identity (ID) for secondary authentication (extensible authentication protocol, EAP), where the EAP ID is used by the DN-AAA to identify the UE (the dotted line in the figure indicates that the UE may carry the ID in step 4, in which case an independent ID acquisition procedure is not needed);
11-12. the SMF triggers the DN-AAA to initiate EAP authentication towards the UE;
13. the DN-AAA performs standard EAP authentication with the UE. Here "via N4 and NAS" means that the DN-AAA messages pass through the UPF to the SMF over the N4 interface, and then from the SMF through the AMF to the UE over NAS signaling.
After the above-mentioned secondary authentication, the DN-AAA may further authenticate the UE during the session that the UE attempts to establish to the DN, so that the non-subscriber may be prevented from accessing the corresponding DN resource.
When accessing a third-party application function (AF), the UE needs to authenticate with the AF and establish a shared key for protecting communication between the UE and the AF. In view of this, 3GPP proposes a method for generating a shared key between the UE and the AF from the primary authentication result: authentication and key management for applications (AKMA). The main process comprises two steps:
1. obtaining the AKMA key K_AKMA between the UE and the AAnF;
2. obtaining the AF key K_AF between the UE and the AF.
Referring to fig. 1C, which is an AKMA key architecture diagram according to an embodiment of the present application, the UE and the network side complete primary authentication and generate a security key for subsequent use. The primary authentication also involves the AMF/SEAF (in this application, AMF/SEAF means the AMF, the SEAF, or the SEAF combined with the AMF), the AUSF and the UDM on the network side. The security key generated during primary authentication includes K_AUSF, which is a shared key between the AUSF and the UE. The UE and the AUSF can further derive the AKMA key K_AKMA from K_AUSF, so that the UE and the AF can protect the traffic between them with the K_AF generated from K_AKMA. In addition, the A-KID is the unique key identifier corresponding to K_AKMA.
After the UE and the AUSF have each obtained K_AKMA and the A-KID, refer to fig. 1D, which is a schematic diagram of key negotiation when the UE accesses the AF according to an embodiment of the present disclosure. As shown in fig. 1D, the UE sends a service session request message to the AF, carrying the A-KID. After receiving the service session request message, the AF sends an application key request message to the AAnF to obtain K_AF, and includes the received A-KID in that message. After receiving the application key request, the AAnF checks whether it already holds a K_AF generated from the K_AKMA corresponding to the A-KID. If so, the AAnF sends that K_AF to the AF. If not, the AAnF checks whether it holds the K_AKMA corresponding to the A-KID locally: if so, the AAnF generates K_AF from K_AKMA and sends it to the AF; if not, the AAnF sends an AKMA key request message carrying the received A-KID to the AUSF. After receiving the AKMA key request message carrying the A-KID, the AUSF returns the K_AKMA corresponding to the A-KID to the AAnF. The AAnF then calculates K_AF from the received K_AKMA and sends K_AF to the AF. The AF and the UE can then protect their communication based on K_AF.
Similar to AKMA, the generic bootstrapping architecture (GBA) also uses a key generated by the authentication between the UE and the core network to perform authentication and key sharing between the UE and the AF. In GBA, the AF is named the network application function (NAF). Referring to fig. 1E, which is a flowchart of interaction between the UE and the NAF according to an embodiment of the present application, once the UE and the bootstrapping server function (BSF) share a bootstrapping transaction identifier (B-TID) and Ks (the B-TID is used by the BSF to index Ks; since Ks is generated by the earlier bootstrapping procedure between the UE and the BSF, it is named a bootstrapping transaction identifier rather than a key identifier of Ks; this is similar to the UE and the AAnF holding K_AKMA in AKMA), the interaction between the UE and the NAF includes the following steps:
1. the UE sends an application request to the NAF carrying the B-TID (similar to the AKMA application session establishment request);
2. the NAF sends an authentication request to the BSF carrying the B-TID obtained from the UE and the NAF's own ID;
3. the BSF indexes information such as the key Ks of the UE by the B-TID, derives Ks_NAF and returns it to the NAF, possibly together with parameters such as the bootstrapping time and the key validity period;
4. the NAF returns an application response to the UE.
The parameters for deriving Ks_NAF include the key Ks, the random number RAND, the IP multimedia private identity (IMPI), the NAF_Id, and so on.
The specific scenario related to the embodiment of the present application is an MEC scenario, and fig. 1F is an MEC architecture schematic diagram provided in the embodiment of the present application, as shown in fig. 1F, the architecture includes User Equipment (UE), an EDN and an ECS, where the UE includes an Application Client (AC) and an EEC, the EDN includes an Edge Application Server (EAS) and an EES, and the UE and the EDN are connected through a 3GPP core network (3GPP core, 3GPP CN).
The process of AC discovery of the corresponding EAS includes the steps of:
the EEC acquires ECS address information through configuration or other means;
the EEC acquires EES information (such as address information) from the ECS through the EDGE-4 interface; in this step, the EEC carries information such as the application client type (e.g., V2X) and the EEC location so that the ECS can select a suitable EES for the EEC;
the EEC acquires EAS information (such as address information) from the EES through the EDGE-1 interface; the EEC may carry information such as the application client so that the EES can select a suitable EAS;
the EEC provides the acquired EAS information to the AC through EDGE-5;
the AC may then access the corresponding EAS.
In the above process, the authentication and authorization between the EEC and the ECS and between the EEC and the EES are not defined, which may mean that the ECS or the EES cannot confirm the identity of the EEC, leaving an attack in which a malicious third party forges the identity of the EEC to access the ECS or the EES; or that the ECS or the EES cannot confirm whether the EEC has the right to access the corresponding service, so that rights may be stolen.
Based on the above problem, please refer to fig. 2, fig. 2 is a flowchart of an application authorization method according to an embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
201. the terminal sends a first configuration request to the edge configuration server, the first configuration request being used to request authorization information for communication between the terminal and the edge-enabled server;
202. the edge configuration server receives the first configuration request and generates first authorization information according to the first configuration request;
203. the edge configuration server sends the first authorization information to the terminal;
204. the terminal receives the first authorization information and sends a first request to the edge-enabled server, the first request carrying the first authorization information;
205. the edge-enabled server receives the first request, verifies the first authorization information, and generates a first response after verification, the first response including indication information of whether the terminal is authorized to access the EES;
206. the edge-enabled server sends the first response to the terminal;
207. the terminal receives the first response and determines whether it is authorized to access the edge-enabled server according to the first response.
In the embodiment of the present application, the operation performed by the terminal may be specifically performed by the edge-enabled client, and therefore, the operation performed by the terminal is described as being performed by the EEC. In addition, the edge-enabled server is abbreviated as EES, the edge configuration server is abbreviated as ECS, and in other MEC architectures, the edge-enabled client, the edge-enabled server, and the edge configuration server may also correspond to other names or abbreviations, which is also applicable to the method of the embodiment of the present application, and the abbreviation of the embodiment of the present application does not limit the execution object of the method.
The AC discovery process above includes the step in which the EEC acquires EAS information from the EES so that the AC can access the corresponding EAS; the EEC therefore needs authorization from the EES in order to acquire EAS information. Normally, an authorization requester sends an authorization request to an authorizer, the authorizer verifies the requester to decide whether to authorize it and, if so, sends a notification of successful authorization or authorization information to the requester, and the requester then communicates with the authorizer according to its identity or the authorization information. This process is an interaction between the authorization requester and the authorizer, and with this approach every EES has to authorize the EEC. Since the EDN contains a large number of EESs, this causes a large data processing overhead and reduces authorization efficiency. Therefore, in the embodiment of the present application, the ECS authorizes the EEC, the EEC initiates a registration request to the EES according to the authorization information issued by the ECS, and the EES determines whether to allow the EEC access according to the result of verifying the authorization information.
Specifically, before the EEC communicates with the ECS, the ECS may authenticate the identity of the EEC, and in this embodiment, the identity of the EEC may be authenticated through secondary authentication or other application layer authentication, for example, certificate authentication. A shared key, Kecs, between the EEC and the ECS is then generated based on the authentication process. In one possible implementation, the Kecs may be generated according to an Extended Master Session Key (EMSK) generated by EAP authentication in the secondary authentication. The parameters for generating the Kecs may include an ECS ID or an EEC ID, etc. After the EEC is authenticated, communication with the ECS is possible.
The EEC obtains authorization information for the EES by sending a first configuration request to the ECS. The first configuration request may include terminal information, such as EEC ID or information of the application client AC, for indicating the client identity requesting the authorization information, and the information of the AC may be the application client AC ID, so as to uniquely identify the client identity.
Since the ECS has completed the authentication of the EEC, it can confirm the legitimate identity of the EEC according to the EEC ID or AC ID and then determine whether to authorize the EEC. After the ECS determines that the EEC can be authorized, it generates the first authorization information. The first authorization information may include an edge configuration server identifier (ECS ID) and a terminal identifier, where the ECS ID identifies the ECS and the terminal identifier identifies the terminal, so that after receiving the first authorization information the EES can determine the authorizer and the authorization requester and decide whether to allow the requester to register with the EES. The terminal identifier may be an EEC ID or a GPSI. Optionally, the first authorization information may further include one or more of: an edge-enabled server identifier (EES ID), an edge-enabled server provider identifier (EES provider ID), an edge computing service provider (ECSP) ID, and an edge application server identifier (EAS ID). The EES ID may be used to determine the authorization scope of the first authorization information, that is, which EES the EEC is authorized to access; the EES provider ID indicates an identity (e.g., an EES group identity) covering one or more EESs; and the ECSP ID and EAS ID are associated with the EES and can be used to determine the EES ID indirectly. Each of the above IDs may be a list of IDs.
The ECS may also sign the first authorization information with a private key to prevent the first authorization information from being tampered with. The EEC sends the first authorization information signed by the private key to the EES, and the EES adopts the public key of the ECS to carry out signature verification, so that the reliability of the authorization information is ensured.
After acquiring the first authorization information, the EES verifies the information therein, including verifying whether the EES ID in the first authorization information matches with its own ID, or verifying whether the EES provider ID in the first authorization information is its own provider, or verifying whether the EEC ID matches with the EEC ID in the first request, etc. If the first authorization information is all verified, the EES may generate a first response indicating whether the terminal is authorized to access the EES. The terminal may determine whether to access the EES according to the received first response.
Optionally, the first authorization information may further include an edge-enabled service key, denoted Kees, for secure communication between the EEC and the EES. When the EEC is authorized to access the EES, the ECS needs to deliver the Kees to the EEC and to the EES respectively, so that the EEC and the EES can communicate securely using the Kees. The Kees may be derived from the Kecs or generated from parameters such as the EEC ID and the EES ID.
Or, the ECS may send the Kees to the EEC, or the ECS may send a parameter for deriving the Kees, and the EEC may obtain the Kees according to the parameter for deriving the Kees and the same derivation manner as the ECS.
When the Kees is included in the first authorization information, since the communication channel between the EEC and the EES has not yet been authenticated and its security cannot be guaranteed, the first authorization information may be encrypted to protect the Kees during transmission. The first authorization information may be encrypted with a key shared by the ECS and the EES, or with the public key of the EES. After obtaining the encrypted first authorization information from the ECS, the EEC sends it to the EES in its registration request. The EES decrypts the encrypted first authorization information with the symmetric key it shares with the ECS, or with the private key it stores, and thereby obtains the Kees and the other authorization information.
In the case that the first authorization information does not include the Kees, after the EES authenticates the first authorization information sent by the EEC, the EEC sends the Kees to the EES, and the EES acquires the Kees.
After the EES acquires the Kees sent by the EEC, the EES may also acquire the Kees from the ECS. The process that the EES acquires the Kees from the ECS comprises the step that the ECS actively pushes the key to the EES, or the EES sends key request information to the ECS to request to acquire the Kees.
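The Kees handling described above (Kees derived from Kecs together with the EEC ID and EES ID, carried inside the first authorization information, encrypted under the ECS-EES shared key so that the relaying EEC can neither read nor alter it, and decrypted by the EES; or alternatively derived by the EEC itself from the same parameters) as an added example in Go. This is not code from the patent or from any 3GPP implementation. The HMAC-SHA256 derivation and its label, AES-256-GCM as the shared-key encryption, the JSON layout, and identifiers such as ecs-1, eec-1 and ees-7 are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// DeriveKees derives the edge-enabled service key Kees from the EEC-ECS shared
// key Kecs and the EEC ID and EES ID. The description only says Kees may be
// derived from Kecs or from such identifiers; this HMAC-SHA256 construction and
// its label are assumptions made for the example, not a standardised KDF.
func DeriveKees(kecs []byte, eecID, eesID string) []byte {
	mac := hmac.New(sha256.New, kecs)
	for _, part := range []string{"Kees", eecID, eesID} {
		mac.Write([]byte(part))
		mac.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" differ
	}
	return mac.Sum(nil) // 32-byte key, usable directly as an AES-256 key
}

// AuthorizationWithKey is the first authorization information in the case
// where Kees is carried inside it (field names constructed for the example).
type AuthorizationWithKey struct {
	ECSID string `json:"ecs_id"`
	EECID string `json:"eec_id"`
	EESID string `json:"ees_id"`
	Kees  []byte `json:"kees"`
}

func newGCM(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForEES is the ECS side: encrypt the authorization information under the
// ECS-EES shared key so the EEC, which only relays it, can neither read nor
// alter Kees. Output layout: nonce || ciphertext || GCM tag.
func SealForEES(sharedKey []byte, info AuthorizationWithKey) ([]byte, error) {
	plain, err := json.Marshal(info)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenFromECS is the EES side: decrypt with the shared key. Any modification
// in transit makes the GCM tag check fail and nothing is returned.
func OpenFromECS(sharedKey, sealed []byte) (AuthorizationWithKey, error) {
	var info AuthorizationWithKey
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return info, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return info, errors.New("sealed authorization information too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return info, errors.New("authorization information rejected: authentication failed")
	}
	err = json.Unmarshal(plain, &info)
	return info, err
}

// KeysMatch compares two keys in constant time.
func KeysMatch(a, b []byte) bool { return hmac.Equal(a, b) }
```

The ECS calls DeriveKees and SealForEES; the EES calls OpenFromECS and takes Kees from the result; an EEC that was given only the derivation parameters calls DeriveKees with the same inputs and ends up with the same Kees, which KeysMatch confirms without leaking timing information.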
Optionally, the EEC ID used in the authorization or identity authentication above may be replaced by a generic public subscription identifier (GPSI), which can also uniquely identify a terminal.
Therefore, in the embodiment of the present application, the ECS authorizes the terminal and generates the first authorization information of the terminal; the terminal then requests access verification from the EES according to the acquired first authorization information, so that the EES determines, according to the first authorization information, whether the terminal has the right to access the corresponding service. In this process the terminal is authorized by the edge configuration server to access the edge-enabled server, which reduces the resource overhead of the edge-enabled server authorizing each terminal, reduces the possibility of theft of the terminal's rights, and ensures communication security in the edge service process.
Alternatively, the UDM together with the AUSF may perform subscription verification of the EEC, after which the ECS authorizes the EEC. Referring specifically to fig. 3A, which is a flowchart of another application authorization method according to an embodiment of the present application, the method includes the following steps:
301. the terminal sends a second configuration request to the edge configuration server, the second configuration request being used to request second authorization information; the second configuration request includes a security identifier, which is used for verification by the AUSF;
302. the edge configuration server receives the second configuration request and queries the subscription information of the terminal according to the second configuration request;
303. after the subscription information of the terminal is found, the edge configuration server generates second authorization information;
304. the edge configuration server sends the second authorization information to the terminal;
305. the terminal receives the second authorization information, and generates and sends a second request to the edge-enabled server, the second request carrying the second authorization information;
306. the edge-enabled server receives the second request, verifies it, and generates a second response after verification, the second response including indication information of whether the terminal is authorized to access the EES;
307. the edge-enabled server sends the second response to the terminal;
308. the terminal receives the second response and determines whether it is authorized to access the edge-enabled server according to the second response.
Similarly, in the embodiment of the present application, the terminal is referred to as an EEC, the edge configuration server is abbreviated as an ECS, and the edge enabling server is abbreviated as an EES.
The UDM may be preset with subscription information including a subscription permanent identifier (SUPI), such as an EEC ID, or a generic public subscription identifier (GPSI), together with an ECS ID or an EES provider ID, etc., which identify the terminal and the ECS (or EES) that completed the subscription. Then the terminal requests AKMA authentication from the ECS, generating K_AKMA and the A-KID that identifies this key; the ECS and the terminal each acquire the A-KID, and the terminal may also initiate a service session establishment request to the ECS according to the A-KID. Alternatively, the terminal requests GBA authentication from the ECS. The A-KID generated by the terminal and the ECS after AKMA authentication, and the corresponding SUPI, are stored in the AUSF. Similarly, the B-TID generated by GBA authentication and the corresponding SUPI are stored in the BSF.
After the aforementioned authentication, the EEC may communicate with the ECS. The EEC sends a second configuration request to the ECS to request second authorization information so that the EEC is authorized to access the EES. The second configuration request may include the EEC ID or AC information, etc., so that the ECS can identify the EEC. In particular, the second configuration request may include a security identifier (secure ID), which the EEC may compute using the Kausf generated by primary authentication with the AUSF; the derivation parameters may include the EEC ID in addition to Kausf. After receiving the second configuration request, the ECS may send a subscription information query request to the UDM to determine whether the EEC has subscribed to the relevant edge computing service, and if so, the ECS authorizes the EEC. The subscription information query request sent by the ECS includes the security identifier; since the Kausf is stored in the AUSF, the UDM sends the security identifier to the AUSF for verification. After the AUSF verifies the security identifier, the UDM looks up the edge computing subscription corresponding to the EEC and returns the EEC subscription data to the ECS in an edge computing service subscription query response. In addition, the subscription information query request also includes the EEC ID and/or the ECS ID, etc., to identify the requester of the subscription information query and the object being queried.
After receiving the EEC subscription information, the ECS may determine to authorize the EEC and generate the second authorization information of the EEC; or, if it determines that the EEC is not authorized (i.e., it is notified that no EEC subscription data was found), it may generate other authorization response information to indicate that authorization failed. When the EEC receives the second authorization information, it may generate a second request carrying the second authorization information to request access to the EES. As in the embodiment corresponding to fig. 2, the second authorization information may include an ECS ID and an EEC ID, and optionally one or more of an EES ID, an EES provider ID, an ECSP ID or an EAS ID, which determine the range of EESs the ECS authorizes the EEC to access. The second authorization information may also include a validity time, so that the EES can determine whether the ECS's authorization of the EEC is still within its time limit.
Likewise, the ECS may sign the second authorization information with its private key to prevent the second authorization information from being tampered with. The EEC sends the signed second authorization information to the EES, and the EES verifies the signature with the public key of the ECS, ensuring the reliability of the authorization information.
After acquiring the second authorization information, the EES checks its contents, including: verifying whether the ECS ID belongs to a trusted ECS, and then verifying whether the signature of the second authorization information is valid using the public key corresponding to that ECS; checking whether the second authorization information is still within its validity period; checking whether the EES information in it matches the EES's own information; and checking whether the EEC ID in the second request is consistent with the EEC ID in the second authorization information, and so on. If all checks on the second authorization information pass, the EES may generate a second response indicating whether the terminal is authorized to access the EES. The terminal may determine whether to access the EES according to the received second response.
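The issue-and-verify steps just described, for both the first authorization information of fig. 2 and the second authorization information of fig. 3A (the ECS signs the authorization information, the EEC relays it unchanged, and the EES checks the ECS ID against its trusted ECSs, the signature, the validity period, its own place in the EES ID or EES provider ID scope, and the EEC ID against the one in the request), as an added example in Go. This is not code from the patent or from any 3GPP implementation. Ed25519 stands in for the unspecified ECS signature scheme, and the JSON field names, the Unix-seconds validity time, and identifiers such as ecs-1, eec-1, ees-7 and prov-A are constructed for the example; the first authorization information is the same structure with the validity time unused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// AuthorizationInfo holds the fields listed for the authorization information.
// The JSON encoding and field names are constructed for this example.
type AuthorizationInfo struct {
	ECSID         string   `json:"ecs_id"`
	EECID         string   `json:"eec_id"`
	EESIDs        []string `json:"ees_ids,omitempty"`         // authorization scope
	EESProviderID string   `json:"ees_provider_id,omitempty"` // alternative scope (EES group)
	NotAfter      int64    `json:"not_after"`                 // validity time, Unix seconds
}

// SignedAuthorization is what the EEC forwards unchanged to the EES: the exact
// bytes that were signed plus the ECS signature over them.
type SignedAuthorization struct {
	Payload, Signature []byte
}

// ECS is the issuing server. Ed25519 stands in for the unspecified signature scheme.
type ECS struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewECS(id string) (*ECS, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ECS{ID: id, Pub: pub, priv: priv}, nil
}

// Issue is steps 202-203 (303-304): the ECS, having authenticated the EEC (and, in
// fig. 3A, found its subscription), generates and signs the authorization information.
func (s *ECS) Issue(eecID string, eesIDs []string, providerID string, notAfter int64) (SignedAuthorization, error) {
	payload, err := json.Marshal(AuthorizationInfo{
		ECSID: s.ID, EECID: eecID, EESIDs: eesIDs, EESProviderID: providerID, NotAfter: notAfter})
	if err != nil {
		return SignedAuthorization{}, err
	}
	return SignedAuthorization{Payload: payload, Signature: ed25519.Sign(s.priv, payload)}, nil
}

// EES is the verifying server; TrustedECS maps ECS IDs to their public keys.
type EES struct {
	ID, ProviderID string
	TrustedECS     map[string]ed25519.PublicKey
}

func NewEES(id, providerID string, trusted ...*ECS) *EES {
	e := &EES{ID: id, ProviderID: providerID, TrustedECS: map[string]ed25519.PublicKey{}}
	for _, s := range trusted {
		e.TrustedECS[s.ID] = s.Pub
	}
	return e
}

// Verify is step 205 (306), in the order the description gives: trusted ECS ID,
// signature, validity period, EES scope, then EEC ID consistency with the request.
func (e *EES) Verify(a SignedAuthorization, requestEECID string, nowUnix int64) (AuthorizationInfo, error) {
	var info AuthorizationInfo
	if err := json.Unmarshal(a.Payload, &info); err != nil {
		return info, err
	}
	pub, ok := e.TrustedECS[info.ECSID]
	if !ok {
		return info, errors.New("ECS ID not trusted")
	}
	if !ed25519.Verify(pub, a.Payload, a.Signature) { // covers every field at once
		return info, errors.New("signature invalid")
	}
	if nowUnix > info.NotAfter {
		return info, errors.New("authorization expired")
	}
	if !e.inScope(info) {
		return info, errors.New("this EES is outside the authorization scope")
	}
	if info.EECID != requestEECID {
		return info, errors.New("EEC ID in request does not match authorization")
	}
	return info, nil
}

func (e *EES) inScope(info AuthorizationInfo) bool {
	for _, id := range info.EESIDs {
		if id == e.ID {
			return true
		}
	}
	return info.EESProviderID != "" && info.EESProviderID == e.ProviderID
}
```

The signature is checked over the exact payload bytes the ECS produced, before any field is trusted, so an EEC that edits the validity time or the EES list in transit is rejected by the signature check rather than by a later field comparison; the ECS ID is read first only to select which public key to verify against.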
Similarly, secure communication between the EEC and the EES is ensured by the Kees sent by the ECS. The Kees may be generated according to the terminal subscription information queried by the ECS from the UDM, and specifically may be generated from K_AF or from Ks_NAF.
Optionally, the second authorization information may include the Kees, and the EES may obtain the Kees from the received second authorization information (encrypted with a symmetric key shared by the ECS and the EES, or with the public key of the EES). Alternatively, the ECS may send the Kees, or the parameters for deriving the Kees (for example, K_AF or Ks_NAF), to the EEC: if the EEC receives the Kees, it may send the Kees directly to the EES for secure communication; if it receives the derivation parameters, it may derive the Kees in the same manner as the ECS and then send the Kees to the EES for secure communication.
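The following Python is an added example, not part of the patent, showing one way the Kees can be derived identically at the ECS and at the EEC from K_AF (or Ks_NAF) and then confirmed at the EES. It assumes, beyond anything the page states, that the derivation is HKDF-SHA256 (RFC 5869) with the A-KID as salt and the target EES ID in the info field, and that the EES checks the terminal's Kees against the one it obtained from the ECS by verifying a key-confirmation MAC rather than comparing raw key bytes received over the air. K_AF, the identifiers and the nonce are constructed sample values, and all function names are hypothetical.

```python
"""Deriving the edge-enabled service key Kees and confirming it at the EES.

Added example, not the patent's code. Assumptions (none stated in the page):
- "generated according to K_AF" is HKDF-SHA256 (RFC 5869) with the A-KID as
  salt and the target EES ID in the info string; Ks_NAF (GBA) is used the
  same way in place of K_AF;
- the EES checks the terminal's Kees against the one it got from the ECS by
  verifying a key-confirmation MAC, so the key itself never crosses the
  EEC-EES link;
- K_AF, identifiers and the nonce are constructed sample values.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_kees(k_af: bytes, a_kid: str, ees_id: str) -> bytes:
    """Run by the ECS (which holds K_AF) and by the EEC (which derives K_AF from
    K_AKMA); both obtain the same Kees because the inputs are the same."""
    return hkdf_sha256(k_af, salt=a_kid.encode(), info=b"Kees" + ees_id.encode())


def key_confirmation(kees: bytes, eec_id: str, nonce: bytes) -> bytes:
    """Terminal -> EES proof of possession of Kees, bound to the EEC ID and a nonce."""
    return hmac.new(kees, b"Kees-confirm|" + eec_id.encode() + b"|" + nonce, hashlib.sha256).digest()


def ees_check_terminal(kees_from_ecs: bytes, eec_id: str, nonce: bytes, proof: bytes) -> bool:
    """EES: the terminal's Kees matches the ECS-supplied Kees iff the MACs agree."""
    return hmac.compare_digest(key_confirmation(kees_from_ecs, eec_id, nonce), proof)


def session_key(kees: bytes, direction: bytes) -> bytes:
    """Derivative key of Kees for protecting EEC-EES traffic in one direction."""
    return hkdf_sha256(kees, salt=b"", info=b"Kees-session|" + direction)


if __name__ == "__main__":
    k_af = bytes(range(32))                             # constructed K_AF
    kees_ecs = derive_kees(k_af, "A-KID-1", "ees-7")    # at the ECS, pushed to the EES
    kees_eec = derive_kees(k_af, "A-KID-1", "ees-7")    # at the EEC from the same parameters
    nonce = b"constructed-nonce-from-ees"
    proof = key_confirmation(kees_eec, "eec-42", nonce)
    print("EES accepts terminal:", ees_check_terminal(kees_ecs, "eec-42", nonce, proof))
    print("uplink key differs from downlink key:",
          session_key(kees_ecs, b"ul") != session_key(kees_ecs, b"dl"))
```

Binding the EES ID into the derivation means a Kees obtained for one EES is useless at another, and deriving per-direction traffic keys from the Kees keeps the Kees itself off the wire, which is what the page's "derivative key of the Kees" option buys.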
Therefore, in the embodiment of the present application, when the EEC requests authorization from the ECS, the ECS queries the subscription information that the terminal generated during AKMA or GBA authentication to complete authentication of the terminal. This simplifies the authentication procedure, prevents unsubscribed users from accessing the EDN, and defeats a malicious third party that forges an EEC identity in order to access the ECS or the EES. In addition, because the ECS authorizes the terminal and generates the second authorization information, the resource overhead of the edge enabling server authorizing each terminal individually is reduced. The terminal then requests access verification from the EES using the second authorization information it obtained, so the EES decides from that information whether the terminal is entitled to access the corresponding service. Because the terminal is authorized to access the edge enabling server through the edge configuration server (a third-party server), the security and reliability of the authorization are improved, the possibility of a terminal's authority being misused is reduced, and communication security during the edge service is ensured.
Optionally, referring to fig. 3B, fig. 3B is a schematic view of another EEC subscription information query flow provided in this embodiment of the present application. As shown in fig. 3B, the UDM may be preconfigured with subscription information including an ECS ID, an EES provider ID, a User ID, and the like, and the ECS may be preconfigured with an EEC ID and an EES provider ID indicating the EES to which the EEC is subscribed. The terminal then requests AKMA authentication from the ECS, generating K_AKMA and an A-KID identifying that key; the ECS, the AAnF and the terminal each obtain the A-KID, and the AAnF also obtains the terminal identity, e.g., the SUPI, corresponding to the A-KID. The terminal may also initiate a service session establishment request to the ECS based on the A-KID.
The EEC then initiates a second configuration request to the ECS. Because communication between the EEC and the ECS is protected with K_AF, after communicating with the EEC the ECS can obtain the A-KID corresponding to the EEC and query whether it has stored a User ID corresponding to that A-KID. If it has, the ECS can send a subscription information query request to the UDM directly with the User ID; if it has not, the ECS must first query the AAnF for the terminal's SUPI using the A-KID, and the AAnF then queries the UDM for the subscription information using the SUPI. After the UDM looks up the subscription information, it returns it to the ECS. The ECS stores the mapping between the A-KID and the User ID so that next time it can obtain the subscription information directly by User ID (this step is omitted if the ECS already stores the mapping). Finally, the ECS selects a suitable EES from the group corresponding to the EES provider ID and authorizes the EEC, so that the EEC is authorized to access that EES.
By the method, the subscription information can be directly acquired from the UDM according to the User ID, and the acquisition accuracy of the subscription information is improved.
Optionally, after obtaining the second authorization information from the ECS, the EEC sends a second request to the EES for access registration, and the verification of the second authorization information may be performed by the ECS instead of the EES. Referring to fig. 3C, which is a flowchart of another EEC authorization information verification process provided in this embodiment of the present application: after the EEC obtains the second authorization information from the ECS, it sends the second request, carrying the second authorization information, to the EES; the EES receives the second request and forwards the second authorization information to the ECS for verification. The verification covers the identity of the ECS as the authorizer and the identity of the EEC as the authorized party. The second request may further include K_AF for verifying the validity of the EEC identity, a validity time for determining whether the second authorization information is within its validity period, an EES ID identifying the authorization object, or other authentication information such as a random number RAND. After the ECS finishes verifying the information in the second request, it sends a response to the EES indicating whether the EEC passed verification; if so, the EES generates a second response and sends it to the EEC, and the terminal receives the second response and determines from it whether access to the edge enabling server is authorized.
With the method of this embodiment, the ECS verifies the EEC authorization information and the EES completes the EEC authorization according to the ECS's verification result, which reduces the amount of data processing at the EES.
Fig. 4 is a flowchart of another application authorization method provided in an embodiment of the present application, and as shown in fig. 4, the method includes the following steps:
401. the terminal sends a third request to the authentication and authorization function network element, and the third request is used for requesting to acquire third authorization information;
402. the authentication and authorization function network element receives the third request and confirms the identity of the terminal according to the third request;
403. after the confirmation is completed, the authentication and authorization functional network element generates third authorization information;
404. the authentication and authorization function network element sends the third authorization information to the terminal.
In the embodiment of the present application, the terminal is referred to as an EEC, the edge configuration server is abbreviated as an ECS, and the edge enabling server is abbreviated as an EES. In addition, in the embodiment of the present application, a network element is introduced, which is specifically configured to perform authentication and authorization of a terminal, and may be named as an Authentication and Authorization Function (AAF) network element. As an alternative implementation, the AAF function is integrated in the ECS, and at this time, the flow between the EEC and the AAF, which is described below, is the flow between the EEC and the ECS.
In the process of authenticating and authorizing the terminal with the AAF, the EEC and the AAF first perform AKMA authentication, generating K_AKMA and an A-KID identifying that key, and the AAF and the EEC each obtain the A-KID. Alternatively, the EEC and the AAF perform GBA authentication to generate a B-TID, and the AAF and the EEC each obtain the B-TID.
After the authentication, the EEC can communicate securely with the AAF. The EEC sends a third request to the AAF to obtain third authorization information, so that the EEC is authorized to access the ECS or the EES. The third request may carry an EEC ID and/or a GPSI identifying the terminal applying for the authorization information, may also carry an ECS ID or EES information identifying the object the terminal requests access to, and may also carry a message authentication code computed from K_AUSF (or a key derived from K_AUSF) and the EEC ID or GPSI, which may be named MAC-I.
After receiving the third request, the AAF may confirm the identity of the EEC, that is, determine that the EEC is a terminal that has completed AKMA or GBA authentication. First, the correspondence between the A-KID (or B-TID) and the EEC ID (or GPSI) can be checked, so that an A-KID (or B-TID) sent by the terminal cannot be paired with an EEC ID (or GPSI) that does not belong to it; the A-KID (or B-TID) is the key identifier, obtained by the AAF, that was generated by the terminal when it completed authentication. Specifically, the check can be performed in the following ways:
In the first mode, the AAF checks according to its local configuration.
In the second mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the NEF; the NEF obtains the SUPI and sends the SUPI and the A-KID (or B-TID) to the AAnF (or BSF); the AAnF (or BSF) checks the correspondence between the SUPI and the A-KID (or B-TID) and returns the check result to the NEF, which returns it to the AAF.
In the third mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the NEF; the NEF sends the A-KID (or B-TID) to the AAnF (or BSF) to request the SUPI; the AAnF (or BSF) returns the SUPI to the NEF; the NEF compares the received SUPI with the SUPI it obtained from the EEC ID (or GPSI) and returns the check result to the AAF.
In the fourth mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AAnF for checking; the AAnF obtains the SUPI and sends the SUPI and the EEC ID (or GPSI) to the NEF or the UDM for checking; the NEF or UDM checks the correspondence between the SUPI and the EEC ID (or GPSI) and returns the result to the AAnF, which returns it to the AAF.
In the fifth mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AAnF for checking; the AAnF sends the EEC ID (or GPSI) to the NEF or the UDM to request the SUPI; the NEF or UDM returns the SUPI to the AAnF; the AAnF compares the received SUPI with the SUPI it obtained from the A-KID (or B-TID) and returns the check result to the AAF.
In the sixth mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the UDM to request a check; the UDM obtains the SUPI and sends the SUPI and the A-KID (or B-TID) to the AUSF for checking; the AUSF checks the correspondence between the SUPI and the A-KID (or B-TID) and returns the result to the UDM, which returns it to the AAF.
In the seventh mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the UDM to request a check; the UDM sends the A-KID (or B-TID) to the AUSF or the AAnF to request the SUPI; the UDM compares the received SUPI with the SUPI it obtained from the EEC ID (or GPSI) and returns the check result to the AAF.
In the eighth mode, the AAF sends the EEC ID (or GPSI) and the A-KID (or B-TID) to the AUSF for checking; the AUSF obtains the SUPI from the UDM or the NEF, checks the correspondence between the SUPI and the A-KID (or B-TID), and returns the check result to the AAF. If the AAF also received a MAC-I, the MAC-I may be sent to the AUSF for checking as well.
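As an added example (not the patent's own code), the following Python carries out the third mode above, resolving the SUPI from the A-KID and from the GPSI and comparing the two, together with the MAC-I check of the eighth mode. The AAnF, UDM and AUSF are stood in for by in-memory tables; the key derived from K_AUSF is assumed to be HMAC-SHA256(K_AUSF, "MAC-I-key"), and MAC-I is assumed to be HMAC-SHA256 of that key over the GPSI and the A-KID (the page only says the MAC is computed over the EEC ID or GPSI; binding the A-KID in as well is an addition). All identifiers and key values are constructed and all function names are hypothetical.

```python
"""AAF identity confirmation: does the A-KID belong to the claimed GPSI, and is
the MAC-I valid? Third mode (resolve the SUPI both ways and compare) plus the
eighth-mode MAC-I check.

Added example, not the patent's code. Assumptions (none stated in the page):
- the AAnF, UDM and AUSF are stood in for by in-memory tables;
- the key derived from K_AUSF is HMAC-SHA256(K_AUSF, "MAC-I-key");
- MAC-I = HMAC-SHA256(derived key, GPSI || "|" || A-KID);
- all identifiers and key bytes are constructed sample values.
"""
import hashlib
import hmac

# Constructed state of the core-network functions.
AANF_AKID_TO_SUPI = {"A-KID-1": "imsi-001010123456789"}            # who completed AKMA with this A-KID
UDM_GPSI_TO_SUPI = {"msisdn-15551234567": "imsi-001010123456789",  # who owns each GPSI
                    "msisdn-15550000000": "imsi-001010999999999"}
AUSF_SUPI_TO_KAUSF = {"imsi-001010123456789": b"constructed-kausf-for-subscriber-1",
                      "imsi-001010999999999": b"constructed-kausf-for-subscriber-2"}


def mac_key_from_kausf(k_ausf: bytes) -> bytes:
    """Key derived from K_AUSF for the MAC-I (assumed derivation)."""
    return hmac.new(k_ausf, b"MAC-I-key", hashlib.sha256).digest()


def mac_i(k_ausf: bytes, gpsi: str, a_kid: str) -> bytes:
    """MAC-I over the claimed identity and the key identifier, keyed from K_AUSF."""
    return hmac.new(mac_key_from_kausf(k_ausf), (gpsi + "|" + a_kid).encode(), hashlib.sha256).digest()


def terminal_build_third_request(k_ausf: bytes, gpsi: str, a_kid: str) -> dict:
    """Terminal side: the identity-bearing fields of the third request."""
    return {"gpsi": gpsi, "a_kid": a_kid, "mac_i": mac_i(k_ausf, gpsi, a_kid)}


def aaf_confirm_identity(third_request: dict) -> tuple:
    """AAF side. Returns (ok, reason)."""
    gpsi, a_kid, tag = third_request["gpsi"], third_request["a_kid"], third_request["mac_i"]
    supi_from_akid = AANF_AKID_TO_SUPI.get(a_kid)   # AAnF: SUPI behind the A-KID
    supi_from_gpsi = UDM_GPSI_TO_SUPI.get(gpsi)     # UDM: SUPI behind the claimed GPSI
    if supi_from_akid is None:
        return False, "unknown A-KID (no completed AKMA authentication)"
    if supi_from_gpsi is None:
        return False, "unknown GPSI"
    # The binding check: a valid A-KID for one subscriber must not authorise another's GPSI.
    if supi_from_akid != supi_from_gpsi:
        return False, "A-KID does not belong to the claimed GPSI"
    # MAC-I check (done at the AUSF in the eighth mode, since only it holds K_AUSF).
    k_ausf = AUSF_SUPI_TO_KAUSF[supi_from_akid]
    if not hmac.compare_digest(mac_i(k_ausf, gpsi, a_kid), tag):
        return False, "MAC-I invalid"
    return True, "identity confirmed"


if __name__ == "__main__":
    k1 = AUSF_SUPI_TO_KAUSF["imsi-001010123456789"]
    print(aaf_confirm_identity(terminal_build_third_request(k1, "msisdn-15551234567", "A-KID-1")))
    # Subscriber 1 holds a valid A-KID but claims subscriber 2's GPSI: rejected.
    print(aaf_confirm_identity(terminal_build_third_request(k1, "msisdn-15550000000", "A-KID-1")))
```

The second call shows the attack the page is concerned with: a terminal that genuinely completed AKMA under its own subscription, and therefore holds a valid A-KID and can even compute a correct MAC-I, is still rejected at the SUPI comparison when it claims another subscriber's GPSI, before any MAC is examined.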
Optionally, the AAF may further send an authorization confirmation request to the UDM carrying the EEC ID (or GPSI), to determine whether the terminal is allowed to access the ECS or the EES (or EAS), and the UDM may carry the ECS ID and/or the EES information in the authorization confirmation response.
The AAF then generates the third authorization information and sends it to the EEC. As before, the third authorization information may include an ECS ID and an EEC ID, and optionally one or more of an EES ID, an EES provider ID, an ECSP ID, and an EAS ID, which define the scope of the authorization granted to the EEC and the EES objects it may access. The third authorization information may also include a validity time, so that the EES can determine whether the authorization of the EEC is still within its time limit. According to the received third authorization information, the EEC may send a request carrying the third authorization information to the EES, and whether the EEC is allowed to access the EES is determined by the EES's verification of the third authorization information; the specific procedure is as described for fig. 2 or fig. 3A to fig. 3C and is not repeated here.
Therefore, in this embodiment of the present application, the EEC is authorized by a dedicated AAF network element, which reduces the resource overhead of the edge enabling server authorizing each terminal individually. The terminal requests access verification from the EES using the third authorization information it obtained, so the EES decides from that information whether the terminal is entitled to access the corresponding service; this reduces the possibility of a terminal's authority being misused and ensures communication security during the edge service.
The above-mentioned scheme provided by the present application is mainly introduced from the perspective of interaction between network elements. It is to be understood that the above-described implementation of each network element includes, in order to implement the above-described functions, a corresponding hardware structure and/or software module for performing each function. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, according to the above method example, functional modules may be divided for a terminal, a control plane network element, a service function network element, a management function network element, or other network devices, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module, where the integrated module may be implemented in a form of hardware or a form of software functional module. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Fig. 5 is a communication apparatus 500 according to an embodiment of the present application, which may be used to execute the authorization method applied to a terminal and the embodiments of fig. 2 or fig. 3A to fig. 3C, where the apparatus may be a terminal or a chip that may be configured in the terminal. In one possible implementation, as shown in fig. 5, the communication apparatus 500 includes a sending module 501, a receiving module 502 and a processing module 503.
A sending module 501, configured to send a first configuration request to an edge configuration server ECS, where the first configuration request is used to request to obtain authorization information for communication between the terminal and an edge enable server EES;
a receiving module 502, configured to receive first authorization information generated by the ECS according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier;
a processing module 503, configured to generate a first request, where the first request carries the first authorization information;
the sending module 501 is configured to send a first request to the EES;
the receiving module 502 is configured to receive a first response, where the first response includes indication information of whether the terminal is authorized to access the EES.
Optionally, the first authorization information further includes one or more of the following information: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
Optionally, the first authorization information further includes an edge-enabled service key Kees.
Optionally, the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server; or the first key is a public key of the edge-enabled server.
Optionally, the receiving module 502 is further configured to receive the Kees from the edge configuration server, or receive a parameter used to derive the Kees from the edge configuration server, the processing module 503 is further configured to derive the Kees according to the parameter used to derive the Kees, and the sending module 501 is further configured to send the Kees to the edge-enabled server.
Optionally, the first authorization information is signed by an edge configuration server private key.
Optionally, in a case where the terminal is authorized to access the edge-enabled server, the processing module 503 communicates with the edge-enabled server using the Kees, or communicates using a derivative key of the Kees.
Alternatively, the processing module 503 may be a chip, an encoder, an encoding circuit or other integrated circuits that can implement the method of the present application.
The receiving module 502 and the transmitting module 501 may be interface circuits or transceivers. The receiving module 502 and the sending module 501 may be independent modules, or may be integrated into a transceiver module (not shown), and the transceiver module may implement the functions of the receiving module 502 and the sending module 501.
Since the specific method and embodiments have been described above, and the apparatus 500 executes the authorization method applied to the terminal, the functions related to that method, in particular the functions of the receiving module 502, the sending module 501 and the processing module 503, may refer to the relevant parts of the corresponding embodiment and are not described here again.
Optionally, the apparatus 500 may further include a storage module (not shown in the figure), which may be used for storing data and/or signaling, and the storage module may be coupled to the processing module 503, and may also be coupled to the receiving module 502 or the sending module 501. For example, the processing module 503 may be configured to read data and/or signaling in the storage module, so that the authorization method in the foregoing method embodiment is executed.
Fig. 6 is another communication device 600 provided in an embodiment of the present application, which may be used to execute the authorization method applied to the edge configuration server and the specific embodiment of fig. 2 or fig. 3A to fig. 3C, where the device may be a server or may be configured in a chip of the server. In one possible implementation, as shown in fig. 6, the communication apparatus 600 includes a receiving module 601, a sending module 602, and a processing module 603.
A receiving module 601, configured to receive a first configuration request sent by a terminal, where the first configuration request is used to request to acquire authorization information of communication between the terminal and an edge-enabled server;
a processing module 603, configured to generate first authorization information according to the first configuration request, where the first authorization information includes an edge configuration server identifier and a terminal identifier;
a sending module 602, configured to send the first authorization information to the terminal.
Optionally, the first authorization information further includes one or more of the following information: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
Optionally, the first authorization information further includes an edge-enabled service key Kees.
Optionally, the processing module 603 is further configured to: encrypting the first authorization information by a first key, wherein the first key is a shared key of the edge configuration server and the edge enabling server; or the first key is a public key of the edge-enabled server.
Optionally, the sending module 602 is further configured to: and sending the Kees to the terminal, or sending parameters used for deducing the Kees to the terminal.
Optionally, the processing module 603 is further configured to: and signing the first authorization information by adopting an edge configuration server private key.
In one possible example, the sending module 602 is further configured to: and pushing the Kees to the edge enabling server, or sending the Kees to the edge enabling server according to the key request information of the edge enabling server.
Alternatively, the processing module 603 may be a chip, an encoder, a coding circuit or other integrated circuits that can implement the method of the present application.
The receiving module 601 and the transmitting module 602 may be interface circuits or transceivers. The receiving module 601 and the sending module 602 may be independent modules, or may be integrated into a transceiver module (not shown), and the transceiver module may implement the functions of the receiving module 601 and the sending module 602.
Since the specific method and embodiments have been described above, and the apparatus 600 executes the authorization method applied to the edge configuration server, the functions related to that method, in particular the functions of the receiving module 601, the sending module 602 and the processing module 603, may refer to the relevant parts of the corresponding embodiment and are not described here again.
Optionally, the apparatus 600 may further include a storage module (not shown in the figure), which may be used for storing data and/or signaling, and the storage module may be coupled to the processing module 603, and may also be coupled to the receiving module 601 or the sending module 602. For example, the processing module 603 may be configured to read data and/or signaling in the storage module, so that the authorization method in the foregoing method embodiment is executed.
Fig. 7 is another communication apparatus 700 provided in an embodiment of the present application, which may be used to execute the authorization method applied to the edge-enabled server and the embodiments of fig. 2 or fig. 3A to fig. 3C, where the apparatus may be a server or a chip configured at the server. In one possible implementation, as shown in fig. 7, the communication apparatus 700 includes a receiving module 701, a sending module 702, and a processing module 703.
A receiving module 701, configured to receive a first request sent by a terminal, where the first request includes first authorization information, and the first authorization information includes an edge configuration server identifier and a terminal identifier;
a processing module 703, configured to verify the first authorization information;
the processing module 703 is further configured to generate a first response after the authentication, where the first response includes indication information of whether the terminal is authorized to access the edge-enabled server;
a sending module 702, configured to send the first response to the terminal.
Optionally, the first authorization information further includes one or more of the following information: an edge-enabled server identification, an edge-enabled server provider identification, and an edge application server identification.
Optionally, the first authorization information further includes an edge-enabled service key Kees; the processing module is further configured to: and acquiring the Kees in the first authorization information.
Optionally, the first authorization information is encrypted by a first key, where the first key is a shared key of the edge configuration server and the edge-enabled server; or the first secret key is a public key of the edge-enabled server;
the acquiring the Kees in the first authorization information includes: and the edge enabling server decrypts the encrypted first authorization information by using the shared secret key or a private key corresponding to the public key to obtain the first authorization information, and acquires the Kees in the first authorization information.
Optionally, the edge-enabled server receives the Kees from the terminal.
Optionally, the receiving module 701 is further configured to: receiving the Kees from the edge configuration server;
or, the sending module 702 sends the key request information to the edge configuration server, and the receiving module receives the Kees from the edge configuration server.
Optionally, the processing module 703 is further configured to perform security authentication according to the Kees acquired from the terminal and the Kees acquired from the edge configuration server, and perform security communication with the terminal after the authentication is passed.
Optionally, the first authorization information is signed by a private key of an edge configuration server; the processing module 703 is further configured to: and verifying the first authorization information by using an edge configuration server public key.
Alternatively, the processing module 703 may be a chip, an encoder, an encoding circuit or other integrated circuits that can implement the method of the present application.
The receiving module 701 and the transmitting module 702 may be interface circuits or transceivers. The receiving module 701 and the sending module 702 may be independent modules, or may be integrated into a transceiver module (not shown), and the transceiver module may implement the functions of the receiving module 701 and the sending module 702.
Since the specific method and embodiments have been described above, and the apparatus 700 executes the authorization method applied to the edge-enabled server, the functions related to that method, in particular the functions of the receiving module 701, the sending module 702 and the processing module 703, may refer to the relevant parts of the corresponding embodiment and are not described here again.
Optionally, the apparatus 700 may further include a storage module (not shown in the figure), which may be used for storing data and/or signaling, and the storage module may be coupled to the processing module 703, and may also be coupled to the receiving module 701 or the sending module 702. For example, the processing module 703 may be configured to read data and/or signaling in the storage module, so that the authorization method in the foregoing method embodiment is executed.
As shown in fig. 8, fig. 8 is a schematic diagram illustrating a hardware structure of a communication apparatus in an embodiment of the present application. The structure of the terminal or the server may refer to the structure shown in fig. 8. The communication apparatus 900 includes: a processor 111 and a transceiver 112, the processor 111 and the transceiver 112 being electrically coupled;
the processor 111 is configured to execute some or all of the computer program instructions in the memory, and when the computer program instructions are executed, the apparatus is enabled to perform the method according to any of the embodiments.
The transceiver 112 is configured to communicate with other devices, for example, to send a first configuration request to the edge configuration server ECS, where the first configuration request is used to request to obtain authorization information for the terminal to communicate with the edge enable server EES; or receiving first authorization information generated by the ECS according to the first configuration request, where the first authorization information includes an edge configuration server identifier, a terminal identifier, and the like.
Optionally, a memory 113 is further included for storing the computer program instructions. The memory 113 may be located inside the apparatus (Memory #1), integrated with the processor 111 (Memory #2), or located outside the apparatus (Memory #3).
It should be understood that the communication device 900 shown in fig. 8 may be a chip or a circuit. Such as a chip or circuit that may be provided within a terminal device or a communication device. The transceiver 112 may also be a communication interface. The transceiver includes a receiver and a transmitter. Further, the communication device 900 may also include a bus system.
The processor 111, the memory 113, and the transceiver 112 are connected via a bus system, and the processor 111 is configured to execute instructions stored in the memory 113 to control the transceiver to receive and transmit signals, so as to complete steps of the first device or the second device in the implementation method related to the present application. The memory 113 may be integrated in the processor 111 or may be provided separately from the processor 111.
As an implementation manner, the function of the transceiver 112 may be considered to be implemented by a transceiver circuit or a transceiver dedicated chip. The processor 111 may be considered to be implemented by a dedicated processing chip, processing circuitry, a processor, or a general purpose chip. The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip or other general purpose processor. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLDs may be Complex Programmable Logic Devices (CPLDs), field-programmable gate arrays (FPGAs), General Array Logic (GAL) and other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., or any combination thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory referred to in the embodiments of the application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable EPROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The embodiment of the application provides a computer storage medium, which stores a computer program, wherein the computer program comprises a program for executing the method applied to the terminal in the embodiment.
Embodiments of the present application provide a computer storage medium storing a computer program, where the computer program includes a program for executing the method applied to an edge configuration server or an edge enabler server in the foregoing embodiments.
The present application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the method applied to the terminal in the above embodiments.
Embodiments of the present application provide a computer program product containing instructions which, when run on a computer, cause the computer to perform the method applied to an edge configuration server or an edge enabler server in the above embodiments.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions of it that contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited to them; any change or substitution that a person skilled in the art can readily conceive within the technical scope of the present application shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (30)

1. A method of authorization, the method comprising:
a terminal sends a first configuration request to an edge configuration server, wherein the first configuration request is used to request authorization information for communication between the terminal and an edge enabler server;
the terminal receives first authorization information generated by the edge configuration server according to the first configuration request, wherein the first authorization information comprises an edge configuration server identifier and a terminal identifier;
the terminal generates and sends a first request to the edge enabler server, wherein the first request carries the first authorization information; and
the terminal receives a first response, wherein the first response comprises indication information of whether the terminal is authorized to access the edge enabler server.
2. The method of claim 1, wherein the first authorization information further comprises one or more of the following: an edge enabler server identifier, an edge enabler server provider identifier, and an edge application server identifier.
3. The method of claim 1 or 2, wherein the first authorization information further comprises an edge enabler service key Kees.
4. The method of claim 3, wherein the first authorization information is encrypted with a first key, and the first key is a key shared between the edge configuration server and the edge enabler server, or the first key is a public key of the edge enabler server.
5. The method of claim 1 or 2, further comprising: the terminal receives Kees from the edge configuration server, or receives from the edge configuration server parameters used for deriving Kees and derives Kees from those parameters;
and the terminal sends Kees to the edge enabler server.
6. The method of any one of claims 3-5, further comprising: when the terminal is authorized to access the edge enabler server, the terminal and the edge enabler server communicate using Kees or using a key derived from Kees.
7. The method of any one of claims 1-6, wherein the first authorization information is signed with an edge configuration server private key.
8. A method of authorization, the method comprising:
an edge configuration server receives a first configuration request sent by a terminal, wherein the first configuration request is used to request authorization information for communication between the terminal and an edge enabler server;
the edge configuration server generates first authorization information according to the first configuration request, wherein the first authorization information comprises an edge configuration server identifier and a terminal identifier; and
the edge configuration server sends the first authorization information to the terminal.
9. The method of claim 8, wherein the first authorization information further comprises one or more of the following: an edge enabler server identifier, an edge enabler server provider identifier, and an edge application server identifier.
10. The method of claim 8 or 9, wherein the first authorization information further comprises an edge enabler service key Kees.
11. The method of claim 10, further comprising: the edge configuration server encrypts the first authorization information with a first key, wherein the first key is a key shared between the edge configuration server and the edge enabler server, or the first key is a public key of the edge enabler server.
12. The method of claim 8 or 9, further comprising: the edge configuration server sends Kees to the terminal, or sends to the terminal parameters used for deriving Kees.
13. The method of any one of claims 10-12, further comprising: the edge configuration server pushes Kees to the edge enabler server, or the edge configuration server sends Kees to the edge enabler server in response to key request information from the edge enabler server.
14. The method of any one of claims 8-13, further comprising: the edge configuration server signs the first authorization information with an edge configuration server private key.
15. A method of authorization, the method comprising:
an edge enabler server receives a first request sent by a terminal, wherein the first request comprises first authorization information, and the first authorization information comprises an edge configuration server identifier and a terminal identifier;
the edge enabler server verifies the first authorization information;
the edge enabler server generates a first response after the verification, wherein the first response comprises indication information of whether the terminal is authorized to access the edge enabler server; and
the edge enabler server sends the first response to the terminal.
16. The method of claim 15, wherein the first authorization information further comprises one or more of the following: an edge enabler server identifier, an edge enabler server provider identifier, and an edge application server identifier.
17. The method of claim 15 or 16, wherein the first authorization information further comprises an edge enabler service key Kees, and the method further comprises:
obtaining Kees from the first authorization information.
18. The method of claim 17, wherein the first authorization information is encrypted with a first key, and the first key is a key shared between the edge configuration server and the edge enabler server, or the first key is a public key of the edge enabler server;
and obtaining Kees from the first authorization information comprises: the edge enabler server decrypts the encrypted first authorization information using the shared key or the private key corresponding to the public key to obtain the first authorization information, and obtains Kees from the first authorization information.
19. The method of claim 15 or 16, wherein the edge enabler server receives Kees from the terminal.
20. The method of any one of claims 17-19, further comprising:
the edge enabler server receives Kees from the edge configuration server;
or, the edge enabler server sends key request information to the edge configuration server and receives Kees from the edge configuration server.
21. The method of any one of claims 17-20, further comprising: the edge enabler server performs security authentication based on the Kees obtained from the terminal and the Kees obtained from the edge configuration server, and communicates securely with the terminal after the authentication passes.
22. The method of any one of claims 15-21, wherein the first authorization information is signed with an edge configuration server private key, and the edge enabler server verifying the first authorization information comprises:
the edge enabler server verifies the first authorization information using an edge configuration server public key.
23. A communication apparatus, applied to a terminal, the apparatus comprising:
a sending module, configured to send a first configuration request to an edge configuration server (ECS), wherein the first configuration request is used to request authorization information for communication between the terminal and an edge enabler server (EES);
a receiving module, configured to receive first authorization information generated by the ECS according to the first configuration request, wherein the first authorization information comprises an edge configuration server identifier and a terminal identifier; and
a processing module, configured to generate a first request, wherein the first request carries the first authorization information;
wherein the sending module is further configured to send the first request to the EES, and
the receiving module is further configured to receive a first response, wherein the first response comprises indication information of whether the terminal is authorized to access the EES.
24. A communication apparatus, applied to an edge configuration server, the apparatus comprising:
a receiving module, configured to receive a first configuration request sent by a terminal, wherein the first configuration request is used to request authorization information for communication between the terminal and an edge enabler server;
a processing module, configured to generate first authorization information according to the first configuration request, wherein the first authorization information comprises an edge configuration server identifier and a terminal identifier; and
a sending module, configured to send the first authorization information to the terminal.
25. A communication apparatus, applied to an edge enabler server, the apparatus comprising:
a receiving module, configured to receive a first request sent by a terminal, wherein the first request comprises first authorization information, and the first authorization information comprises an edge configuration server identifier and a terminal identifier;
a processing module, configured to verify the first authorization information;
the processing module being further configured to generate a first response after the verification, wherein the first response comprises indication information of whether the terminal is authorized to access the edge enabler server; and
a sending module, configured to send the first response to the terminal.
26. A communication apparatus, comprising at least one processor coupled to at least one memory;
the at least one processor is configured to execute computer programs or instructions stored in the at least one memory to cause the apparatus to perform the method of any one of claims 1-7, the method of any one of claims 8-14, or the method of any one of claims 15-22.
27. A readable storage medium storing instructions that, when executed, cause the method of any one of claims 1-7, the method of any one of claims 8-14, or the method of any one of claims 15-22 to be implemented.
28. A communication device comprising a processor and an interface circuit;
the interface circuit is configured to pass code instructions to the processor; and
the processor is configured to execute the code instructions to perform the method of any one of claims 1-7, the method of any one of claims 8-14, or the method of any one of claims 15-22.
29. A computer program product which, when read and executed by a computer, causes the computer to perform the method of any one of claims 1-7, 8-14 or 15-22.
30. A communication system comprising the communication apparatus of claim 23, the communication apparatus of claim 24, or the communication apparatus of claim 25.
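The exchange described in method claims 1-22 (terminal, edge configuration server and edge enabler server), as an added worked example written for this page; it is not code from the patent or from Huawei. It assumes several things the claims leave open: a key K_UE_ECS already shared between the terminal and the ECS (for instance from an earlier authentication), the shared-key variant of claims 4 and 11 with a key K_ECS_EES between ECS and EES, an HMAC-SHA256 tag under K_ECS_EES standing in for the ECS private-key signature of claims 7, 14 and 22 (so the example stays in the Python standard library), a random nonce as the "parameter used for deriving Kees" of claims 5 and 12, and the push delivery of claim 13. All identifiers (ecs-1, ue-42, ees-a, esp-1, eas-7) and the function and class names are made up for the example.

```python
import hashlib
import hmac
import json
import secrets


def canonical(info: dict) -> bytes:
    """Deterministic encoding so the ECS and the EES MAC exactly the same bytes."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; a small KDF for this example."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_kees(k_ue_ecs: bytes, ecs_id: str, ue_id: str, ees_id: str, nonce: bytes) -> bytes:
    """Kees derivation run identically by the terminal and the ECS (claims 5 and 12).
    Binding the three identifiers into the derivation keeps a Kees minted for one
    EES from being reused at another (assumed construction, not from the claims)."""
    return prf(k_ue_ecs, b"Kees", ecs_id.encode(), ue_id.encode(), ees_id.encode(), nonce)


class ECS:
    """Edge configuration server side (claims 8-14)."""

    def __init__(self, ecs_id: str, k_ecs_ees: bytes, ue_keys: dict):
        self.ecs_id = ecs_id
        self.k_ecs_ees = k_ecs_ees  # assumed key shared with the EES (the "first key" of claim 11)
        self.ue_keys = ue_keys      # assumed per-terminal keys K_UE_ECS from an earlier authentication

    def handle_config_request(self, ue_id: str, ees_id: str, esp_id: str, eas_id: str):
        nonce = secrets.token_bytes(16)  # the "parameter used for deriving Kees" (claim 12)
        info = {"ecs_id": self.ecs_id, "ue_id": ue_id, "ees_id": ees_id,
                "esp_id": esp_id, "eas_id": eas_id, "nonce": nonce.hex()}
        # HMAC under K_ECS_EES stands in for the ECS private-key signature of claim 14.
        tag = hmac.new(self.k_ecs_ees, canonical(info), hashlib.sha256).hexdigest()
        kees = derive_kees(self.ue_keys[ue_id], self.ecs_id, ue_id, ees_id, nonce)
        return {"info": info, "tag": tag}, kees  # info+tag go to the terminal, kees is pushed to the EES


class EES:
    """Edge enabler server side (claims 15-22)."""

    def __init__(self, ees_id: str, k_ecs_ees: bytes):
        self.ees_id = ees_id
        self.k_ecs_ees = k_ecs_ees
        self.kees_from_ecs = {}  # ue_id -> Kees pushed by the ECS (claim 20)

    def receive_pushed_kees(self, ue_id: str, kees: bytes) -> None:
        self.kees_from_ecs[ue_id] = kees

    def handle_request(self, auth: dict, kees_from_ue: bytes) -> dict:
        """First response: the indication of whether the terminal is authorized (claim 15)."""
        info = auth["info"]
        expected = hmac.new(self.k_ecs_ees, canonical(info), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return {"authorized": False, "reason": "authorization info failed verification"}
        if info["ees_id"] != self.ees_id:  # token was minted for a different EES
            return {"authorized": False, "reason": "authorization info not issued for this EES"}
        provisioned = self.kees_from_ecs.get(info["ue_id"])
        # claim 21: Kees presented by the terminal must equal the Kees received from the ECS
        if provisioned is None or not hmac.compare_digest(provisioned, kees_from_ue):
            return {"authorized": False, "reason": "Kees mismatch"}
        return {"authorized": True, "reason": "ok"}


def run_flow(tamper: str = "") -> dict:
    """Full exchange; `tamper` selects one of the failure cases the EES must catch."""
    k_ue_ecs, k_ecs_ees = secrets.token_bytes(32), secrets.token_bytes(32)
    ecs = ECS("ecs-1", k_ecs_ees, {"ue-42": k_ue_ecs})
    ees = EES("ees-a", k_ecs_ees)
    # terminal -> ECS: first configuration request (claim 1); ECS -> terminal: authorization info
    auth, kees_at_ecs = ecs.handle_config_request("ue-42", "ees-a", "esp-1", "eas-7")
    ees.receive_pushed_kees("ue-42", kees_at_ecs)  # ECS -> EES push (claim 13)
    nonce = bytes.fromhex(auth["info"]["nonce"])
    kees_at_ue = derive_kees(k_ue_ecs, "ecs-1", "ue-42", "ees-a", nonce)  # terminal side of claim 5
    if tamper == "rewrite_eas":    # terminal edits the token; the tag no longer matches
        auth["info"]["eas_id"] = "eas-9"
    elif tamper == "wrong_ees":    # token presented to an EES it was not issued for
        ees = EES("ees-b", k_ecs_ees)
        ees.receive_pushed_kees("ue-42", kees_at_ecs)
    elif tamper == "wrong_kees":   # a party that never held K_UE_ECS can only guess Kees
        kees_at_ue = secrets.token_bytes(32)
    # terminal -> EES: first request carrying the authorization info, plus Kees (claims 1 and 5)
    return ees.handle_request(auth, kees_at_ue)
```

run_flow() returns the EES's first response for the honest case; the tamper argument exercises the three checks the EES performs in order: integrity of the authorization information, that it was issued for this EES, and that the Kees presented by the terminal equals the one delivered by the ECS (claim 21). Note that, as in claims 5 and 19, the terminal sends Kees itself to the EES, so the terminal-EES channel must already be confidentiality-protected (for example TLS); a proof of possession, such as a MAC over the first request under Kees, would avoid exposing the key at all and is a straightforward substitute for the last check.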

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010973308.XA CN114268943A (en) 2020-09-16 2020-09-16 Authorization method and device
PCT/CN2021/117644 WO2022057736A1 (en) 2020-09-16 2021-09-10 Authorization method and device

Publications (1)

Publication Number Publication Date
CN114268943A (en) 2022-04-01

Family

ID=80775902

Country Status (2)

Country Link
CN (1) CN114268943A (en)
WO (1) WO2022057736A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115859263A (en) * 2023-02-23 2023-03-28 北京易智时代数字科技有限公司 Virtual reality application management method, terminal and edge service platform
WO2023240657A1 (en) * 2022-06-17 2023-12-21 北京小米移动软件有限公司 Authentication and authorization method and apparatus, communication device and storage medium
WO2023240642A1 (en) * 2022-06-17 2023-12-21 北京小米移动软件有限公司 Authentication mode selection method and apparatus, device, and storage medium
WO2023240661A1 (en) * 2022-06-17 2023-12-21 北京小米移动软件有限公司 Authentication and authorization method and apparatus, and communication device and storage medium

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN116939036A (en) * 2022-03-30 2023-10-24 华为技术有限公司 Method and device for discovering application server
WO2023201576A1 (en) * 2022-04-20 2023-10-26 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for communication services

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101594276A (en) * 2008-05-28 2009-12-02 原创信通电信技术(北京)有限公司 The business authorization method that is used for the IP Telecommunication Network system
CN110366159A (en) * 2018-04-09 2019-10-22 华为技术有限公司 A kind of method and apparatus obtaining security strategy
CN111163063A (en) * 2019-12-12 2020-05-15 万翼科技有限公司 Edge application management method and related product
WO2020174121A1 (en) * 2019-02-28 2020-09-03 Nokia Technologies Oy Inter-mobile network communication authorization

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN102882699B (en) * 2011-07-14 2015-07-29 华为技术有限公司 The distribution method of fringe node and device and fringe node controller
TW202021384A (en) * 2018-11-23 2020-06-01 財團法人工業技術研究院 Network service system and network service method
CN111611561B (en) * 2020-06-09 2022-09-06 中国电子科技集团公司第二十八研究所 Edge-hierarchical-user-oriented unified management and control method for authentication and authorization

Also Published As

Publication number Publication date
WO2022057736A1 (en) 2022-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination