CN115835202A - Authentication method and system - Google Patents


Info

Publication number
CN115835202A
Authority
CN
China
Prior art keywords
user terminal
authentication
network element
dnn
data service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211235243.4A
Other languages
Chinese (zh)
Inventor
黎穗卿
黄劲安
陈漩
张紫璇
胡稍华
郑锐生
陆俊超
梁广智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongtong Service Zhongrui Technology Co ltd
Original Assignee
Zhongtong Service Zhongrui Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Abstract

The invention discloses an authentication method and an authentication system, and relates to the technical field of mobile communication. In the authentication method, the core network side receives a request from a user terminal to access a data service private network and, after completing primary authentication, establishes a user plane data channel between the user terminal side and the core network side; the core network side then acquires the user terminal information, matches it against the pre-planned admission resource information, and decides from the matching result whether to exempt the user terminal from secondary authentication. In the authentication system, the core network side includes an AUSF network element, an SMF network element (containing an ATLF module), a UPF network element and an AAA network element. Compared with the prior art, the authentication method exempts trusted user terminals from secondary authentication and forces user terminals that do not meet the trust conditions either to perform secondary authentication or to be refused access directly, so that the secondary authentication type of the user terminal is selected more reasonably while the communication security of the data service network is preserved, and network resources are saved to a certain extent.

Description

Authentication method and system
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to an authentication method and system.
Background
To prevent illegal network attacks, User Equipment (UE) accessing a 5G network must perform user identity authentication through the access network. Compared with ordinary public users, vertical industries have higher requirements for service confidentiality and security, so a vertical-industry terminal must authenticate its identity again before it accesses a data service private network through the 5G network; this is the secondary authentication.
A user terminal first completes primary authentication with the UDM (Unified Data Management) network element and the AUSF (Authentication Server Function) network element, then initiates a request to access the data service network. The SMF (Session Management Function) network element first judges from the DNN (Data Network Name) whether the terminal needs to be authenticated; after confirming that the terminal requires secondary authentication, it sends an authentication request to the UPF (User Plane Function), and the UPF forwards the authentication request to the AAA (Authentication, Authorization and Accounting) network element. After the AAA network element completes the secondary authentication, the SMF sends a session establishment notification to the UPF; a terminal that does not pass secondary authentication is denied access to the data service network.
The secondary authentication mechanism effectively improves service security, but in some special application scenarios it is also too rigid and insufficiently flexible. For example, the cluster common network is an important command and dispatch platform for handling sudden public events, emergency security and urban management, and is widely used by governments, public safety, public utilities and similar fields; in emergency command and dispatch scenarios such as rescue and disaster relief, the secondary authentication mechanism slows the response of the whole emergency network.
The prior art discloses a user terminal secondary authentication method and system and an access and mobility management apparatus, in which, with the user terminal registered in the 5G network and after the 5G network has finished authenticating it, a third-party data network server is notified to authenticate and authorize the user terminal. Its characteristic is that when the 5G terminal registers with the network, a third-party platform is notified in advance to perform authentication and authorization; this technical means still follows the mainstream authentication idea, and the problem of long response time of the whole network remains.
Disclosure of Invention
The invention provides an authentication method and an authentication system to overcome the long network response time caused by the secondary authentication mechanism in the prior art.
To solve the technical problem, the technical scheme of the invention is as follows:
In a first aspect, an authentication method is applied to a data service network, where the data service network is a data network private network established, owned, managed and used by an enterprise, organization or department to meet its own needs. The method includes:
the core network side receives the request of the user terminal to access the data service private network and, after completing primary authentication, establishes a user plane data channel between the user terminal side and the core network side; the core network comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF (Authentication Type Label Function) module, which labels and registers the secondary authentication type of a terminal;
the core network side acquires the user terminal information, matches it against the pre-planned admission resource information, and decides from the matching result whether to exempt the user terminal from secondary authentication:
if the user terminal information belongs to the pre-planned admission resource information, the core network side exempts the user terminal from secondary authentication and establishes the connection between the user terminal and the data service private network;
if the user terminal information does not belong to the pre-planned admission resource information, the core network side does not exempt the user terminal from secondary authentication. The user terminal information includes the DNN subscribed by the user terminal and the TAC (Tracking Area Code) it carries.
In this technical scheme, after primary authentication the core network side matches the user terminal information against the pre-planned admission resource information and decides from the result whether to exempt the user terminal from secondary authentication; an exempted user terminal skips secondary authentication and communicates directly with the data service private network, so the overall response efficiency of the data service network is improved while its communication security is preserved, and network resources are saved to a certain extent.
As a preferred scheme, when the core network side does not exempt the user terminal from secondary authentication, one of the following steps is performed:
(1) the core network side directly refuses the user terminal access to the data service network;
(2) the core network side performs secondary authentication on the user terminal.
As a preferred scheme, the pre-planned admission resource information includes:
the DNN dedicated to the data service private network and subscribed by the SIM card of the trusted communication terminal, denoted $DNN_{SP}$;
the temporary TACs used for temporarily configuring the data service private network base stations, whose number is denoted $w$ and which are denoted $\tau_j'$, $j = 1, 2, \ldots, w$, i.e. $\tau_j' \in T' = \{\tau_1', \tau_2', \ldots, \tau_w'\}$.
As a possible design of the preferred scheme, the core network side acquires the user terminal information and matches it against the pre-planned admission resource information in the following steps:
the SMF network element instructs the UPF network element to send the user terminal information to the ATLF module; in the user terminal information, the DNN subscribed by the user terminal is denoted $DNN_{UE}$ and the TAC carried by the user terminal is denoted $\tau_{UE}$;
the ATLF module judges whether $DNN_{UE}$ and $DNN_{SP}$ are consistent and whether $\tau_{UE}$ belongs to $T'$:
if $DNN_{UE} \neq DNN_{SP}$, it outputs the secondary authentication type $S_k$ as authentication denied;
if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \in T'$, it outputs the secondary authentication type $S_k$ as authentication exempt;
if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \notin T'$, it outputs the secondary authentication type $S_k$ as must authenticate;
the ATLF module sends the output secondary authentication type $S_k$ to the SMF network element, and the SMF network element decides from $S_k$ whether to exempt the user terminal from secondary authentication.
That is, in this possible design, the user terminal is allowed to skip secondary authentication and access the data service private network directly only when the DNN subscribed by the user terminal is the DNN dedicated to the data service private network and the TAC it carries is an element of the temporary TAC set $T'$ with which the data service private network base stations are temporarily configured.
Further, if the user terminal information belongs to the pre-planned admission resource information, exempting the user terminal from secondary authentication and establishing the connection between the user terminal and the data service private network specifically comprises:
if the secondary authentication type $S_k$ received by the SMF network element is authentication exempt, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal, and the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network.
Further, if the user terminal information does not belong to the pre-planned admission resource information, the core network side not exempting the user terminal from secondary authentication includes:
if the secondary authentication type $S_k$ received by the SMF network element is authentication denied, the SMF network element directly refuses the user terminal access to the data service network;
if the secondary authentication type $S_k$ received by the SMF network element is must authenticate, the SMF network element transmits a secondary identity authentication message about the user terminal to the AAA network element and establishes an authentication channel between the user terminal and the AAA network element; the secondary authentication message comprises $DNN_{UE}$ and further includes one or more of the IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), MSISDN (Mobile Subscriber Integrated Services Digital Number) and ULI (User Location Information) of the user terminal.
Preferably, after the SMF network element forwards the secondary authentication message to the AAA network element and establishes the authentication channel between the user terminal and the AAA network element, the AAA network element performs secondary authentication on the user terminal according to the received message and outputs a secondary authentication result $r_p$ to the SMF network element, where $r_p$ is one of authentication passed or authentication not passed.
Optionally, after the AAA network element performs secondary authentication on the user terminal and outputs the secondary authentication result $r_p$ to the SMF network element, the method further comprises the following steps:
when the secondary authentication result $r_p$ received by the SMF network element is authentication passed, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal, and the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network;
when the secondary authentication result $r_p$ received by the SMF network element is authentication not passed, the SMF network element refuses the user terminal access to the data service network.
In a second aspect, an authentication system applying the authentication method of any technical solution of the first aspect includes a core network side and a data service private network, where the core network side includes an AUSF network element, an SMF network element, a UPF network element and an AAA network element; the SMF network element includes an ATLF module, which is configured to match the acquired user terminal information against the pre-planned admission resource information and to judge, record and output the secondary authentication type $S_k$. The user terminal information comprises the DNN subscribed by the user terminal requesting access to the data service private network and the TAC it carries; the pre-planned admission resource information comprises the DNN subscribed by the SIM card of the trusted communication terminal and the temporary TACs used for temporarily configuring the data service private network base stations; and the output secondary authentication type $S_k$ is one of authentication denied, authentication exempt and must authenticate.
In this technical scheme, the ATLF module is arranged on the core network side to acquire user terminal information such as the TAC and DNN and to register the secondary authentication type of the terminal, which is used as the condition for the subsequent selection of the authentication type; trusted user terminals are exempted from secondary authentication, which helps improve the response efficiency of the data service private network.
As a preferred scheme, if the secondary authentication type $S_k$ output by the ATLF module is authentication exempt or authentication denied, the SMF network element does not communicate with the AAA network element; if $S_k$ is must authenticate, the SMF network element communicates with the AAA network element.
Compared with the prior art, the technical scheme of the invention has the following beneficial effects:
(1) The authentication method plans in advance the DNN dedicated to the data service private network and the temporary TACs of the data service private network base stations as the basis of trust, namely the admission resource information; it exempts from secondary authentication only those user terminals that have subscribed to the data service private network and access it through a temporary data service private network base station, and forces secondary authentication or directly refuses access for user terminals that do not meet the trust conditions, so the secondary authentication type of the user terminal is selected more reasonably while the communication security of the data service network is preserved.
(2) By deploying the ATLF module on the core network side, the invention acquires the TAC, DNN and other information of the user terminal and registers the secondary authentication type of the terminal for use in the subsequent selection of the authentication type, thereby exempting trusted user terminals from secondary authentication and helping improve the response efficiency of the data service private network.
(3) Compared with the prior art, the invention reduces the communication frequency between the SMF network element and the AAA network element and can save network resources to a certain extent.
Drawings
FIG. 1 is a flow chart of the authentication method;
FIG. 2 is a flow chart of a user terminal requesting network entry in a data service network;
FIG. 3 is a flow chart of a user terminal requesting network entry in an emergency network;
FIG. 4 is a flow chart of the establishment of a session between a user terminal and an emergency private network;
FIG. 5 is an architecture diagram of the authentication system.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent;
for the purpose of better illustrating the embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product;
it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The technical solution of the present invention is further described below with reference to the accompanying drawings and examples.
Example 1
This embodiment provides an authentication method, applied with reference to FIG. 1 to a data service network, where the data service network is a data network private network established, owned, managed and used by an enterprise, organization or department to meet its own needs. The method includes:
the core network side receives the request of the user terminal to access the data service private network and, after completing primary authentication, establishes a user plane data channel between the user terminal side and the core network side; the core network comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF module;
the core network side acquires the user terminal information, matches it against the pre-planned admission resource information, and decides from the matching result whether to exempt the user terminal from secondary authentication:
if the user terminal information belongs to the pre-planned admission resource information, the core network side exempts the user terminal from secondary authentication and establishes the connection between the user terminal and the data service private network;
if the user terminal information does not belong to the pre-planned admission resource information, the core network side does not exempt the user terminal from secondary authentication. The user terminal information comprises the DNN subscribed by the user terminal and the TAC it carries.
In this embodiment, matching the user terminal information against the pre-planned admission resource information can be regarded as comparing the user terminal information with a trust information set pre-stored on the core network side, to determine whether the user terminal is a trusted device and whether it requests access through the planned data service private network.
In a specific implementation, when the core network side identifies the user terminal as a trusted device requesting access through the planned data service private network, it does not perform secondary authentication on the user terminal and directly establishes the connection between the user terminal and the data service private network; when the user terminal does not meet the trust conditions, the core network side either directly refuses its request to access the data service private network or enforces secondary authentication. The overall response efficiency of the data service network is thereby improved while its communication security is preserved, and network resources are saved to a certain extent.
As a preferred embodiment, after the core network side determines that the user terminal is not exempted from secondary authentication, it directly refuses the user terminal access to the data service network.
As another preferred embodiment, after the core network side determines that the user terminal is not exempted from secondary authentication, it performs secondary authentication on the user terminal.
As a preferred embodiment, the pre-planned admission resource information includes:
the DNN dedicated to the data service private network and subscribed by the SIM card of the trusted communication terminal, denoted $DNN_{SP}$;
the temporary TACs used for temporarily configuring the data service private network base stations, whose number is denoted $w$ and which are denoted $\tau_j'$, $j = 1, 2, \ldots, w$, i.e. $\tau_j' \in T' = \{\tau_1', \tau_2', \ldots, \tau_w'\}$.
As a preferred embodiment, the user terminal information further includes, but is not limited to, an IP address, IMEI, IMSI, MSISDN, ULI.
As an alternative embodiment, referring to FIG. 2, the core network side acquires the user terminal information and matches it against the pre-planned admission resource information in the following steps:
first, the SMF network element on the core network side instructs the UPF network element to send the user terminal information to the ATLF module; in the user terminal information, the DNN subscribed by the user terminal is denoted $DNN_{UE}$ and the TAC carried by the user terminal is denoted $\tau_{UE}$;
second, the ATLF module judges whether $DNN_{UE}$ and $DNN_{SP}$ are consistent and whether $\tau_{UE}$ belongs to $T'$:
if $DNN_{UE} \neq DNN_{SP}$, it outputs the secondary authentication type $S_k$ as authentication denied;
if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \in T'$, it outputs the secondary authentication type $S_k$ as authentication exempt;
if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \notin T'$, it outputs the secondary authentication type $S_k$ as must authenticate;
subsequently, the ATLF module sends the output secondary authentication type $S_k$ to the SMF network element, and the SMF network element decides from $S_k$ whether to exempt the user terminal from secondary authentication.
As a non-limiting example, the step in which the SMF network element on the core network side instructs the UPF network element to send the user terminal information to the ATLF module specifically includes: the SMF network element instructs the UPF network element to establish a user plane data channel for the user terminal and to send the IP address, TAC, DNN and other information of the user terminal to the ATLF module.
In a specific implementation, when the ATLF module judges $DNN_{UE} = DNN_{SP}$, the user terminal is determined to be a trusted terminal; when the ATLF module judges $\tau_{UE} \in T'$, the user terminal is determined to be requesting access to the data service private network through a trusted base station; and if and only if the DNN subscribed by the user terminal is the DNN dedicated to the data service private network and the TAC it carries is an element of the temporary TAC set $T'$ of the temporarily configured data service private network base stations, the core network side exempts the user terminal from secondary authentication, that is, the SMF network element does not communicate with the AAA network element to perform secondary authentication on the user terminal.
Further, if the user terminal information belongs to the pre-planned admission resource information, exempting the user terminal from secondary authentication and establishing the connection between the user terminal and the data service private network specifically comprises:
if the secondary authentication type $S_k$ received by the SMF network element is authentication exempt, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal; the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network.
Specifically, if the user terminal information does not belong to the pre-planned admission resource information, the step in which the core network side does not exempt the user terminal from secondary authentication includes:
if the secondary authentication type $S_k$ received by the SMF network element is authentication denied, the SMF network element directly refuses the user terminal access to the data service network;
if the secondary authentication type $S_k$ received by the SMF network element is must authenticate, the SMF network element forwards a secondary identity authentication message to the AAA network element and establishes an authentication channel between the user terminal and the AAA network element; the secondary authentication message comprises $DNN_{UE}$ and further includes one or more of the IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), MSISDN (Mobile Subscriber Integrated Services Digital Number) and ULI (User Location Information) carried by the user terminal.
In a specific implementation, when the ATLF module on the core network side outputs the secondary authentication type $S_k$ as authentication denied to the SMF network element, the SMF network element directly refuses the user terminal access to the data service network.
In another specific implementation, when the ATLF module on the core network side outputs the secondary authentication type $S_k$ as must authenticate to the SMF network element, the SMF network element forwards a secondary identity authentication message to the AAA network element and establishes an authentication channel between the user terminal and the AAA network element.
Optionally, after the AAA network element performs secondary authentication on the user terminal and outputs the secondary authentication result $r_p$ to the SMF network element, the method further comprises the following steps:
when the secondary authentication result $r_p$ received by the SMF network element is authentication passed, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal, and the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network;
when the secondary authentication result $r_p$ received by the SMF network element is authentication not passed, the SMF network element refuses the user terminal access to the data service network.
Example 2
This embodiment provides an authentication method, referring to FIG. 1, FIG. 3 and FIG. 4, applied to an emergency private network, including:
TAC deployment and private network subscription;
the core network side receives the request of the user terminal to access the emergency private network and, after completing primary authentication, establishes a user plane data channel between the user terminal side and the core network side; the core network comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF module;
the core network side acquires the user terminal information, matches it against the pre-planned admission resource information, and decides from the matching result whether to exempt the user terminal from secondary authentication:
if the user terminal information belongs to the pre-planned admission resource information, the core network side exempts the user terminal from secondary authentication and establishes the connection between the user terminal and the emergency private network;
if the user terminal information does not belong to the pre-planned admission resource information, the core network side does not exempt the user terminal from secondary authentication. The user terminal information comprises the DNN subscribed by the user terminal and the TAC it carries.
As a non-limiting example, the TAC deployment includes TAC preplanning and emergency base station TAC configuration.
The TAC preplanning specifically comprises the steps of preplanning n special TACs for temporarily configuring the emergency base station, and recording any special TAC as tau i ∈T={τ 1 ,τ 2 ,τ 3 ,……,τ n },i∈{1,2,3,……,n}。
The TAC configuration of the emergency base stations is specifically characterized in that when an emergency such as a fire disaster and an air attack occurs, an area with emergency communication guarantee requirements radiated by the emergency is marked as A, and m emergency base stations with service ranges in the area A are marked as b j ∈B={b 1 ,b 2 ,b 3 ,……,b m J is an element belonging to {1,2,3, \ 8230 \ 8230;, m }. According to the radiation ranges of m emergency base stations, selecting a proper number of currently available special TACs from a pre-planned set T, configuring the emergency base stations in a set B, and recording the number of the selected temporary TACs as w and the w temporary TACs as tau j ’∈T’={τ 1 ’,τ 2 ’,…,τ w ’}。
As a non-limiting example, the private network subscription is specifically a DNN, which is registered as DNN, for subscribing the emergency private network for the SIM card of the emergency communication terminal (i.e. credit granting terminal) in advance SP
In a specific implementation, after the core network side receives the request of a user terminal to access the emergency private network and completes primary authentication, a user plane data channel is established between the user terminal side and the core network side, as follows:
S21: the user terminal initiates a network access request and triggers the primary authentication procedure; the DNN subscribed by the user terminal is denoted $DNN_{UE}$ and the TAC it carries is denoted $\tau_{UE}$;
S22: the SMF network element instructs the UPF network element to establish a user plane data channel for the user terminal.
In a specific implementation, the core network side obtains the user terminal information as follows: the SMF network element instructs the UPF network element to send the user terminal's IP address, TAC, DNN and other information to the ATLF module.
As a non-limiting example, matching the user terminal information with the pre-planned access resource information and determining from the matching result whether to exempt the user terminal from secondary authentication comprises:
S23: the ATLF module determines the secondary authentication type $S_k$ of the user terminal from the user terminal information, $S_k \in S = \{s_1, s_2, s_3\}$, defined as:
$$S_k = \begin{cases} s_1 \ (\text{authentication exempt}), & DNN_{UE} = DNN_{SP} \text{ and } \tau_{UE} \in T' \\ s_2 \ (\text{must be authenticated}), & DNN_{UE} = DNN_{SP} \text{ and } \tau_{UE} \notin T' \\ s_3 \ (\text{authentication denied}), & DNN_{UE} \neq DNN_{SP} \end{cases}$$
In one embodiment, the value of $S_k$ is determined as follows:
when $DNN_{UE} \neq DNN_{SP}$, let $k = 3$; the ATLF module outputs $S_k = s_3$ (authentication denied);
when $DNN_{UE} = DNN_{SP}$, judge further: if $\tau_{UE} \in T'$, let $k = 1$ and the ATLF module outputs $S_k = s_1$ (authentication exempt); if $\tau_{UE} \notin T'$, let $k = 2$ and the ATLF module outputs $S_k = s_2$ (must be authenticated).
As a non-limiting example, determining from the matching result whether to exempt the user terminal from secondary authentication comprises:
S24: the ATLF module records $S_k$ and sends $S_k$ to the SMF network element;
S25: the SMF network element receives $S_k$ and, accordingly, initiates a secondary authentication request, skips the secondary authentication request, or refuses the user terminal access to the emergency private network.
In a specific implementation, when the $S_k$ value the SMF network element receives from the ATLF module is "authentication exempt", the SMF network element initiates a request to skip secondary authentication and directly sends the UPF network element a request to establish a connection to the emergency private network for the user terminal; the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the emergency private network.
In another specific implementation, when the $S_k$ value the SMF network element receives from the ATLF module is "must be authenticated", the SMF network element forwards a secondary identity authentication message to the AAA network element and establishes an authentication channel between the user terminal and the AAA network element. The secondary identity authentication message comprises the $DNN_{UE}$ carried by the user terminal together with its IMSI, IMEI, MSISDN and ULI.
Further, the secondary identity authentication message also comprises the IP address.
Further, the AAA network element performs secondary authentication on the user terminal according to the received secondary identity authentication message and outputs the secondary authentication result $r_p$ to the SMF network element, where $r_p \in R = \{r_1, r_2\}$ takes the values:
$$r_p = \begin{cases} r_1, & \text{authenticated} \\ r_2, & \text{not authenticated} \end{cases}$$
In particular, when $r_p = r_1$, i.e. the value of $r_p$ is "authenticated", the SMF network element sends the UPF network element a request to establish a connection to the emergency private network for the user terminal, and the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the emergency private network; when $r_p = r_2$, i.e. the value of $r_p$ is "not authenticated", the SMF network element refuses the user terminal access to the emergency private network.
In another specific implementation, when the $S_k$ value the SMF network element receives from the ATLF module is "authentication denied", the SMF network element directly refuses the user terminal access to the emergency private network.
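The following is an added worked example of steps S21 to S25 above; it is not code from the patent or its assignee. The type names, dataclasses, message field names and the injected AAA and UPF callbacks are assumptions made so the model runs offline; the decision rule for $S_k$ and the three SMF actions are the ones the embodiment states. The point a practitioner should notice in the "exempt" branch: after primary authentication has bound the terminal to its subscription, the exemption rests only on $DNN_{UE} = DNN_{SP}$ and on $\tau_{UE} \in T'$, where (as in 3GPP practice) the TAC identifies the tracking area of the serving cell. The TAC is therefore a location gate, not an identity factor, and the only per-device check the scheme contains is the AAA path taken when $S_k = s_2$.

```python
# Added example (not the patent's own code): a runnable model of steps S21-S25.
# Names, dataclasses and the injected AAA/UPF callbacks are assumptions made for
# this illustration; the decision rule for S_k is the one stated in the text.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Tuple


class SecondaryAuthType(Enum):
    """S_k as output by the ATLF module: s1, s2, s3 in the text."""
    EXEMPT = 1      # s1: authentication exempt (skip secondary authentication)
    REQUIRED = 2    # s2: must be authenticated by the AAA
    DENIED = 3      # s3: authentication denied (reject without contacting the AAA)


@dataclass(frozen=True)
class AdmissionPlan:
    """Pre-planned access resource information: DNN_SP and the temporary TAC set T'."""
    dnn_sp: str
    temporary_tacs: FrozenSet[int]   # T': the w TACs configured on emergency base stations


@dataclass(frozen=True)
class UeInfo:
    """User terminal information the UPF hands to the ATLF in S22/S23 (assumed field set)."""
    ip: str
    dnn_ue: str      # DNN_UE: the DNN the terminal subscribed
    tac_ue: int      # tau_UE: TAC of the serving cell's tracking area
    imsi: str
    imei: str
    msisdn: str
    uli: str


def atlf_decide(ue: UeInfo, plan: AdmissionPlan) -> SecondaryAuthType:
    """S23: S_k from the DNN match and the TAC membership test, nothing else."""
    if ue.dnn_ue != plan.dnn_sp:
        return SecondaryAuthType.DENIED          # k = 3
    if ue.tac_ue in plan.temporary_tacs:
        return SecondaryAuthType.EXEMPT          # k = 1
    return SecondaryAuthType.REQUIRED            # k = 2


@dataclass
class Smf:
    """S24/S25: the SMF acts on S_k.  AAA and UPF are injected so the model runs offline."""
    plan: AdmissionPlan
    aaa_authenticate: Callable[[Dict[str, str]], bool]   # True -> r1 (authenticated), False -> r2
    decisions: List[Tuple[str, SecondaryAuthType]] = field(default_factory=list)  # ATLF records S_k
    aaa_messages: List[Dict[str, str]] = field(default_factory=list)
    upf_connections: List[str] = field(default_factory=list)   # IPs the UPF connected to the private network

    def handle(self, ue: UeInfo) -> bool:
        """Return True when a connection channel to the emergency private network is established."""
        s_k = atlf_decide(ue, self.plan)
        self.decisions.append((ue.imsi, s_k))
        if s_k is SecondaryAuthType.DENIED:
            return False                             # refuse access; the AAA is never contacted
        if s_k is SecondaryAuthType.EXEMPT:
            self.upf_connections.append(ue.ip)       # skip secondary authentication, connect directly
            return True
        # REQUIRED: secondary identity authentication message (DNN_UE, IMSI, IMEI, MSISDN, ULI, IP)
        msg = {"dnn": ue.dnn_ue, "imsi": ue.imsi, "imei": ue.imei,
               "msisdn": ue.msisdn, "uli": ue.uli, "ip": ue.ip}
        self.aaa_messages.append(msg)
        if self.aaa_authenticate(msg):               # r_p = r1
            self.upf_connections.append(ue.ip)
            return True
        return False                                 # r_p = r2


def demo() -> Dict[str, object]:
    """Constructed scenario: w = 2 temporary TACs (1001, 1002) assigned to emergency base stations."""
    plan = AdmissionPlan(dnn_sp="emergency.sp", temporary_tacs=frozenset({1001, 1002}))
    # Constructed AAA policy (not from the patent): one IMSI is on the private network's allow-list.
    known_imsis = {"460001234567890"}
    smf = Smf(plan, aaa_authenticate=lambda m: m["imsi"] in known_imsis)

    ues = {
        # subscribed DNN and served by an emergency-base-station TAC: exempt
        "in_area": UeInfo("10.0.0.1", "emergency.sp", 1001, "460001234567890", "35-1", "+86-1", "uli-1001"),
        # subscribed DNN but served by an ordinary cell: the AAA authenticates it
        "trusted_roamer": UeInfo("10.0.0.2", "emergency.sp", 2005, "460001234567890", "35-1", "+86-1", "uli-2005"),
        # subscribed DNN, ordinary cell, unknown to the AAA: rejected after secondary authentication
        "unknown_roamer": UeInfo("10.0.0.3", "emergency.sp", 2005, "460009999999999", "35-9", "+86-9", "uli-2005"),
        # wrong DNN, even inside an emergency TAC: denied outright
        "wrong_dnn": UeInfo("10.0.0.4", "internet", 1001, "460001234567890", "35-1", "+86-1", "uli-1001"),
    }
    results = {name: smf.handle(ue) for name, ue in ues.items()}
    return {"results": results,
            "aaa_calls": len(smf.aaa_messages),
            "upf_connections": list(smf.upf_connections)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` exercises all three values of $S_k$ and both values of $r_p$: the AAA is contacted exactly twice (the two terminals outside $T'$), and the UPF connects the exempted terminal and the AAA-authenticated one.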
Example 3
This embodiment proposes an authentication system, and referring to fig. 5, the authentication system is applied to the authentication method proposed in embodiment 1 or embodiment 2.
An authentication system comprises a core network side and a data service private network. The core network side comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF module. The ATLF module is configured to match the acquired user terminal information with the pre-planned access resource information and to judge, record and output the secondary authentication type $S_k$. The user terminal information comprises the DNN subscribed by the user terminal requesting access to the data service private network and the TAC carried by the user terminal; the pre-planned access resource information comprises the DNN subscribed by the SIM card of the trusted communication terminal and the temporary TACs used for temporarily configuring base stations of the data service private network; the output secondary authentication type $S_k$ is one of authentication denied, authentication exempt and must be authenticated.
As shown in fig. 5, the architecture of the authentication system of this embodiment comprises a UE (User Equipment), a RAN (Radio Access Network), an AMF (Access and Mobility Management Function) network element, an AUSF (Authentication Server Function) network element, an SMF (Session Management Function) network element, a UDM (Unified Data Management) network element, a UPF (User Plane Function) network element and an AAA (Authentication, Authorization and Accounting) network element.
As a preferred embodiment, if the secondary authentication type $S_k$ output by the ATLF module is authentication exempt or authentication denied, the SMF network element does not communicate with the AAA network element; if the secondary authentication type $S_k$ output by the ATLF module is must be authenticated, the SMF network element communicates with the AAA network element.
The same or similar reference numerals correspond to the same or similar parts;
the terms describing positional relationships in the drawings are for illustrative purposes only and are not to be construed as limiting the patent;
it should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (10)

1. An authentication method applied to a data service network, the method comprising:
after the core network side receives the request of the user terminal to access the data service private network and completes primary authentication, a user plane data channel is established between the user terminal side and the core network side; the core network comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF module;
the core network side acquires user terminal information, matches the user terminal information with pre-planned access resource information, and determines from the matching result whether to exempt the user terminal from secondary authentication:
if the user terminal information belongs to the pre-planned access resource information, the core network side exempts the user terminal from secondary authentication and establishes the connection between the user terminal and the data service private network;
if the user terminal information does not belong to the pre-planned access resource information, the core network side does not exempt the user terminal from secondary authentication; the user terminal information comprises the DNN subscribed by the user terminal and the TAC carried by the user terminal.
2. The authentication method as claimed in claim 1, wherein after the core network side does not exempt the user terminal from secondary authentication, one of the following steps is performed:
(1) the core network side directly refuses the user terminal access to the data service network;
(2) the core network side performs secondary authentication on the user terminal.
3. The authentication method according to any one of claims 1-2, wherein the pre-planned access resource information comprises:
the DNN dedicated to the data service private network subscribed by the SIM card of the trusted communication terminal, denoted $DNN_{SP}$;
temporary TACs for temporarily configuring data service private network base stations, the number of temporary TACs being denoted $w$ and the temporary TACs denoted $\tau_j'$, $j \in \{1, 2, \ldots, w\}$, i.e. $\tau_j' \in T' = \{\tau_1', \tau_2', \ldots, \tau_w'\}$.
4. The authentication method as claimed in claim 3, wherein the core network side acquiring the user terminal information and matching it with the pre-planned access resource information comprises:
the SMF network element instructs the UPF network element to send the user terminal information to the ATLF module, wherein the DNN subscribed by the user terminal in the user terminal information is denoted $DNN_{UE}$ and the TAC carried by the user terminal is denoted $\tau_{UE}$;
the ATLF module judges whether $DNN_{UE}$ and $DNN_{SP}$ are consistent and whether $\tau_{UE}$ belongs to $T'$: if $DNN_{UE} \neq DNN_{SP}$, the secondary authentication type $S_k$ output is authentication denied; if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \in T'$, the secondary authentication type $S_k$ output is authentication exempt; if $DNN_{UE} = DNN_{SP}$ and $\tau_{UE} \notin T'$, the secondary authentication type $S_k$ output is must be authenticated;
the ATLF module sends the output secondary authentication type $S_k$ to the SMF network element, and the SMF network element determines from the secondary authentication type $S_k$ whether to exempt the user terminal from secondary authentication.
5. The authentication method according to claim 4, wherein, if the user terminal information belongs to the pre-planned access resource information, exempting the user terminal from secondary authentication and establishing the connection between the user terminal and the data service private network specifically comprises:
if the secondary authentication type $S_k$ received by the SMF network element is authentication exempt, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal; the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network.
6. The authentication method as claimed in claim 4, wherein, if the user terminal information does not belong to the pre-planned access resource information, the core network side not exempting the user terminal from secondary authentication comprises:
if the secondary authentication type $S_k$ received by the SMF network element is authentication denied, the SMF network element directly refuses the user terminal access to the data service private network;
if the secondary authentication type $S_k$ received by the SMF network element is must be authenticated, the SMF network element forwards a secondary identity authentication message about the user terminal to the AAA network element and establishes an authentication channel between the user terminal and the AAA network element; the secondary identity authentication message comprises $DNN_{UE}$ and one or more of the IMSI, IMEI, MSISDN and ULI carried by the user terminal.
7. The authentication method according to claim 6, wherein after the SMF network element forwards the secondary identity authentication message to the AAA network element and establishes the authentication channel between the user terminal and the AAA network element, the method further comprises:
the AAA network element performs secondary authentication on the user terminal according to the received secondary identity authentication message and outputs the secondary authentication result $r_p$ to the SMF network element, where the secondary authentication result $r_p$ is one of authenticated and not authenticated.
8. The authentication method according to claim 7, wherein after the AAA network element performs secondary authentication on the user terminal and outputs the secondary authentication result $r_p$ to the SMF network element, the method further comprises:
when the secondary authentication result $r_p$ received by the SMF network element is authenticated, the SMF network element sends the UPF network element a request to establish a connection to the data service private network for the user terminal, and the UPF network element responds to the connection request and establishes a connection channel between the user terminal and the data service private network;
when the secondary authentication result $r_p$ received by the SMF network element is not authenticated, the SMF network element refuses the user terminal access to the data service private network.
9. An authentication system, applying the authentication method of any one of claims 1 to 8, comprising a core network and a data service private network, wherein the core network side comprises an AUSF network element, an SMF network element, a UPF network element and an AAA network element, and the SMF network element comprises an ATLF module; the ATLF module is configured to match the acquired user terminal information with the pre-planned access resource information and to judge, record and output the secondary authentication type $S_k$; the user terminal information comprises the DNN subscribed by the user terminal requesting access to the data service private network and the TAC carried by the user terminal, the pre-planned access resource information comprises the DNN dedicated to the data service private network subscribed by the SIM card of the trusted communication terminal and the temporary TACs used for temporarily configuring data service private network base stations, and the secondary authentication type $S_k$ output by the ATLF module is one of authentication denied, authentication exempt and must be authenticated.
10. The authentication system of claim 9, wherein if the secondary authentication type $S_k$ output by the ATLF module is authentication exempt or authentication denied, the SMF network element does not communicate with the AAA network element; if the secondary authentication type $S_k$ output by the ATLF module is must be authenticated, the SMF network element communicates with the AAA network element.
CN202211235243.4A 2022-10-10 2022-10-10 Authentication method and system Pending CN115835202A (en)


Publications (1)

Publication Number Publication Date
CN115835202A true CN115835202A (en) 2023-03-21

Family

ID=85524504


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506407A (en) * 2023-06-20 2023-07-28 阿里巴巴(中国)有限公司 Voice communication method, system, storage medium and electronic equipment
CN117041969A (en) * 2023-09-28 2023-11-10 新华三技术有限公司 Access method, system and device of 5G dual-domain private network and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination