CN117528510A - Authentication method and device, electronic equipment and computer readable medium - Google Patents


Info

Publication number
CN117528510A
Authority
CN
China
Prior art keywords
user equipment
authentication
network element
authentication request
user
Legal status
Pending
Application number
CN202210888404.3A
Other languages
Chinese (zh)
Inventor
李建钊
朱华虹
曹维华
邹洁
王晴
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/30 Security of mobile devices; Security of mobile applications > H04W12/37 Managing security policies for mobile devices or for controlling mobile applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the application disclose an authentication method and device, an electronic device and a computer readable medium. The authentication method comprises the following steps: receiving an authentication request sent by user equipment, and sending the user permanent identifier corresponding to the user equipment together with the authentication request to a service communication proxy network element; and, if error response information is received that was generated because the authentication server function network element responsible for authenticating the identity of the user equipment has failed, and the authentication request is an authentication request reinitiated after the user equipment came online, controlling the identity authentication of the user equipment to pass. The technical scheme of the application realizes reasonable control of authentication and greatly optimizes the authentication scheme.

Description

Authentication method and device, electronic equipment and computer readable medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication method, an authentication device, an electronic device, and a computer readable medium.
Background
The 5G core network (5GC) R16 introduces an indirect communication architecture. Under indirect communication, signaling between the service processing network elements changes from point-to-point direct exchange to centralized aggregation and forwarding by Service Communication Proxy (SCP) network elements.
In the authentication scenario under the indirect communication architecture, the related technology generally uses an Authentication Server Function (AUSF) network element that supports the user permanent identifier (Subscription Permanent Identifier, SUPI) corresponding to a piece of User Equipment (UE) to perform identity authentication of the UE. Specifically, when that authentication server function network element fails, a failure response is returned, so the identity authentication of the UE fails, which affects the user's service.
Therefore, how to reasonably perform authentication control so that a user can use a service is a problem to be solved.
Disclosure of Invention
The embodiment of the application provides an authentication method and device, electronic equipment and a computer readable medium, so that reasonable control of authentication is realized at least to a certain extent.
In a first aspect, an embodiment of the present application provides an authentication method, where the method includes: receiving an authentication request sent by user equipment; sending the user permanent identifier corresponding to the user equipment and the authentication request to a service communication proxy network element, wherein the authentication request is used to instruct the service communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, so that the authentication server function network element performs identity authentication on the user equipment; and, if error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass; wherein the error response information is generated when the service communication proxy network element determines that the authentication server function network element supporting the user permanent identifier has failed.
In one embodiment of the present application, based on the foregoing solution, if error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass includes: if the error response information sent by the service communication proxy network element is received, detecting whether the authentication request is an authentication request reinitiated after the user equipment is online, and obtaining a detection result; and if the detection result indicates that the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass.
In one embodiment of the present application, based on the foregoing solution, detecting whether the authentication request is an authentication request reinitiated after the user equipment is online, to obtain a detection result, includes: detecting whether the context information of the user equipment can be acquired, and obtaining an acquisition result; if the acquisition result indicates that the context information was acquired, determining that the user equipment is online; and detecting, according to the context information, whether the authentication request is an authentication request reinitiated after the user equipment is online, and obtaining the detection result.
In one embodiment of the present application, based on the foregoing solution, detecting, according to the context information, whether the authentication request is an authentication request reinitiated after the user equipment is online, to obtain the detection result, includes: analyzing the context information to obtain an analysis result; detecting, according to the analysis result, whether network switching occurred after the user equipment came online; if network switching occurred, obtaining a detection result indicating that the authentication request is an authentication request reinitiated after the user equipment is online; and if network switching did not occur, obtaining a detection result indicating that the authentication request is not an authentication request reinitiated after the user equipment is online.
In one embodiment of the present application, based on the foregoing solution, detecting, according to the context information, whether the authentication request is an authentication request reinitiated after the user equipment is online, to obtain the detection result, includes: analyzing the context information to obtain an analysis result; detecting, according to the analysis result, whether the position of the user equipment in the network changed after it came online; if a position change occurred, obtaining a detection result indicating that the authentication request is an authentication request reinitiated after the user equipment is online; and if no position change occurred, obtaining a detection result indicating that the authentication request is not an authentication request reinitiated after the user equipment is online.
In one embodiment of the present application, based on the foregoing solution, after controlling the identity authentication of the user equipment to pass, the method further includes: generating authentication passing response information; and sending the authentication passing response information to the user equipment; the authentication passing response information indicates that the identity authentication of the user equipment has passed and that the user equipment is allowed to use the service.
In one embodiment of the present application, based on the foregoing scheme, the error response information includes the user permanent identifier interval supported by the authentication server function network element; after controlling the identity authentication of the user equipment to pass, the method further comprises: if an authentication request sent by a designated user equipment is received and the authentication request is an authentication request reinitiated after the designated user equipment is online, detecting whether the user permanent identifier of the designated user equipment lies within the user permanent identifier interval; wherein the designated user equipment comprises the user equipment or user equipment other than the user equipment; and if the user permanent identifier of the designated user equipment lies within the user permanent identifier interval, controlling the identity authentication of the designated user equipment to pass.
In a second aspect, an embodiment of the present application provides an authentication apparatus, where the apparatus includes: a receiving module configured to receive an authentication request sent by user equipment; a sending module configured to send the user permanent identifier corresponding to the user equipment and the authentication request to a service communication proxy network element, wherein the authentication request is used to instruct the service communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, so that the authentication server function network element performs identity authentication on the user equipment; and a control module configured to control the identity authentication of the user equipment to pass if error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online; wherein the error response information is generated when the service communication proxy network element determines that the authentication server function network element supporting the user permanent identifier has failed.
In a third aspect, embodiments of the present application provide an electronic device comprising one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the electronic device to implement the authentication method as described above.
In a fourth aspect, embodiments of the present application provide a computer readable medium having stored thereon a computer program which, when executed by a processor, implements an authentication method as described above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer instructions which, when executed by a processor, implement an authentication method as described above.
In the technical scheme provided in the embodiment of the application: an authentication request sent by user equipment is received, and the user permanent identifier corresponding to the user equipment and the authentication request are sent to a service communication proxy network element; and if error response information is received that was generated because the authentication server function network element for authenticating the identity of the user equipment has failed, and the authentication request is an authentication request reinitiated after the user equipment is online, the identity authentication of the user equipment can be controlled to pass.
Therefore, because the authentication request is an authentication request reinitiated after the user equipment is online, the probability that the identity of the user equipment carries a risk is small, and in general the authentication server function network element used to authenticate the identity of the user equipment would pass the identity authentication. So, if that authentication server function network element breaks down, the identity authentication of the user equipment can be directly determined to pass. This avoids the situation in which a failure of the authentication server function network element used to authenticate the user equipment causes the identity authentication of the user equipment to fail and the user's access to the network to be affected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
FIG. 1 is a schematic diagram of an exemplary implementation environment in which the techniques of embodiments of the present application may be applied;
FIG. 2 is a flow chart of an authentication method shown in an exemplary embodiment of the present application;
FIG. 3 is a flow chart of an authentication method shown in another exemplary embodiment of the present application;
FIG. 4 is a flow chart of an authentication method shown in another exemplary embodiment of the present application;
FIG. 5 is a flow chart of an authentication method shown in another exemplary embodiment of the present application;
FIG. 6 is a flow chart of an authentication method shown in another exemplary embodiment of the present application;
FIG. 7 is a flow chart of an authentication method shown in an exemplary embodiment of the present application;
FIG. 8 is a flow chart of an authentication method shown in an exemplary embodiment of the present application;
FIG. 9 is a flow chart of an authentication method shown in an exemplary embodiment of the present application;
FIG. 10 is a block diagram of an authentication device of one embodiment of the present application;
FIG. 11 is a block diagram of an authentication device of one embodiment of the present application;
FIG. 12 is a block diagram of an authentication device of one embodiment of the present application;
FIG. 13 is a schematic diagram of a computer system suitable for use in implementing embodiments of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application, as detailed in the appended claims.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
In this application, the term "plurality" means two or more. "And/or" describes an association relationship between associated objects and means that three relationships may exist; e.g., A and/or B may represent: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
In the authentication scenario under the 5G core network indirect communication architecture, the related technology generally implements identity authentication on the user equipment by an authentication server functional network element supporting a user permanent identifier corresponding to the user equipment, where when the authentication server functional network element fails, a failure response is returned, so that the identity authentication of the user equipment fails, thereby affecting the user service. In this regard, there is no clear solution in the related art for how to reasonably perform authentication control so that a user can use a service.
Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment according to the present application. The implementation environment mainly comprises a user terminal 101, an access and mobility management function (Access and Mobility Management Function, AMF) network element 102, a service communication proxy network element 103, a network storage function (NF Repository Function, NRF) network element 104, and an authentication server function network element 105. It will be appreciated that the user terminal 101, the access and mobility management function network element 102, the serving communication proxy network element 103, the network storage function network element 104, and the authentication server function network element 105 may communicate over a wired or wireless network. Wherein:
In one embodiment of the present application, the authentication method may be performed by the user terminal 101.
Illustratively, the user terminal 101 sends an authentication request to the access and mobility management function network element 102.
In one embodiment of the present application, the authentication method may be performed by the access and mobility management function network element 102.
Illustratively, the access and mobility management function network element 102 may receive an authentication request sent by the user equipment 101; then send the user permanent identifier corresponding to the user equipment 101 and the authentication request to the service communication proxy network element 103, wherein the authentication request is used to instruct the service communication proxy network element 103 to determine an authentication server function network element 105 supporting the user permanent identifier, so that the authentication server function network element 105 performs identity authentication on the user equipment 101; and, if error response information sent by the service communication proxy network element 103 is received and the authentication request is an authentication request reinitiated after the user equipment 101 is online, control the identity authentication of the user equipment 101 to pass; wherein the error response information is generated when the service communication proxy network element 103 determines that the authentication server function network element 105 supporting the user permanent identifier has failed.
In one embodiment of the present application, the authentication method may be performed by the serving communication proxy network element 103.
Illustratively, the serving communication proxy network element 103 may receive the user permanent identifier and the authentication request corresponding to the user equipment 101 sent by the access and mobility management function network element 102; then generating a discovery request of the authentication server function network element 105 according to the user permanent identifier, and sending the discovery request to the network storage function network element 104; then receiving a discovery result sent by the network storage function network element 104; if the discovery result indicates that the authentication server function network element 105 fails, error response information is generated and sent to the access and mobility management function network element 102.
In one embodiment of the present application, the authentication method may be performed by the network storage function network element 104.
Illustratively, the network storage function network element 104 may receive a discovery request of the authentication server function network element 105 sent by the service communication proxy network element 103, where the discovery request carries a user permanent identifier; then, the authentication server function network element 105 supporting the user permanent identifier is discovered, and a discovery result of the authentication server function network element 105 is obtained; and then sends the discovery result to the serving communication proxy network element 103.
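As an added example (not code from the patent or from China Telecom), the following Python models the exchange just described for FIG. 1: the SCP asks the NRF which AUSF serves a given SUPI and, when that AUSF is marked as failed, returns an error response to the AMF that carries the SUPI interval the AUSF supported, as the disclosure's later embodiment describes. The class names, the SUPI-interval registration, the response fields, the sample SUPIs and the credential stand-in are assumptions made for this example.

```python
# Added example (not the patent's own code): a model of the indirect-communication
# exchange of FIG. 1. The SCP discovers the AUSF serving a SUPI through the NRF and,
# if that AUSF has failed, returns an error response to the AMF instead of a failed
# authentication. Class names, the SUPI-range registration, the response fields and
# the sample SUPIs are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AusfProfile:
    """NRF registration of one AUSF (assumed shape): the SUPI interval it
    serves and whether it is currently reachable."""
    nf_id: str
    supi_start: str   # lowest SUPI served, inclusive
    supi_end: str     # highest SUPI served, inclusive
    healthy: bool = True


class Nrf:
    """NF Repository Function: answers AUSF discovery requests by SUPI."""

    def __init__(self, profiles):
        self.profiles = list(profiles)

    def discover_ausf(self, supi: str) -> Optional[AusfProfile]:
        # SUPIs of equal length compare lexically like integers, so a plain
        # string comparison is enough for this constructed numbering.
        for p in self.profiles:
            if p.supi_start <= supi <= p.supi_end:
                return p
        return None


@dataclass
class ScpResponse:
    status: str                                           # "AUTH_PASS", "AUTH_FAIL" or "ERROR"
    failed_supi_range: Optional[Tuple[str, str]] = None   # interval of the failed AUSF


class Scp:
    """Service Communication Proxy sitting between the AMF and the AUSFs."""

    def __init__(self, nrf: Nrf, ausf_backends: Dict[str, Callable[[str, dict], bool]]):
        self.nrf = nrf
        self.ausf_backends = ausf_backends   # nf_id -> stand-in for the real AUSF

    def handle_auth(self, supi: str, request: dict) -> ScpResponse:
        profile = self.nrf.discover_ausf(supi)
        if profile is None:
            return ScpResponse("ERROR")                       # no AUSF serves this SUPI
        if not profile.healthy:
            # Discovery says the AUSF failed: generate the error response and
            # include the SUPI interval it supported, as in the embodiment.
            return ScpResponse("ERROR", (profile.supi_start, profile.supi_end))
        passed = self.ausf_backends[profile.nf_id](supi, request)
        return ScpResponse("AUTH_PASS" if passed else "AUTH_FAIL")


def build_demo_scp() -> Scp:
    """Constructed topology: ausf-1 is healthy, ausf-2 has failed."""
    nrf = Nrf([
        AusfProfile("ausf-1", "imsi-460110000000000", "imsi-460110000000999"),
        AusfProfile("ausf-2", "imsi-460110000001000", "imsi-460110000001999", healthy=False),
    ])
    # Stand-in for the AUSF's credential check (constructed values, not 5G AKA):
    # pass only if the SUPI is on file and the request carries the value on file.
    on_file = {"imsi-460110000000007": "res-A7"}
    backends = {
        "ausf-1": lambda supi, req: supi in on_file and req.get("res") == on_file[supi],
    }
    return Scp(nrf, backends)


if __name__ == "__main__":
    scp = build_demo_scp()
    print(scp.handle_auth("imsi-460110000000007", {"res": "res-A7"}))   # AUTH_PASS
    print(scp.handle_auth("imsi-460110000000007", {"res": "wrong"}))    # AUTH_FAIL
    print(scp.handle_auth("imsi-460110000001042", {"res": "res-X"}))    # ERROR with range
```

The distinction the SCP draws here is between an authentication the AUSF evaluated and rejected (AUTH_FAIL) and an AUSF that could not be reached at all (ERROR); the AMF logic described in the steps that follow only ever passes a request without AUSF involvement in the second case.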
The technical solution of the embodiment shown in fig. 1 can be applied to various scenarios in which identity authentication of user equipment is required, including but not limited to intelligent transportation, driving assistance, cloud technology, artificial intelligence, etc.; in practical application, it can be adjusted according to the specific application scenario.
Various implementation details of the technical solutions of the embodiments of the present application are set forth in detail below:
Referring to fig. 2, fig. 2 is a flow chart illustrating an authentication method that may be performed by the access and mobility management function network element 102 according to one embodiment of the present application. As shown in fig. 2, the authentication method at least includes S201 to S204, which are described in detail as follows:
S201, receiving an authentication request sent by user equipment.
In the embodiment of the application, the user equipment can initiate an authentication request when the service is required; accordingly, the access and mobility management function network element may receive an authentication request sent by the user equipment. It can be appreciated that there are two cases of authentication request initiated by the user equipment; wherein:
In the first case, the authentication request is an authentication request reinitiated after the user equipment is disconnected from the network, which can also be understood as an authentication request initiated when the user equipment is newly/first online. For example, the user equipment enables airplane mode at time T1, i.e., from time T1 the user equipment is disconnected; the user equipment then disables airplane mode at time T2, where T2 is after T1, and the authentication request initiated by the user equipment at time T2 is an authentication request initiated when the user equipment is newly/first online.
In the second case, the authentication request is an authentication request initiated by the user equipment without being disconnected and restarted, and can also be understood as an authentication request initiated by the user equipment under the condition of being online. For example, the user equipment is switched from the 4G network to the 5G network, and the authentication request initiated by the user equipment is the authentication request initiated by the user equipment in the online condition.
In this embodiment, the authentication request initiated by the user equipment is a request for instructing an authentication party (which may be an authentication server functional network element) to authenticate its identity, so as to allow the user equipment to access the network and use a corresponding service after the authentication party authenticates its identity.
S202, a user permanent identifier corresponding to the user equipment and an authentication request are sent to a service communication proxy network element; wherein the authentication request is for instructing the serving communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, for authenticating the user equipment by the authentication server function network element.
In the embodiment of the application, after the access and mobility management function network element receives the authentication request sent by the user equipment, it can send the user permanent identifier corresponding to the user equipment and the authentication request to the service communication proxy network element; the service communication proxy network element then determines the authentication server function network element supporting the user permanent identifier and has that authentication server function network element authenticate the user equipment.
S203, if error response information sent by the service communication proxy network element is received, and the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass; wherein the error response information is generated when the service communication proxy network element determines that the authentication server function network element supporting the user permanent identifier has failed.
In the embodiment of the application, if the access and mobility management function network element receives the error response information sent by the service communication proxy network element and the authentication request is an authentication request reinitiated after the user equipment is online, the identity authentication of the user equipment is controlled to pass, that is, the identity of the user equipment no longer needs to be authenticated.
It can be understood that, in the embodiment of the present application, there are two situations in which the response information sent by the service communication proxy network element is received by the access and mobility management function network element; wherein:
In the first case, if the authentication server function network element supporting the user permanent identifier passes the identity authentication of the user equipment, authentication passing response information can be returned to the access and mobility management function network element; correspondingly, the access and mobility management function network element receives the authentication passing response information sent by the service communication proxy network element.
In the second case, if the authentication server function network element supporting the user permanent identifier has failed, the identity authentication of the user equipment is not completed at that moment, and error response information can be returned to the access and mobility management function network element; accordingly, the access and mobility management function network element receives the error response information sent by the service communication proxy network element.
It will be appreciated that as described above, there are two situations for an authentication request; wherein:
In the first case, the authentication request is reinitiated after the user equipment is disconnected from the network: if the authentication request is one reinitiated after the user equipment has been disconnected, the risk is higher at that moment. Therefore, in the embodiment of the application, when the access and mobility management function network element receives the error response information sent by the service communication proxy network element, the user equipment still needs to be authenticated; that is, on receiving the error response information sent by the service communication proxy network element, the user equipment is not controlled to pass, and in short, the identity of the user equipment must be authenticated.
For example, the access and mobility management function network element receives the authentication request sent by the user equipment a, and sends the user permanent identifier and the authentication request corresponding to the user equipment a to the service communication proxy network element; if the access and mobility management function network element receives the authentication passing response information sent by the service communication proxy network element, the authentication passing of the user equipment A is determined, and the user equipment A is allowed to access the network and use corresponding service.
In the second case, the authentication request is initiated by the user equipment without having gone offline and reinitiated: if the authentication request is not one reinitiated by the user equipment after going offline, the risk is lower at that moment. Therefore, when the access and mobility management function network element receives the error response information sent by the service communication proxy network element, the identity authentication of the user equipment can be directly determined to pass without authenticating the identity of the user equipment, so that a failure of the authentication server function network element does not cause the identity authentication of the user equipment to fail and prevent the user from accessing and using the corresponding service.
For example, the access and mobility management function network element receives the authentication request sent by the user equipment a, and sends the user permanent identifier and the authentication request corresponding to the user equipment a to the service communication proxy network element; if the access and mobility management function network element receives the error response information sent by the service communication proxy network element and the authentication request is the authentication request which is reinitiated after the user equipment A is online, the identity authentication of the user equipment A is controlled to be released, namely the identity of the user equipment A is not required to be authenticated any more, and the user equipment A is allowed to enter the network and use corresponding services.
For another example, the access and mobility management function network element receives the authentication request sent by user equipment A, and sends the user permanent identifier and the authentication request corresponding to user equipment A to the service communication proxy network element; if the access and mobility management function network element receives the error response information sent by the service communication proxy network element, but the authentication request is a newly (first) initiated authentication request from user equipment A rather than one re-initiated after it is online, the identity authentication of user equipment A is determined not to pass, and user equipment A is not allowed to access the network or use the corresponding service.
In the embodiment of the application, since the authentication request is one re-initiated after the user equipment is online, the probability that the identity of the user equipment is risky is small, and in general the authentication server function network element used for authenticating the identity of the user equipment would pass the identity authentication. Therefore, if that authentication server function network element fails, the access and mobility management function network element can directly determine that the identity authentication of the user equipment passes, thereby avoiding the situation in which the user's access to the network is affected by a failed identity authentication caused by the failure of the authentication server function network element.
In one embodiment of the present application, another authentication method is provided that can be performed by the access and mobility management function network element 102. As shown in fig. 3, the authentication method may include S301 to S302, S201 to S202.
S301, if the error response information sent by the service communication proxy network element is received, detecting whether the authentication request is an authentication request re-initiated after the user equipment is online, and obtaining a detection result.
The access and mobility management function network element in the embodiment of the application can detect whether the authentication request is the authentication request reinitiated after the user equipment is online when receiving the error response information sent by the service communication proxy network element, and obtain a detection result. The triggering condition for detecting whether the authentication request is the authentication request reinitiated after the user equipment is online to obtain the detection result is that the access and mobility management function network element receives the error response information sent by the service communication proxy network element. Therefore, only when receiving the error response information sent by the service communication proxy network element, the method triggers to detect whether the authentication request is the authentication request reinitiated after the user equipment is online, and obtains a detection result, thereby saving the resource consumption to a certain extent.
In one embodiment of the present application, the access and mobility management function network element may also detect, when it receives the authentication request sent by the user equipment, whether the authentication request is an authentication request re-initiated after the user equipment is online, and obtain a detection result. The triggering condition for this detection is then that the access and mobility management function network element receives the authentication request sent by the user equipment. In this way, the detection is triggered as soon as the authentication request sent by the user equipment is received, which can improve the detection accuracy to a certain extent and avoids the errors that re-triggering the detection later is prone to.
In one embodiment of the present application, the process in S301 of detecting whether the authentication request is an authentication request re-initiated after the user equipment is online, and obtaining a detection result, may at least include the following steps:
detecting whether the context information of the user equipment can be acquired, to obtain an acquisition result;
if the acquisition result indicates that the context information was acquired, determining that the user equipment is online;
detecting, according to the context information, whether the authentication request is an authentication request re-initiated after the user equipment is online, and obtaining a detection result.
Context information in the embodiments of the present application refers to some information generated by a user equipment in a communication network environment, including but not limited to security context, bearer context, etc.; in particular, the context information includes information such as network capabilities of the user equipment, tracking area identity (Tracking Area Identity, TAI), S1AP (S1 Application Protocol) ID, authentication information, negotiated security algorithms, generated keys, created connection information, bearer information, etc.
In the embodiment of the application, the access and mobility management function network element can detect whether the context information of the user equipment can be acquired, and obtain an acquisition result. If the acquisition result indicates that the context information was acquired, the user equipment can be determined to be online, that is, not offline; if the acquisition result indicates that the context information was not acquired, the user equipment can be determined to be not online, that is, offline.
In one embodiment of the present application, the process of detecting whether the authentication request is an authentication request that is reinitiated after the user equipment is online according to the context information to obtain a detection result may include at least the following steps:
Analyzing the context information to obtain an analysis result;
detecting whether network switching occurs after the user equipment is online according to the analysis result;
if network switching has occurred, obtaining a detection result indicating that the authentication request is an authentication request re-initiated after the user equipment is online;
if network switching has not occurred, obtaining a detection result indicating that the authentication request is not an authentication request re-initiated after the user equipment is online.
That is, in an alternative embodiment, the access and mobility management function network element may detect, according to the context information, whether network switching has occurred after the user equipment came online. It will be appreciated that network switching includes, but is not limited to, switching between networks of different types; for example, from a 4G network to a 5G network, from a 5G network to a 4G network, and so on. If network switching has occurred, a detection result indicating that the authentication request is one re-initiated after the user equipment is online can be obtained; if no network switching has occurred, a detection result indicating that the authentication request is not one re-initiated after the user equipment is online can be obtained.
In one embodiment of the present application, the process of detecting whether the authentication request is an authentication request that is reinitiated after the user equipment is online according to the context information to obtain a detection result may include at least the following steps:
Analyzing the context information to obtain an analysis result;
detecting, according to the analysis result, whether a location change has occurred in the network after the user equipment came online;
if a location change has occurred, obtaining a detection result indicating that the authentication request is an authentication request re-initiated after the user equipment is online;
if no location change has occurred, obtaining a detection result indicating that the authentication request is not an authentication request re-initiated after the user equipment is online.
That is, in an alternative embodiment, the access and mobility management function network element may detect, according to the context information, whether a location change has occurred in the network after the user equipment came online. It is to be appreciated that a location change includes, but is not limited to, a tracking area update (Tracking Area Update, TAU) and the like. If a location change has occurred, a detection result indicating that the authentication request is one re-initiated after the user equipment is online can be obtained; if no location change has occurred, a detection result indicating that the authentication request is not one re-initiated after the user equipment is online can be obtained.
S302, if the detection result represents that the authentication request is the authentication request reinitiated after the user equipment is online, controlling to release the identity authentication of the user equipment.
In the embodiment of the application, if the detection result indicates that the authentication request is an authentication request re-initiated after the user equipment is online, the identity authentication of the user equipment is controlled to be released.
It should be noted that, for the detailed description of S201 to S202 shown in fig. 3, please refer to S201 to S202 shown in fig. 2, and the detailed description is omitted here.
In the embodiment of the application, the access and mobility management function network element detects whether the authentication request is the authentication request reinitiated after the user equipment is online through the context information of the user equipment, so that a detection result is obtained.
In one embodiment of the present application, another authentication method is provided that can be performed by the access and mobility management function network element 102. As shown in fig. 4, the authentication method may further include S401 to S402 after S203.
S401 to S402 are described in detail as follows:
S401, generating authentication passing response information.
In the embodiment of the application, when the access and mobility management function network element controls the identity authentication of the user equipment to be released, that is, at the moment it determines that the identity authentication of the user equipment passes, it can generate authentication passing response information.
S402, sending authentication passing response information to the user equipment; the authentication passing response information is used for representing the identity authentication passing of the user equipment and allowing the user equipment to use the service.
In the embodiment of the application, after generating the authentication passing response information, the access and mobility management function network element can send it to the user equipment; the user equipment can determine from the authentication passing response information that its own identity authentication has passed, and the user equipment is allowed to access the network and use the corresponding service.
It should be noted that, for the detailed description of S201 to S203 shown in fig. 4, please refer to S201 to S203 shown in fig. 2, and the detailed description is omitted here.
According to the embodiment of the application, the access and mobility management function network element sends the authentication passing response information to the user equipment, so that the user equipment can determine from the authentication passing response information that its identity authentication has passed; this is more user-friendly, fits the application scenario, and improves user satisfaction.
In one embodiment of the present application, another authentication method is provided that can be performed by the access and mobility management function network element 102. As shown in fig. 5, the authentication method may further include S501 to S502 after S203.
The error response information in the embodiment of the application includes a user permanent identifier interval (also called a user permanent identifier range) supported by the authentication server function network element; for example, the user permanent identifier interval may be [460110000000000, 460111000000000].
S501 to S502 are described in detail as follows:
S501, if an authentication request sent by a designated user equipment is received, and the authentication request is an authentication request re-initiated after the designated user equipment is online, detecting whether the user permanent identifier of the designated user equipment is located within the user permanent identifier interval; wherein the designated user equipment is the aforementioned user equipment or another user equipment other than it.
In this embodiment, the designated user equipment is the aforementioned user equipment or another user equipment, that is, the designated user equipment and the user equipment in the foregoing embodiment may be the same user equipment or different user equipment. For example, if the user equipment described in the foregoing embodiment is user equipment A, the designated user equipment in the embodiment of the present application may be user equipment A, user equipment B, user equipment C, user equipment D, or the like.
The access and mobility management function network element in the embodiment of the application can also receive an authentication request sent by the designated user equipment, where that authentication request is also one re-initiated after the designated user equipment is online, and can then detect whether the user permanent identifier of the designated user equipment is located within the user permanent identifier interval; for example, whether the user permanent identifier of the designated user equipment is located within the user permanent identifier interval [460110000000000, 460111000000000].
S502, if the user permanent identifier of the designated user equipment is located within the user permanent identifier interval, controlling the identity authentication of the designated user equipment to be released (passed).
In the embodiment of the application, if the user permanent identifier of the designated user equipment is located within the user permanent identifier interval, the identity authentication of the designated user equipment can be controlled to be released, that is, the identity of the designated user equipment does not need to be authenticated, and the user permanent identifier and the authentication request corresponding to the designated user equipment do not need to be sent to the service communication proxy network element.
For example, continuing the foregoing example in which user equipment A is allowed to access the network and use the corresponding service: after a period of time (for example, after 5 minutes), the access and mobility management function network element receives the authentication request sent by user equipment B, where the authentication request is one re-initiated after user equipment B is online, and detects whether the user permanent identifier of user equipment B is located within the user permanent identifier interval; if it is, the identity authentication of user equipment B is controlled to be released, that is, the identity of user equipment B no longer needs to be authenticated, and user equipment B is allowed to access the network and use the corresponding services.
It should be noted that, for the detailed description of S201 to S203 shown in fig. 5, please refer to S201 to S203 shown in fig. 2, and the detailed description is omitted here.
In the embodiment of the application, when the access and mobility management function network element later receives an authentication request sent by the designated user equipment, and the authentication request is one re-initiated after the designated user equipment is online, it can directly detect whether the user permanent identifier of the designated user equipment is located within the user permanent identifier interval; if it is, the identity authentication of the designated user equipment can be controlled to be released, so that the user permanent identifier and the authentication request corresponding to the designated user equipment need not be sent to the service communication proxy network element, which saves resource consumption to a certain extent; in particular, when the access and mobility management function network element later receives many such authentication requests from designated user equipment, resource consumption can be saved to a great extent.
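As an added illustration (not the patent's own code or pseudocode), the following Python models the AMF decision path of S201 to S203 and S301 to S302 together with the interval fast path of S501 to S502, with the SCP, NRF and AUSF collapsed into one small table. All class, function and field names, the RAT/TAI history used to detect "network switching" and a TAU, and the FQDNs are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ErrorResponse:
    # Error response from the SCP (S203/S704). Field names are constructed, not
    # 3GPP ones: the SUPI interval the failed AUSF serves (S501) and the FQDNs
    # of the failed primary and standby AUSF (S601).
    supi_interval: tuple
    failed_ausf_fqdns: tuple


@dataclass
class AuthPassResponse:
    supi: int


@dataclass
class UeContext:
    # Subset of the UE context that S301 relies on: the network types seen
    # (a change means "network switching") and the TAIs seen (a change means a TAU).
    rat_history: list = field(default_factory=list)
    tai_history: list = field(default_factory=list)


class Scp:
    """Stand-in for SCP + NRF: a table of (supi_interval, ausf_fqdns, all_failed)."""

    def __init__(self, ausf_table):
        self.table = ausf_table
        self.requests_seen = 0

    def authenticate(self, supi):
        self.requests_seen += 1
        for interval, fqdns, all_failed in self.table:
            if interval[0] <= supi <= interval[1]:
                # S704: discovered AUSF has failed -> error response; otherwise the
                # real AUSF exchange would run here (elided, assumed to pass).
                return ErrorResponse(interval, fqdns) if all_failed else AuthPassResponse(supi)
        raise LookupError(f"no AUSF registered for SUPI {supi}")


class Amf:
    def __init__(self, scp):
        self.scp = scp
        self.contexts = {}            # SUPI -> UeContext, present only while the UE is online
        self.released_intervals = []  # SUPI intervals learned from error responses (S501)
        self.failed_ausf = set()      # FQDNs learned from error responses (S601)

    def is_reinitiated_after_online(self, supi):
        """S301: re-initiated after being online only if a context can be acquired
        and it shows a network switch or a TAU (the two alternatives in the text)."""
        ctx = self.contexts.get(supi)
        if ctx is None:
            return False  # no context: the UE is offline or attaching for the first time
        return len(set(ctx.rat_history)) > 1 or len(set(ctx.tai_history)) > 1

    def in_released_interval(self, supi):
        return any(lo <= supi <= hi for lo, hi in self.released_intervals)

    def handle_auth_request(self, supi):
        """Returns True if the UE is admitted to the network, False if rejected."""
        reinitiated = self.is_reinitiated_after_online(supi)
        # S501/S502: fast path that skips the SCP round trip. It admits the UE with
        # no AUSF involved, so a deployment should log each use and bound how long a
        # learned interval stays in force (an assumption, not in the patent).
        if reinitiated and self.in_released_interval(supi):
            return True
        resp = self.scp.authenticate(supi)  # S202
        if isinstance(resp, AuthPassResponse):
            return True
        # S203 + S301/S302: an error response releases only re-initiated requests;
        # a first-time request is rejected (the "for another example" case above).
        self.released_intervals.append(resp.supi_interval)
        self.failed_ausf.update(resp.failed_ausf_fqdns)
        return reinitiated


def run_scenario():
    """Constructed walkthrough; SUPIs follow the text's interval, FQDNs are examples."""
    scp = Scp([((460110000000000, 460111000000000),
                ("ausf-primary.example.invalid", "ausf-standby.example.invalid"), True)])
    amf = Amf(scp)
    # UE A: online, switched 4G -> 5G, re-initiates; AUSF down -> released
    amf.contexts[460110000000001] = UeContext(rat_history=["4G", "5G"], tai_history=["TAI-1"])
    a_admitted = amf.handle_auth_request(460110000000001)
    # UE B: online, did a TAU, same interval -> released without contacting the SCP
    amf.contexts[460110000000002] = UeContext(rat_history=["5G"], tai_history=["TAI-1", "TAI-2"])
    seen_before = scp.requests_seen
    b_admitted = amf.handle_auth_request(460110000000002)
    b_skipped_scp = scp.requests_seen == seen_before
    # UE C: no context (fresh attach) -> SCP consulted, AUSF down -> rejected
    c_admitted = amf.handle_auth_request(460110000000003)
    return a_admitted, b_admitted, b_skipped_scp, c_admitted, sorted(amf.failed_ausf)


if __name__ == "__main__":
    print(run_scenario())
```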
In one embodiment of the present application, another authentication method is provided that can be performed by the access and mobility management function network element 102. As shown in fig. 6, the authentication method may further include S601 after S203.
The error response information in the embodiment of the application includes the domain name information of the authentication server function network element. Optionally, the domain name information may be a fully qualified domain name (fully qualified domain name, FQDN), where a fully qualified domain name is the complete domain name of a particular computer or host on the Internet, consisting of two parts, a host name and a domain name; for example, the FQDN of a mail server may be mail.linuxrumn.com, where mail is the host name and linuxrumn.com is the domain name, i.e. the host is located in the domain linuxrumn.com.
S601 is described in detail as follows:
S601, determining the failed authentication server function network element according to the domain name information; the failed authentication server function network element includes a primary authentication server function network element and a standby authentication server function network element.
In the embodiment of the application, the access and mobility management function network element can determine the failed authentication server function network element according to the domain name information.
It can be understood that, in the authentication scenario under the 5G core network indirect communication architecture, in order to ensure that identity authentication of the user equipment can be achieved, two (or more than two) authentication server function network elements may be set for the same user permanent identifier interval; when one authentication server function network element (which may be the primary authentication server function network element) fails, the identity authentication of the user equipment may be performed by another authentication server function network element (which may be the standby authentication server function network element).
For example, for the user permanent identifier interval [460110000000000, 460111000000000], two authentication server function network elements are provided, one of which is the primary authentication server function network element and the other the standby authentication server function network element. Of course, for other user permanent identifier intervals, two (or more than two) authentication server function network elements can also be set, and in practical application the number can be adjusted flexibly according to the specific application scenario.
Therefore, in the embodiment of the present application, where two authentication server function network elements are set, the error response information may include the domain name information corresponding to the primary authentication server function network element and the standby authentication server function network element that have failed simultaneously; accordingly, the access and mobility management function network element can determine the locations of the primary and standby authentication server function network elements from their respective domain name information, so as to perform corresponding management, such as collecting statistics on the probability that the primary and standby authentication server function network elements fail simultaneously, and thereby deciding to increase or decrease the number of authentication server function network elements, and the like.
It should be noted that, for the detailed description of S201 to S203 shown in fig. 6, please refer to S201 to S203 shown in fig. 2, and the detailed description is omitted here.
In the embodiment of the application, the access and mobility management function network element receives error response information containing the domain name information of the authentication server function network element, so that it can perform corresponding management according to that error response information; this is more user-friendly and fits the application scenario.
It should be noted that the embodiments shown in fig. 3 to fig. 6 are explained from the perspective of the access and mobility management function network element 102; the implementation details of the technical solution of the embodiments of the present application are explained below from the perspective of the serving communication proxy network element 103 in conjunction with fig. 7:
Referring to fig. 7, fig. 7 is a flow chart illustrating an authentication method that may be performed by the serving communication proxy network element 103 according to one embodiment of the present application. As shown in fig. 7, the authentication method at least includes S701 to S704, which are described in detail as follows:
S701, receiving a user permanent identifier and an authentication request corresponding to user equipment sent by an access and mobility management function network element.
In the embodiment of the application, the access and mobility management function network element receives the authentication request sent by the user equipment, and can send the user permanent identifier and the authentication request corresponding to the user equipment to the service communication proxy network element; accordingly, the serving communication proxy network element may receive the user permanent identifier and the authentication request corresponding to the user equipment sent by the access and mobility management function network element.
S702, generating a discovery request of the authentication server function network element according to the user permanent identifier, and sending the discovery request to the network storage function network element; the discovery request is used for indicating the network storage function network element to discover the authentication server function network element supporting the user permanent identifier, and a discovery result of the authentication server function network element is obtained.
In the embodiment of the application, the service communication proxy network element generates a discovery request of the authentication server function network element according to the user permanent identifier, and sends the discovery request to the network storage function network element; thus, the network storage function network element can discover the authentication server function network element supporting the user permanent identifier through the discovery service, thereby obtaining the discovery result of the authentication server function network element, and returning the discovery result to the service communication proxy network element.
S703, receiving the discovery result sent by the network storage function network element.
In the embodiment of the application, the network storage function network element sends the discovery result to the service communication proxy network element; accordingly, the service communication proxy network element receives the discovery result sent by the network storage function network element.
S704, if the discovery result indicates that the authentication server function network element has failed, generating error response information and sending it to the access and mobility management function network element, so that the access and mobility management function network element controls, according to the error response information, whether to release the identity authentication of the user equipment.
In the embodiment of the application, when the service communication proxy network element determines from the discovery result that the authentication server function network element has failed, it can generate error response information and send it to the access and mobility management function network element; the access and mobility management function network element can then control, according to the error response information, whether the identity authentication of the user equipment is released.
In the embodiment of the application, when the service communication proxy network element determines that the authentication server functional network element fails, error response information is generated, and the error response information is returned to the access and mobility management functional network element, so that support is provided for the access and mobility management functional network element to control whether to release the identity authentication of the user equipment according to the error response information.
It should be noted that the embodiment shown in fig. 7 is illustrated from the perspective of the serving communication proxy network element 103; the implementation details of the technical solution of the embodiment of the present application are described below from the perspective of the network storage function network element 104 with reference to fig. 8:
Referring to fig. 8, fig. 8 is a flowchart illustrating an authentication method that may be performed by the network storage function network element 104 according to one embodiment of the present application. As shown in fig. 8, the authentication method at least includes S801 to S803, which are described in detail as follows:
S801, receiving a discovery request of an authentication server function network element sent by a service communication proxy network element; wherein the discovery request carries a user permanent identifier.
In the embodiment of the application, a service communication proxy network element sends a discovery request of an authentication server function network element to a network storage function network element; accordingly, the network storage function network element may receive a discovery request of the authentication server function network element sent by the serving communication proxy network element.
S802, discovering the authentication server function network element supporting the user permanent identifier to obtain the discovery result of the authentication server function network element.
In the embodiment of the application, the network storage function network element can discover, through the discovery service, the authentication server function network element supporting the user permanent identifier, so that the discovery result of the authentication server function network element can be obtained quickly and accurately. The discovery service is program code written by a developer to implement the function of discovering the authentication server function network element.
S803, sending the discovery result to the service communication proxy network element; wherein the discovery result is used for the service communication proxy network element to determine whether to generate error response information.
In the embodiment of the application, the network element with the network storage function can send the discovery result to the service communication proxy network element; accordingly, the service communication proxy network element may receive the discovery result sent by the network storage function network element.
In the embodiment of the application, the network storage function network element discovers the authentication server function network element supporting the user permanent identifier, obtains the discovery result of the authentication server function network element, returns the discovery result to the service communication proxy network element, and provides support for the service communication proxy network element to determine how to generate the response information.
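As an added illustration (not the patent's own code), this Python models the NRF discovery of S801 to S803 and the SCP routing of S702 to S704, including the primary/standby arrangement described for S601: a live AUSF is selected while one exists, and only when every instance serving the interval has failed is an error response built that carries the interval and the failed FQDNs. The profile fields, class names and FQDNs are constructed assumptions, not 3GPP NF profile attributes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AusfProfile:
    # Constructed NF profile: what the NRF is assumed to know about each AUSF
    # instance. Field names are illustrative, not the 3GPP NFProfile attributes.
    fqdn: str
    supi_interval: tuple   # inclusive [low, high] SUPI interval it serves
    role: str              # "primary" or "standby"
    healthy: bool


class Nrf:
    """Network storage function: S801-S803, discovery by user permanent identifier."""

    def __init__(self, profiles):
        self.profiles = list(profiles)

    def discover_ausf(self, supi):
        # S802: every AUSF instance whose interval covers the SUPI, healthy or not,
        # so the SCP can tell "AUSF failed" apart from "no AUSF for this SUPI".
        return [p for p in self.profiles
                if p.supi_interval[0] <= supi <= p.supi_interval[1]]


class Scp:
    """Service communication proxy: S702-S704."""

    def __init__(self, nrf):
        self.nrf = nrf

    def route(self, supi):
        found = self.nrf.discover_ausf(supi)   # S702/S703
        if not found:
            return {"status": "error", "reason": "no AUSF registered for SUPI"}
        # Prefer the primary; fall back to the standby (the arrangement in S601).
        live = sorted((p for p in found if p.healthy), key=lambda p: p.role != "primary")
        if live:
            return {"status": "forward", "ausf": live[0].fqdn}
        # S704: primary and standby both failed -> error response carrying the
        # interval (used by the AMF in S501) and the failed FQDNs (used in S601).
        return {"status": "error",
                "supi_interval": found[0].supi_interval,
                "failed_ausf_fqdns": tuple(p.fqdn for p in found)}


def demo():
    """Constructed scenarios: both up, primary down, both down, SUPI outside the interval."""
    interval = (460110000000000, 460111000000000)

    def make_scp(primary_ok, standby_ok):
        return Scp(Nrf([
            AusfProfile("ausf-primary.example.invalid", interval, "primary", primary_ok),
            AusfProfile("ausf-standby.example.invalid", interval, "standby", standby_ok),
        ]))

    supi = 460110000000001
    return (make_scp(True, True).route(supi),
            make_scp(False, True).route(supi),
            make_scp(False, False).route(supi),
            make_scp(True, True).route(460120000000000))


if __name__ == "__main__":
    for result in demo():
        print(result)
```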
One specific scenario of the embodiments of the present application is described in detail below:
Referring to fig. 9, and also to the implementation environment shown in fig. 1, fig. 9 is a flowchart of an authentication method according to an embodiment of the present application. As shown in fig. 9, the authentication method at least includes S901 to S910, which are described in detail as follows:
S901, the authentication request sent by the user equipment is sent to the access and mobility management function network element.
In the embodiment of the present application, the user equipment may re-initiate the authentication request after the network is disconnected, or may re-initiate the authentication request without the network being disconnected. An authentication request re-initiated without the network being disconnected may be one initiated by the user equipment when it performs network switching, or one initiated by the user equipment when its location in the network changes.
For example, let the user equipment initiating the authentication request here be user equipment a, whose corresponding user permanent identifier is 460110000000001.
S902, the access and mobility management function network element sends the user permanent identifier corresponding to the user equipment and the authentication request to the service communication proxy network element.
In the embodiment of the application, the authentication request sent by the user equipment is sent to the access and mobility management function network element; accordingly, the access and mobility management function network element receives the authentication request sent by the user equipment, and may then send the user permanent identifier corresponding to the user equipment and the authentication request to the service communication proxy network element.
In one embodiment of the present application, the authentication request may carry the user permanent identifier corresponding to the user equipment; in that case, the access and mobility management function network element sends the authentication request itself to the service communication proxy network element.
S903, the service communication proxy network element generates a discovery request of the authentication server function network element according to the user permanent identifier, and sends the discovery request to the network storage function network element.
In the embodiment of the application, an access and mobility management function network element sends a user permanent identifier and an authentication request corresponding to user equipment to a service communication proxy network element; accordingly, the service communication proxy network element receives the user permanent identifier and the authentication request corresponding to the user equipment sent by the access and mobility management function network element, and then the service communication proxy network element can generate a discovery request of the authentication server function network element according to the user permanent identifier and send the discovery request to the network storage function network element.
S904, the network storage function network element discovers the authentication server function network element supporting the user permanent identifier, obtains the discovery result of the authentication server function network element, and sends the discovery result of the authentication server function network element to the service communication proxy network element.
In the embodiment of the application, a service communication proxy network element sends a discovery request to a network storage function network element; accordingly, the network storage function network element receives the discovery request sent by the service communication proxy network element, then the network storage function network element discovers the authentication server function network element supporting the user permanent identifier, obtains the discovery result of the authentication server function network element, and sends the discovery result of the authentication server function network element to the service communication proxy network element.
In one embodiment of the present application, in an authentication scenario under a 5G core network indirect communication architecture, two authentication server function network elements are respectively provided for each user permanent identifier interval, one of which is a primary authentication server function network element, and the other is a standby authentication server function network element.
For example, continuing the foregoing example, the network storage function network element discovers the primary authentication server function network element 1 and the standby authentication server function network element 2 supporting the user permanent identifier 460110000000001, obtains the discovery results for both, and sends these discovery results to the service communication proxy network element.
S905, the service communication proxy network element sends an authentication request to all authentication server function network elements supporting the user permanent identifier.
For example, continuing the foregoing example, the service communication proxy network element sends the authentication request to the primary authentication server function network element 1 and the standby authentication server function network element 2.
S906, the authentication server function network element fails, and the identity authentication of the user equipment cannot be completed.
For example, continuing the foregoing example, the primary authentication server function network element 1 and the standby authentication server function network element 2 have both failed, so the identity authentication of the user equipment cannot be completed.
S907, if the service communication proxy network element does not receive the authentication information returned by any of the authentication server function network elements supporting the user permanent identifier within a preset time period, it determines that the authentication server function network element has failed, generates error response information, and sends the error response information to the access and mobility management function network element.
For example, continuing the foregoing example, if the service communication proxy network element does not receive the authentication information returned by the primary authentication server function network element 1 or the standby authentication server function network element 2 within the preset period of time, it determines that both the primary authentication server function network element 1 and the standby authentication server function network element 2 have failed, generates error response information, and sends the error response information to the access and mobility management function network element.
S908, if the error response information sent by the service communication proxy network element is received, and the authentication request is an authentication request reinitiated after the user equipment is online, the access and mobility management function network element controls the identity authentication of the user equipment to pass.
In the embodiment of the application, the service communication proxy network element sends error response information to the access and mobility management function network element; accordingly, the access and mobility management function network element receives the error response information sent by the service communication proxy network element.
In one embodiment of the application, when the access and mobility management function network element receives the error response information sent by the service communication proxy network element, it may detect whether the authentication request is an authentication request reinitiated after the user equipment is online, and obtain a detection result. If the detection result indicates that the authentication request is an authentication request reinitiated after the user equipment is online, the identity authentication of the user equipment is controlled to pass; if the detection result indicates that the authentication request is not an authentication request reinitiated after the user equipment is online, the error response information is sent to the user equipment.
For example, continuing the foregoing example, if the access and mobility management function network element receives the error response information sent by the service communication proxy network element and the authentication request is an authentication request reinitiated after the user equipment A is online, the access and mobility management function network element controls the identity authentication of the user equipment A to pass.
In one embodiment of the present application, the error response information may include the user permanent identifier interval supported by the authentication server function network element. For example, continuing the foregoing example, the error response information includes the user permanent identifier interval [460110000000000, 460111000000000].
In one embodiment of the present application, the error response information includes the domain name information of the authentication server function network element. For example, continuing the foregoing example, the error response information includes the domain name information corresponding to the primary authentication server function network element 1 and the standby authentication server function network element 2, respectively.
S909, if an authentication request sent by a specified user equipment is received and the authentication request is an authentication request reinitiated after the specified user equipment is online, the access and mobility management function network element detects whether the user permanent identifier of the specified user equipment is located in the user permanent identifier interval.
In the embodiment of the application, the specified user equipment includes the user equipment itself or other user equipment besides the user equipment.
For example, continuing the foregoing example, if the access and mobility management function network element receives an authentication request sent by the specified user equipment B, and the authentication request is an authentication request reinitiated after the specified user equipment B is online, the access and mobility management function network element may detect whether the user permanent identifier of the specified user equipment B is located in the user permanent identifier interval, i.e. whether it lies in the interval [460110000000000, 460111000000000].
S9010, if the user permanent identifier of the specified user equipment is located in the user permanent identifier interval, the access and mobility management function network element controls the identity authentication of the specified user equipment to pass.
For example, assuming that the user permanent identifier of the specified user equipment B is 460110000000005, which lies in the user permanent identifier interval [460110000000000, 460111000000000], the access and mobility management function network element may control the identity authentication of the specified user equipment B to pass.
It should be noted that, please refer to the foregoing embodiments for the detailed description of S901 to S9010 in fig. 9, and the detailed description is omitted here.
In the embodiment of the application:
On the one hand, when the access and mobility management function network element receives the error response information sent by the service communication proxy network element and the authentication request is an authentication request reinitiated after the user equipment is online, the identity of the user equipment no longer needs to be authenticated, and its identity authentication can be determined to pass. This avoids the situation in which a failure of the authentication server function network element causes the identity authentication of the user equipment to fail and prevents the user from accessing the network and using the corresponding service; the application scenario is satisfied and user satisfaction is higher.
On the other hand, when the access and mobility management function network element later receives an authentication request sent by a specified user equipment, and that authentication request is also one reinitiated after the specified user equipment is online, the identity authentication of the specified user equipment can be determined to pass by detecting that its user permanent identifier is located in the user permanent identifier interval. The user permanent identifier and authentication request corresponding to the specified user equipment therefore need not be sent to the service communication proxy network element again, which saves resources.
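The following Python model walks through S901 to S9010 end to end: the SCP fans the request out to the primary and standby AUSF discovered by the NRF, raises an error response carrying the SUPI interval and AUSF domain names when neither answers, and the AMF then passes only a UE that is already online and re-authenticating after a handover or location change, caching the failed interval so that user equipment B is passed without a second SCP round trip. It is an added example, not code from the patent or from any operator's network; the class names, the `ausf1.example`/`ausf2.example` domain names and the third SUPI are constructed, and because the decision is fail-open every passed request is written to an audit list for later review.

```python
from dataclasses import dataclass

# Sample values taken from the scenario in the text; the AUSF domain names are constructed.
SUPI_A = "460110000000001"
SUPI_B = "460110000000005"
INTERVAL = ("460110000000000", "460111000000000")


def in_interval(supi, interval):
    """True if the SUPI lies inside the closed interval (compared numerically)."""
    lo, hi = interval
    return int(lo) <= int(supi) <= int(hi)


@dataclass
class Ausf:
    domain: str
    healthy: bool = True

    def authenticate(self, supi):
        # A failed AUSF returns nothing at all; the SCP only notices via its timer (S906/S907).
        return {"supi": supi, "result": "SUCCESS"} if self.healthy else None


class Nrf:
    """S904: returns the primary and standby AUSF serving the SUPI's interval."""

    def __init__(self, table):
        self.table = table  # list of (interval, [primary_ausf, standby_ausf])

    def discover(self, supi):
        for interval, ausfs in self.table:
            if in_interval(supi, interval):
                return interval, ausfs
        return None, []


class Scp:
    def __init__(self, nrf):
        self.nrf = nrf
        self.requests = 0  # counts AMF -> SCP round trips, to show the S909 short-circuit

    def authenticate(self, supi):
        self.requests += 1
        interval, ausfs = self.nrf.discover(supi)  # S903/S904
        for ausf in ausfs:  # S905: send to every AUSF supporting the SUPI
            result = ausf.authenticate(supi)
            if result is not None:
                return "AUTH", result
        # S907: nothing returned within the preset period -> error response carrying
        # the SUPI interval and the domain names of the failed AUSFs.
        return "ERROR", {"interval": interval, "ausf_domains": [a.domain for a in ausfs]}


@dataclass
class UeContext:
    handover: bool = False
    location_changed: bool = False


class Amf:
    def __init__(self, scp):
        self.scp = scp
        self.contexts = {}          # SUPI -> UeContext; a stored context means the UE is online
        self.failed_intervals = []  # SUPI intervals learned from error responses (S908)
        self.audit = []             # every fail-open decision is recorded for later review

    def reinitiated_after_online(self, supi):
        """Context present and a handover or location change occurred (S908 detection)."""
        ctx = self.contexts.get(supi)
        return ctx is not None and (ctx.handover or ctx.location_changed)

    def handle_request(self, supi):
        reauth = self.reinitiated_after_online(supi)
        # S909/S9010: a SUPI inside a known-failed interval is passed without contacting the SCP
        if reauth and any(in_interval(supi, iv) for iv in self.failed_intervals):
            self.audit.append((supi, "passed: interval known failed"))
            return "PASS"
        kind, payload = self.scp.authenticate(supi)  # S902
        if kind == "AUTH":
            return "PASS"  # normal case: the AUSF authenticated the UE
        # S908: error response; only a UE that is online and re-authenticating is let through
        if reauth:
            if payload["interval"] is not None:
                self.failed_intervals.append(payload["interval"])
            self.audit.append((supi, "passed: AUSF failed " + ",".join(payload["ausf_domains"])))
            return "PASS"
        return "ERROR"  # first-time or offline UE: the error response goes back to the UE


def run_scenario():
    """Replays the scenario with both AUSF failed; returns (outcomes, SCP round trips, audit)."""
    ausf1 = Ausf("ausf1.example", healthy=False)
    ausf2 = Ausf("ausf2.example", healthy=False)
    amf = Amf(Scp(Nrf([(INTERVAL, [ausf1, ausf2])])))
    amf.contexts[SUPI_A] = UeContext(handover=True)
    amf.contexts[SUPI_B] = UeContext(location_changed=True)
    outcomes = {
        "A": amf.handle_request(SUPI_A),            # S901-S908: passed after the error response
        "B": amf.handle_request(SUPI_B),            # S909-S9010: interval check, no SCP round trip
        "C": amf.handle_request("460110000000009"),  # constructed: no context, so not online
    }
    return outcomes, amf.scp.requests, amf.audit
```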
Fig. 10 is a block diagram of an authentication device according to one embodiment of the present application. As shown in fig. 10, the authentication apparatus is applied to an access and mobility management function network element, and the apparatus includes:
a receiving module 1001 configured to receive an authentication request sent by a user equipment;
a sending module 1002 configured to send a user permanent identifier and an authentication request corresponding to the user equipment to the service communication proxy network element; wherein the authentication request is used for indicating the service communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, so that the authentication server function network element performs identity authentication on the user equipment;
a control module 1003 configured to control the identity authentication of the user equipment to pass if the error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online; wherein the error response information is generated when the service communication proxy network element determines that the authentication server function network element supporting the user permanent identifier has failed.
In one implementation of the present application, the control module 1003 is specifically configured to:
if error response information sent by a service communication proxy network element is received, detecting whether the authentication request is an authentication request which is reinitiated after the user equipment is online, and obtaining a detection result;
and if the detection result indicates that the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass.
In one embodiment of the present application, the control module 1003 is further specifically configured to:
detecting whether the context information of the user equipment can be acquired or not to obtain an acquisition result;
if the obtained result represents that the obtained context information is obtained, determining that the user equipment is online;
and detecting whether the authentication request is an authentication request which is reinitiated after the user equipment is online according to the context information, and obtaining a detection result.
In one embodiment of the present application, the control module 1003 is further specifically configured to:
analyzing the context information to obtain an analysis result;
detecting whether network switching occurs after the user equipment is online according to the analysis result;
if network switching has occurred, a detection result indicating that the authentication request is an authentication request reinitiated after the user equipment is online is obtained;
if network switching has not occurred, a detection result indicating that the authentication request is not an authentication request reinitiated after the user equipment is online is obtained.
In one embodiment of the present application, the control module 1003 is further specifically configured to:
analyzing the context information to obtain an analysis result;
detecting whether position change occurs in the network after the user equipment is online according to the analysis result;
if the position changes, a detection result for representing that the authentication request is the authentication request reinitiated after the user equipment is online is obtained;
if the position change does not occur, a detection result used for representing that the authentication request is not the authentication request reinitiated after the user equipment is online is obtained.
In one embodiment of the present application, the apparatus further comprises:
the generation module is configured to generate authentication passing response information;
the sending module 1002 is further configured to send the authentication passing response information to the user equipment; the authentication passing response information indicates that the identity authentication of the user equipment has passed and allows the user equipment to use the service.
In one embodiment of the present application, the error response information includes a user permanent identifier interval supported by the authentication server function network element;
the control module 1003 is further configured to detect whether the user permanent identifier of the specified user equipment is located in the user permanent identifier interval if an authentication request sent by the specified user equipment is received and the authentication request is an authentication request reinitiated after the specified user equipment is online; wherein the specified user equipment comprises user equipment or other user equipment besides the user equipment;
the control module 1003 is further configured to control the identity authentication of the specified user equipment to pass if the user permanent identifier of the specified user equipment is located in the user permanent identifier interval.
In one embodiment of the present application, the error response information includes domain name information of the authentication server function network element; the apparatus further comprises:
the determining module is configured to determine the failed authentication server function network element according to the domain name information; the failed authentication server function network element comprises a primary authentication server function network element and a standby authentication server function network element.
Fig. 11 is a block diagram of an authentication device according to one embodiment of the present application. As shown in fig. 11, the authentication apparatus is applied to a serving communication proxy network element, and the apparatus includes:
a receiving module 1101 configured to receive a user permanent identifier and an authentication request corresponding to a user equipment sent by an access and mobility management function network element;
a sending module 1102 configured to generate a discovery request for authenticating the server function network element according to the user permanent identifier, and send the discovery request to the network storage function network element; the discovery request is used for indicating the network storage function network element to discover the authentication server function network element supporting the user permanent identifier, and a discovery result of the authentication server function network element is obtained;
the receiving module 1101 is further configured to receive a discovery result sent by the network storage function network element;
the sending module 1102 is further configured to generate error response information if the discovery result indicates that the authentication server function network element has failed, and to send the error response information to the access and mobility management function network element, so that the access and mobility management function network element controls the identity authentication of the user equipment to pass according to the error response information.
Fig. 12 is a block diagram of an authentication device according to one embodiment of the present application. As shown in fig. 12, the authentication device is applied to a network element with a network storage function, and the device includes:
A receiving module 1201 configured to receive a discovery request of an authentication server function network element sent by a service communication proxy network element; wherein the discovery request carries a user permanent identifier;
a discovery module 1202 configured to discover an authentication server function network element supporting a user permanent identifier, to obtain a discovery result of the authentication server function network element;
a sending module 1203 configured to send the discovery result to a service communication proxy network element; wherein the discovery result is used for the service communication proxy network element to determine whether to generate error response information.
It should be noted that the apparatus provided in the foregoing embodiment and the method provided in the foregoing embodiment belong to the same concept, and the specific manner in which the respective modules and units perform their operations has been described in detail in the method embodiment.
The embodiment of the application also provides electronic equipment, which comprises: one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the electronic device to implement the authentication method as before.
Fig. 13 is a schematic diagram of a computer system suitable for use in implementing embodiments of the present application.
It should be noted that, the computer system 1300 of the electronic device shown in fig. 13 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 13, the computer system 1300 includes a central processing unit (Central Processing Unit, CPU) 1301, which can perform various appropriate actions and processes, such as performing the methods in the above-described embodiments, according to a program stored in a Read-Only Memory (ROM) 1302 or a program loaded from a storage portion 1308 into a random access Memory (Random Access Memory, RAM) 1303. In the RAM 1303, various programs and data required for the system operation are also stored. The CPU 1301, ROM 1302, and RAM 1303 are connected to each other through a bus 1304. An Input/Output (I/O) interface 1305 is also connected to bus 1304.
The following components are connected to the I/O interface 1305: an input section 1306 including a keyboard, a mouse, and the like; an output section 1307 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), a speaker, and the like; a storage section 1308 including a hard disk or the like; and a communication section 1309 including a network interface card such as a Local Area Network (LAN) card, a modem, or the like. The communication section 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as needed. Removable media 1311, such as magnetic disks, optical disks, magneto-optical disks, semiconductor memory, and the like, are mounted on the drive 1310 as needed so that a computer program read from them can be installed into the storage section 1308 as needed.
In particular, according to embodiments of the present application, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such embodiments, the computer program may be downloaded and installed from a network via the communication section 1309 and/or installed from the removable medium 1311. When the computer program is executed by the CPU 1301, it performs the various functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable medium can be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), flash memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by software or by hardware, and the described units may also be provided in a processor. The names of the units do not, in some cases, constitute a limitation of the units themselves.
Another aspect of the present application also provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements an authentication method as before. The computer-readable medium may be included in the electronic device described in the above embodiment or may exist alone without being incorporated in the electronic device.
Another aspect of the present application also provides a computer program product or computer program comprising computer instructions stored in a computer readable medium. The processor of the computer device reads the computer instructions from the computer-readable medium, and the processor executes the computer instructions, so that the computer device performs the authentication method provided in the above embodiments.
The foregoing is merely a preferred exemplary embodiment of the present application and is not intended to limit the embodiments of the present application, and those skilled in the art may make various changes and modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of authentication, the method comprising:
receiving an authentication request sent by user equipment;
transmitting the user permanent identifier corresponding to the user equipment and the authentication request to a service communication proxy network element; wherein the authentication request is used for indicating a service communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, so that the authentication server function network element performs identity authentication on the user equipment;
if error response information sent by the service communication proxy network element is received, and the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass; wherein the error response information is generated when the service communication proxy network element determines that the authentication server function network element supporting the user permanent identifier has failed.
2. The method according to claim 1, wherein controlling the identity authentication of the user equipment to pass if the error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online comprises:
if the error response information sent by the service communication proxy network element is received, detecting whether the authentication request is an authentication request reinitiated after the user equipment is online, and obtaining a detection result;
and if the detection result indicates that the authentication request is an authentication request reinitiated after the user equipment is online, controlling the identity authentication of the user equipment to pass.
3. The method according to claim 2, wherein the detecting whether the authentication request is an authentication request that is reinitiated after the user equipment is online, to obtain a detection result, includes:
detecting whether the context information of the user equipment can be acquired or not, and obtaining an acquisition result;
if the acquired result represents that the contextual information is acquired, determining that the user equipment is online;
and detecting whether the authentication request is an authentication request which is reinitiated after the user equipment is online according to the context information, and obtaining the detection result.
4. A method according to claim 3, wherein said detecting whether the authentication request is an authentication request that is reinitiated after the user equipment is online according to the context information, to obtain the detection result, comprises:
Analyzing the context information to obtain an analysis result;
detecting whether network switching occurs after the user equipment is online according to the analysis result;
if the network switching occurs, a detection result for representing that the authentication request is reinitiated after the user equipment is online is obtained;
and if the network switching does not occur, obtaining a detection result indicating that the authentication request is not an authentication request reinitiated after the user equipment is online.
5. A method according to claim 3, wherein said detecting whether the authentication request is an authentication request that is reinitiated after the user equipment is online according to the context information, to obtain the detection result, comprises:
analyzing the context information to obtain an analysis result;
detecting, according to the analysis result, whether a position change of the user equipment within the network occurred after the user equipment went online;
if a position change occurred, obtaining a detection result indicating that the authentication request is an authentication request reinitiated after the user equipment is online;
and if a position change did not occur, obtaining a detection result indicating that the authentication request is not an authentication request reinitiated after the user equipment is online.
6. The method according to any one of claims 1 to 5, wherein, after the user equipment passes identity authentication, the method further comprises:
generating authentication passing response information;
transmitting the authentication passing response information to the user equipment; the authentication passing response information indicates that the user equipment has passed identity authentication and is allowed to use the service.
7. The method according to any one of claims 1 to 5, wherein the error response information comprises a user permanent identifier interval supported by the authentication server function network element; after controlling the user equipment to pass identity authentication, the method further comprises:
if an authentication request sent by a designated user equipment is received and the authentication request is an authentication request reinitiated after the designated user equipment is online, detecting whether the user permanent identifier of the designated user equipment lies within the user permanent identifier interval; wherein the designated user equipment is the user equipment or a user equipment other than the user equipment;
and if the user permanent identifier of the designated user equipment lies within the user permanent identifier interval, controlling the designated user equipment to pass identity authentication.
8. An authentication device, the device comprising:
the receiving module is configured to receive an authentication request sent by user equipment;
the sending module is configured to send the user permanent identifier corresponding to the user equipment and the authentication request to a service communication proxy network element; wherein the authentication request is used for instructing the service communication proxy network element to determine an authentication server function network element supporting the user permanent identifier, so that the authentication server function network element performs identity authentication on the user equipment;
the control module is configured to control the user equipment to pass identity authentication if error response information sent by the service communication proxy network element is received and the authentication request is an authentication request reinitiated after the user equipment is online; wherein the error response information is generated when the service communication proxy network element fails to determine an authentication server function network element supporting the user permanent identifier.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs that, when executed by the electronic device, cause the electronic device to implement the authentication method of any of claims 1-7.
10. A computer readable medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the authentication method according to any one of claims 1 to 7.
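The decision procedure of claims 2 to 7 (context lookup, handover or position-change check, an SCP error tolerated only for a re-initiated request, and the user permanent identifier interval learned from the error response), as an added Python example that is not part of the patent. The AMF-side class, field names and SUPI values are constructed assumptions, and checking the learned interval before consulting the SCP is an assumed ordering the claims do not fix.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
SupiRange = Tuple[str, str]  # inclusive (low, high) of fixed-length SUPI strings

@dataclass
class UeContext:  # retrievable only for a UE that is already online (claim 3)
    handover_occurred: bool = False  # claim 4: network switching after going online
    location_changed: bool = False   # claim 5: position change after going online

@dataclass
class ScpResponse:  # constructed reply from the SCP to the AMF's AUSF-selection request
    ok: bool
    supi_range: Optional[SupiRange] = None  # claim 7: interval carried in an error response

def is_reinitiated(ctx: Optional[UeContext]) -> bool:
    # Claims 3-5: no context -> UE not online -> initial request; with a context,
    # only a handover or a position change marks the request as re-initiated.
    return ctx is not None and (ctx.handover_occurred or ctx.location_changed)

def supi_in_range(supi: str, rng: SupiRange) -> bool:
    low, high = rng  # lexical compare is only meaningful for equal-length identifiers
    return len(low) == len(high) == len(supi) and low <= supi <= high

class AmfAuthDecider:  # hypothetical AMF-side decision logic assembled from claims 2-7
    def __init__(self) -> None:
        self.learned_range: Optional[SupiRange] = None  # kept from a prior error response
    def decide(self, supi: str, ctx: Optional[UeContext], scp: ScpResponse) -> str:
        # Claim 7: a re-initiated request whose SUPI lies in the remembered interval is
        # passed directly (evaluating this before the SCP reply is an assumption).
        if is_reinitiated(ctx) and self.learned_range and supi_in_range(supi, self.learned_range):
            return "PASS_SUPI_RANGE"
        if scp.ok:
            return "AUSF_AUTHENTICATES"  # normal path: the selected AUSF authenticates the UE
        if not is_reinitiated(ctx):
            return "REJECT"  # SCP error on an initial request: fail closed, no context to rely on
        if scp.supi_range:
            self.learned_range = scp.supi_range  # claim 7: remember the interval for later requests
        return "PASS_REINITIATED"  # claim 2: tolerated only because the UE was already online

def run_scenarios() -> List[str]:
    # Constructed SUPIs and SCP replies; returns the decision taken for each scenario.
    amf = AmfAuthDecider()
    err = ScpResponse(ok=False, supi_range=("imsi-460110000000000", "imsi-460110000009999"))
    return [
        amf.decide("imsi-460110000000123", None, err),                               # REJECT
        amf.decide("imsi-460110000000123", UeContext(handover_occurred=True), err),  # PASS_REINITIATED
        amf.decide("imsi-460110000004567", UeContext(location_changed=True), err),   # PASS_SUPI_RANGE
        amf.decide("imsi-460110000010000", UeContext(location_changed=True), err),   # PASS_REINITIATED
        amf.decide("imsi-460110000000123", UeContext(), ScpResponse(ok=True)),       # AUSF_AUTHENTICATES
        amf.decide("imsi-460110000000123", UeContext(), err),                        # REJECT
    ]
```

The two REJECT cases are the security-relevant ones: an SCP error never lets a UE through unless the AMF already holds a context for it that shows a handover or position change.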
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210888404.3A CN117528510A (en) 2022-07-26 2022-07-26 Authentication method and device, electronic equipment and computer readable medium

Publications (1)

Publication Number Publication Date
CN117528510A true CN117528510A (en) 2024-02-06

Family

ID=89757163

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210888404.3A Pending CN117528510A (en) 2022-07-26 2022-07-26 Authentication method and device, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN117528510A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination