TWI755951B - Communication system and communication method - Google Patents

Info

Publication number: TWI755951B
Authority: TW (Taiwan)
Prior art keywords: server, user equipment, virtual, authentication, user
Application number: TW109142195A
Other languages: Chinese (zh)
Other versions: TW202224396A (en)
Inventors: 林盈達, 德泰 張, 德 司, 李奇育, 賴源正
Original assignee: 國立陽明交通大學
Application filed by 國立陽明交通大學; priority to TW109142195A; application granted; published as TWI755951B and TW202224396A

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided is a communication system for executing a third-party authentication between an edge service terminal and a cloud service terminal. It includes a first authentication procedure executing module, disposed in a proxy, for executing a first authentication procedure, and a second authentication procedure executing module, disposed in the same proxy, for executing a second authentication procedure. The first authentication procedure executing module includes a virtual home subscriber server and a virtual user. The second authentication procedure executing module includes a virtual OpenID provider and a virtual user equipment. When a subscriber of the cloud service terminal requests a service from the edge service terminal, the first authentication procedure executing module executes the first authentication procedure.

Description

Communication system and communication method

The present invention relates to the technical field of communication, and in particular to authentication in communication.

With the development of communication technology, cloud communication services have become widely known and their usage keeps growing. However, cloud communication is usually slower than local telecommunication services (also called edge services), so when a user needs high bandwidth or low latency, the telecommunication service of a local operator is still required. At present, a user who wants to use both a cloud service and an edge service must hold an account on the cloud side and another on the edge side, and must switch between the two accounts to use the two services, which is inconvenient. In addition, the cloud side and the edge side currently use different communication protocols, so the two systems can hardly communicate with each other.

In view of this, the present invention provides an improved communication system and communication method to solve the above problems.

For the above purpose, the present invention provides a communication system for performing third-party authentication between an edge server and a cloud server. The communication system includes a first authentication mechanism execution module, disposed in a proxy server, for executing a first authentication mechanism. The first authentication mechanism execution module includes a virtual home subscriber server (vHSS) and a virtual user (vUSER); the virtual home subscriber server communicates with the edge server and the virtual user communicates with the cloud server. When an account of the cloud server wants to use a service of the edge server, the first authentication mechanism execution module executes the first authentication mechanism.

In addition, the present invention provides a communication method for a communication system, for performing third-party authentication between an edge server and a cloud server. The method includes: when an account of the cloud server wants to use a service of the edge server, executing a first authentication mechanism by a first authentication mechanism execution module disposed in a proxy server, wherein the first authentication mechanism execution module includes a virtual home subscriber server, which communicates with the edge server, and a virtual user, which communicates with the cloud server.

1: communication system
2: proxy server
3: cloud server
4: edge server
5: user equipment
6: message conversion mapping table
21a: first authentication mechanism execution module
21b: second authentication mechanism execution module
211: virtual home subscriber server
212: virtual user
213: virtual user equipment
214: virtual OpenID provider
310: cloud database
320: relying party
410: mobility management entity
420: home subscriber server
510: embedded subscriber identity module
520: universal mobile telecommunications system subscriber identity module
7: second proxy server
8: second edge server
9: third proxy server
10: second cloud server
S201~S214: steps
S301~S317: steps

FIG. 1 is a system architecture diagram of a communication system according to an embodiment of the present invention.

FIG. 2(A) is a schematic diagram of the signal transmission when the communication system of an embodiment of the present invention executes the first authentication mechanism.

FIG. 2(B) is a detailed flowchart of the communication method (first authentication mechanism) of an embodiment of the present invention.

FIG. 3(A) is a schematic transmission diagram of the communication system of an embodiment of the present invention executing the second authentication mechanism.

FIG. 3(B) is a detailed flowchart of the communication method (second authentication mechanism) of an embodiment of the present invention.

FIG. 4 is a detailed flowchart of a communication method according to another embodiment of the present invention.

FIG. 5(A) is a system architecture diagram of a communication system according to another embodiment of the present invention.

FIG. 5(B) is a system architecture diagram of a communication system according to yet another embodiment of the present invention.

The embodiments and operating principles of the present invention are described below through several embodiments. Those of ordinary skill in the art to which the invention pertains can understand the features and effects of the invention from these embodiments and may combine, modify, substitute or adapt them within the spirit of the invention.

The term "connected" as used herein covers both direct and indirect connection and is not limiting. The expressions "when ..." and "at the time of ..." mean "at, before or after" that moment and are not limiting.

Ordinal terms such as "first" and "second" are used herein only to modify claim elements; they neither imply that a claim element carries any prior ordinal nor denote an order between one claim element and another, or an order in the manufacturing method. They serve only to distinguish a claim element of a given name from another claim element of the same name.

Where several effects (or elements) are described and the word "or" is used between them, the effects (or elements) may exist independently, but their coexistence is not excluded; in other words, as long as the described aspect is reasonable, "or" also covers "and".

FIG. 1 is a system architecture diagram of a communication system 1 according to an embodiment of the present invention. As shown in FIG. 1, the communication system 1 performs third-party authentication between a cloud server 3 and an edge server 4 through a proxy server 2. The purpose is to let an account of the cloud server 3 use the services of the edge server 4 directly, without registering with the edge server 4, or to let an account of the edge server 4 use the services of the cloud server 3 directly, without registering with the cloud server 3.

Herein, the case in which an account of the cloud server 3 wants to use a service of the edge server 4 is defined as "cloud-to-edge", and the case in which an account of the edge server 4 wants to use a service of the cloud server 3 is defined as "edge-to-cloud"; the following paragraphs use these two terms directly.

The cloud server 3 may be, for example, an e-commerce company such as Google, Amazon or T-Mobile, and the services of the cloud server 3 may be the various cloud services such companies provide, such as infrastructure as a service (IaaS), software as a service (SaaS) or platform as a service (PaaS), without being limited thereto. The edge server 4 may be, for example, a local telecommunications operator such as Chunghwa Telecom (Hinet), Far EasTone (FETnet), AT&T Mobile, T-Mobile or Verizon, and the services of the edge server 4 are those provided by telecommunications operators, such as Third Generation Partnership Project (3GPP) services and third generation (3G), fourth generation (4G) or fifth generation (5G) mobile communication, without being limited thereto.

In one embodiment, the communication system 1 includes the proxy server 2, the cloud server 3 and the edge server 4, so the communication system 1 may include the hardware of the proxy server 2, the cloud server 3 and the edge server 4 together with at least part of their software. In another embodiment, the communication system 1 may include the hardware and at least part of the software of the proxy server 2 but only the software parts of the cloud server 3 and the edge server 4. In yet another embodiment, the communication system 1 may include only at least part of the software of the proxy server 2, the cloud server 3 and the edge server 4, without any hardware.

The details of the proxy server 2 are described first. The proxy server 2 may be provided with a first authentication mechanism execution module 21a and a second authentication mechanism execution module 21b. In the cloud-to-edge case (when an account of the cloud server 3 wants to use a service of the edge server 4 through a user equipment 5), the first authentication mechanism execution module 21a executes a first authentication mechanism, and when the first authentication mechanism is completed, the edge server 4 can provide its service to the user equipment 5. In the edge-to-cloud case (when an account of the edge server 4 wants to use a service of the cloud server 3 through the user equipment 5), the second authentication mechanism execution module 21b executes a second authentication mechanism, and when the second authentication mechanism is completed, the cloud server 3 can provide its service to the user equipment 5. Note that "the first authentication mechanism execution module 21a executes the first authentication mechanism" (and likewise for module 21b and the second authentication mechanism) covers the case in which only some of the steps of that mechanism are performed by the module; not every step need be performed by module 21a or module 21b.

The first authentication mechanism execution module 21a includes a virtual home subscriber server (vHSS) 211 and a virtual user (vUSER) 212. The vHSS 211 communicates with the edge server 4; the virtual user 212 communicates with the cloud server 3. The vHSS 211 emulates the functions of a real home subscriber server (HSS), such as data configuration, subscriber identity management and storage of subscriber state, and can act as the database that supplies account information in a 3GPP network, without being limited thereto. The virtual user 212 emulates the functions of a real user equipment 5, so that the proxy server 2 can register with and log in to the cloud server 3.

The second authentication mechanism execution module 21b includes a virtual user equipment (vUE) 213 and a virtual OpenID provider (vOP) 214. The vUE 213 communicates with the edge server 4; the vOP 214 communicates with the cloud server 3 and the user equipment 5. In one embodiment, the vOP 214 executes an OpenID Connect (OIDC) authentication mechanism.

In one embodiment, the vHSS 211, the virtual user 212, the vUE 213 and the vOP 214 may be functional modules implemented by a computer program product (that is, software), or by hardware combined with software, for example hardware with a microprocessor running software, without being limited thereto. Accordingly, in one embodiment the proxy server 2 may include a microprocessor that executes a computer program product to realize the functions of the vHSS 211, the virtual user 212, the vUE 213 and the vOP 214. In one embodiment, the proxy server 2 may further include a memory for storing the computer program product and the data needed to execute the first and second authentication mechanisms.

Next, the cloud server 3. In one embodiment, the cloud server 3 may include a cloud database 310 and a relying party (RP) 320. In the cloud-to-edge case, an embedded subscriber identity module (eSIM) of the user equipment 5 is provided by the cloud server 3, so the cloud server 3 holds the subscriber's data and stores it in the cloud database 310. The RP 320 executes the OIDC authentication mechanism with the vOP 214. In one embodiment, the cloud database 310 may be implemented with memory, hard disks or the like. In one embodiment, the cloud server 3 includes a microprocessor and the RP 320 is realized by the microprocessor executing a computer program product, without being limited thereto.

Next, the edge server 4. In one embodiment, the edge server 4 may include a mobility management entity (MME) 410 and a home subscriber server (HSS) 420. The MME 410 communicates with the vHSS 211 and the vUE 213. The MME 410 may handle the access of the user equipment 5 to the core network, allocation support, tracking, paging, roaming, handover of network resources, management of evolved Node Bs (eNodeBs), assistance with gateway signalling, execution of security procedures, handling of the communication session between terminal and network, and management of idle terminal locations, without being limited thereto. The functions of the HSS 420 are as described in the preceding paragraphs.

Note that, because the cloud server 3 and the edge server 4 use different communication protocols, the proxy server 2 must serve as the communication intermediary between them.

In one embodiment, in the cloud-to-edge case, the edge server 4 and the proxy server 2 communicate in the manner of roaming, for example, and the roaming may follow the S6a interface of the 3GPP specifications. The authentication required for 3GPP roaming may be EPS-AKA, for example, and can therefore be executed through the vHSS 211. Between the proxy server 2 and the cloud server 3, an ordinary web-login authentication may be used, which can be executed through the virtual user 212.

In one embodiment, in the edge-to-cloud case, EPS-AKA authentication is likewise executed between the edge server 4 and the proxy server 2, with the vUE 213 playing the role of a real user equipment in the EPS-AKA exchange. Between the proxy server 2 and the cloud server 3, the OIDC authentication method is used, with the vOP 214 acting as the OpenID provider and the cloud server 3 acting as the relying party.
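The OIDC leg of the edge-to-cloud case, as an added example that is not code from the patent or its authors: the vOP 214 mints an ID token once the EPS-AKA run through the vUE 213 has succeeded, and the RP 320 on the cloud server 3 verifies it. The step-by-step flow of the second mechanism (S301 to S317) is not reproduced in this section, so the token format is an assumption; the HS256 shared secret, the issuer URL, the client_id and the `amr` value `eps-aka` are constructed for the example, and the pairwise subject (a hash instead of the raw IMSI) is a design choice of the example, not something the patent states.

```python
import base64, hashlib, hmac, json

OP_SECRET = b"constructed-shared-secret"   # assumption: HS256 key shared by vOP 214 and RP 320
ISSUER = "https://vop.proxy.example"        # constructed issuer URL of the vOP (assumption)
RP_CLIENT_ID = "cloud-rp-320"               # constructed client_id of the relying party (assumption)

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(imsi, nonce, now, ttl=300):
    """vOP 214: after EPS-AKA through vUE 213 succeeded, issue an ID token for RP 320."""
    header = {"alg": "HS256", "typ": "JWT"}
    # pairwise subject: the relying party never sees the raw IMSI (example design choice)
    sub = hashlib.sha256(f"{RP_CLIENT_ID}|{imsi}".encode()).hexdigest()
    claims = {"iss": ISSUER, "sub": sub, "aud": RP_CLIENT_ID, "iat": now,
              "exp": now + ttl, "nonce": nonce, "amr": ["eps-aka"]}   # amr value is an assumption
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = hmac.new(OP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def verify_id_token(token, expected_nonce, now):
    """RP 320: return the verified subject, or None if any check fails."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(c)), b64u_dec(s)
    except ValueError:               # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None                  # pin the algorithm: no "none", no alg confusion
    expected = hmac.new(OP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != RP_CLIENT_ID:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if claims.get("nonce") != expected_nonce:   # binds the token to this RP session
        return None
    return claims["sub"]
```

The relying party checks the signature, issuer, audience, expiry and nonce before trusting the subject; the nonce is what ties the token to the session the RP started, so a token captured from another session is rejected even though its signature is valid.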

Next, the user equipment 5. In one embodiment, the user equipment 5 may be any device with Internet of Things (IoT) capability, such as a notebook computer, tablet, desktop computer, smartphone, wearable (smart watch, wristband or the like) or digital camera, without being limited thereto.

In one embodiment, in the cloud-to-edge case the cloud server 3 may provision the user equipment 5 with subscriber identity modules of various types, for example an eSIM 510; for ease of description the following paragraphs use the eSIM 510 as the example. In one embodiment, in the edge-to-cloud case the edge server 4 may provision the user equipment 5 with subscriber identity modules of various types, for example an eSIM 510 or a universal mobile telecommunications system subscriber identity module (USIM) 520; the following paragraphs use the USIM 520 as the example.

In addition, in one embodiment the proxy server 2 may be provided with a message conversion mapping table 6 holding the information needed to convert between the message formats of the cloud server 3 and the edge server 4, so that messages can be translated between the two.

With this, the system architecture of the communication system 1 is understood. The flows of the first and second authentication mechanisms are described next.

The first authentication mechanism, that is, the authentication mechanism of the cloud-to-edge case, is described first. Refer to FIG. 1 through FIG. 2(B) together: FIG. 2(A) is a schematic diagram of the signal transmission when the communication system of an embodiment executes the first authentication mechanism, and FIG. 2(B) is a detailed flowchart of the communication method (first authentication mechanism) of an embodiment.

As shown in FIG. 2(A) and FIG. 2(B), the first authentication mechanism may include a first authentication request phase (steps S201 to S204), a first request response phase (steps S205 to S208) and a first authentication confirmation phase (steps S209 to S214).

First authentication request phase. In step S201 the user equipment 5 sends a service request to the edge server 4. The service request may be, for example, an attach request, meaning that the user equipment 5 wants to attach to the core network of the edge server 4. In one embodiment the attach request carries an international mobile subscriber identity (IMSI) of the user equipment 5. In one embodiment the IMSI is provided by the cloud server 3.

In step S202 the MME 410 of the edge server 4 obtains the IMSI and sends an authentication request containing the IMSI to the proxy server 2.

In step S203 the vHSS 211 of the proxy server 2 receives the authentication request and passes it to the virtual user 212, which sends a login request to the cloud server 3 on the basis of the authentication request. In one embodiment the login request is a request message produced in the manner of an ordinary website login and may contain a login account (ID), a login password (pwd) and the IMSI, without being limited thereto.

In step S204 the cloud server 3 verifies the IMSI: it matches the IMSI against the data in the cloud database 310 to confirm whether the account of the user equipment 5 is an account of the cloud server 3. Because the eSIM 510 of the user equipment 5 was provided by the cloud server 3, the cloud database 310 can hold the IMSI of the user equipment 5. When the IMSI matches the data in the cloud database 310 (that is, the user equipment 5 is confirmed to be legitimate), the cloud server 3 responds to the virtual user 212; otherwise the procedure stops. In one embodiment the cloud server 3 may additionally verify the login account (ID) and login password (pwd), but this is not limiting. This completes the first authentication request phase.

接著說明第一請求回應階段:步驟S205被執行,當當國際移動用戶識別碼與雲端資料庫310中的資料匹配時,雲端服務端3可產生一認證聲明(claim)做為回應,並將認證聲明傳送至虛擬使用者212,其中認證聲明包含一認證向量(authentication vector,AV),其中認證向量包含確認使用者設備5的eSIM510的合法性的資訊。在一實 施例中,驗證向量可包含一期望回應(XRES)、一認證值(AUTN)、一亂數(RAND)及一通信期金鑰(Kasme),但不限於此。 Next, the first request response stage is described: Step S205 is executed, when the IMSID matches the data in the cloud database 310, the cloud server 3 can generate a claim as a response, and send the claim Sent to the virtual user 212 , wherein the authentication statement includes an authentication vector (AV), wherein the authentication vector includes information to confirm the validity of the eSIM 510 of the user equipment 5 . in a real In an embodiment, the verification vector may include an expected response (XRES), an authentication value (AUTN), a random number (RAND), and a communication session key (Kasme), but is not limited thereto.

之後步驟S206被執行,虛擬使用者212將包含認證向量的認證請求回應(authentication response)傳遞至虛擬歸屬用戶伺服器211,因此虛擬歸屬用戶伺服器211、移動性管理實體410及使用者設備5可透過認證向量進行EPS-AKA認證。一般而言,EPS-AKA認證是由核心網路端(例如邊界服務端4)的實體歸屬用戶伺服器提供認證向量,並透過移動性管理實體410對使用者設備5提出認證挑戰(challenge),而使用者設備5透過eSIM510計算出挑戰回應(RES)來達成認證,然而由於在cloud-to-edge情況下,僅有雲端服務端4具備使用者設備5及帳戶的相關資料,因此cloud-to-edge的EPS-AKA認證必須透過代理伺服器2的虛擬歸屬用戶伺服器211來扮演實體歸屬用戶伺服器的角色,並以雲端服務端4提供的認證向量做為EPS-AKA認證的認證向量。 After step S206 is executed, the virtual user 212 transmits the authentication response including the authentication vector to the virtual home user server 211, so the virtual home user server 211, the mobility management entity 410 and the user equipment 5 can EPS-AKA certification through the certification vector. Generally speaking, the EPS-AKA authentication is provided by the physical home user server of the core network side (such as the border server 4 ) to provide an authentication vector, and the mobility management entity 410 presents an authentication challenge to the user equipment 5, The user equipment 5 calculates the challenge response (RES) through the eSIM 510 to achieve authentication. However, in the case of cloud-to-edge, only the cloud server 4 has the relevant information of the user equipment 5 and the account, so cloud-to-edge -The EPS-AKA authentication of the edge must play the role of the physical home user server through the virtual home user server 211 of the proxy server 2, and use the authentication vector provided by the cloud server 4 as the authentication vector of EPS-AKA authentication.

之後步驟S207被執行,虛擬歸屬用戶伺服器211傳送包含認證向量的認證請求回應至移動性管理實體410,移動性管理實體410保留期望回應(XRES)及通信期金鑰(Kasme),並將認證值(AUTN)及亂數(RAND)做為認證挑戰而傳送至使用者設備5。在一實施例中,認證值(AUTN)及亂數(RAND)可經由通信期金鑰(Kasme)而形成加密訊息,而正確的使用者設備5亦會具備通信期金鑰(Kasme),因此可進行解鎖。 After step S207 is executed, the virtual home user server 211 sends an authentication request response including an authentication vector to the mobility management entity 410, and the mobility management entity 410 retains the expected response (XRES) and the communication period key (Kasme), and authenticates the The value (AUTN) and the random number (RAND) are sent to the user equipment 5 as an authentication challenge. In an embodiment, the authentication value (AUTN) and the random number (RAND) can be encrypted by the communication period key (Kasme), and the correct user equipment 5 will also have the communication period key (Kasme), so Can be unlocked.

Then step S208 is executed: the eSIM 510 of the user equipment 5 confirms the legitimacy of the core network it is about to connect to from the AUTN, and computes the challenge response (RES) from the RAND. With this, the first request-response phase is complete.

Next, the first authentication confirmation phase is described. First, step S209 is executed: the user equipment 5 returns the computed challenge response (RES) to the mobility management entity 410. Then step S210 is executed: the mobility management entity 410 compares the challenge response (RES) with the expected response (XRES). If they match, step S211 is executed: the mobility management entity 410 sends an authentication-complete message to the user equipment 5, and the edge server 4 begins providing service to the user equipment 5. Otherwise the procedure stops. With this, mutual authentication between the user equipment 5 and the edge server 4 (that is, verification of the core network's legitimacy and the authentication challenge of the user equipment 5) is complete.

In addition, so that the cloud server 3 also learns that the user equipment 5 has completed authentication, steps S212 to S214 may be executed. In these steps the mobility management entity 410 sends an update message to the proxy server 2, and the virtual home subscriber server 211 and the virtual user 212 forward the update message to the cloud server 3. In one embodiment this update message carries not only the fact that the user equipment 5 has been authenticated but also information about the mobility management entity 410, which the cloud server 3 can record. Once the first authentication mechanism has completed a single time, the cloud server 3 and the edge server 4 thus form a federation and need not execute the first authentication mechanism again between themselves; in other words, the edge server 4 and the cloud server 3 have formed a cross-domain federation.

With this, the first authentication mechanism has been explained.

Next, the second authentication mechanism, i.e. the authentication mechanism for the edge-to-cloud case, is described. Please refer to FIG. 1 through FIG. 3(B) together, where FIG. 3(A) is a schematic diagram of the signal transmission when the communication system of one embodiment of the invention executes the second authentication mechanism, and FIG. 3(B) is a detailed flowchart of the communication method (second authentication mechanism) of one embodiment of the invention.

As shown in FIG. 3(A) and FIG. 3(B), the second authentication mechanism likewise comprises a second authentication request phase (steps S301 to S305), a second request-response phase (steps S306 to S312) and a second authentication confirmation phase (steps S313 to S317).

The second authentication request phase is described first. Step S301 is executed: the user equipment 5 issues a service request to the cloud server 4 and may itself choose the server that performs the third-party authentication, for example the edge server 4. The cloud server 4 can then redirect the user equipment 5 to the edge server 4 for communication.

Then step S302 is executed: the user equipment 5 sends an authentication request, containing its international mobile subscriber identity (IMSI), to the virtual OpenID provider 214 of the proxy server 3. In one embodiment, the IMSI is read from the USIM 520 of the user equipment 5.

Then steps S303 and S304 are executed: the virtual OpenID provider 214 receives the authentication request and passes it to the virtual user equipment 213, which sends it on to the mobility management entity 410 of the edge server 4.

Then step S305 is executed: the home subscriber server 420 obtains the IMSI from the mobility management entity 410. Because in the edge-to-cloud case the USIM 520 of the user equipment 5 was issued by the edge server 4, the database of the home subscriber server 420 holds the IMSI of the user equipment 5, so the legitimacy of the IMSI can be verified by checking whether it matches the database record. When they match (the user equipment 5 is legitimate), the communication system 1 enters the second request-response phase; otherwise the procedure stops.

Next, the second request-response phase is described. First, step S306 is executed: when the IMSI matches the database record, the home subscriber server 420 generates an authentication assertion as the authentication request result and passes it to the mobility management entity 410. The authentication assertion likewise contains an authentication vector, which in turn contains an authentication value (AUTN), a random number (RAND), an expected response (XRES) and a session key (Kasme), though it is not limited to these.

Then step S307 is executed: the mobility management entity 410 keeps the expected response (XRES) and sends the AUTN and RAND as the authentication challenge to the virtual user equipment 213 of the proxy server 3. In one embodiment, the home subscriber server 420 and the mobility management entity 410 treat the virtual user equipment 213 as the user equipment being authenticated by EPS-AKA, so the mobility management entity 410 issues the authentication challenge to the virtual user equipment 213, which forwards the challenge to the user equipment 5 for processing and obtains the challenge response from it. In addition, in one embodiment the AUTN and RAND can be formed into an encrypted message with the session key (Kasme), and the encrypted message can be decrypted with the session key (Kasme).

Then steps S308 and S309 are executed: the proxy server 3 sends the AUTN and RAND to the user equipment 5 through its virtual user equipment 213 and virtual OpenID provider 214; the user equipment 5 confirms the legitimacy of the core network (the edge server 4) from the AUTN and computes the challenge response (RES) from the RAND.

Then steps S310 to S312 are executed: the user equipment 5 returns the challenge response (RES) to the proxy server 3, which in turn sends it to the mobility management entity 410. With this, the second request-response phase is complete.

Next, the second authentication confirmation phase is described. First, step S313 is executed: the mobility management entity 410 compares the challenge response (RES) with the expected response (XRES).

When they match, steps S314 and S315 are executed: the mobility management entity 410 sends an authentication-complete message to the virtual user equipment 213, which passes it to the virtual OpenID provider 214; the virtual OpenID provider 214 then sends a token to the user equipment 5 on the basis of the confirmation.

Then steps S316 and S317 are executed: the user equipment 5 sends a verification code derived from the token to the cloud server 3, and the cloud server 3 checks with the virtual OpenID provider 214 whether the verification code is correct; if it is, the cloud server 3 begins providing service to the user equipment 5. In addition, the cloud server 3 may also record the information of the mobility management entity 410 for later use, so that the second authentication mechanism need not be executed again; in other words, the cloud server 3 and the edge server 4 have formed a cross-domain federation.

With this, the operation flow of the second authentication mechanism has been explained.
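The two mechanisms described above (the cloud-to-edge EPS-AKA run through the virtual home subscriber server in steps S203 to S214, and the edge-to-cloud run through the virtual user equipment and virtual OpenID provider in steps S301 to S317) can be followed end to end in the following Python simulation. This is an added example for illustration, not code from the patent or its inventors. It assumes that the Milenage functions are replaced by HMAC-SHA256, that AUTN is modelled as the serving-network name followed by a MAC, that the verification code of step S316 is the SHA-256 of the token, and that message passing between entities is reduced to direct method calls; the class names, IMSIs (test PLMN 001-01) and keys are constructed.

```python
"""Simulation of the two proxy-mediated authentication flows (added illustration only).
Assumptions: Milenage f1/f2/KASME are replaced by HMAC-SHA256, AUTN is serving-network
name || MAC, the S316 verification code is SHA-256 of the token, messages are direct calls."""
import hashlib
import hmac
import secrets
from collections import namedtuple

# AUTN, RAND, XRES and Kasme, as produced in steps S206 / S306
AuthVector = namedtuple("AuthVector", "rand autn xres kasme")


def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for one Milenage function, selected by label (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class SubscriberDatabase:
    """Holder of long-term keys K: cloud database (310) or edge home subscriber server (420)."""
    def __init__(self, serving_network: bytes, keys: dict):
        self.sn, self.keys = serving_network, keys        # IMSI -> K

    def authentication_vector(self, imsi: str) -> AuthVector:
        k, rand = self.keys[imsi], secrets.token_bytes(16)
        mac = f(k, b"f1", rand, self.sn)[:8]              # lets the UE verify the network
        return AuthVector(rand, self.sn + mac, f(k, b"f2", rand)[:8],
                          f(k, b"kasme", rand, self.sn))


class UserEquipment:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k                       # K lives in the eSIM / USIM

    def answer_challenge(self, rand: bytes, autn: bytes) -> bytes:
        """S208 / S309: check AUTN first, then derive RES from RAND."""
        sn, mac = autn[:-8], autn[-8:]
        if not hmac.compare_digest(mac, f(self.k, b"f1", rand, sn)[:8]):
            raise ValueError("AUTN check failed: core network not authentic")
        return f(self.k, b"f2", rand)[:8]


class MobilityManagementEntity:
    def __init__(self, mme_id: str):
        self.mme_id, self.pending = mme_id, {}            # IMSI -> (XRES, Kasme)

    def challenge(self, imsi: str, av: AuthVector):
        self.pending[imsi] = (av.xres, av.kasme)          # S207 / S307: keep XRES, send AUTN+RAND
        return av.rand, av.autn

    def confirm(self, imsi: str, res: bytes) -> bool:
        xres, _ = self.pending.pop(imsi)                  # S210 / S313: compare RES with XRES
        return hmac.compare_digest(res, xres)


def verification_code(token: str) -> str:
    """S316: code the UE derives from its token (assumed: SHA-256 of the token)."""
    return hashlib.sha256(token.encode()).hexdigest()


class Proxy:
    """vHSS + vUSER (first mechanism) and vUE + vOP (second mechanism) in one object."""
    def __init__(self):
        self.codes = {}                                   # vOP state: code -> IMSI

    def _run_aka(self, ue, db, mme) -> bool:
        """Common EPS-AKA exchange: the proxy only relays AV and RES, never K."""
        if ue.imsi not in db.keys:                        # S205 / S305: unknown IMSI, stop
            return False
        rand, autn = mme.challenge(ue.imsi, db.authentication_vector(ue.imsi))
        try:
            res = ue.answer_challenge(rand, autn)
        except ValueError:                                # UE rejected the network
            mme.pending.pop(ue.imsi, None)
            return False
        return mme.confirm(ue.imsi, res)

    def cloud_to_edge(self, ue, cloud_db, mme, federation: set) -> bool:
        """S203-S214: the cloud supplies the AV and the vHSS plays the HSS for the MME."""
        ok = self._run_aka(ue, cloud_db, mme)
        if ok:
            federation.add(mme.mme_id)                    # S212-S214: cloud records the MME
        return ok

    def edge_to_cloud(self, ue, edge_hss, mme):
        """S302-S315: the MME challenges the vUE, which relays to the UE; token or None."""
        if not self._run_aka(ue, edge_hss, mme):
            return None
        token = secrets.token_urlsafe(16)
        self.codes[verification_code(token)] = ue.imsi
        return token

    def verify(self, code: str):                          # S317: cloud asks the vOP
        return self.codes.get(code)


def run_demo():
    """Constructed sample data: one cloud subscriber and one edge subscriber."""
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    cloud_db = SubscriberDatabase(b"cloud-net", {"001010000000001": k1})
    edge_hss = SubscriberDatabase(b"edge-net", {"001010000000002": k2})
    mme, proxy, federation = MobilityManagementEntity("mme-410"), Proxy(), set()
    first = proxy.cloud_to_edge(UserEquipment("001010000000001", k1), cloud_db, mme, federation)
    token = proxy.edge_to_cloud(UserEquipment("001010000000002", k2), edge_hss, mme)
    second = proxy.verify(verification_code(token)) == "001010000000002"
    return first, "mme-410" in federation, second
```

Two properties worth checking against the description hold in the simulation: the proxy never sees the long-term key K (it relays only the authentication vector and RES, and XRES stays in the mobility management entity), and a user equipment whose key does not match rejects the network at the AUTN check before it ever returns a RES, which is how the mutual authentication of step S208 / S309 is expressed. The `federation` set stands in for the cloud server's record of the MME information from steps S212 to S214.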

The communication method of the invention can also be extended. FIG. 4 is a detailed flowchart of a communication method according to another embodiment of the invention; please refer to FIG. 1 through FIG. 3(B) together. Note that although the embodiment of FIG. 4 is illustrated with the cloud-to-edge case, a person skilled in the art can infer from it the implementation for the edge-to-cloud case.

As shown in FIG. 4, first step S401 is executed: when an account of the cloud server 3 uses a service provided by the edge server 4, the user equipment 5 sends its accumulated traffic information to the cloud server 3. Then step S402 is executed: the cloud server 3 sends the traffic information to the proxy server 2. Then step S403 is executed: the proxy server 2 converts the traffic information into a message format the edge server 4 can recognise (for example the 3GPP protocol) and sends it to the edge server 4. Then step S404 is executed: the edge server 4 generates charging information from the traffic information and returns it to the proxy server 2. Then step S405 is executed: the proxy server 2 converts the charging information into a message format the cloud server 3 can recognise (for example the OIDC protocol) and sends it to the cloud server 3. Then step S406 is executed: the user equipment 5 obtains the charging information of the edge server 4 from the cloud server 3.

It follows that cross-domain charging between the cloud server 3 and the edge server 4 can be completed through the proxy server 2.

The communication system of the invention can also be further improved. FIG. 5(A) is a detailed flowchart of the communication system 1 according to another embodiment of the invention; please refer to FIG. 1 through FIG. 4 together.

As shown in FIG. 5(A), the communication system 1 may further comprise a second proxy server 7 configured identically to the proxy server 3. The second proxy server 7 may be placed between the cloud server 3 and a second edge server 8 and, by executing the first and second authentication mechanisms, acts as the communication intermediary between the cloud server 3 and the second edge server 8.

In this embodiment, when an account of the edge server 4 wishes to use a service of the second edge server 8, provided that a cross-domain federation already exists between the cloud server 3 and the edge server 4 and that a cross-domain federation has also been formed between the cloud server 3 and the second edge server 8 through the second proxy server 7, the account of the edge server 4 can perform mutual authentication and exchange messages with the second edge server 8 through the proxy server 2, the cloud server 3 and the second proxy server 7. The invention is not limited to this.

FIG. 5(B) is a detailed flowchart of the communication system 1 according to yet another embodiment of the invention; please refer to FIG. 1 through FIG. 3(B) and FIG. 5(A) together.

As shown in FIG. 5(B), the communication system 1 may further comprise a third proxy server 9, configured identically to the proxy server 3 and placed between the edge server 4 and a second cloud server 10. By executing the first and second authentication mechanisms, the third proxy server 9 acts as the communication intermediary between the second cloud server 10 and the edge server 4.

In this embodiment, when an account of the cloud server 3 wishes to use a service of the second cloud server 10, provided that the edge server 4 and the cloud server 3 have formed a cross-domain federation and the edge server 4 has also formed a cross-domain federation with the second cloud server 10, the account of the cloud server 3 can perform mutual authentication and exchange messages with the second cloud server 10 through the proxy server 2, the edge server 4 and the third proxy server 9.

In this way, the communication system 1 of the invention can keep establishing federation relationships with other communication systems by deploying proxy servers, so that the cross-domain services available to a single account keep growing.

With the communication system and communication method of the invention, a user needs only a single account to be served by both the cloud server and the edge server; compared with the prior art, the communication system of the invention is therefore highly convenient. In addition, the communication method of the invention has a complete authentication mechanism and offers full security.

The above embodiments are given only for convenience of description; the scope of rights claimed by the invention is defined by the appended claims and is not limited to the above embodiments.

1: Communication system
2: Proxy server
3: Cloud server
4: Edge server
5: User equipment
6: Message conversion mapping table
21a: First authentication mechanism execution module
21b: Second authentication mechanism execution module
211: Virtual home subscriber server
212: Virtual user
213: Virtual user equipment
214: Virtual OpenID provider
310: Cloud database
320: Relying party
410: Mobility management entity
420: Home subscriber server
510: Embedded subscriber identity module (eSIM)
520: UMTS subscriber identity module (USIM)

Claims (4)

1. A communication system for performing third-party authentication between an edge server (4) and a cloud server (3), comprising: a first authentication mechanism execution module (21a), disposed in a proxy server (2), for executing a first authentication mechanism, and comprising a virtual home subscriber server (vHSS) (211) and a virtual user (vUSER) (212), wherein the virtual home subscriber server (211) communicates with a mobility management entity (MME) (410) of the edge server (4) and the virtual user (212) communicates with the cloud server (3); wherein, when an account of the cloud server (3) wishes to use a service of the edge server (4), the first authentication mechanism execution module (21a) executes the first authentication mechanism, the first authentication mechanism comprising the step of: when the user equipment (5) issues a service request to the edge server (4) and the cloud server (3) confirms that an international mobile subscriber identity of the user equipment (5) is legitimate, receiving, by the virtual user (212), an authentication vector provided by the cloud server (3), and performing, by the virtual home subscriber server (211), the mobility management entity (410) and the user equipment (5), evolved packet system authentication and key agreement (EPS-AKA) authentication according to the authentication vector.

2. The communication system of claim 1, further comprising a second authentication mechanism execution module (21b), disposed in the proxy server (2), for executing a second authentication mechanism, and comprising a virtual user equipment (vUE) (213) and a virtual OpenID provider (OP) (214), the virtual user equipment (213) communicating with the mobility management entity (410) of the edge server (4) and the virtual OpenID provider (214) communicating with the cloud server (3) and a user equipment (5); wherein, when an account of the edge server (4) wishes to use a service of the cloud server (3), the second authentication mechanism execution module (21b) executes the second authentication mechanism, the second authentication mechanism comprising the steps of: when the user equipment (5) issues a service request to the cloud server (3) and a home subscriber server (420) of the edge server (4) confirms that an international mobile subscriber identity of the user equipment (5) is legitimate, receiving, by the virtual user equipment (213) via the mobility management entity (410), an authentication vector provided by the home subscriber server (420), transmitting the authentication vector to the user equipment (5) through the virtual user equipment (213) and the virtual OpenID provider (214) so that the user equipment (5) computes a challenge response parameter (RES) from the authentication vector, performing, by the home subscriber server (420), the mobility management entity (410), the virtual user equipment (213) and the user equipment (5), EPS-AKA authentication according to the authentication vector and the challenge response parameter (RES), and performing, by the virtual OpenID provider (214), the cloud server (3) and the user equipment (5), OpenID Connect (OIDC) authentication; and when the EPS-AKA authentication is complete, providing, by the virtual OpenID provider (214), a token to the user equipment (5), wherein the cloud server (3) provides the service according to the token.

3. A communication method, executed by a communication system (1), for performing third-party authentication between an edge server (4) and a cloud server (3), the communication method comprising the step of: when an account of the cloud server (3) wishes to use a service of the edge server (4), executing a first authentication mechanism by a first authentication mechanism execution module (21a) disposed in a proxy server (2), wherein the first authentication mechanism execution module (21a) comprises a virtual home subscriber server (211) and a virtual user (212), the virtual home subscriber server (211) communicating with a mobility management entity (410) of the edge server (4) and the virtual user (212) communicating with the cloud server (3), and wherein the first authentication mechanism comprises the steps of: when the user equipment (5) issues a service request to the edge server (4), transmitting an international mobile subscriber identity of the user equipment (5) to the cloud server (3) for verification by way of the mobility management entity (410), the virtual home subscriber server (211) and the virtual user (212); and when the user equipment (5) issues a service request to the edge server (4) and the cloud server (3) confirms that the international mobile subscriber identity of the user equipment (5) is legitimate, receiving, by the virtual user (212), an authentication vector provided by the cloud server (3), and performing, by the virtual home subscriber server (211), the mobility management entity (410) and the user equipment (5), evolved packet system authentication and key agreement authentication according to the authentication vector.

4. The communication method of claim 3, further comprising the step of: when an account of the edge server (4) wishes to use a service of the cloud server (3), executing a second authentication mechanism by a second authentication mechanism execution module (21b) disposed in the proxy server (2), wherein the second authentication mechanism execution module (21b) comprises a virtual user equipment (213) and a virtual OpenID provider (214), the virtual user equipment (213) communicating with the mobility management entity (410) of the edge server (4) and the virtual OpenID provider (214) communicating with the cloud server (3) and a user equipment (5), and wherein the second authentication mechanism comprises the steps of: when the user equipment (5) issues a service request to the cloud server (3), transmitting an international mobile subscriber identity of the user equipment (5) to the home subscriber server (420) for verification by way of the virtual OpenID provider (214), the virtual user equipment (213) and the mobility management entity (410); when the user equipment (5) issues a service request to the cloud server (3) and a home subscriber server (420) of the edge server (4) confirms that the international mobile subscriber identity of the user equipment (5) is legitimate, receiving, by the virtual user equipment (213) via the mobility management entity (410), an authentication vector provided by the home subscriber server (420), transmitting the authentication vector to the user equipment (5) through the virtual user equipment (213) and the virtual OpenID provider (214) so that the user equipment (5) computes a challenge response parameter (RES) from the authentication vector, performing, by the home subscriber server (420), the mobility management entity (410), the virtual user equipment (213) and the user equipment (5), EPS-AKA authentication according to the authentication vector and the challenge response parameter (RES), and performing, by the virtual OpenID provider (214), the cloud server (3) and the user equipment (5), OpenID Connect (OIDC) authentication; and when the EPS-AKA authentication is complete, providing, by the virtual OpenID provider (214), a token to the user equipment (5), wherein the cloud server (3) provides the service according to the token.
TW109142195A 2020-12-01 2020-12-01 Communication system and communication method TWI755951B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109142195A TWI755951B (en) 2020-12-01 2020-12-01 Communication system and communication method


Publications (2)

Publication Number Publication Date
TWI755951B true TWI755951B (en) 2022-02-21
TW202224396A TW202224396A (en) 2022-06-16

Family

ID=81329219


Country Status (1)

Country Link
TW (1) TWI755951B (en)


