KR20200130106A - Apparatus and method for providing mobile edge computing service in wireless communication system - Google Patents

Abstract

The present disclosure relates to a 5th generation (5G) or pre-5G communication system for supporting a higher data transfer rate beyond a 4th generation (4G) communication system, such as long-term evolution (LTE). The present disclosure relates to authentication and permission for use for an edge computing service. A method of operating user equipment (UE) in a wireless communication system comprises: a process of transmitting a first message including at least one of UE-related information or the type of a user agent to a server; a process of performing an authentication procedure for an edge computing service according to an authentication method determined based on the first message; a process of receiving a second message for indicating permitted authority for the edge computing service based on an authentication code generated by the server according to the performed authentication procedure; and a process of using the edge computing service within a range corresponding to the permitted authority.

Description

Device and method for providing mobile edge computing service in wireless communication system {APPARATUS AND METHOD FOR PROVIDING MOBILE EDGE COMPUTING SERVICE IN WIRELESS COMMUNICATION SYSTEM}

The present disclosure generally relates to wireless communication systems, and more particularly, to an apparatus and method for providing mobile edge computing (MEC) services in a wireless communication system.

4G (4 ^th generation) to meet the traffic demand in the radio data communication system increases since the commercialization trend, efforts to develop improved 5G (5 ^th generation) communication system, or pre-5G communication system have been made. For this reason, the 5G communication system or the pre-5G communication system is called a Beyond 4G Network communication system or a Long Term Evolution (LTE) system (Post LTE) system.

In order to achieve a high data rate, the 5G communication system is being considered for implementation in the ultra-high frequency (mmWave) band (for example, the 60 gigabyte (60 GHz) band). In order to mitigate the path loss of radio waves in the ultra-high frequency band and increase the transmission distance of radio waves, in 5G communication systems, beamforming, massive MIMO, and Full Dimensional MIMO (FD-MIMO) ), array antenna, analog beam-forming, and large scale antenna technologies are being discussed.

In addition, in order to improve the network of the system, in 5G communication system, advanced small cell, advanced small cell, cloud radio access network (cloud RAN), ultra-dense network , Device to Device communication (D2D), wireless backhaul, moving network, cooperative communication, CoMP (Coordinated Multi-Points), and interference cancellation And other technologies are being developed.

In addition, in the 5G system, the advanced coding modulation (Advanced Coding Modulation, ACM) method of FQAM (Hybrid Frequency Shift Keying and Quadrature Amplitude Modulation) and SWSC (Sliding Window Superposition Coding), and advanced access technology, FBMC (Filter Bank Multi Carrier) ), NOMA (Non Orthogonal Multiple Access), and SCMA (Sparse Code Multiple Access) are being developed.

Meanwhile, technologies for providing edge computing services in connection with these 5G systems are emerging. Edge computing is a technology that provides computing resources required by users to a physically close location. In particular, mobile edge computing is an edge computing realized in a mobile environment such as a 5G system, and is expected to provide more powerful computing power with a short delay.

Based on the above discussion, the present disclosure provides an apparatus and method for providing mobile edge computing (MEC) services in a wireless communication system.

In addition, the present disclosure provides an apparatus and method for performing an authentication procedure for authorization of use of a mobile edge computing service in a wireless communication system.

In addition, the present disclosure provides an apparatus and method for determining an authentication method for permission to use a mobile edge computing service in a wireless communication system.

In addition, the present disclosure provides an apparatus and method for determining whether to permit use of a mobile edge computing service in a wireless communication system.

According to various embodiments of the present disclosure, a method of operating a user equipment (UE) in a wireless communication system includes a process of transmitting a first message including at least one of information related to the UE or a type of a user agent to a server, A process of performing an authentication procedure for an edge computing service according to an authentication method determined based on the first message, and allowing for the edge computing service based on an authentication code generated by the server according to the performed authentication procedure. And a process of receiving a second message for indicating the authorized authority, and a process of using the edge computing service within a range corresponding to the permitted authority.

According to various embodiments of the present disclosure, an apparatus of a UE in a wireless communication system includes a transmission/reception unit and at least one processor connected to the transmission/reception unit, and the at least one processor includes information related to the UE or of a user agent. Transmitting a first message including at least one of the types to the server, performing an authentication procedure for the edge computing service according to an authentication method determined based on the first message, and by the server according to the performed authentication procedure. It is configured to receive a second message for indicating the permitted authority for the edge computing service based on the generated authentication code, and to use the edge computing service within a range corresponding to the permitted authority.

According to various embodiments of the present disclosure, in a wireless communication system, a method of operating a server for permission to use an edge computing service includes at least one of a type of user agent or information related to the UE from the UE. A process of receiving a message, a process of performing an authentication procedure according to a method determined based on the first message, a process of transmitting an authentication code generated according to the performed authentication procedure to the UE, and the authentication code And transmitting a second message for indicating the allowed authority for the edge computing service, and the edge computing service is used by the UE within a range corresponding to the allowed authority.

According to various embodiments of the present disclosure, in a wireless communication system, an apparatus of a server for permission to use an edge computing service includes a transmission/reception unit and at least one processor connected to the transmission/reception unit, and the at least one processor is , From the UE, receiving a first message including at least one of the UE-related information or the type of user agent, performing an authentication procedure according to a method determined based on the first message, and performing the authentication procedure And transmits the authentication code generated according to the authentication code to the UE and, based on the authentication code, is configured to transmit a second message for indicating the permitted authority for the edge computing service, and the edge computing service, the permitted It is used by the UE in a range corresponding to the authority.

An apparatus and a method according to various embodiments of the present disclosure enable a differentiated edge computing service to be provided for each mobile communication subscriber without additional subscriber information for the edge computing service. In addition, the apparatus and method according to various embodiments of the present disclosure enable the authentication procedure to be efficiently performed using a more suitable authentication method.

The effects obtainable in the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned may be clearly understood by those of ordinary skill in the technical field to which the present disclosure belongs from the following description. will be.

1 illustrates a wireless communication system according to various embodiments of the present disclosure.
2 illustrates an example of providing a mobile edge computing (MEC) service in a wireless communication system according to various embodiments of the present disclosure.
3 is a diagram illustrating a structure for authentication and permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.
4 illustrates a configuration of a terminal in a wireless communication system according to various embodiments of the present disclosure.
5 illustrates a configuration of a server in a wireless communication system according to various embodiments of the present disclosure.
6 is a flowchart of a user equipment (UE) for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure.
7 is a flowchart illustrating an application authentication and authorization function (AAF) for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure.
8A is a diagram illustrating a signal exchange diagram for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure.
8B is a diagram illustrating another signal exchange diagram for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure.
9 is a flowchart of a UE for determining an authentication method for an edge application in a wireless communication system according to various embodiments of the present disclosure.
10 is a flowchart illustrating an AAF for determining an authentication method for an edge application in a wireless communication system according to various embodiments of the present disclosure.
11 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on a SIM credential in a wireless communication system according to various embodiments of the present disclosure.
12 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on a user portal in a wireless communication system according to various embodiments of the present disclosure.
13 illustrates an example of a user portal screen for performing an authentication procedure based on a user portal in a wireless communication system according to various embodiments of the present disclosure.
14 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on an automatically generated credential in a wireless communication system according to various embodiments of the present disclosure.
15 is a diagram illustrating a signal exchange diagram for performing an OTP-based authentication procedure in a wireless communication system according to various embodiments of the present disclosure.
16 illustrates a signal exchange diagram when generation of an access token is successful in a wireless communication system according to various embodiments of the present disclosure.
17 is a diagram illustrating a signal exchange diagram when generation of an access token fails in a wireless communication system according to various embodiments of the present disclosure.
18 is a flowchart of a UE for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.
19 is a flowchart illustrating an AAF for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.
20 is a flowchart illustrating an application function (AF) for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.
21 illustrates a signal exchange diagram for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.
22 is a diagram illustrating a signal exchange diagram for obtaining a user consent for utilization of personal information in a wireless communication system according to various embodiments of the present disclosure.
23 illustrates a signal exchange diagram for utilizing personal information in a wireless communication system according to various embodiments of the present disclosure.
24 illustrates a network structure in which a structure for authentication and permission to use an edge application is mapped to an edge computing structure in a wireless communication system according to various embodiments of the present disclosure.

Terms used in the present disclosure are used only to describe a specific embodiment, and may not be intended to limit the scope of other embodiments. Singular expressions may include plural expressions unless the context clearly indicates otherwise. Terms used herein, including technical or scientific terms, may have the same meaning as commonly understood by one of ordinary skill in the technical field described in the present disclosure. Among the terms used in the present disclosure, terms defined in a general dictionary may be interpreted as having the same or similar meaning as the meaning in the context of the related technology, and unless explicitly defined in the present disclosure, an ideal or excessively formal meaning Is not interpreted as. In some cases, even terms defined in the present disclosure cannot be interpreted to exclude embodiments of the present disclosure.

In various embodiments of the present disclosure described below, a hardware approach is described as an example. However, since various embodiments of the present disclosure include technology using both hardware and software, various embodiments of the present disclosure do not exclude a software-based approach.

Hereinafter, the present disclosure relates to an apparatus and method for providing a mobile edge computing (MEC) service in a wireless communication system. Specifically, the present disclosure is a technology for providing different edge computing services for each subscriber through an authentication procedure according to an authentication method determined based on various information in a wireless communication system and an authorization procedure for an edge application. Explain.

Terms used in the following description: a term referring to a signal, a term referring to a channel, a term referring to control information, a term referring to network entities, a term referring to data stored in a network object, transmission/reception between objects The terms referring to the messages to be used, the terms referring to the components of the device, and the like are illustrated for convenience of description. Accordingly, the present disclosure is not limited to terms to be described later, and other terms having an equivalent technical meaning may be used.

In addition, the present disclosure describes various embodiments using terms used in some communication standards (eg, 3rd Generation Partnership Project (3GPP)), but this is only an example for description. Various embodiments of the present disclosure may be easily modified and applied to other communication systems.

1 illustrates a wireless communication system according to various embodiments of the present disclosure. The wireless communication system shown in FIG. 1 includes an edge computing system 100 and a 5G system 140.

Referring to FIG. 1, the edge computing system includes edge servers 102 and 106, user equipment (UE) 104, a configuration server 108, and a domain name system (DNS) server 110. ) Can be included.

Each of the edge servers 102 and 106 are servers to which the UE 104 connects to use a mobile edge computing (MEC) service. In each of the edge servers 102 and 106, a third party application server provided by a third party may be driven.

The configuration server 108 is an initial access server through which the UE 104 can receive configuration information for using the MEC service. The configuration server 108 may perform a function of delivering configuration information for using the MEC service to the UE 104. The configuration server 108 knows the deployment of edge servers 102 and 106 for each location. Accordingly, the UE 104 connects to the configuration server 108 before using the MEC service, so that configuration information required for MEC service use, for example, information of the edge servers 102 and 106 to be accessed at a specific location Can be provided.

The DNS server 110 resolves the IP (internet protocol) address of the edge servers 102 and 106 or the IP address of the application application server running in the upper layer of the edge servers 102 and 106 Can be used. That is, the DNS server 110 may be a network function that knows information on the edge servers 102 and 106 or information on an application application server running in an upper layer of the edge servers 102 and 106. The DNS server 110 may exist for each edge data network 120 covering a specific area, or one may exist throughout the edge computing system. When the DNS server for MEC 110 exists for each edge data network 120 covering a specific area, the UE 104 needs to know the DNS information for the corresponding location. When one DNS server 110 exists throughout the entire edge computing system, the DNS server 110 provides server information of the edge servers 102 and 106 disposed throughout the network and application applications that can be provided by the edge computing system. It is necessary to know information about the servers, and the information may be provided to the DNS server 110 by the edge servers 102 and 106.

The UE 104 is a device used by a user and communicates with the 5G-RAN 142 through a radio channel. In some cases, the UE 104 may operate without user involvement. That is, the UE 104 is a device that performs machine type communication (MTC) and may not be carried by a user. UE 104 is a'terminal','mobile station','subscriber station','remote terminal','wireless terminal', or It may be referred to as'user device' or another term having an equivalent technical meaning.

In addition, the 5G system is a 5G-RAN (radio access network) 142, UPF (user plane function) 144, AMF (access and mobility management function) 146, SMF (session management function) 148, PCF A (policy and charging function) 150 and a network exposure function (NEF) 152 may be included. The AMF 146 is a network function for managing the mobility of the UE 104. The SMF 148 is a network function for managing a packet data network (PDN) connection provided to the UE. The connection may be referred to as a protocol data unit (PDU) session. The PCF 150 is a network function for applying a service policy of a mobile communication service provider to a UE, a billing policy, and a policy for a PDU session. Since NEF 152 can access UE management information in 5G network, subscription to the mobility management event of the UE, subscription to session management event of the UE, request for session-related information, and billing of the UE Information configuration, a request to change a PDU session policy for a corresponding UE, and transmission of small data for a corresponding UE may be performed. The 5G-RAN 142 refers to a base station that provides a wireless communication function to the UE. The UPF 144 may serve as a gateway through which packets transmitted and received by the UE are transmitted. Since the UPF 144 may be located near the edge server 106 to support MEC, low-latency transmission may be achieved by forwarding the data packet to the edge data network 120. The UPF 144 may also be connected to the data network 130 connected to the Internet. Accordingly, the UPF 144 may route data to be transmitted to the Internet among data transmitted by the UE to the data network 130. In addition, although not shown in FIG. 1, the 5G system may further include unified data management (UDM). UDM refers to a network function that stores information about subscribers.

2 illustrates an example of providing a mobile edge computing service in a wireless communication system according to various embodiments of the present disclosure.

Referring to FIG. 2, the UE 214 and the UE 216 may be located in an edge network service area in which an edge computing service may be provided through an edge data network. In this case, the mobile communication service provider may provide different services for each UE. That is, the mobile communication service provider may differentiate service contents such as whether or not to provide an edge computing service based on at least one of subscriber-related information or a service provider policy. An example of differentiated edge computing service is shown in Table 1 below.

Referring to <Table 1>, the operator may determine to provide edge computing service to UE 1, UE 2, and UE 3 and not to provide edge computing service to UE 4. In addition, the operator permits UE 1 to use edge applications APP 1 and APP 2 over the entire edge network service area, and permits UE 2 to use edge applications APP 1 over the entire edge network service area. 3 can be allowed to use the edge application APP 2 when it is located in the east of the edge network service area. On the other hand, the operator may decide not to allow UE 4 to use the edge computing service. In other words, the operator can provide differentiated services not only for the provision of edge computing services, but also for the types of edge computing services provided and service provision regions. For example, when the UE 216 corresponds to UE 1, the UE 214 may be provided with a service capable of using the edge applications APP 1 and APP 2 over the entire edge network service area. In this case, the UE 214 may use at least one of the first edge application and the second edge application provided through the EF (enabling function) 210 through the edge data network. Meanwhile, when the UE 214 corresponds to UE 4, since the UE 216 cannot use the edge computing service, at least one of the first cloud application and the second cloud application may be used through the Internet 206.

The above-described EF 204 or 210 is a function of enabling MEC service to an edge application server, and may perform a function of managing information on edge application servers. In addition, the EF (204 or 210) notifies the UE of information on which edge data network the edge application is running on and of the fully qualified domain name (FQDN) or IP address required to transmit data to the corresponding edge application server. Can perform the function for.

3 is a diagram illustrating a structure for authentication and permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure.

Referring to FIG. 3, the structure for authentication and use authorization is a UE 310, an application authentication and authorization function (AAF) 320, an application function (AF) 330, a UDM 340, an authentication server function (AUSF). ) 350, and an application profile record (APR) 360.

The UE 310 may include a user agent 312 and an application 314. In this case, the application 314 is an application separate from the edge application, and the UE 310 may perform an authentication procedure for the application layer using the user agent 312 and the application 314.

The AAF 320 may include an authorization endpoint 322, an application security anchor function (ASAF) 324, a portal 326, and a token endpoint 328. have. The AAF 320 may receive messages that the UE transmits to the authorization endpoint 322 to perform an authentication procedure for using an edge computing service, and may perform an authentication procedure. In this case, the authorization endpoint 322 may be an authorization endpoint of request for comments (RFC) 8252. In addition, after the authentication procedure is completed, the AAF 320 may receive messages transmitted from the UE to the token endpoint 326 and perform a procedure for permission to use the edge computing service. In this case, the token endpoint 326 may be the token endpoint of RFC 8252. In addition, the ASAF 324 may perform a function corresponding to a security-related function performed by a security anchor function (SEAF) in the application layer when the authentication procedure is performed according to an authentication method based on SIM credential. In addition, when the authentication procedure is performed according to the authentication method based on the user portal, the AAF 320 may perform the function of a web portal server using the portal 326.

In addition, the AF 330 may perform a function of a general application server for verifying the token transmitted from the UE. For example, the AF 330 may perform a function corresponding to the function of a resource server of RFC 6750.

In addition, the UDM 340 may provide information required when an authentication procedure and a use authorization procedure between the UE and AAF are performed by storing information related to the user of the UE.

In addition, the AUSF 350 may operate as an AKA authentication server when AKA (authentication and key agreement) using SIM credentials is performed.

In addition, the APR 360 may provide information on an application that may be requested when an authentication procedure and a use permission procedure are performed by storing application-related information and a profile.

Detailed operations of the objects for authentication and use authorization as described above are described in detail below.

4 illustrates a configuration of a terminal in a wireless communication system according to various embodiments of the present disclosure. The configuration illustrated in FIG. 4 can be understood as the configuration of the UE 310 of FIG. 3. Terms such as'?? unit' and'?? group' used hereinafter refer to units that process at least one function or operation, which may be implemented as hardware or software, or a combination of hardware and software.

Referring to FIG. 4, the UE includes a communication unit 410, a storage unit 420, and a control unit 430.

The communication unit 410 performs functions for transmitting and receiving signals through a wireless channel. For example, the communication unit 410 performs a function of converting between a baseband signal and a bit stream according to the physical layer standard of the system. For example, when transmitting data, the communication unit 410 generates complex symbols by encoding and modulating a transmission bit stream. In addition, when receiving data, the communication unit 410 restores the received bit sequence through demodulation and decoding of the baseband signal. In addition, the communication unit 410 up-converts the baseband signal to an RF band signal and transmits it through an antenna, and down-converts the RF band signal received through the antenna into a baseband signal. For example, the communication unit 410 may include a transmission filter, a reception filter, an amplifier, a mixer, an oscillator, a DAC, an ADC, and the like.

In addition, the communication unit 410 may include a plurality of transmission/reception paths. Furthermore, the communication unit 410 may include at least one antenna array composed of a plurality of antenna elements. In terms of hardware, the communication unit 410 may include a digital circuit and an analog circuit (eg, radio frequency integrated circuit (RFIC)). Here, the digital circuit and the analog circuit may be implemented in one package. In addition, the communication unit 410 may include a plurality of RF chains. Furthermore, the communication unit 410 may perform beamforming.

The communication unit 410 transmits and receives signals as described above. Accordingly, all or part of the communication unit 410 may be referred to as a'transmitting unit', a'receiving unit', or a'transmitting/receiving unit'. In addition, in the following description, transmission and reception performed through a wireless channel is used in a sense including the processing as described above is performed by the communication unit 410.

The storage unit 420 stores data such as a basic program, an application program, and configuration information for the operation of the UE. The storage unit 420 may be formed of a volatile memory, a nonvolatile memory, or a combination of a volatile memory and a nonvolatile memory. In addition, the storage unit 420 provides stored data according to the request of the control unit 430.

The controller 430 controls overall operations of the UE. For example, the control unit 430 transmits and receives signals through the communication unit 410. In addition, the control unit 430 writes and reads data in the storage unit 420. In addition, the control unit 430 may perform functions of the protocol stack required by the communication standard. To this end, the control unit 430 may include at least one processor or a micro processor, or may be a part of a processor. In addition, a part of the communication unit 410 and the control unit 430 may be referred to as a communication processor (CP). According to various embodiments, the controller 430 may control the UE to perform operations according to various embodiments to be described later.

5 illustrates a configuration of a server in a wireless communication system according to various embodiments of the present disclosure. The structure illustrated in FIG. 5 may be understood as a configuration of a device having at least one function of the AAF 320, AF 330, UDM 340, AUSF 350, and APR 360 of FIG. 3. . Terms such as'?? unit' and'?? group' used hereinafter refer to units that process at least one function or operation, which may be implemented as hardware or software, or a combination of hardware and software.

Referring to FIG. 5, the server includes a communication unit 510, a storage unit 520, and a control unit 530.

The communication unit 510 provides an interface for performing communication with other devices in the network. That is, the communication unit 510 converts a bit stream transmitted from the server to another device into a physical signal, and converts a physical signal received from another device into a bit stream. That is, the communication unit 510 may transmit and receive signals. Accordingly, the communication unit 510 may be referred to as a modem, a transmitter, a receiver, or a transceiver. At this time, the communication unit 510 enables the server to communicate with other devices or systems through a backhaul connection (eg, wired backhaul or wireless backhaul) or through a network.

The storage unit 520 stores data such as a basic program, an application program, and setting information for the operation of the server. The storage unit 520 may be formed of a volatile memory, a nonvolatile memory, or a combination of a volatile memory and a nonvolatile memory. In addition, the storage unit 520 provides stored data according to the request of the control unit 530.

The controller 530 controls overall operations of the server. For example, the control unit 530 transmits and receives a signal through the communication unit 510. In addition, the control unit 530 writes and reads data in the storage unit 520. To this end, the control unit 530 may include at least one processor. According to various embodiments, the controller 530 may control the server to perform operations according to various embodiments described below.

6 is a flowchart of a UE for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure. 6 illustrates a method of operation of the UE 310.

Referring to FIG. 6, in step 601, the UE transmits an authentication initiation message to the AAF (eg, AAF 320). That is, the UE may transmit a message for initiating an authentication procedure for obtaining permission to use the edge application to the AAF. According to various embodiments, the authentication initiation message may include information for indicating an authentication method to be performed between the UE and the AAF. For example, the authentication initiation message includes an identifier associated with a terminal user, an edge enabler client (EEC) identifier, a response type, a redirection URL (uniform resource locator), and a user. It may include at least one of the types of agents. The identifier associated with the terminal user may be a subscriber identifier such as a subscription private identity (SUPI) or a generic public subscription identity (GPSI). Here, the GPSI may be identification information such as an email address and a mobile station international subscriber directory number (MSISDN). In addition, the identifier associated with the terminal user may be an identifier of a terminal device such as a permanent equipment identifier (PEI). The response type means the type of information or message for indicating an authentication result to be transmitted from the AAF after the authentication procedure is completed. For example, the response type may be at least one of an authentication code or an access token. The redirection address is an address for inducing authentication for an edge application, and indicates a web address to which the UE accesses when authentication is successful. The user agent may be at least one of an identifier of a browser or an identifier of a program for performing an authentication procedure.

In step 603, the UE performs an authentication procedure according to the determined authentication method. Specifically, the UE may perform an authentication procedure according to an authentication method determined based on information included in the authentication initiation message. The authentication method may include at least one of an authentication method based on SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. According to an embodiment, at least one of the above-described authentication methods may be determined by the AAF by identifying information included in the authentication initiation message. According to another embodiment, after the authentication method is determined by the UE, an authentication initiation message including information for indicating the determined authentication method may be transmitted to the AAF. According to various embodiments, the authentication method may be determined by additionally considering a policy of a mobile communication service provider and a policy related to an application in addition to an identifier related to a terminal user and a type of a user agent included in the authentication initiation message.

In step 605, the UE receives the authentication result from the AAF. When the authentication procedure according to the determined authentication method is successfully performed, the UE may receive a message indicating that authentication was successfully performed from the AAF. For example, the UE may receive a message including an authentication code from AAF. In addition, the UE may receive a message additionally including a redirection address. According to various embodiments, the authentication code may be issued based on the use permission profile information for edge applications for each subscriber. Specifically, the AAF may receive a subscriber-specific permission profile corresponding to the information included in the authentication initiation message from the UDM, and generate an authentication code based on the subscriber-specific permission profile. The UE may use the authentication code to request issuance of an access token by receiving the authentication code generated based on the use permission profile for each subscriber. In addition, the UE may access a web site indicated by the redirection address included in the message for indicating the authentication result.

7 is a flowchart illustrating an AAF for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure. 7 illustrates an operation method of the AAF 320.

Referring to FIG. 7, in step 701, the AAF receives an authentication initiation message from the UE. That is, the AAF may receive a message from the UE for initiating an authentication procedure for obtaining permission to use the edge application. According to various embodiments, the authentication initiation message may include information for indicating an authentication method to be performed between the UE and the AAF. For example, the authentication initiation message may include at least one of an identifier related to a terminal user, a response type, a redirection address, and a user agent type. The identifier associated with the terminal user may be a subscriber identifier such as SUPI or GPSI. Here, the GPSI may be identification information such as an email address and MSISDN. In addition, the identifier associated with the terminal user may be an identifier of a terminal device such as PEI. The response type means the type of information or message for indicating an authentication result to be transmitted from the AAF after the authentication procedure is completed. For example, the response type may be at least one of an authentication code or an access token. The redirection address is an address for inducing authentication for an edge application, and indicates a web address to which the UE accesses when authentication is successful. The user agent may be at least one of an identifier of a browser or an identifier of a program for performing an authentication procedure.

In step 703, the AAF performs an authentication procedure according to the determined authentication method. Specifically, the AAF may perform an authentication procedure according to an authentication method determined based on information included in the authentication initiation message. The authentication method may include at least one of an authentication method based on SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. According to an embodiment, at least one of the above-described authentication methods may be determined by the AAF by identifying information included in the authentication initiation message. According to another embodiment, after the authentication method is determined by the UE, an authentication initiation message including information for indicating the determined authentication method may be transmitted to the AAF. According to various embodiments, the authentication method may be determined by additionally considering a policy of a mobile communication service provider and a policy related to an application in addition to an identifier related to a terminal user and a type of a user agent included in the authentication initiation message.

In step 705, the AAF transmits an authentication result to the UE. When the authentication procedure according to the determined authentication method is successfully performed, the AAF may transmit a message indicating that the authentication has been successfully performed to the UE. For example, the AAF may transmit a message including an authentication code to the UE. In addition, the AAF may transmit a message additionally including a redirection address. According to various embodiments, the authentication code may be issued based on the use permission profile information for edge applications for each subscriber. Specifically, the AAF may receive a subscriber-specific permission profile corresponding to the information included in the authentication initiation message from the UDM, and generate an authentication code based on the subscriber-specific permission profile. By receiving the authentication code generated based on the permission profile for each subscriber from the AAF, the UE can use the authentication code to request issuance of an access token. In addition, the UE may access a web site indicated by the redirection address included in the message for indicating the authentication result.

8A is a diagram illustrating a signal exchange diagram for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram illustrated in FIG. 8A may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the UDM 340.

Referring to FIG. 8A, in step 801, the UE 310 transmits an authentication initiation message to the AAF 320. The AAF 320 may receive an authentication initiation message from the UE 310. That is, a message for initiating an authentication procedure for obtaining permission to use the edge application may be transmitted from the UE 310 to the AAF 320. According to various embodiments, the authentication initiation message may include information for indicating an authentication method to be performed between the UE 310 and the AAF 320. For example, the authentication initiation message may include at least one of an identifier related to a terminal user, a response type, a redirection address, and a user agent type. The identifier associated with the terminal user may be a subscriber identifier such as SUPI or GPSI. Here, the GPSI may be identification information such as an email address and MSISDN. In addition, the identifier associated with the terminal user may be an identifier of a terminal device such as PEI. The response type means the type of information or message for indicating the authentication result to be transmitted from the AAF 320 after the authentication procedure is completed. For example, the response type may be at least one of an authentication code or an access token. The redirection address is an address for inducing authentication for an edge application, and indicates a web address to which the UE 310 accesses when authentication is successful. The user agent may be at least one of an identifier of a browser or an identifier of a program for performing an authentication procedure.

In step 803, the AAF 320 determines an authentication method. The AAF 320 may determine an authentication method based on information included in the authentication initiation message received from the UE 310. The AAF 320 may determine an authentication method by additionally considering a mobile communication service provider's policy and an application-related policy, in addition to the terminal user-related identifier, the EEC identifier, and the type of the user agent included in the authentication initiation message. According to various embodiments, the authentication method may include at least one of an authentication method based on a SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. The AAF 320 may identify an identifier related to a terminal user and an authentication method corresponding to the type of the user agent among the above authentication methods. Alternatively, the AAF 320 determines whether an identifier related to a terminal user and a type of a user agent correspond to at least one of authentication methods supported by a policy related to a mobile communication service provider or an application, thereby determining an authentication method. I can. In an environment in which the terminal is securely connected to the operator's network according to the policy of the edge computing operator or mobile communication operator, the AAF 320 may determine no authentication.

In step 805, the UE 310 and the AAF 320 perform an authentication procedure according to the determined authentication method. That is, the UE 310 and the AAF 320 are configured by the AAF 320 from among an authentication method based on SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. The authentication process can be performed according to the determined authentication method. Although not shown in FIG. 8A, signal exchange with at least one other object other than the UE 310, AAF 320, 320, and UDM 340 and 340 may be performed according to the determined authentication method. Alternatively, when the AAF 320 determines no authentication, the AAF 320 and the UE 310 do not perform the authentication procedure.

In step 807, the AAF 320 transmits an authorization request message to the UDM 340. The UDM 340 may receive an authorization request message from the AAF 320. Specifically, when the authentication procedure is successfully performed, a permission request message for requesting a permission profile for an edge application may be transmitted from the AAF 320 to the UDM 340. According to various embodiments, the permission request message is at least one of a subscriber identifier (eg, SUPI, GPSI, etc.), an identifier of a terminal device (eg, PEI), or an indicator for setting the purpose of the edge application (eg, application use). It may include at least one of (application usage)). In this case, the subscriber identifier and the terminal device identifier may be obtained from information included in the authentication initiation message received from the UE 310.

In step 809, the UDM 340 transmits an authorization response message to the AAF 320. The AAF 320 may receive an authorization response message from the UDM 340. Specifically, the UDM 340 may identify information related to a terminal user based on information included in the received permission request message, and a permission response message including a use permission profile corresponding to the identified subscriber is sent to the UDM 340 ) May be transmitted to the AAF 320. According to various embodiments, the use permission profile includes information on whether to allow the requested edge computing service to the UE 310, information on whether a user of the UE 310 has subscribed to the requested edge computing service, and edge It may include at least one of a computing service profile identifier, an edge computing service profile index, subscriber category information, and a subscriber level. The edge computing service profile identifier and the edge computing service profile index mean an identifier indicating negotiation information determined through a prior agreement between a mobile communication service provider and an edge application service provider. In addition, the subscriber category refers to a subscriber's class or category information (eg, class A or class B) managed by a mobile communication service provider. In addition, the subscriber level refers to a priority given to a corresponding subscriber, information for differentiating and providing edge computing services, or information on a grade for each subscriber (eg, level 1 or level 2). That is, the UDM 340 includes information such as a subscriber level corresponding to the identifier associated with the UE 310 that requested authentication, information on the requested edge computing service, and information on the relationship between the user of the UE 310 and the corresponding edge application. May be searched, and the searched information may be provided to the AAF 320 as an authorization response message.

In step 811, the AAF 320 generates an authentication result. When the AAF 320 determines no authentication and allows access of the terminal 310 or an edge enabler client (EEC) within the terminal, a successful authentication result may be generated. The AAF 320 may generate an authentication result based on the authorization response message received from the UDM 340. That is, the AAF 320 may determine whether to generate an authentication code based on the authorization response message received from the UDM 340. Specifically, when the AAF 320 identifies information for indicating not to allow the requested edge computing service based on the permission profile included in the permission response message, the authentication code may not be generated. Also, when the AAF 320 identifies information for indicating that the requested edge computing service is allowed, it may generate an authentication code.

In step 813, the AAF 320 transmits the authentication result to the UE 310. The UE 310 may receive the authentication result from the AAF 320. According to various embodiments, when the authentication code is generated, the AAF 320 may transmit a message to the UE 310 to indicate that authentication has been successfully performed. That is, the AAF 320 may transmit a message including the authentication code to the UE 310. In addition, the AAF 320 may transmit a message additionally including a redirection address. By receiving the authentication code generated based on the permission profile for each subscriber from the AAF 320, the UE 310 may use the authentication code to request issuance of an access token. In addition, the UE 310 may access a web site indicated by the redirection address included in the message for indicating the authentication result. According to various embodiments, when the authentication code is not generated, the AAF 320 may transmit a message indicating that the authentication has failed to the UE 310.

8B is a diagram illustrating another signal exchange diagram for performing an authentication procedure for an edge application in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram illustrated in FIG. 8B may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the UDM 340.

Referring to FIG. 8B, in step 851, the UE 310 determines an authentication method. Before initiating the authentication procedure, the UE 310 may determine an authentication method in advance. Specifically, the UE 310 determines an authentication method based on a user's input or a previously obtained operator's policy, and identifies an identifier related to a terminal user, an EEC identifier, and a type of user agent corresponding to the determined authentication method. I can. According to various embodiments, the authentication method may include at least one of an authentication method based on a SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. That is, the UE 310 determines an authentication method corresponding to a user's input from among the above authentication methods or an authentication method supported by the operator's policy, and an identifier and a user used in the authentication procedure according to the determined authentication method. You can identify the type of agent.

In step 853, the UE 310 transmits an authentication initiation message to the AAF 320. The AAF 320 may receive an authentication initiation message from the UE 310. That is, a message for initiating an authentication procedure for obtaining permission to use the edge application may be transmitted from the UE 310 to the AAF 320. According to various embodiments, the authentication initiation message may include information for indicating an authentication method to be performed between the UE 310 and the AAF 320. For example, the authentication initiation message may include at least one of an identifier associated with a terminal user, an EEC identifier, a response type, a redirect address, and a user agent type. The identifier associated with the terminal user may be a subscriber identifier such as SUPI or GPSI. Here, the GPSI may be identification information such as an email address and MSISDN. In addition, the identifier associated with the terminal user may be an identifier of a terminal device such as PEI. The response type means the type of information or message for indicating the authentication result to be transmitted from the AAF 320 after the authentication procedure is completed. For example, the response type may be at least one of an authentication code or an access token. The redirection address is an address for inducing authentication for an edge application, and indicates a web address to which the UE 310 accesses when authentication is successful. The user agent may be at least one of an identifier of a browser or an identifier of a program for performing an authentication procedure.

In step 855, the UE 310 and the AAF 320 perform an authentication procedure according to the determined authentication method. That is, the UE 310 and the AAF 320 are configured by the AAF 320 from among an authentication method based on SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, or an authentication method based on OTP. The authentication process can be performed according to the determined authentication method. Although not shown in FIG. 6B, a signal exchange with at least one other object other than the UE 310, 310, AAF 320, 320, and UDM 340 and 340 is performed according to the determined authentication method. I can.

In step 857, the AAF 320 transmits an authorization request message to the UDM 340. The UDM 340 may receive an authorization request message from the AAF 320. Specifically, when the authentication procedure is successfully performed, a permission request message for requesting a permission profile for an edge application may be transmitted from the AAF 320 to the UDM 340. According to various embodiments, the permission request message includes at least one of a subscriber identifier (eg, SUPI, GPSI, etc.), an EEC identifier, or an identifier of a terminal device (eg, PEI), or an indicator for setting the purpose of the edge application (eg : It may include at least one of (application usage). In this case, the subscriber identifier, the EEC identifier, and the terminal device identifier may be obtained from information included in the authentication initiation message received from the UE 310.

In step 859, the UDM 340 transmits an authorization response message to the AAF 320. The AAF 320 may receive an authorization response message from the UDM 340. Specifically, the UDM 340 may identify information related to a terminal user based on information included in the received permission request message, and a permission response message including a use permission profile corresponding to the identified subscriber is sent to the UDM 340 ) May be transmitted to the AAF 320. According to various embodiments, the use permission profile includes information on whether to allow the requested edge computing service to the UE 310, information on whether a user of the UE 310 has subscribed to the requested edge computing service, and edge It may include at least one of a computing service profile identifier, an allowed EEC identifier, an edge computing service profile index, subscriber category information, and a subscriber level. The edge computing service profile identifier and the edge computing service profile index mean an identifier indicating negotiation information determined through a prior agreement between a mobile communication service provider and an edge application service provider. In addition, the subscriber category refers to a subscriber's grade or category information (eg, grade A or grade B) managed by a mobile communication service provider. In addition, the subscriber level refers to a priority given to a corresponding subscriber, information for differentiating and providing edge computing services, or information on a grade for each subscriber (eg, level 1 or level 2). That is, the UDM 340 includes information such as an identifier related to the UE 310 that has requested authentication or a subscriber level corresponding to the EEC identifier, information of the requested edge computing service, and the relationship between the user of the UE 310 and the corresponding edge application. It is possible to search for information on and provide the searched information to the AAF 320 as an authorization response message.

In step 861, the AAF 320 generates an authentication result. The AAF 320 may generate an authentication result based on the authorization response message received from the UDM 340. That is, the AAF 320 may determine whether to generate an authentication code based on the authorization response message received from the UDM 340. Specifically, when the AAF 320 identifies information for indicating not to allow the requested edge computing service based on the permission profile included in the permission response message, the authentication code may not be generated. Also, when the AAF 320 identifies information for indicating that the requested edge computing service is allowed, it may generate an authentication code.

In step 863, the AAF 320 transmits the authentication result to the UE 310. The UE 310 may receive the authentication result from the AAF 320. According to various embodiments, when the authentication code is generated, the AAF 320 may transmit a message to the UE 310 to indicate that authentication has been successfully performed. That is, the AAF 320 may transmit a message including the authentication code to the UE 310. In addition, the AAF 320 may transmit a message additionally including a redirection address. By receiving the authentication code generated based on the permission profile for each subscriber from the AAF 320, the UE 310 may use the authentication code to request issuance of an access token. In addition, the UE 310 may access a web site indicated by the redirection address included in the message for indicating the authentication result. According to various embodiments, when the authentication code is not generated, the AAF 320 may transmit a message indicating that the authentication has failed to the UE 310.

9 is a flowchart of a UE for determining an authentication method for an edge application in a wireless communication system according to various embodiments of the present disclosure. 9 illustrates a method of operation of the UE 310.

Referring to FIG. 9, in step 901, the UE receives a policy for an authentication scheme. The UE may predetermine an authentication method before initiating the authentication procedure. That is, the UE may determine the authentication method in consideration of the operator's policy including information on the authentication method set by the operator. Information about the above-described authentication method may be delivered to the UE through various paths. For example, the UE may obtain information on an authentication method set by a provider through an application layer through a user plane from a separate configuration server. For example, the UE may obtain information on the authentication method set by the operator through a non-access stratum (NAS) message from the 5G system. Information on the authentication method set by the operator that can be stored in advance in the UE may include at least one of a type of authentication credential information, an authentication domain of the operator, and an authentication method. The type of authentication credential information includes at least one of SUPI, SUCI (subscription concealed identifier), GPSI including MSISDN, EEC identifier, or indicator for indicating the type of application layer ID (identification) managed by the operator. can do. In addition, the authentication domain of the operator may include at least one of the operator's identifier, the operator's domain name, the operator's mobile network code (MNC), or the operator's mobile country code (MCC) information. In addition, the authentication method includes an authentication method based on SIM credential, an authentication method based on a user portal, an authentication method based on an automatically generated credential, an authentication method based on OTP, an authentication method using a general bootstrapping architecture (GBA), and stored in the UE. It may include at least one of authentication methods using a certificate.

In step 903, the UE determines an authentication method based on at least one of the received policy or user input. That is, the UE may determine an authentication method based on at least one of a received policy or user input, and may identify an identifier related to a terminal user corresponding to the determined authentication method, an EEC identifier, and a type of user agent. The UE may perform an authentication procedure according to the determined authentication method by transmitting an authentication initiation message including an identifier associated with the identified terminal user and the type of user agent to the AAF. The operator policy may include information on a plurality of authentication methods that may be supported by the operator, and the UE may determine at least one of the plurality of authentication methods. For example, when a plurality of authentication methods are identified in the received policy, the UE may determine an authentication method corresponding to a user input from among the plurality of authentication methods. For example, the UE may determine an authentication method according to a priority set for each of a plurality of authentication methods identified by the received policy. According to various embodiments, the identifier associated with the terminal user may include at least one of SUPI, SUCI, MSISDN, a separate user identifier used by a service provider to manage subscribers, or an identifier of a terminal device (eg, PEI). . Alternatively, the identifier associated with the terminal user may be an edge enabler client (EEC) identifier of the terminal. For example, if the authentication method set by the operator is an authentication method based on SIM credential, the UE sends an authentication initiation message including at least one of SUPI or SUCI as an identifier associated with the terminal user, or GPSI associated with SUPI or SUCI. It can be sent to the AAF. In addition, the UE may transmit to the AAF an authentication initiation message including an identifier for distinguishing whether it is a web browser for implementing an authentication method based on SIM credential as a type of user agent or a separate user agent. In this case, a separate user agent designated by the operator or developed by the manufacturer of the terminal device may be used.

10 is a flowchart illustrating an AAF for determining an authentication method for an edge application in a wireless communication system according to various embodiments of the present disclosure. 10 illustrates an operation method of the AAF 320.

Referring to FIG. 10, in step 1001, the AAF identifies information included in the authentication initiation message. Specifically, the AAF may identify the form of an identifier related to a terminal user or an edge enabler client identifier (EEC ID) included in the authentication initiation message. For example, when an identifier associated with a terminal user is GPSI, the AAF may determine an authentication method based on a user name and a domain name included in the identifier. For example, when the identifier associated with the terminal user is MSISDN, the AAF may identify a home network for performing an authentication procedure and an AUSF corresponding to the home network based on the identified MSISDN. For example, when the identifier associated with the terminal user is PEI, the AAF may determine the authentication method by identifying information on the terminal device.

In step 1003, the AAF determines an authentication method based on at least one of the identified information or policy. The AAF may determine an authentication method based on information identified from the authentication initiation message. In an embodiment, when the identifier associated with the terminal user is GPSI, the AAF may select a different authentication method according to the format of the user name and domain name. Alternatively, the AAF can select a different authentication method through the EEC identifier. That is, when the identifier has a NAI (network access identifier) format, the identifier can be configured in a format such as'username@domainname', and AAF authenticates differently according to the format of each of the'username'and'domainname' parts. You can choose the method. For example, when the domain name has a format of '5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org', the user name may include an international mobile subscriber identity (IMSI) or a value of SUCI. In this case, the AAF may identify the home network for performing the authentication procedure from the MNC and the MCC based on the domain name and the AUSF corresponding to the home network, and select an AUSF group based on SUCI included in the user name. Accordingly, the AAF may select an authentication method based on SIM credentials, which is a method of using HTTP (hypertext transfer protocol) to perform the authentication procedure. In another example, the domain name has the same format as the 'operator.com', the user name may include a separate terminal subscriber identifier registered with the provider or a third party (3 ^rd party) to the portal server operators operating . In this case, when a separate terminal subscription identifier is supported by AAF and the type of user agent included in the authentication initiation message is identified by a web browser, the AAF may select an authentication method based on the user portal to perform the authentication procedure. . According to another embodiment, when the identifier associated with the terminal user is MSISDN, the AAF may select a home network and an AUSF of the home network based on MSISDN, and may select an authentication method based on OTP, which is a method using MSISDN. According to another embodiment, when the identifier associated with the terminal user is PEI, the AAF may select an authentication method based on an automatically generated credential that uses the subscription information of the terminal. Alternatively, when the AAF 320 uses an authentication and key management for application (AKMA) key from the terminal, and the AAF 320 receives a key generation request from AAnF (AKMA Anchor Function) or AUSF in the 5GC network, AAF ( 320) may request a key generation from NEF or AUSF in the 5GC network.

11 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on a SIM credential in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 11 may be understood as a signal flow exchanged between the UE 310, the AAF 320, the authentication credential repository and processing function (UDM/ARPF) 340, and the AUSF 350. The authentication procedure described in FIG. 11 may follow the HTTP AKA procedure.

Referring to FIG. 11, in step 1101, the AAF 320 transmits a first authentication request message to the AUSF 350. The AUSF 350 may receive the first authentication message from the AAF 320. Specifically, the AAF 320 identifies the AUSF 350 for performing the authentication procedure based on the SIM credential determined based on the authentication initiation message received from the UE 310. When the AUSF 350 is identified, the AAF 320 transmits a first authentication request message for requesting authentication to the identified AUSF 350. The first authentication request message may be referred to as authenticate request, but is not limited thereto, and various names for requesting authentication may be used. According to various embodiments, the first authentication request message may include at least one of an identifier associated with a terminal user, an identifier of the AAF 320 (AAF ID), and an identifier of an application provider (application provider ID). In this case, the identifier associated with the terminal user may be an identifier corresponding to an authentication method determined from among GPSI, SUPI, and SUCI. In addition, the identifier of the AAF 320 may be an identifier for identifying the individual AAF 320 that transmits the first authentication request message. In addition, the identifier of the application provider is an identifier for identifying a separate operator in cooperation with the mobile communication operator, and may have a form of a reverse fully qualified domain name (FQDN).

In step 1103, the AUSF 350 transmits an authentication acquisition request message to the UDM/ARPF 340. The UDM/ARPF 340 may receive an authentication acquisition request message from the AUSF 350. The authentication acquisition request message may be referred to as an'UE authentication get request message'. Specifically, the AUSF 350 selects the UDM/ARPF 340 and transmits an authentication acquisition request message to the selected UDM/ARPF 340. The authentication acquisition request message may be understood as a message for the AUSF 350 to deliver the information received from the AAF 320 to the UDM/ARPF 340. According to various embodiments, the authentication acquisition request message may include at least one of an identifier associated with a terminal user, an identifier of the AAF 320, and an identifier of an application provider. That is, the authentication acquisition request message includes the same information as the information included in the first authentication request message received from the AAF 320, or by adding the above-described information to the information included in the first authentication request message, UDM/ARPF It may be transmitted to 340. The identifier associated with the terminal user may be an identifier corresponding to an authentication method determined from among GPSI, SUPI, and SUCI. In addition, the identifier of the AAF 320 may be an identifier for identifying the individual AAF 320 that has transmitted the first authentication request message. In addition, the identifier of the application provider is an identifier for identifying a separate operator in a cooperative relationship with the mobile communication operator, and may take the form of a reverse FQDN.

In step 1105, the UDM/ARPF 340 generates an authentication vector. That is, the UDM/ARPF 340 may generate an authentication vector (AV) based on information included in the received authentication acquisition request message. Specifically, the UDM/ARPF 340 may identify the SIM credential of the terminal based on the identifier associated with the terminal user identified in the authentication acquisition request message. For example, the UDM/ARPF 340 may identify the SIM credential of the terminal by performing conversion of the GPSI identified in the authentication acquisition request message. The UDM/ARPF 340 may identify the identified SIM credential, and generate an authentication vector using information included in the authentication acquisition request message. For example, the UDM/ARPF 340 may generate XRES* using at least one of the received identifier of the AAF 320 and the identifier of the application provider. That is, when XRES* is generated, at least one of the identifier of the AAF 320 and the identifier of the application provider may be added. Accordingly, the UDM/ARPF 340 is an authentication including XRES*, a random number (RAND), an authentication token (AUTN), and a KAUSF 350 used as an authentication key, which is information necessary for the UE 310 to perform authentication. You can create vectors.

In step 1107, the UDM/ARPF 340 transmits an authentication acquisition response message to the AUSF 350. The AUSF 350 may receive an authentication acquisition response message from the UDM 340. The authentication acquisition response message may be referred to as an'UE authentication get response message'. That is, the UDM/ARPF 340 may transmit a message to the AUSF 350 to deliver information required to perform authentication to the UE 310. Specifically, the UDM/ARPF 340 may transmit an authentication acquisition response message including an application layer authentication vector to the AUSF 350, and the application layer authentication vector includes XRES*, RAND, AUTN, and KAUSF 350 can do. That is, the authentication vector may be expressed as'application HE AV= RAND, AUTN, XRES*, KAUSF (350)'.

In step 1109, the AUSF 350 stores XRES* and generates HXRES*. That is, the AUSF 350 may identify the authentication vector in the authentication acquisition response message received from the UDM/ARPF 340 and store information included in the identified authentication vector. For example, the AUSF 350 may store the XRES* of the authentication vector and derive the HXRES* based on the XRES*.

In step 1111, the AUSF 350 transmits a first authentication response message to the AAF 320. The AAF 320 may receive a first authentication response message from the AUSF 350. That is, the AUSF 350 may transmit a message to the AAF 320 for transmitting information necessary for the UE 310 to perform authentication. Specifically, the AUSF 350 may transmit a first authentication response message including an application layer authentication vector to the AAF 320. The application layer authentication vector may include HXRES* generated by the AUSF 350. That is, the application layer authentication vector transmitted by the AUSF 350 may include RAND, AUTN, and HXRES*, and may be expressed as'application HE AV= RAND, AUTN, HXRES*'.

In step 1113, the AAF 320 transmits a second authentication request message to the UE 310. The UE 310 may receive a second authentication request message from the AAF 320. The second authentication request message may be referred to as an'application authentication request message'. That is, the AAF 320 may transmit a message for delivering information required for authentication received from the AUSF 350 to the UE 310. According to various embodiments, since the authentication method based on SIM credential can be performed according to the HTTP protocol, the second authentication request message may be transmitted as an HTTP response message. For example, the second authentication request message may be transmitted to the UE 310 as a '401 Not Found' response code or a'WWW-authentication: Digest' message. In this case,'Digest' may include RAND and AUTN from among information included in the application layer authentication vector received from the AUSF 350. That is, a second authentication request message having a format of'WWW-authentication: Digest (RAND, AUTN)' may be transmitted from the AAF 320 to the UE 310.

In step 1115, the UE 310 performs the AKA algorithm. Specifically, the UE 310 may generate RES and AUTN by performing the AKA algorithm. The UE 310 verifies whether the generated AUTN value and the AUTN value included in the second authentication request message received from the AAF 320 match.

In step 1117, the UE 310 transmits a second authentication response message to the AAF 320. The AAF 320 may receive a second authentication response message from the UE 310. The second authentication request message may be referred to as an'application authentication response message'. Specifically, when authentication is successful by comparing the value of the AUTN generated by the UE 310 and the value of the AUTN received from the AAF 320, the UE 310 transmits RES* to the AAF 320 A second authentication response message may be transmitted. According to various embodiments, the second authentication response message may be transmitted as an HTTP request message. In this case, the second authentication response message may include an authorization digest header. That is, a second authentication response message having a format of'authorization digest (RES*)' may be transmitted from the UE 310 to the AAF 320.

In step 1119, the AAF 320 calculates XRES* and HXRES*. The AAF 320 may calculate XRES* and HXRES* by using the RES* included in the second authentication response message received from the UE 310. The UE 310 may compare whether the value of HXRES* matches the target value. In this case, the target value may be identified as HXRES* included in the authentication vector of the first authentication response message. The AAF 320 may check whether the HXRES* value and the target value correspond to each other for authentication of the user of the UE 310.

In step 1121, the AAF 320 transmits a third authentication request message to the AUSF 350. The AUSF 350 may receive a third authentication request message from the AAF 320. As the AAF 320 confirms that the calculated HXRES* value matches the HXRES* value received from the AUSF 350, a message for delivering the RES* received from the UE 310 to the AUSF 350 Can be sent. Accordingly, the third authentication request message may include RES*.

In step 1123, the AUSF 350 checks RES*. That is, the AUSF 350 may determine whether the value of RES* transmitted from the terminal corresponds to a value stored in the AUSF 350. By checking the value of RES*, the AUSF 350 can identify whether the authentication for the UE 310 is successful.

In step 1125, the AUSF 350 transmits a third authentication response message to the AAF 320. The AAF 320 may receive a third authentication response message from the AUSF 350. When it is identified that authentication for the UE 310 is successful, the AUSF 350 may transmit a message for indicating the authentication success to the AAF 320. In this case, the AUSF 350 transmits a third authentication response message including the KAAF 320 used as an authentication key and a separate indicator for indicating that authentication has been successful to the AAF 320.

When the authentication method based on the user portal is determined by the UE, the UE may transmit an authentication initiation message including a type of user agent for indicating at least one of various browsers to the AAF. Alternatively, when the type of user agent included in the authentication initiation message received by the AAF indicates at least one of various browsers, the AAF may determine to perform a procedure according to an authentication method based on the user portal. Alternatively, when the AAF fails to determine an appropriate authentication method based on the authentication initiation message, the authentication method based on the user portal may be determined. Hereinafter, an authentication procedure when an authentication method based on a user portal is determined in FIGS. 12 and 13 will be described in detail.

12 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on a user portal in a wireless communication system according to various embodiments of the present disclosure. 13 illustrates an example of a user portal screen for performing an authentication procedure based on a user portal in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 12 may be understood as a signal flow exchanged between the UE 310 and the AAF 320. Hereinafter, FIG. 10 will be described with reference to FIG. 11.

Referring to FIG. 12, in step 1201, the AAF 320 transmits a message for inputting authentication credential information to the UE 310. The UE 310 may receive a message for inputting authentication credential information from the AAF 320. Specifically, the AAF 320 may transmit to the UE 310 a message including an HTML address for displaying a screen in which credential information for authentication, such as a user ID and a password, can be input. For example, the AAF 320 may transmit the HTML address of the screen 1100 including the input field 1110 for inputting a user ID and the input field 1120 for inputting a password to the UE 310. have.

In step 1203, the UE 310 transmits authentication credential information to the AAF 320. The AAF 320 may receive authentication credential information from the UE 310. The UE 310 may display the screen 1300 on the display panel of the UE 310 by rendering the received HTML file using a browser corresponding to the type of user agent indicated in the authentication initiation message. The UE 310 may receive input of at least one of a user ID or an email address for the input box 1310 and an input of a password for the input box 1320. The UE 310 may transmit the input user ID and password to the AAF 320 as authentication credential information.

In step 1205, the UE 310 and the AAF 320 perform an authentication procedure using the input authentication credential information. The UE 310 may perform an authentication procedure for verifying the user ID and password through interaction with the portal included in the AAF 320.

According to the above-described embodiment of determining the authentication method, the UE and the AAF may determine to perform an authentication procedure based on the automatically generated credential. In this case, authentication information is generated using at least one of SUPI, PEI, and MSISDN, which are terminal user-related information that is difficult to disclose to the outside, and authentication information generated through a mutually negotiated one-way hash function Can be verified. Hereinafter, an authentication procedure according to an authentication method based on an automatically generated credential will be described in detail in FIG. 14.

14 is a diagram illustrating a signal exchange diagram for performing an authentication procedure based on an automatically generated credential in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 14 may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the UDM 340.

Referring to FIG. 14, in step 1401, the AAF 320 transmits a profile request message to the UDM 340. The UDM 340 may receive a profile request message from the AAF 320. Specifically, the AAF 320 may select the UDM 340 for performing the authentication procedure using information on the type of the user agent and the identifier associated with the terminal user identified from the authentication initiation message received from the UE 310. have. The AAF 320 may request information for performing an authentication procedure based on the automatically generated credential from the selected UDM 340. That is, the AAF 320 may transmit a profile request message including an identifier related to the terminal user to the UDM 340. For example, by transmitting a profile request message including GPSI, the AAF 320 may request the UDM 340 for information for performing authentication for a user of a terminal corresponding to the GPSI.

In step 1403, the UDM (340) transmits a profile response message to the AAF (320). The AAF 320 may receive a profile response message from the UDM 340. That is, the UDM 340 may transmit a profile response message including subscriber information for indicating at least one of SUPI, PEI, and MSISDN corresponding to GPSI to the AAF 320. As described above, SUPI, PEI, and MSISDN are identifiers that are not disclosed to the outside and may be used to automatically generate a credential. That is, an authentication method based on credentials generated using information related to the UE 310 may be used.

In step 1405, the AAF 320 generates a digest. The AAF 320 may acquire subscriber information for identifying the terminal based on the profile response message received from the UDM 340. In addition, the AAF 320 generates a RAND, and generates a digest using the acquired subscriber information and a random number (RAND). In this case, as described above, the subscriber information may correspond to at least one of SUPI, PEI, and MSISDN, and the digest may be expressed as'Digest = H(RAND | SUPI)'.

In step 1407, the AAF 320 transmits an authentication request message to the UE 310. The UE 310 may receive an authentication request message from the AAF 320. The authentication request message may be referred to as an'application authentication request message'. That is, the AAF 320 may transmit a message for delivering the generated digest to the UE 310. According to various embodiments, the authentication request message may be transmitted in the form of an HTTP response message. The AAF 320 may transmit an HTTP response message to the UE 310 by inserting the generated digest into the'WWW-authenticate' field. In this case, the authentication request message may include a format such as'WWW-authenticate: Digest Random: RAND'.

In step 1409, the UE 310 verifies the digest and generates a message authentication code (MAC). When the digest identified from the authentication request message is verified, the UE 310 uses at least one of SUPI, PEI, MSISDN, or RAND generated by the AAF 320 corresponding to subscriber information for identifying the UE 310. MAC can be created. That is, the MAC can be expressed as'MAC = H(RANND | MSISDN | PEI | SUPI)'.

In step 1411, the UE 310 transmits an authentication response message to the AAF 320. The AAF 320 may receive an authentication response message from the UE 310. The authentication response message may be referred to as an'application authentication response message'. Specifically, the UE 310 may transmit an authentication response message in which the MAC generated based on the verified digest is inserted to the AAF 320. According to various embodiments, the authentication response message may be transmitted in the form of an HTTP request message. In this case, the UE 310 may transmit an authentication response message to the AAF 320 by including the MAC in the'authorization' header field of the HTTP request message.

In step 1413, the AAF 320 verifies the MAC. That is, the AAF 320 may verify that the UE 310 is the same as the identifier associated with the terminal user received from the UDM 340 through the generated MAC. MAC verification can be performed according to various methods such as a method based on a hash function.

In step 1415, the AAF 320 generates an authentication code. When the AAF 320 verifies the MAC, it may be determined that the authentication is successful. Accordingly, the AAF 320 may generate an authentication code that the UE 310 can use to obtain an access token for the edge application.

In step 1417, the AAF (320) transmits the authentication result to the UE (310). The UE 310 may receive the authentication result from the AAF 320. The authentication result may be referred to as an'application authentication result message'. The AAF 320 may transmit a message indicating to the UE 310 that authentication has been successfully performed. According to various embodiments, the AAF 320 may transmit a message including an authentication code to the UE 310. In addition, the AAF 320 may transmit a message additionally including a redirection address to the UE 310.

15 is a diagram illustrating a signal exchange diagram for performing an OTP-based authentication procedure in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 15 may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the UDM 340.

Referring to FIG. 15, in step 1501, the AAF 320 transmits a profile request message to the UDM 340. The UDM 340 may receive a profile request message from the AAF 320. Specifically, the AAF 320 may select the UDM 340 for performing the authentication procedure using information on the type of the user agent and the identifier associated with the terminal user identified from the authentication initiation message received from the UE 310. have. The AAF 320 may transmit a profile request message including an identifier related to a terminal user to the selected UDM 340. For example, by transmitting a profile request message including GPSI, the AAF 320 may request the UDM 340 for information for performing authentication for a user of a terminal corresponding to the GPSI.

In step 1503, the UDM 340 transmits a profile response message to the AAF 320. The AAF 320 may receive a profile response message from the UDM 340. The UDM 340 may identify at least one of SUPI, PEI, and MSISDN for the UE 310 based on the received GPSI. Accordingly, the UDM 340 may transmit a profile response message including subscriber information for indicating at least one of the identified SUPI, PEI, and MSISDN to the AAF 320.

In step 1505, the OTP is transmitted from the AAF 320 to the UE 310. The AAF 320 may acquire subscriber information for identifying the terminal based on the profile response message received from the UDM 340. In this case, as described above, the subscriber information may correspond to at least one of SUPI, PEI, and MSISDN. The AAF 320 may transmit a one time password (OTP) to the UE 310 corresponding to at least one of the acquired SUPI, PEI, and MSISDN through a separate path. For example, the AAF 320 may deliver the OTP to the UE 310 corresponding to the acquired subscriber information through a short message service (SMS). For example, the AAF 320 may deliver the OTP to the UE 310 corresponding to the acquired subscriber information through a NAS message.

In step 1507, the AAF 320 transmits an authentication request message to the UE 310. The UE 310 may receive an authentication request message from the AAF 320. The authentication request message may be referred to as an'application authentication request message'. That is, as the AAF 320 receives a request for initiating an authentication procedure from the UE 310, after passing through a predetermined procedure, the AAF 320 may transmit an authentication request message as a response message. In this case, the AAF 320 generates a random number (RAND) that can be used for verification of a message authentication code (MAC), and transmits an authentication request message including the generated RAND to the UE 310 I can.

In step 1509, the UE 310 generates a MAC. The UE 310 may generate a MAC using at least one of SUPI, PEI, MSISDN, RAND generated by the AAF 320, and received OTP values corresponding to subscriber information for identifying the UE 310. . That is, MAC can be expressed as'MAC = H(OTP, RANND | MSISDN | PEI | SUPI)'.

In step 1511, the UE 310 transmits an authentication response message to the AAF 320. The AAF 320 may receive an authentication response message from the UE 310. The authentication response message may be referred to as an'application authentication response message'. Specifically, the UE 310 may transmit to the AAF 320 an authentication response message in which the MAC generated based on at least one of the above-described subscriber information, RAND, and OTP values is inserted.

In step 1513, the AAF 320 verifies the MAC. The AAF 320 generates a MAC based on at least one of subscriber information received from the UDM 340 through a profile response message, a RAND generated by the AAF 320, and an OTP transmitted to the UE 310 can do. In addition, the AAF 320 may identify the MAC generated by the UE 310 from the authentication response message received from the UE 310. Accordingly, the AAF 320 may verify the MAC generated by the UE 310 using the MAC generated by itself.

In step 1515, the AAF 320 generates an authentication code. When the AAF 320 verifies the MAC and determines that the authentication is successful, the AAF 320 may generate an authentication code. According to various embodiments, the AAF 320 may generate an authentication code according to the OAUTH2 framework, which is a protocol for managing authentication and authorization of a third party using a token. That is, the AAF 320 may generate an authentication code that the UE 310 can use to obtain an access token for an edge application.

In step 1517, the AAF 320 transmits the authentication result to the UE 310. The UE 310 may receive the authentication result from the AAF 320. The authentication result may be referred to as an'application authentication result message'. The AAF 320 may transmit a message indicating to the UE 310 that authentication has been successfully performed. According to various embodiments, the AAF 320 may transmit a message including an authentication code to the UE 310. In addition, the AAF 320 may transmit a message additionally including a redirection address to the UE 310.

When the UE obtains the authentication code by performing the above-described authentication procedures, the UE may perform a procedure for obtaining an access token using the obtained authentication code. Hereinafter, in FIGS. 16 and 17, a procedure for obtaining an access token is described in detail.

16 illustrates a signal exchange diagram when generation of an access token is successful in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 16 may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the APR 360.

Referring to FIG. 16, in step 1601, the UE 310 transmits a request message to the AAF 320. The AAF 320 may receive a request message from the UE 310. That is, after the authentication procedure is successfully performed, the UE 310 may transmit a message to the AAF 320 for requesting an access token. According to various embodiments, the request message may include at least one of a grant type (grant_type), an authentication code, a redirect address, and a client ID. The request message may be referred to as an'access token request message'.

In step 1603, the AAF 320 verifies the authentication code. The AAF 320 may identify the authentication code based on the received request message. The AAF 320 may verify the validity of the identified authentication code based on at least one predetermined criterion. For example, the validity of the authentication code may be determined based on at least one of information other than the authentication code included in the request message, the GPSI identified in the authentication code, the valid time of the authentication code.

In step 1605, the AAF 320 acquires profile information. When the validity of the authentication code is verified, the AAF 320 may acquire a subscriber profile corresponding to the verified authentication code. According to various embodiments, the subscriber profile includes information for identifying a user of the UE 310 requesting issuance of an access token (eg, an identifier related to a terminal user) and subscriber information corresponding to the user (eg, subscriber level, subscriber). Categories, etc.). Although not shown in FIG. 16, the AAF 320 may obtain information on the UE 310 or the user who requested issuance of an access token by requesting a subscriber profile from the UDM.

In step 1607, the AAF 320 transmits a profile request message to the APR 360. The APR 360 may receive a profile request message from the AAF 320. The profile request message may be referred to as an'application profile request message'. That is, the AAF 320 may transmit a message to the APR 360 to request a profile for at least one edge application. In this case, profile information on the edge application for which issuance of an access token is requested by the UE 310 is requested. According to various embodiments, the profile request message may include at least one of an application profile ID or a category of a corresponding application profile.

In step 1609, the APR (360) transmits a profile response message to the AAF (320). The AAF 320 may receive a profile response message from the APR 360. The profile response message may be referred to as an'application profile response message'. The APR 360 may identify whether the application profile requested by the profile request message is allowed based on information about the pre-stored edge applications. At least one application profile may be requested from the AAF 320, and the APR 360 may search or identify an allowed application profile based on a policy related to the application. Accordingly, the APR 360 may transmit a profile response message including information for indicating at least one of an allowed application profile or a disallowed application profile to the AAF 320.

In step 1611, the AAF 320 generates an access token. The AAF 320 may obtain an allowed application profile based on the profile response message received from the APR 360. The AAF 320 may generate an access token by setting authority according to the acquired subscriber profile. According to various embodiments, the access token identifies an identifier associated with a terminal user (eg, a subscriber identifier, an identifier of a terminal device), an identifier of an application profile, a subscriber category, a subscriber level, and the AAF 320 for verification of an access token. It includes at least one of the information to be described. The information for identifying the AAF 320 for verification of the access token may include at least one of an address of the AAF 320 end point, an identifier of an application provider, and an AAF 320 ID.

In step 1613, the AAF (320) transmits a response message to the UE (310). The UE 310 may receive a response message from the AAF 320. Specifically, after performing encryption on the generated access token, the AAF 320 may transmit a response message for delivering the encrypted access token to the UE 310. Accordingly, the access token may be used to determine whether to allow the UE 310 to use the edge computing service corresponding to the application profile. The response message may be referred to as an'access token response message'.

17 is a diagram illustrating a signal exchange diagram when generation of an access token fails in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 17 may be understood as a signal flow exchanged between the UE 310 and the AAF 320.

Referring to FIG. 17, in step 1701, the UE 310 transmits a request message to the AAF 320. The AAF 320 may receive a request message from the UE 310. That is, after the authentication procedure is successfully performed, the UE 310 may transmit a message to the AAF 320 for requesting an access token. According to various embodiments, the request message may include at least one of an authorization type, an authentication code, a redirection address, and a client ID. The request message may be referred to as an'access token request message'.

In step 1703, the AAF 320 verifies the authentication code. The AAF 320 may identify the authentication code based on the received request message. The AAF 320 may determine whether to not generate an access token using information identified in the request message. For example, if the validity time of the authentication code has elapsed, the GPSI identified in the authentication code does not match the GPSI received from the UDM, or the client ID included in the request message does not match, the AAF 320 May decide not to generate an access token. In addition, if the profile information received from the UDM is identified as invalid, the AAF 320 may determine that the AAF 320 does not generate an access token.

In step 1705, the AAF (320) transmits a response message to the UE (310). The UE 310 may receive a response message from the AAF 320. That is, the AAF 320 may transmit a message indicating that the access token has not been generated to the UE 310. For example, the response message may include at least one of information on a reason for rejection of the authentication code and a redirection address. That is, the AAF 320 may transmit the reason for rejecting the authentication code to the UE 310 through a response message. In addition, the AAF 320 may transmit a redirect address that can be determined according to the reason for rejection of the authentication code through a response message. The response message may be referred to as an'access token response message'.

18 is a flowchart of a UE for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure. 18 illustrates a method of operation of the UE 310.

Referring to FIG. 18, in step 1801, the UE transmits a request message including an access token to the AF. That is, upon receiving the access token from the AAF as the authentication code is successfully verified, the UE may transmit a request message for requesting permission to use the edge application to the AF. In this case, the UE may deliver the access token to the AF through the request message. The access token includes at least one of information for identifying an identifier related to a terminal user (eg, a subscriber identifier, an identifier of a terminal device), an identifier of an application profile, a subscriber category, a subscriber level, and AAF for verification of an access token. can do.

In step 1803, the UE receives a response message based on the verification result of the access token from the AF. Specifically, the AF may identify an AAF for verification of the access token based on the received access token. The AF may transmit a message including information for requesting permission to use an access token and an edge application to the identified AAF. When the verification of the access token by the AAF is successful, the AF receives at least one of information on the permission permission of the edge application corresponding to the information included in the access token from the AAF or an allowed application profile. Accordingly, the UE may receive a response message including information on an edge application allowed according to at least one of a subscriber category and a subscriber level related to the UE from the AF. According to various embodiments, the information on the edge application may include an address of an application server corresponding to the edge application. For example, the address of the application server may include at least one of an FQDN, an internet protocol (IP) address, or an edge computing service end point address. When the verification of the access token by the AAF fails, the AF receives a verification response message indicating the reason for the failure of the verification of the access token from the AAF. Accordingly, the UE may receive a response message including at least one of information indicating the reason why the verification of the access token has failed from the AF and a redirection address for re-performing the authentication procedure to obtain a valid access token.

19 is a flowchart illustrating an AAF for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure. 19 illustrates an operation method of the AAF 320.

Referring to FIG. 19, in step 1901, the AAF receives a request message for requesting verification of an access token from the AF. Specifically, the AF may identify the AAF for verification of the access token based on the access token included in the request message received from the UE. The AAF may receive a verification request message including information for requesting permission to use an access token and an edge application from the AF. That is, the AAF may receive a message for requesting verification of the access token from the AF after being identified by the AF.

In step 1903, the AAF performs verification on the access token. The AAF may verify the access token based on at least one of information related to the validity time of the access token and the authority of the access token. For example, the AAF may identify whether the valid time of the access token has elapsed at the time of performing verification. If the validity time has not elapsed, the AAF may determine that the verification of the access token was successful. If the validity time has elapsed, the AAF may determine that the verification of the access token has failed. In addition, the AAF may identify whether at least one of a resource permitted by the access token or a resource requested by the UE is included in the authority of the access token. When at least one of the resources allowed by the access token or the resources requested by the UE is included within the authority of the access token, the AAF may determine that the verification of the access token has been successful. When at least one of the resources allowed by the access token or the resources requested by the UE is not included in the authority of the access token, the AAF may determine that the verification of the access token has failed.

In step 1905, the AAF transmits a verification response message based on the verification result for the access token to the AF. That is, the AAF may transmit a response message for indicating the verification result of the access token to the AF. If it is determined that the verification of the access token has been successful, the AAF may transmit a verification response message including at least one of information on the permission of the edge application corresponding to the information contained in the access token or the permitted application profile to the AF. have. When it is determined that the verification of the access token has failed, the AAF may send a verification response message to indicate to the AF why verification of the access token has failed. In this case, a reason for verification failure such as an invalid access token due to the lapse of the valid time or that the requested resource is not included in the scope of the access token may be transmitted to the AF.

20 is a flowchart of an AF for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure. 20 illustrates an operation method of the AF 330.

Referring to FIG. 20, in step 2001, the AF transmits a request message for requesting verification of the received access token to the AAF. Specifically, the AF may identify the AAF for verification of the access token based on information for identifying the AAF for verification of the access token included in the access token received from the UE. According to various embodiments, the information for identifying the AAF for verification of the access token may include at least one of an address of an AAF endpoint, an identifier of an application provider, and an AAF ID. For example, when the access token has a json web token (JWT) format, the issuer ID field, which is the identification information of the token issuer, includes information determined based on the identifier of the application provider and the AAF ID, The IAT (issued at) field, which is information for indicating the token issuance time, may include the address of the AAF endpoint. Accordingly, the AF may transmit a verification request message including the access token and permission request information to the identified AAF.

In step 2003, the AF receives a verification response message based on the verification result for the access token from the AAF. That is, the AF may receive a response message indicating the verification result of the access token from the AAF. When it is determined that the verification of the access token has been successful, the AF may receive a verification response message including at least one of information on the permission of the edge application corresponding to the information included in the access token from the AAF or an allowed application profile. have. When it is determined that the verification of the access token has failed, the AF may receive a verification response message indicating the reason that the verification of the access token has failed from the AAF. In this case, a reason for verification failure such as an invalid access token due to the lapse of the valid time or that the requested resource is not included in the scope of the access token may be transmitted to the AF.

In step 2005, the AF transmits a response message to the UE based on the verification response message. When the verification of the access token by the AAF is successful, the AF receives a verification response message indicating that the verification was successful from the AAF, so that the edge application is allowed according to at least one of a subscriber category related to the UE and a subscriber level. A response message including information may be transmitted to the UE. According to various embodiments, the information on the edge application may include an address of an application server corresponding to the edge application. For example, the address of the application server may include at least one of an FQDN, an IP address, or an edge computing service endpoint address. As described above, when the verification of the access token is successful, the verification response message may include at least one of information about permission to allow an edge application corresponding to information included in the access token or an allowed application profile. When the verification of the access token by the AAF fails, the AF receives a verification response message from the AAF indicating the reason why the verification of the access token has failed, so that information indicating the reason for the failure of the verification of the access token and a valid access token In order to obtain a response message including at least one of the redirection addresses for re-performing the authentication procedure, a response message including at least one of the redirection addresses may be transmitted to the UE.

21 illustrates a signal exchange diagram for permission to use an edge application in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 21 may be understood as a signal flow exchanged between the UE 310, the AAF 320, and the AF 330.

Referring to FIG. 21, in step 2101, the UE 310 transmits a request message to the AF 330. The AF 330 may receive a request message from the UE 310. The request message may be referred to as an'application request message'. That is, when the access token is received from the AAF 320 as the authentication code is successfully verified, the UE 310 may transmit a request message for requesting permission to use the edge application to the AF 330. In this case, the UE 310 may deliver the access token to the AF 330 through a request message. The access token is at least one of an identifier associated with a terminal user (eg, a subscriber identifier, an identifier of a terminal device), an identifier of an application profile, a subscriber category, a subscriber level, and information for identifying the AAF 320 for verification of the access token. It can contain one.

In step 2103, the AF (330) transmits a verification request message to the AAF (320). The AAF 320 may receive a verification request message from the AF 330. Specifically, the AF (330) based on the information for identifying the AAF (320) for verification of the access token included in the access token received from the UE (310), the AAF (320) for verification of the access token. Can be identified. The verification request message may be referred to as an'access token verification request message'. According to various embodiments, the information for identifying the AAF 320 for verification of the access token may include at least one of the address of the AAF 320 end point, the identifier of the application provider, and the AAF 320 ID. have. For example, when the access token has a JWT format, the issuer ID field, which is the identification information of the token issuer, includes information determined based on the identifier of the application provider and the AAF 320 ID, and The IAT (issued at) field, which is information for indicating the issuance time, may include the address of the AAF 320 end point. Accordingly, the AF 330 may transmit a verification request message including the access token and permission request information to the identified AAF 320.

In step 2105, the AAF 320 transmits a verification response message to the AF 330. The AF 330 may receive a verification response message from the AAF 320. That is, the AAF 320 may transmit a response message for indicating the verification result of the access token to the AF 330. The verification response message may be referred to as an'access token verification response message'. When it is determined that the verification of the access token is successful, the AAF 320 verifies the AF 330 including at least one of information on the permission of the edge application corresponding to the information included in the access token or the permitted application profile. You can send a response message. When it is determined that the verification of the access token has failed, the AAF 320 may transmit a verification response message to the AF 330 indicating why verification of the access token has failed. In this case, a reason for verification failure, such as an invalid access token due to the lapse of the validity time or that the requested resource is not included in the scope of the access token may be transmitted to the AF 330.

In step 2107, the AF 330 transmits a response message to the UE 310. The UE 310 may receive a response message from the AF 330. The response message may be referred to as an'application response message'. When the verification of the access token by the AAF 320 is successful, the AF 330 receives a verification response message indicating that the verification was successful from the AAF 320, and thus the subscriber category and subscriber associated with the UE 310 A response message including information on an edge application allowed according to at least one of the levels may be transmitted to the UE 310. According to various embodiments, the information on the edge application may include an address of an application server corresponding to the edge application. For example, the address of the application server may include at least one of an FQDN, an IP address, or an edge computing service endpoint address. As described above, when the verification of the access token is successful, the verification response message may include at least one of information about permission to allow an edge application corresponding to information included in the access token or an allowed application profile. When the verification of the access token by the AAF 320 fails, the AF 330 receives the verification response message indicating the reason for the failure of the verification of the access token from the AAF 320, so the reason for the failure of the verification of the access token A response message including at least one of a redirection address for re-performing the authentication procedure in order to obtain a valid access token and information for indicating a response message may be transmitted to the UE.

As described in FIGS. 18 to 21, different edge computing services may be provided for each UE or user of the UE based on information included in the access token. That is, the AF may deliver information for providing differentiated edge computing services according to an application profile, a subscriber category, and a subscriber class to the UE in order to permit the use of the edge computing service. For example, when the AF receives a request for an edge application list from the UE, the AF may verify the access token and determine the list of edge applications available by the UE based on the subscriber category received from the AAF. . An example of the list of edge applications available for each subscriber level is shown in Table 2 below.

Referring to <Table 2>, for a subscriber whose subscriber level is class A, the use of APP 1 and APP 2 may be permitted. In addition, for a subscriber whose subscriber level is class B, the use of APP 1 and APP 2 may be permitted. In addition, for a subscriber whose subscriber level is class C, only the use of APP 1 is permitted and the use of APP 2 may not be permitted. That is, different edge applications may be provided according to the subscriber level.

In addition, when a request for an address of an application server of a corresponding edge application is received from the UE as information about an available edge application is transmitted to the UE, the AF is different for the corresponding application based on the subscriber category and the subscriber level to the UE. You can pass the address. An example of the application server address of the edge application is shown in Table 3 below.

Referring to <Table 3>, in the case of APP 1, when an FQDN is requested as an address of an application server, an address'ex.app1.com' may be provided. In addition, when the subscriber level is class A, the address “fast.app1.com” may be provided to the UE, and when the subscriber level is class B, the address “slow.app1.com” may be provided to the UE. That is, the edge application APP 1 may be provided at different rates according to the subscriber level. Similarly, in the case of APP 2, when an FQDN is requested as the address of the application server, the address'svc.app2.com' may be provided. In addition, when the subscriber level is class A, the address “fast.app2.com” may be provided to the UE, and when the subscriber level is class B, the address “slow.app2.com” may be provided to the UE. That is, the edge application APP 2 may be provided at different rates according to the subscriber level.

Hereinafter, in FIGS. 22 and 23, when personal information on a user is required to provide an edge computing service, an embodiment of user consent and utilization of personal information will be described in detail.

22 is a diagram illustrating a signal exchange diagram for obtaining a user consent for utilization of personal information in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 22 may be understood as a signal flow exchanged between the UE 310 and the EF 210.

Referring to FIG. 22, in step 2201, the UE 310 and the EF 210 perform a procedure for obtaining user consent for the use of personal information. For example, while the above-described authentication procedure is being performed or after the authentication procedure is completed, personal information for a user may be requested by a client, that is, an external user agent. That is, consent to granting permission to personal information is requested to the user of the UE 310 requesting the edge computing service. Personal information about the user may include various information such as location information of the UE 310.

In step 2203, the EF 210 stores information on whether the user consents or not. The EF 210 may store information on whether the user has consented or disagreeed with the use of personal information. Information on whether the user consents or not may be maintained during the validity period of the authentication result obtained through the above-described authentication procedure. When the validity period in which the authentication result can be recognized validly expires, the EF 210 may delete information on whether the user consents or not.

23 is a diagram illustrating a signal exchange diagram for utilizing personal information in a wireless communication system according to various embodiments of the present disclosure. The signal exchange diagram shown in FIG. 23 may be understood as a signal flow exchanged between the AMF 150 and NEF 152, EFs 204 and 210, and edge servers 102 and 106.

Referring to FIG. 23, in step 2301, the edge servers 102 and 106 transmit a request message for utilization of personal information to the EFs 204 and 210. EF (204, 210) receives a request message for the use of personal information from the edge server (102, 106). The edge servers 102 and 106 providing the edge application to the UE may transmit a message to the EFs 204 and 210 to request utilization of personal information related to the user of the UE.

In step 2303, the EFs 204 and 210 check whether the user consents or not. As described in FIG. 22, the EFs 204 and 210 may check whether the user has agreed to the use of the requested personal information, based on information on whether or not the user consents previously stored. In this case, the EFs 204 and 210 may confirm the availability of the requested personal information before the expiration of the validity period in which the authentication result can be recognized as valid.

In step 2305, the EF (204, 210) transmits a personal information request message to the AMF (150) and NEF (204, 210). The AMF 150 and NEF 152 receive a personal information request message from the EFs 204 and 210. If it is confirmed that the user has consented to the use of the requested personal information based on the information on whether or not the user has consented, the EF (204, 210) sends a request message to secure the information at the present time for the corresponding personal information. It can be transmitted to the AMF 150 and NEF 152. That is, the EFs 204 and 210 may obtain information currently valid for a function that has obtained consent from the user (eg, determining the location of the UE). Although the AMF 150 and NEF 152 have been described in FIG. 23, additional entities may receive the request message according to the type of requested personal information. For example, when the edge server (102, 106) requests the location information of the UE, EF (204, 210) in addition to the AMF (150) and NEF (152) LCS (location services) the current location information of the UE You can send a message for requesting.

24 illustrates a network structure in which a structure for authentication and permission to use an edge application is mapped to an edge computing structure in a wireless communication system according to various embodiments of the present disclosure.

Specifically, FIG. 24 illustrates a network structure in which entities according to various embodiments of the present disclosure are mapped to an edge computing structure.

Referring to FIG. 24, an edge enabler client (EEC) 318 may be a software module including both a user agent 312 and an application 314. Alternatively, the EEC 318 in the UE 310 may be a software module including the user agent 312.

The edge enabler client 318 may be identified by an EEC identifier. The EEC identifier may be a value derived from the subscriber's identifier. When the EEC identifier is derived from the subscriber's identifier, the EEC identifier is the mobile operator's identifier and the mobile operator from SUPI (subscription permanent identifier), MSISDN (mobile station international subscriber directory number), or GPSI (generic public subscription identifier). It may include serial numbers that are identified within. When the EEC identifier is provided from the terminal manufacturer, the EEC identifier may be derived from a permanent equipment identifier (PEI). When the EEC identifier is derived from the PEI, the EEC identifier may include identification information including a manufacturer identifier, manufacturer's number, SW number, model name, and the like. Alternatively, the EEC identifier may be a value previously set with the software module of the EEC. When the EEC identifier is an identifier of a software module, it may follow the format of a universally unique identifier (UUID). The EEC identifier can include a unique software package name that can identify the software package, and this notation can follow the inverse form of a fully qualified domain name (FQDN), for example com.samsung.mecframework. . In addition, the software package name may include a version name of the software. The EEC identifier may be downloaded from an edge computing provider and installed in the terminal. The EEC identifier may contain a series of numbers issued by the edge computing service provider. In addition, the EEC identifier may include an identifier for identifying edge computing service providers.

In the embodiment of FIG. 24, the edge enabler client 318 may include functions of the user agent 312 and the application 314 in the embodiment of FIG. 3.

In the embodiment of FIG. 24, the AAF 320 performs the function of the AAF 320 in the embodiment of FIG. 3. The AAF 320 may exist in the 3GPP core network 2410. Alternatively, the AAF 32 may be implemented together with an edge configuration server 2430. Alternatively, as illustrated in FIG. 24, the AAF 320 may operate separately from the 3GPP core network 2410 and the edge setting server 2430.

The edge enabler client 318 receives configuration information necessary for exchanging application data traffic with the edge application server 2422. Address information on the edge application server 2422 available in the edge data network 2420 is acquired.

In the embodiment of FIG. 24, the edge enabler server (EES) 2424 performs the following functions necessary for the edge application server 2422 and the edge enabler client 318.

1. Setting information required to exchange application data traffic with the edge application server 2422

2. Provides edge application server 2422 related information to the edge enabler client 318

3. Provision of API (application programming interface) for network functions provided by 3GPP network

In the embodiment of FIG. 24, the edge configuration server (ECS) 2430 performs a function necessary for the edge enabler client 318 to connect to the edge enabler server 2424. The edge setting server 2430 provides advance information on the edge setting information to the edge enabler client 318. The edge setting information is information necessary for the edge enabler client 318 to connect to the edge enabler server 2424 and information for creating a connection to the edge enabler server 2424.

In the embodiment of FIG. 24, an application client 316 is an application program installed and operated in the UE 310. In the embodiment of FIG. 24, an edge application server (EAS) 2422 performs a function of a server in an edge hosting platform or an edge hosting environment in the edge data network 242. The application client 316 is connected to a service available in the edge application server 2424.

The methods according to the embodiments described in the claims or the specification of the present disclosure may be implemented in the form of hardware, software, or a combination of hardware and software.

When implemented in software, a computer-readable storage medium storing one or more programs (software modules) may be provided. One or more programs stored in a computer-readable storage medium are configured to be executable by one or more processors in an electronic device (device). The one or more programs include instructions that cause the electronic device to execute methods according to embodiments described in the claims or specification of the present disclosure.

These programs (software modules, software) include random access memory, non-volatile memory including flash memory, read only memory (ROM), and electrically erasable programmable ROM. (electrically erasable programmable read only memory, EEPROM), magnetic disc storage device, compact disc-ROM (CD-ROM), digital versatile discs (DVDs) or other forms of It may be stored in an optical storage device or a magnetic cassette. Alternatively, it may be stored in a memory composed of a combination of some or all of them. In addition, a plurality of configuration memories may be included.

In addition, the program is through a communication network composed of a communication network such as the Internet, an intranet, a local area network (LAN), a wide area network (WAN), or a storage area network (SAN), or a combination thereof. It may be stored in an attachable storage device that can be accessed. Such a storage device may be connected to a device performing an embodiment of the present disclosure through an external port. In addition, a separate storage device on the communication network may access a device performing an embodiment of the present disclosure.

In the above-described specific embodiments of the present disclosure, components included in the disclosure are expressed in the singular or plural according to the presented specific embodiments. However, the singular or plural expression is selected appropriately for the situation presented for convenience of description, and the present disclosure is not limited to the singular or plural constituent elements, and even constituent elements expressed in plural are composed of the singular or singular. Even the expressed constituent elements may be composed of pluralities.

Meanwhile, although specific embodiments have been described in the detailed description of the present disclosure, various modifications are possible without departing from the scope of the present disclosure. Therefore, the scope of the present disclosure is limited to the described embodiments and should not be determined, and should be determined by the scope of the claims as well as the equivalents of the claims to be described later.

Claims (20)

In a method of operating a user equipment (UE) in a wireless communication system,
A process of transmitting a first message including at least one of information related to the UE or a type of a user agent to a server,
A process of performing an authentication procedure for an edge computing service according to an authentication method determined based on the first message, and
Receiving a second message for indicating the permission allowed for the edge computing service based on the authentication code generated by the server according to the performed authentication procedure, and
And a process of using the edge computing service within a range corresponding to the permitted authority.
The method according to claim 1,
The authentication method is an authentication method based on SIM credential, an authentication method using a user portal, an authentication method based on a credential generated using information related to the UE, or an authentication method based on transmission of a one time password (OTP). A method comprising at least one of.
The method according to claim 1,
When the authentication method determined based on the first message corresponds to an authentication method based on SIM credential, the process of performing the authentication procedure,
A process of receiving a message including random number information and an authentication token required for the UE to perform an authentication procedure from the server, and
And checking whether the received authentication token and the authentication token generated by the UE match.
The method according to claim 1,
When the authentication method determined based on the first message corresponds to an authentication method using a user portal, the process of performing the authentication procedure,
Displaying a screen for inputting the authentication credential information based on a message for inputting authentication credential information received from the server; and
The process of detecting the input of the authentication credential information,
And transmitting the authentication credential information to the server,
The authentication credential information includes at least one of a user ID (ID) and a password (password).
The method according to claim 1,
When the authentication method determined based on the first message corresponds to an authentication method based on a credential generated using information related to the UE, the process of performing an authentication procedure according to the authentication method,
Receiving a request message including random number information generated by the server from the server, and
A process of generating a message authentication code (MAC) based on at least one of the received random number information or information related to the UE,
Transmitting a response message including the MAC to the server, and
And receiving the authentication code from the server based on the verification of the MAC included in the response message.
The method according to claim 1,
When the authentication method determined based on the first message corresponds to an authentication method based on transmission of one time password (OTP), the process of performing the authentication procedure,
Receiving the OTP from the server,
Receiving a request message including random number information generated by the server from the server, and
A process of generating a message authentication code (MAC) based on at least one of the received random number information, the OTP value, or information related to the UE,
Transmitting a response message including the MAC to the server, and
And receiving the authentication code from the server based on the verification of the MAC included in the response message.
The method according to claim 1,
The process of receiving the authentication code generated by the server from the server,
A process of transmitting a request message for requesting an access token to the server, and the request message includes the authentication code,
When the access token is generated based on the authentication code, receiving a response message including the access token from the server,
If the access token is not generated based on the authentication code, the method further comprising the step of receiving a response message including information for indicating a reason for rejection of the access token generation from the server.
The method according to claim 1,
Further comprising the process of transmitting a request message for requesting permission to use the edge computing service, the request message includes an access token generated based on the authentication code,
The process of receiving the second message,
And receiving the second message including information on an edge computing service allowed according to information related to the UE when it is identified that the verification of the access token is successful.
The method of claim 8,
When it is identified that the verification of the access token has failed, the method further comprising the step of receiving a response message including information for indicating the reason for the failure of the verification of the access token.
In the method of operating a server for permission to use edge computing services,
A process of receiving a first message including at least one of information related to the UE or a type of a user agent from a user equipment (UE); and
A process of performing an authentication procedure according to a method determined based on the first message, and
Transmitting the authentication code generated according to the performed authentication procedure to the UE, and
Based on the authentication code, including the process of transmitting a second message for indicating the permitted authority for the edge computing service,
The edge computing service is a method used by the UE in a range corresponding to the permitted authority.
In the apparatus of a user equipment (UE) in a wireless communication system,
A transceiver; And
Including at least one processor connected to the transceiver,
The at least one processor,
Sending a first message including at least one of the UE-related information or the type of user agent to the server,
Performing an authentication procedure for an edge computing service according to an authentication method determined based on the first message,
Receiving a second message for indicating the permission allowed for the edge computing service based on the authentication code generated by the server according to the performed authentication procedure,
An apparatus configured to use the edge computing service within a range corresponding to the permitted authority.
The method of claim 11,
The authentication method is an authentication method based on SIM credential, an authentication method using a user portal, an authentication method based on a credential generated using information related to the UE, or an authentication method based on transmission of a one time password (OTP). Device comprising at least one of.
The method of claim 11,
When the authentication method determined based on the first message corresponds to an authentication method based on SIM credential, the at least one processor, in order to perform the authentication procedure,
From the server, the UE receives a message including random number information and an authentication token required to perform an authentication procedure,
The apparatus further configured to check whether the received authentication token and the authentication token generated by the UE match.
The method of claim 11,
When the authentication method determined based on the first message corresponds to an authentication method using a user portal, the at least one processor, to perform the authentication procedure,
Displaying a screen for inputting the authentication credential information based on a message for inputting authentication credential information received from the server,
Detects the input of the authentication credential information,
Further configured to transmit the authentication credential information to the server,
The authentication credential information includes at least one of a user ID (ID) and a password (password).
The method of claim 11,
When the authentication method determined based on the first message corresponds to an authentication method based on a credential generated using information related to the UE, the at least one processor, in order to perform the authentication procedure,
Receiving a request message including random number information generated by the server from the server,
Generating a message authentication code (MAC) based on at least one of the received random number information or information related to the UE,
Sending a response message including the MAC to the server,
The apparatus further configured to receive the authentication code from the server based on the verification of the MAC included in the response message.
The method of claim 11,
When the authentication method determined based on the first message corresponds to an authentication method based on transmission of a one time password (OTP), the at least one processor, to perform the authentication procedure,
Receive the OTP from the server,
Receiving a request message including random number information generated by the server from the server,
Generates a message authentication code (MAC) based on at least one of the received random number information, the OTP value, or information related to the UE,
Sending a response message including the MAC to the server,
The apparatus further configured to receive the authentication code from the server based on the verification of the MAC included in the response message.
The method of claim 11,
The at least one processor,
Receiving an authentication code generated by the server from the server,
Sending a request message for requesting an access token to the server, and the request message includes the authentication code,
When the access token is generated based on the authentication code, receiving a response message including the access token from the server,
When the access token is not generated based on the authentication code, the apparatus further configured to receive a response message including information for indicating a reason for rejection of the access token generation from the server.
The method of claim 11,
The at least one processor,
Further configured to transmit a request message for requesting permission to use the edge computing service, wherein the request message includes an access token generated based on the authentication code,
The at least one processor, to receive the second message,
If the verification of the access token is identified as successful, the apparatus further configured to receive the second message including information on an edge computing service allowed according to the information related to the UE.
The method of claim 18,
The at least one processor,
When it is identified that the verification of the access token has failed, the apparatus further configured to receive a response message including information for indicating a reason for the failure of the verification of the access token.
In the device of the server for permission to use edge computing service,
A transceiver; And
Including at least one processor connected to the transceiver,
The at least one processor,
Receiving, from a user equipment (UE), a first message including at least one of information related to the UE or a type of a user agent,
Performing an authentication procedure according to a method determined based on the first message,
Transmitting an authentication code generated according to the performed authentication procedure to the UE,
Based on the authentication code, configured to transmit a second message for indicating permitted authority for the edge computing service,
The edge computing service is an apparatus used by the UE within a range corresponding to the permitted authority.

Images