US20190246270A1 - Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal - Google Patents
- Publication number: US20190246270A1 (application US16/311,463)
- Authority: US (United States)
- Prior art keywords: communication terminal, security, information, network slice, identification information
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE
  - H04W—WIRELESS COMMUNICATION NETWORKS
    - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
      - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
        - H04W12/041—Key generation or derivation
        - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
          - H04W12/0431—Key distribution or pre-distribution; Key agreement
      - H04W12/06—Authentication
    - H04W8/00—Network data management
      - H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
      - H04W8/22—Processing or transfer of terminal data, e.g. status or physical capabilities
        - H04W8/24—Transfer of terminal data
    - H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
      - H04W88/12—Access point controller devices
      - H04W88/14—Backbone network devices
    - H04W92/00—Interfaces specially adapted for wireless communication networks
      - H04W92/16—Interfaces between hierarchically similar devices
        - H04W92/24—Interfaces between hierarchically similar devices between backbone network devices
  - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    - H04L63/00—Network architectures or network communication protocols for network security
      - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- The present disclosure relates to a communication system, a subscriber-information management apparatus, an information acquisition method, and a program, and relates to, for example, a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that perform security processing.
- IoT: internet of things
- Non Patent Literature 1 discloses, in Annex B, the configuration of a core network to which network slicing is applied.
- Network slicing is a technique for dividing a core network so that each provided service can efficiently accommodate a large number of IoT terminals.
- Non Patent Literature 1 further discloses, in Section 5.1, that each divided network (network slice system) needs to be customized or optimized.
- Non Patent Literature 2 discloses, in Section 6.2, the configuration of a key used for security processing in the Evolved Packet System (EPS). Specifically, a universal subscriber identity module (USIM) and an authentication center (AuC) each hold a master key K. The USIM and the AuC each generate a confidentiality key (CK) and an integrity key (IK) from the master key K.
- EPS: Evolved Packet System
- USIM: universal subscriber identity module
- AuC: authentication center
- A user equipment (UE) and a home subscriber server (HSS) each generate a key K_ASME from the CK, the IK, and a serving network identity (SNID).
- An SNID is an ID for identifying a network operator.
- The UE and a mobility management entity (MME) each generate, from the key K_ASME, the keys used for security processing in the core network and the radio access network.
- Security processing, such as encryption of messages and prevention of message tampering (assurance of message integrity), is performed with the keys generated in this manner.
- When the network slicing disclosed in Non Patent Literature 1 is applied, using a different key in each network slice system can enhance the independence of each network slice system and improve security.
- However, the key configuration disclosed in Non Patent Literature 2 shows that a UE uses a single key K_ASME in a core network.
- If the key configuration disclosed in Non Patent Literature 2 is used for a core network to which network slicing is applied, a different key cannot be generated for each network slice system. Accordingly, it is difficult to enhance the independence of each network slice system and to improve security.
- A purpose of the present disclosure is therefore to provide a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that are capable of maintaining a high security level in each divided network (network slice system) when network slicing is applied to a core network.
- A communication system includes a subscriber-information management apparatus configured to manage subscriber information of a communication terminal; and a security apparatus configured to manage identification information of the communication terminal in association with security information used in at least one network slice system usable by the communication terminal, wherein the subscriber-information management apparatus acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- A subscriber-information management apparatus includes a communication means for communicating with a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal; and a management means for managing identification information of the network slice system associated with the security apparatus, wherein the communication means acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- An information acquisition method includes managing a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal, and identification information of the network slice system associated with the security apparatus; and acquiring, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- A program for causing a computer to execute processing according to a fourth exemplary aspect of the present disclosure includes managing a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal, and identification information of the network slice system associated with the security apparatus; and acquiring, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- The present disclosure can thus provide a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that are capable of maintaining a high security level in each divided network (network slice system) when network slicing is applied to a core network.
- FIG. 1 is a diagram showing a configuration of a communication system according to a first embodiment.
- FIG. 2 is a diagram showing a configuration of a communication system according to a second embodiment.
- FIG. 3 is a diagram showing a configuration of an AuC according to the second embodiment.
- FIG. 4 is a diagram showing information managed by the AuC according to the second embodiment.
- FIG. 5 is a diagram showing a configuration of an HSS according to the second embodiment.
- FIG. 6 is a diagram showing information managed by the HSS according to the second embodiment.
- FIG. 7 is a diagram showing a configuration of a UE according to the second embodiment.
- FIG. 8 is a diagram showing a procedure of Attach processing according to the second embodiment.
- FIG. 9 is a diagram showing a procedure of AKA processing according to the second embodiment.
- FIG. 10 is a diagram explaining derivation of a service key by the AuC according to the second embodiment.
- FIG. 11 is a diagram explaining derivation of a service key by the UE according to the second embodiment.
- FIG. 12 is a diagram showing information managed by the AuC according to the second embodiment.
- FIG. 13 is a diagram showing a configuration of a communication system according to a third embodiment.
- FIG. 14 is a diagram showing a configuration of the UE according to each embodiment.
- FIG. 15 is a diagram showing a configuration of the AuC and the HSS according to each embodiment.
- The communication system in FIG. 1 includes a subscriber-information management apparatus 10 and a security apparatus 20.
- The subscriber-information management apparatus 10 and the security apparatus 20 may each be a computer apparatus that operates by a processor executing a program stored in a memory.
- The subscriber-information management apparatus 10 manages subscriber information of at least one communication terminal.
- The communication terminal may be, for example, a mobile phone terminal, a smartphone terminal, a computer apparatus having a communication function, or the like.
- The communication terminal may also be an IoT terminal, a machine-to-machine (M2M) terminal, a machine-type-communication (MTC) terminal, or the like.
- M2M: machine-to-machine
- MTC: machine-type communication
- The subscriber information may be, for example, contract information related to the user of the communication terminal, position information of the communication terminal, information for identifying the communication terminal, or the like.
- The security apparatus 20 manages information for identifying the communication terminal (identification information of the communication terminal) in association with security information used in at least one network slice system usable by the communication terminal.
- The security information is unique to each network slice system.
- The security information may be key information used to authenticate the communication terminal.
- The security information may be key information used to encrypt data or to perform integrity assurance processing, or the like.
- The security information may be a master key used to generate key information used for authentication or encryption.
- The security information may be a security algorithm used to perform security processing, or the like.
- The subscriber-information management apparatus 10 acquires, using the identification information of the communication terminal and the identification information of a network slice system used by the communication terminal, the security information used in that network slice system from the security apparatus 20.
- The communication system in FIG. 1 thus enables the subscriber-information management apparatus 10 to acquire the security information used in the network slice system used by the communication terminal. This enables the subscriber-information management apparatus 10 to use different security information in each network slice system used by the communication terminal. As a result, it is possible to enhance the independence of each network slice system and to improve the security of the core network as a whole.
- The communication system in FIG. 2 includes a core network 100, a 5G radio access network (RAN) 80, and a user equipment (UE) 90.
- The core network 100 may be, for example, a network defined by the 3rd Generation Partnership Project (3GPP).
- The term "UE" is used as a general term for communication terminals in 3GPP. Although one UE 90 is shown in FIG. 2, the communication system in FIG. 2 may include a plurality of UEs 90.
- The 5G RAN 80 is a network that provides a radio channel to the UE 90.
- The 5G RAN 80 may include, for example, a base station, and may further include a base-station control apparatus that controls the base station, or the like.
- The 5G RAN 80 is, for example, a next-generation RAN that achieves low-delay, broadband radio communication, or the like.
- The term "5G RAN" is used here for the RAN of the next generation, but the name of the next-generation RAN is not limited to "5G RAN".
- The core network 100 includes a home subscriber server (HSS) 30, an authentication center (AuC) 40, an AuC 50, an AuC 60, a control plane function (CPF) entity 70 (hereinafter referred to as the CPF 70), a network slice (NS) system 110, an NS system 120, and an NS system 130.
- The AuCs may be in the same apparatus as the HSS 30, and some functions of the AuCs may be implemented in the HSS 30. Alternatively, each AuC may be located in a respective NS system.
- The HSS 30 is equivalent to the subscriber-information management apparatus 10 in FIG. 1.
- The HSS 30 manages subscriber information of the UE 90.
- The HSS 30 may be replaced with a home location register (HLR).
- The HSS 30 has a key management function.
- The HSS 30 transmits key information to each NS system.
- The key management function manages which node apparatus or which NS system the key information of a UE has been transmitted to.
- The key management function also manages the type or the like of the key information transmitted to a node apparatus or an NS system.
- The HSS 30 may have a part of the key management function, and an apparatus different from the HSS 30 may have the remaining part. Alternatively, an apparatus different from the HSS 30 may have all of the key management function.
- The AuC 40, the AuC 50, and the AuC 60 (hereinafter referred to as the AuC 40 and the like) are each equivalent to the security apparatus 20 in FIG. 1.
- The AuC 40 and the like each manage key information used for security processing for the UE 90.
- The AuC 40 and the like each further manage a parameter related to the security processing for the UE 90.
- The parameter related to the security processing is, for example, a parameter used for integrity assurance processing, confidentiality processing, or encryption processing in the non-access stratum (NAS).
- The NAS is the layer used for communication between the UE 90 or the like and the core network 100.
- The parameter related to the security processing may be a parameter used for integrity assurance processing, confidentiality processing, or encryption processing in the access stratum (AS).
- The AS is the layer used for communication between the 5G RAN 80 and the UE 90.
- The parameter related to the security processing may be a parameter defining the length of a key.
- The length of a key is represented by, for example, the number of bits.
- The parameter related to the security processing may be a parameter indicating an encryption algorithm, a key generation algorithm, an authentication algorithm, or the like.
- The CPF 70 is an apparatus that processes C-Plane data related to the UE 90 in the core network 100.
- The C-Plane data may be referred to as control data.
- The CPF 70 is an apparatus that processes control data, and may be referred to as a control apparatus.
- The CPF 70 may have a function equivalent to a mobility management entity (MME) defined in 3GPP.
- MME: mobility management entity
- The NS system 110 is a communication system used to provide a service different from those of the NS system 120 and the NS system 130.
- The NS system 120 is a communication system used to provide a service different from that of the NS system 130.
- The service provided by each NS system may be, for example, an automatic driving service, a service related to a smart meter, a vending-machine management service, or the like.
- The services provided by the NS systems are not limited to these services; various services may be provided.
- FIG. 2 shows that the CPF 70 is disposed in the core network 100 and does not belong to any of the NS system 110, the NS system 120, and the NS system 130.
- Alternatively, the CPF 70 may belong to any one of the NS system 110, the NS system 120, and the NS system 130, or may be included in each of the NS system 110, the NS system 120, and the NS system 130.
- The AuC 50 and the AuC 60 each have a configuration similar to that of the AuC 40.
- The AuC 40 includes a communication unit 41, a security-information management unit 42, and an NS-key generation unit 43.
- The communication unit 41 may be a transmitter and a receiver.
- The communication unit 41, the security-information management unit 42, and the NS-key generation unit 43 may be software or a module that performs processing by a processor executing a program stored in a memory.
- The communication unit 41, the security-information management unit 42, and the NS-key generation unit 43 may be hardware such as a circuit or a chip.
- The communication unit 41 transmits data mainly to the HSS 30.
- The security-information management unit 42 manages the security information associated with each UE 90.
- The security-information management unit 42 manages an international mobile subscriber identity (IMSI), a network slice identity (NSID), and a master key K in association with each other.
- IMSI: international mobile subscriber identity
- NSID: network slice identity
- The IMSI is identification information used to identify the UE 90.
- The NSID is identification information used to identify the NS system.
- FIG. 4 shows that the UE whose IMSI is 001 can use the NS system 110 and the NS system 120.
- FIG. 4 further shows that a master key Ka_001 used for the security processing in the NS system 110 and a master key Kb_001 used for the security processing in the NS system 120 are assigned to the UE whose IMSI is 001.
- The UE whose IMSI is 002 is likewise associated with its usable NS systems and with the master keys K used for the security processing in those NS systems.
- FIG. 4 shows that the security-information management unit 42 manages master keys related to a plurality of NS systems.
- Alternatively, the security-information management unit 42 may manage a master key related to only one NS system.
- In that case, the AuC 40 may be used as an apparatus that manages the master key K related to the NS system 110.
- The security-information management unit 42 then need not manage information related to the NSID, and may manage the IMSI and the master key K in association with each other.
- The NS-key generation unit 43 generates a service key Ksv used in each NS system from the master key K. For example, the NS-key generation unit 43 generates, from the master key Ka_001, a service key Ksv-A used in the NS system 110 by the UE whose IMSI is 001. The NS-key generation unit 43 further generates, from the master key Kb_001, a service key Ksv-B used in the NS system 120 by the UE whose IMSI is 001. Similarly, the NS-key generation unit 43 generates a service key Ksv used by the UE whose IMSI is 002.
- The HSS 30 includes a communication unit 31 and an information management unit 32.
- The communication unit 31 and the information management unit 32 may be software or a module that performs processing by a processor executing a program stored in a memory.
- The communication unit 31 and the information management unit 32 may be hardware such as a circuit or a chip.
- The communication unit 31 may be a transmitter and a receiver.
- The communication unit 31 transmits data to the AuC 40, the AuC 50, and the AuC 60.
- The communication unit 31 further transmits data to a node apparatus constituting the NS system 110, a node apparatus constituting the NS system 120, and a node apparatus constituting the NS system 130.
- The information management unit 32 manages information in which the AuC 40 and the like are associated with the NS systems.
- The information managed by the information management unit 32 is described with reference to FIG. 6.
- FIG. 6 shows that the AuC 40 is associated with the NS system 110 to the NS system 130, and that the AuC 50 is associated with the NS system 140 to the NS system 160.
- The association of the AuC 40 with the NS system 110 to the NS system 130 means that the AuC 40 manages the master key K used by each UE for the security processing in the NS system 110 to the NS system 130.
- The UE 90 includes a communication unit 91 and an NS-key generation unit 92.
- The communication unit 91 and the NS-key generation unit 92 may be software or a module that performs processing by a processor executing a program stored in a memory.
- The communication unit 91 and the NS-key generation unit 92 may be hardware such as a circuit or a chip.
- The communication unit 91 may be a transmitter and a receiver.
- The communication unit 91 transmits data mainly to a base station constituting the 5G RAN 80, or the like.
- The NS-key generation unit 92 generates, from the master key K, a service key Ksv used in each NS system. For example, it is assumed that the UE 90 can use the NS system 110 and the NS system 120. In this case, the NS-key generation unit 92 generates a service key Ksv-A used in the NS system 110 from the master key Ka_001, and generates a service key Ksv-B used in the NS system 120 from the master key Kb_001.
- The communication unit 91 may include a plurality of SIMs, and manage a different master key K for each SIM.
- Each SIM may be associated with any one of the NS systems.
- A procedure of Attach processing related to the UE 90 according to the second embodiment of the present disclosure is described with reference to FIG. 8.
- First, the UE 90 starts processing for connecting to the 5G RAN 80 (S11).
- The UE 90 connects to a base station disposed in the 5G RAN 80 via a radio communication channel in order to communicate with that base station.
- The UE 90 then transmits an Attach request message to the CPF 70 via the 5G RAN 80 (S12).
- Here, the UE 90 uses a service provided by, for example, the NS system 110.
- The UE 90 transmits an Attach request message, in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set, to the CPF 70.
- The UE 90 may set a plurality of NSIDs.
- Next, authentication-and-key-agreement (AKA) processing is performed among the UE 90, the CPF 70, the HSS 30, and the AuC 40 (S13).
- Through the AKA processing, the UE 90 and the HSS 30 can confirm that the service key Ksv-A generated by the UE 90 matches the service key Ksv-A generated by the AuC 40.
- When the UE 90 has set a plurality of NSIDs in the Attach request message, a service key Ksv is generated for each NS system.
- In the AKA processing in step S13, it is confirmed that the service key Ksv generated for each NS system by the UE 90 matches the service key Ksv generated for each NS system by the AuC 40.
- The service key Ksv may also be authenticated by performing processing other than the AKA processing among the UE 90, the CPF 70, the HSS 30, and the AuC 40.
- Thereafter, the UE 90 can use, with the service key Ksv-A, the service provided by the NS system 110.
- For example, the UE 90 may transmit password information input by a user operating the UE 90, or the like, to the apparatus included in the NS system 110.
- The apparatus included in the NS system 110 may provide the service to the UE 90 when the correctness of the transmitted password is confirmed.
- The apparatus included in the NS system 110 may hold the service key Ksv-A related to the UE 90 in advance.
- Alternatively, the apparatus included in the NS system 110 may acquire the service key Ksv-A from the HSS 30 or the AuC 40.
- The apparatus included in the NS system 110 may itself perform the AKA processing and provide the service to the UE 90 when the service key Ksv-A it holds matches the service key Ksv-A held by the UE 90.
- FIG. 8 shows that the UE 90 transmits an Attach request message, in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set, to the CPF 70 in step S12.
- Alternatively, the UE 90 may transmit an Attach request message, in which the IMSI alone is set, to the CPF 70.
- In the example of FIG. 8, the UE 90 transmits an Attach request message, in which the IMSI and the identification information of the NS systems to be used are set, to the CPF 70.
- The AKA processing in step S13 in FIG. 8 is described in detail with reference to FIG. 9.
- First, the CPF 70 transmits an Authentication data request message to the HSS 30 (S21).
- The Authentication data request message contains the international mobile subscriber identity (IMSI) of the UE 90 and the NSID indicating the NS system that the UE 90 desires to use.
- The NSID is, for example, the identification information indicating the NS system 110.
- Next, the HSS 30 transmits an Auth data create request message to the AuC 40 (S22).
- The Auth data create request message contains the IMSI of the UE 90 and the NSID indicating the NS system that the UE 90 desires to use. It is assumed that the NSID is the identification information indicating the NS system 110 in FIG. 9.
- The HSS 30 can identify, using the information shown in FIG. 6, the AuC associated with the NSID specified by the UE 90.
- Here, the HSS 30 has received the NSID indicating the NS system 110.
- The HSS 30 can therefore identify, using the information shown in FIG. 6, the AuC 40 as the transmission destination of the Auth data create request message.
- When no NSID is specified, the HSS 30 identifies the AuC associated with a default NS system determined in advance.
- The default NS system may be determined for each UE in advance, or may be determined in accordance with a priority managed by the HSS 30.
- The priority may be determined for each UE.
- The HSS 30 manages, as the subscriber information, the information associating the IMSI of the UE 90 with the NS systems usable by the UE 90.
- The HSS 30 can thus identify, from the IMSI transmitted from the CPF 70, the NS systems usable by the UE 90.
- In some cases the HSS 30 manages, as subscriber data, a plurality of NSIDs to which the UE 90 can connect. In such a case, the HSS 30 may repeatedly transmit Auth data create request messages to the AuC 40 and the like corresponding to all the NSIDs indicated by the subscriber data.
- Next, the AuC 40 derives the service key Ksv-A with a key derivation function (KDF) (S23).
- KDF: key derivation function
- The processing of the NS-key generation unit 43 of the AuC 40 for deriving a service key Ksv with the KDF is described with reference to FIG. 10.
- FIG. 10 shows that an expected response (XRES), an authentication token (AUTN), and a service key Ksv are output as a result of inputting the master key K, the NSID, a random number (RAND), and a sequence number (SQN) to the KDF.
- The KDF is, for example, a derivation function such as HMAC-SHA-256.
- The master key K input to the KDF is assumed to be the master key Ka associated with the NS system 110.
- The service key Ksv output from the KDF is assumed to be the service key Ksv-A used in the NS system 110.
- Next, the AuC 40 transmits an Auth data create response message to the HSS 30 (S24).
- The Auth data create response message contains a RAND, an XRES, a Ksv-A, a Ksv-A_ID, and an AUTN.
- The RAND contained in an Authentication data response message is the same as the RAND used as the input parameter when the Ksv-A and the like are generated in step S23.
- The XRES, the Ksv-A, and the AUTN are the same as the XRES, the Ksv-A, and the AUTN generated in step S23.
- The Ksv-A_ID is identification information identifying the Ksv-A.
- When the HSS 30 repeatedly transmits the Auth data create request messages to a plurality of AuCs, the HSS 30 confirms that all the AuCs return their respective Auth data create response messages, and then sets the RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN contained in each Auth data create response message in an Authentication data response message for each corresponding NSID.
- Next, the HSS 30 transmits an Authentication data response message to the CPF 70 (S25).
- The Authentication data response message contains the RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN contained in the Auth data create response message transmitted in step S24.
- The RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN are set for each NSID in some cases.
- Next, the CPF 70 transmits an Authentication request message to the UE 90 via a 5G RAN 42 (S26).
- The Authentication request message contains a RAND, an AUTN, and a Ksv-A_ID.
- The RAND, the AUTN, and the Ksv-A_ID are those received from the HSS 30 in step S25.
- When the UE 90 has set a plurality of NSIDs in the Attach request message (S12), the RAND, the AUTN, and the Ksv-A_ID are set for each NSID.
- Next, the UE 90 derives the service key Ksv-A with the KDF (S27).
- The processing of the NS-key generation unit 92 of the UE 90 for deriving the service key Ksv with the KDF is described with reference to FIG. 11.
- FIG. 11 shows that a response (RES), an SQN, and a service key Ksv are output as a result of inputting the master key K, the NSID, the RAND, and the AUTN to the KDF.
- The KDF is, for example, a derivation function such as HMAC-SHA-256.
- The master key K input to the KDF is assumed to be the master key Ka associated with the NS system 110.
- The service key Ksv output from the KDF is assumed to be the service key Ksv-A used in the NS system 110. Note that it is assumed that the NS systems accessible by the UE 90 are determined in advance, and that the UE 90 holds the NSIDs of those NS systems in advance.
- Next, the UE 90 transmits an Authentication response message to the CPF 70 via the 5G RAN 80 (S28).
- The Authentication response message contains a RES.
- The RES contained in the Authentication response message is the same as the RES generated in step S27.
- When a plurality of NSIDs is handled, a RES is set for each NSID.
- Next, the CPF 70 compares the XRES contained in the Authentication data response message received in step S25 with the RES contained in the Authentication response message received in step S28 (S29). When the RES matches the XRES in step S29, the CPF 70 can determine that the Ksv-A generated by the AuC 40 matches the Ksv-A generated by the UE 90. When a plurality of NSIDs is handled, the CPF 70 compares the RES with the XRES for each NSID. When the RES has matched the XRES, the CPF 70 notifies the HSS 30 that the RES has matched the XRES, or that the authentication for the Ksv-A has succeeded. The HSS 30 then transmits the Ksv-A_ID and the Ksv-A to the NS system 110.
- When the UE 90 has no subscription to the NS system indicated by the NSID, the AuC 40 transmits, to the HSS 30, an Auth data create error message containing the cause value "No subscription to Network slice" as the response message corresponding to the Auth data create request message.
- In that case, the HSS 30 transmits, to the CPF 70, an Authentication data reject message containing the cause value "No subscription to Network slice".
- the CPF 70 transmits, to the UE 90 , an Authentication failure message containing a cause value “Access to Network slice not allowed”.
- the UE 90 records the fact that the NSID set in the Attach request message (S 12 ) is not provided in an operator network. Furthermore, the UE 90 may set another NSID, and perform the ATTACH procedure for the same operator network in this case.
- the CPF 70 transmits, to the UE 90 , an Authentication failure message containing a cause value “Network Slice Authentication failed”.
- the UE 90 records the fact that the NSID set in the Attach request message (S 12 ) is not provided in an operator network. Furthermore, the UE 90 may set another NSID and perform the ATTACH procedure for the same operator network in this case.
- the CPF 70 regards the authentication as having failed and either notifies the UE 90 and urges it to perform re-ATTACH, or allows connection for the authorized NSIDs only.
- the operation for each case is as follows.
- the CPF 70 transmits, to the UE 90 , an Authentication failure message containing a cause value “Network Slice Authentication failed”.
- the CPF 70 may set, in the Authentication failure message, an “Authentication status list” indicating the authentication result state of each NSID.
- the UE 90 may set the partially authorized NSIDs and perform the ATTACH procedure for the same operator network.
- the CPF 70 may regard that the authorization has partially succeeded and transmit, to the UE 90 , an Authentication response message containing a cause value “Network Slice Authentication partially failed”.
- the CPF 70 may set, in the Authentication response message, an “Authentication status list” indicating the authentication result state of each NSID.
- the UE 90 recognizes that the authentication for the partially authenticated NSIDs has succeeded.
- the UE 90 may use the services provided by the partially authenticated Network Slices.
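The per-slice AKA of steps S 21 to S 29, including the "No subscription to Network slice" and partial-authentication outcomes described above, as an added Python illustration that is not the patent's own code. It assumes HMAC-SHA-256 as the KDF with a separate label per output, an AUTN laid out as (SQN xor AK) || MAC, and that the AuC side of FIG. 10 takes K, NSID, RAND and SQN as inputs; the IMSI, NSIDs, keys and the Ksv-A_ID format are constructed sample values.

```python
"""Per-slice AKA as described on this page (added illustration, not the
patent's code).  Assumptions: the KDF is HMAC-SHA-256 with a label per
output, AUTN is modelled as (SQN xor AK) || MAC, and the AuC side of
FIG. 10 takes K (= the slice's Ka), NSID, RAND and SQN as inputs."""
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """KDF modelled as HMAC-SHA-256 (the page names it as an example).
    Each output gets its own label and every input is length-prefixed,
    so RES, Ksv, AK and MAC are domain-separated and NSIDs never collide."""
    msg = label
    for p in parts:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_create_auth_data(ka: bytes, nsid: bytes, rand: bytes, sqn: bytes):
    """AuC side (FIG. 10, step S23): Ka, NSID, RAND, SQN in;
    XRES, AUTN, Ksv and Ksv_ID out.  The AUTN layout is an assumption."""
    ak = kdf(ka, b"AK", nsid, rand)[:6]         # anonymity key masks the SQN
    mac = kdf(ka, b"MAC", nsid, rand, sqn)[:8]  # lets the UE authenticate the network
    autn = _xor(sqn, ak) + mac
    xres = kdf(ka, b"RES", nsid, rand)[:8]
    ksv = kdf(ka, b"Ksv", nsid, rand, sqn)      # 256-bit service key for this slice only
    ksv_id = (nsid + b"/" + rand[:4]).hex()     # constructed Ksv-A_ID format
    return xres, autn, ksv, ksv_id


def ue_derive_service_key(ka: bytes, nsid: bytes, rand: bytes, autn: bytes):
    """UE side (FIG. 11, step S27): Ka, NSID, RAND, AUTN in; RES, SQN, Ksv out.
    Returns None when the AUTN MAC does not verify (network not authenticated)."""
    ak = kdf(ka, b"AK", nsid, rand)[:6]
    sqn = _xor(autn[:6], ak)
    if not hmac.compare_digest(kdf(ka, b"MAC", nsid, rand, sqn)[:8], autn[6:]):
        return None
    res = kdf(ka, b"RES", nsid, rand)[:8]
    ksv = kdf(ka, b"Ksv", nsid, rand, sqn)
    return res, sqn, ksv


def run_slice_aka(imsi, nsids, auc_db, usim_keys, rand=None, sqn=None):
    """HSS/CPF orchestration of steps S21-S29 for an Attach with several NSIDs.
    auc_db maps (IMSI, NSID) -> Ka (the AuC table of FIG. 4 / FIG. 12) and
    usim_keys maps NSID -> Ka held on the UE.  Returns the cause value the CPF
    sends (None on full success, which the page gives no cause value for),
    the per-NSID 'Authentication status list', and the (Ksv_ID, Ksv) pairs the
    HSS forwards to each authorized NS system."""
    rand = rand or secrets.token_bytes(16)
    sqn = sqn or (0).to_bytes(6, "big")
    status, keys = {}, {}
    for nsid in nsids:
        ka = auc_db.get((imsi, nsid))
        if ka is None:                          # AuC -> HSS -> CPF error path
            status[nsid] = "No subscription to Network slice"
            continue
        xres, autn, ksv, ksv_id = auc_create_auth_data(ka, nsid, rand, sqn)
        ue_out = ue_derive_service_key(usim_keys.get(nsid, b""), nsid, rand, autn)
        if ue_out is None or not hmac.compare_digest(ue_out[0], xres):  # S29
            status[nsid] = "Network Slice Authentication failed"
            continue
        status[nsid] = "authenticated"
        keys[nsid] = (ksv_id, ksv)              # HSS -> NS system at the end of S29
    n_ok = sum(s == "authenticated" for s in status.values())
    if n_ok == len(nsids):
        cause = None
    elif n_ok == 0:
        cause = "Network Slice Authentication failed"
    else:
        cause = "Network Slice Authentication partially failed"
    return cause, status, keys


# Constructed sample data: one subscriber with a Ka per slice on the AuC and USIM.
IMSI = "001010123456789"
KA_A = hashlib.sha256(b"constructed Ka for NSID-A").digest()
KA_B = hashlib.sha256(b"constructed Ka for NSID-B").digest()
AUC_DB = {(IMSI, b"NSID-A"): KA_A, (IMSI, b"NSID-B"): KA_B}      # no row for NSID-C
USIM_KEYS = {b"NSID-A": KA_A, b"NSID-B": KA_B, b"NSID-C": KA_A}  # UE still requests C

if __name__ == "__main__":
    cause, status, keys = run_slice_aka(
        IMSI, [b"NSID-A", b"NSID-B", b"NSID-C"], AUC_DB, USIM_KEYS)
    print("cause value:", cause)
    for nsid, state in status.items():
        print(nsid.decode(), "->", state)
```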
- the CPF 70 may notify the network slice system shown in FIG. 2 of the authorized service key Ksv.
- the network slice system may further generate, with the service key Ksv, a necessary service key.
- the network slice system shown in FIG. 2 may further perform authentication operation in cooperation with the HSS 30 .
- the HSS 30 may manage the IMSI of the UE 90 in association with the NSID usable by the UE 90 .
- the HSS 30 receives an Authentication data request message in step S 21 .
- the HSS 30 transmits an error message as a response message corresponding to the Authentication data request message.
- the HSS 30 can request each AuC of association data.
- each AuC can transmit the updated data to the HSS 30 .
- each AuC may manage the IMSI, the NSID, and the access right in association with each other as shown in FIG. 12 .
- the association data is, for example, data in which the IMSI, the NSID, and the access right are associated with each other as shown in FIG. 12 .
- FIG. 12 shows that the UE, the IMSI of which is 003, can access the NS system 110 , but cannot access the NS system 120 and the NS system 130 .
- FIG. 12 further shows that the UE, the IMSI of which is 004, can access the NS system 140 and the NS system 150 , but cannot access the NS system 160 .
- each AuC transmits the updated data to the HSS 30 .
- FIG. 13 shows that a UE 95 moves from a home public land mobile network (HPLMN) 101 , which is a home network, to a visited public land mobile network (VPLMN) 102 .
- FIG. 13 shows that the UE 95 roams from the HPLMN 101 to the VPLMN 102 .
- the HPLMN 101 includes an HSS 35 , an AuC 51 , an AuC 52 , a CPF 71 , a diameter edge agent (DEA) 72 , an NS system 111 , and an NS system 112 .
- the UE 95 communicates with the HPLMN 101 via a 5G RAN 81 .
- the VPLMN 102 includes an HSS 36 , an AuC 61 , an AuC 62 , a CPF 73 , a DEA 74 , an NS system 121 , and an NS system 122 .
- the UE 95 communicates with the VPLMN 102 via a 5G RAN 82 .
- the DEA 72 and the DEA 74 are apparatuses that relay a Diameter signal. The configurations except for the DEA 72 and the DEA 74 are similar to that of the communication network shown in FIG. 2 .
- Attach processing is performed in the VPLMN 102 .
- the UE 95 connects to the CPF 73 via the 5G RAN 82 similarly to the Attach processing described in steps S 11 and S 12 in FIG. 8 .
- the CPF 73 determines, as a result of the inquiry to the HSS 36 in step S 13 in FIG. 8 , that the UE 95 is a roaming terminal that uses the HPLMN 101 as the home network.
- the CPF 73 connects to the CPF 71 via the DEA 74 and the DEA 72 .
- the UE 95 performs the AKA processing with the CPF 71 via the CPF 73 , the DEA 74 , and the DEA 72 .
- the UE 95 desires to use, for example, a service provided by the NS system 111 in the HPLMN 101 .
- the UE 95 may perform the AKA processing with the CPF 71 , and communicate with the NS system 111 via, for example, the NS system 121 after the authentication has been completed.
- the VPLMN 102 may determine the NS system 121 as an NS system usable by the roaming terminal in advance. Alternatively, an NS system in the VPLMN 102 corresponding to the NS system 111 in the HPLMN 101 and an NS system in the VPLMN 102 corresponding to the NS system 112 in the HPLMN 101 are determined in advance. For example, the NS system 111 in the HPLMN 101 may be associated with the NS system 121 in the VPLMN 102 , and the NS system 112 in the HPLMN 101 may be associated with the NS system 122 in the VPLMN 102 .
- Even when the UE 95 roams from the HPLMN 101 to the VPLMN 102 , it is possible for the UE 95 to access an NS system in the HPLMN 101 via the VPLMN 102 .
- FIG. 14 is a block diagram showing a configuration example of the UE 90 and UE 95 .
- a Radio Frequency (RF) transceiver 1101 performs analog RF signal processing for communication with the 5G RANs 80 , 81 , and 82 .
- the analog RF signal processing performed by the RF transceiver 1101 includes frequency up-conversion, frequency down-conversion, and amplification.
- the RF transceiver 1101 is connected to an antenna 1102 and a baseband processor 1103 .
- the RF transceiver 1101 receives modulated symbol data (or OFDM symbol data) from the baseband processor 1103 , generates a transmission RF signal and supplies the transmission RF signal to the antenna 1102 .
- the RF transceiver 1101 generates a baseband received signal based on a received RF signal received by the antenna 1102 and supplies it to the baseband processor 1103 .
- the baseband processor 1103 performs digital baseband signal processing (data plane processing) and control plane processing for radio communications.
- the digital baseband signal processing includes (a) data compression/decompression, (b) data segmentation/concatenation, (c) transmission format (transmission frame) composition/decomposition, (d) transmission path encoding/decoding, (e) modulation (symbol mapping)/demodulation, and (f) OFDM symbol data (baseband OFDM signal) generation by Inverse Fast Fourier Transform (IFFT) and the like.
- control plane processing includes communication management of Layer 1 (e.g., transmission power control), Layer 2 (e.g., radio resource management and hybrid automatic repeat request (HARQ) processing), and Layer 3 (e.g., attach, mobility, and signaling related to call management).
- the digital baseband signal processing by the baseband processor 1103 may include signal processing of Packet Data Convergence Protocol (PDCP) layer, Radio Link Control (RLC) layer, MAC layer, and PHY layer. Further, the control plane processing by the baseband processor 1103 may include processing of Non-Access Stratum (NAS) protocol, RRC protocol, and MAC CE.
- the baseband processor 1103 may include a modem processor (e.g., Digital Signal Processor (DSP)) that performs digital baseband signal processing and a protocol stack processor (e.g., Central Processing Unit (CPU) or Micro Processing Unit (MPU)) that performs control plane processing.
- the protocol stack processor that performs control plane processing may be made common to an application processor 1104 , which is described below.
- the application processor 1104 is also called a CPU, an MPU, a microprocessor or a processor core.
- the application processor 1104 may include a plurality of processors (a plurality of processor cores).
- the application processor 1104 implements each function of the UE 90 and the UE 95 by running a system software program (Operating System (OS)) and various application programs (e.g., call application, web browser, mailer, camera control application, music playback application etc.) read from a memory 1106 or a memory, which is not shown.
- the baseband processor 1103 and the application processor 1104 may be integrated into one chip.
- the baseband processor 1103 and the application processor 1104 may be implemented as one System on Chip (SoC) device 1105 .
- the SoC device is also called a system Large Scale Integration (LSI) or a chip set in some cases.
- the memory 1106 is a volatile memory, a nonvolatile memory, or a combination of them.
- the memory 1106 may include a plurality of memory devices that are physically independent of one another.
- the volatile memory is a Static Random Access Memory (SRAM), a Dynamic RAM (DRAM), or a combination of them, for example.
- the nonvolatile memory is a mask Read Only Memory (MROM), an Electrically Erasable Programmable ROM (EEPROM), a flash memory, a hard disk drive, or a combination of them, for example.
- the memory 1106 may include an external memory device that is accessible from the baseband processor 1103 , the application processor 1104 and the SoC 1105 .
- the memory 1106 may include an internal memory device that is integrated into the baseband processor 1103 , the application processor 1104 or the SoC 1105 . Further, the memory 1106 may include a memory in a Universal Integrated Circuit Card (UICC).
- the memory 1106 may store a software module (computer program) containing a group of instructions and data for performing the processing by the UE 90 and the UE 95 described in the above plurality of embodiments.
- the baseband processor 1103 or the application processor 1104 may be configured to perform the processing of the UE 90 and the UE 95 described in the above embodiments by reading the software module from the memory 1106 and executing it.
- FIG. 15 is a block diagram showing a configuration example of the AuC 40 , the AuC 50 , the AuC 51 , the AuC 52 , the AuC 60 , the AuC 61 , the AuC 62 , the HSS 30 , the HSS 35 , and the HSS 36 (hereinafter, referred to as the AuC 40 and the like).
- the AuC 40 and the like each include a network interface 1201 , a processor 1202 , and a memory 1203 .
- the network interface 1201 is used to communicate with network nodes (e.g., the radio communication device 21 ).
- the network interface 1201 may include a network interface card (NIC) that complies with the IEEE 802.3 series, for example.
- the processor 1202 reads and runs software (computer program) from the memory 1203 and thereby executes processing of the AuC 40 and the like that is described with reference to the sequence charts and the flowcharts in the embodiments described above.
- the processor 1202 may be a microprocessor, an MPU or a CPU, for example.
- the processor 1202 may include a plurality of processors.
- the memory 1203 is a combination of a volatile memory and a nonvolatile memory.
- the memory 1203 may include a storage that is placed apart from the processor 1202 .
- the processor 1202 may access the memory 1203 through an I/O interface, which is not shown.
- the memory 1203 is used to store a group of software modules.
- the processor 1202 reads and runs the group of software modules from the memory 1203 and can thereby perform the processing of the AuC 40 and the like described in the above embodiments.
- each of the processors included in the UE 90 , the UE 95 , the AuC 40 , the AuC 50 , the AuC 51 , the AuC 52 , the AuC 60 , the AuC 61 , the AuC 62 , the HSS 30 , the HSS 35 and the HSS 36 runs one or a plurality of programs including a group of instructions for causing a computer to perform the algorithms described using the drawings.
- the program can be stored and provided to the computer using any type of non-transitory computer readable medium.
- the non-transitory computer readable medium includes any type of tangible storage medium.
- non-transitory computer readable medium examples include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g. magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, DVD-ROM (Digital Versatile Disc Read Only Memory), DVD-R (DVD Recordable), DVD-R DL (DVD-R Dual Layer), DVD-RW (DVD ReWritable), DVD-RAM, DVD+R, DVD+R DL, DVD+RW, BD-R (Blu-ray (registered trademark) Disc Recordable), BD-RE (Blu-ray (registered trademark) Disc Rewritable), BD-ROM, and semiconductor memories (such as mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory), etc.).
- the program may be provided to a computer using any type of transitory computer readable medium.
- Examples of the transitory computer readable medium include electric signals, optical signals, and electromagnetic waves.
- the transitory computer readable medium can provide the program to a computer via a wired communication line such as an electric wire or optical fiber or a wireless communication line.
Abstract
A purpose of the present disclosure is to provide a communication system that is capable of maintaining a high security level in each divided network in the case of applying network slicing to a core network. A communication system according to the present disclosure includes a subscriber-information management apparatus (10) configured to manage subscriber information of a communication terminal; and a security apparatus (20) configured to manage identification information of the communication terminal in association with security information used in at least one network slice system usable by the communication terminal. The subscriber-information management apparatus (10) acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus (20).
Description
- The present disclosure relates to a communication system, a subscriber-information management apparatus, an information acquisition method, and a program, and relates to, for example, a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that perform security processing.
- In recent years, internet-of-things (IoT) services have been studied. For IoT services, a large number of terminals that autonomously communicate without user operation (hereinafter, referred to as IoT terminals) are used. For this reason, in order for service providers to provide IoT services using a large number of IoT terminals, it is desired to efficiently accommodate a large number of IoT terminals in networks managed by network operators or the like.
- Non Patent Literature 1 discloses, in Annex B, the configuration of a core network to which network slicing is applied. Network slicing is a technique for dividing a core network per provided service in order to efficiently accommodate a large number of IoT terminals. Non Patent Literature 1 further discloses, in Section 5.1, that each divided network (network slice system) needs to be customized or optimized.
- On the other hand, Non Patent Literature 2 discloses, in Section 6.2, the configuration of a key used for security processing in Evolved packet system (EPS). Specifically, a universal subscriber identity module (USIM) and an authentication center (AuC) each have a master key K. The USIM and the AuC each generate a confidentiality key (CK) and an integrity key (IK) with the master key K.
- Then, a user equipment (UE) and a home subscriber server (HSS) each generate a key KASME with the CK, the IK, and a serving network identity (SNID). An SNID is an ID for identifying a network operator. Then, the UE and a mobility management entity (MME) each generate, with the key KASME, a key used for security processing in a core network and a radio access network.
- In EPS, security processing, such as encryption of messages and prevention of message tampering (assurance of message integrity), is performed with the keys generated in this manner.
- [Non Patent Literature 1] 3GPP TR23.799 V0.2.0 (2016 February) Annex B, 5.1 Key issue 1: Support of network slicing
- [Non Patent Literature 2] 3GPP TS 33.401 V13.2.0 (2016 March) 6.2 EPS key hierarchy
- When the network slicing disclosed in Non Patent Literature 1 is applied, keys different in each network slice system can be used to enhance the independency of each network slice system and to improve the security. However, the configuration of the key disclosed in Non Patent Literature 2 shows that a UE uses one key KASME in a core network. Thus, even if the configuration of the key disclosed in Non Patent Literature 2 is used for a core network to which network slicing is applied, keys different in each network slice system cannot be generated. Accordingly, it is difficult to enhance the independency of each network slice system and to improve the security.
- A purpose of the present disclosure is to provide a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that are capable of maintaining a high security level in each divided network (network slice system) in the case of applying network slicing to a core network.
- A communication system according to a first exemplary aspect of the present disclosure includes a subscriber-information management apparatus configured to manage subscriber information of a communication terminal; and a security apparatus configured to manage identification information of the communication terminal in association with security information used in at least one network slice system usable by the communication terminal, wherein the subscriber-information management apparatus acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- A subscriber-information management apparatus according to a second exemplary aspect of the present disclosure includes a communication means for communicating with a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal; and a management means for managing identification information of the network slice system associated with the security apparatus, wherein the communication means acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- An information acquisition method according to a third exemplary aspect of the present disclosure includes managing a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal, and identification information of the network slice system associated with the security apparatus; and acquiring, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- A program for causing a computer to execute according to a fourth exemplary aspect of the present disclosure includes managing a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal, and identification information of the network slice system associated with the security apparatus; and acquiring, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
- According to the present disclosure, it is possible to provide a communication system, a subscriber-information management apparatus, an information acquisition method, and a program that are capable of maintaining a high security level in each divided network (network slice system) in the case of applying network slicing to a core network.
-
FIG. 1 is a diagram showing a configuration of a communication system according to a first embodiment. -
FIG. 2 is a diagram showing a configuration of a communication system according to a second embodiment. -
FIG. 3 is a diagram showing a configuration of an AuC according to the second embodiment. -
FIG. 4 is a diagram showing information managed by the AuC according to the second embodiment. -
FIG. 5 is a diagram showing a configuration of an HSS according to the second embodiment. -
FIG. 6 is a diagram showing information managed by the HSS according to the second embodiment. -
FIG. 7 is a diagram showing a configuration of a UE according to the second embodiment. -
FIG. 8 is a diagram showing a procedure of Attach processing according to the second embodiment. -
FIG. 9 is a diagram showing a procedure of AKA processing according to the second embodiment. -
FIG. 10 is a diagram explaining derivation of a service key by the AuC according to the second embodiment. -
FIG. 11 is a diagram explaining derivation of a service key by the UE according to the second embodiment. -
FIG. 12 is a diagram showing information managed by the AuC according to the second embodiment. -
FIG. 13 is a diagram showing a configuration of a communication system according to a third embodiment. -
FIG. 14 is a diagram showing a configuration of the UE according to each embodiment. -
FIG. 15 is a diagram showing a configuration of the AuC and the HSS according to each embodiment. - Hereinafter, embodiments of the present disclosure are described with reference to the drawings. A communication system in
FIG. 1 includes a subscriber-information management apparatus 10 and asecurity apparatus 20. The subscriber-information management apparatus 10 and thesecurity apparatus 20 may be a computer apparatus that operates by a processor executing a program stored in a memory. - The subscriber-
information management apparatus 10 manages subscriber information of at least one communication terminal. The communication terminal may be, for example, a mobile phone terminal, a smartphone terminal, a computer apparatus having a communication function, or the like. The communication terminal may be an IoT terminal, a machine-to-machine (M2M) terminal, a machine-type-communication (MTC) terminal, or the like. - The subscriber information may be, for example, contract information related to a user using the communication terminal, position information of the communication terminal, information for identifying the communication terminal, or the like.
- The
security apparatus 20 manages information for identifying the communication terminal (identification information of the communication terminal) in association with security information used in at least one network slice system usable by the communication terminal. The security information is unique information for each network slice system. The security information may be key information used to authenticate the communication terminal. The security information may be key information used to encrypt data or to perform integrity assurance processing, or the like. The security information may be a master key used to generate key information used for authentication or encryption. The security information may be a security algorithm used to perform security processing, or the like. - The subscriber-
information management apparatus 10 acquires, using the identification information of the communication terminal and the identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from thesecurity apparatus 20. - As described above, the communication system in
FIG. 1 enables the subscriber-information management apparatus 10 to acquire the security information used in the network slice system used by the communication terminal. This enables the subscriber-information management apparatus 10 to use different security information in each network slice system used by the communication terminal. As a result, it is possible to enhance the independency of each network slice system and to improve the security of the core network as a whole. - A configuration example of a communication system according to a second embodiment of the present disclosure is described with reference to
FIG. 2 . The communication system inFIG. 2 includes acore network 100, a 5G radio access network (RAN) 80, and a user equipment (UE) 90. Thecore network 100 may be, for example, a network defined in 3rd Generation Partnership Project (3GPP). - The term “UE” is used as a general term for communication terminals in 3GPP. Although one
UE 90 is shown inFIG. 2 , the communication system inFIG. 2 may include a plurality ofUEs 90. - The
5G RAN 80 is a network that provides a radio channel to theUE 90. The5G RAN 80 may include, for example, a base station, and further include a base-station control apparatus that controls the base station, or the like. The5G RAN 80 is, for example, a next-generation RAN that achieves a low-delay and broadband radio frequency, or the like. The term “5G RAN” is used as a RAN used in a next generation, but the name of the RAN used in a next generation is not limited to “5G RAN”. - A configuration example of the
core network 100 is described. Thecore network 100 includes a home subscriber server (HSS) 30, an authentication center (AuC) 40, anAuC 50, anAuC 60, a control plane function (CPF) entity 70 (hereinafter, referred to as a CPF 70), a network slice (NS)system 110, anNS system 120, and anNS system 130. The AuCs may be in the same apparatus as theHSS 30, and some functions of the AuCs may be implemented in theHSS 30. Alternatively, the each AuC may be in each NS system. - The
HSS 30 is equivalent to the subscriber-information management apparatus 10 in FIG. 1. The HSS 30 manages subscriber information of the UE 90. The HSS 30 may be replaced with a home location register (HLR). The HSS 30 has a key management function. The HSS 30 transmits key information to each NS system. The key management function is for managing which node apparatus or which NS system the key information of a UE has been transmitted to. The key management function is also for managing the type or the like of the key information transmitted to a node apparatus or an NS system. The HSS 30 may have a part of the key management function, and an apparatus different from the HSS 30 may have the other part. Alternatively, an apparatus different from the HSS 30 may have all of the key management function.
- The AuC 40, the AuC 50, and the AuC 60 (hereinafter referred to as the AuC 40 and the like) are each equivalent to the security apparatus 20 in FIG. 1. The AuC 40 and the like each manage key information used for security processing for the UE 90. The AuC 40 and the like each further manage a parameter related to the security processing for the UE 90. The parameter related to the security processing is, for example, a parameter used for integrity assurance processing, confidentiality processing, or encryption processing in a non-access stratum (NAS). The NAS is a layer used for communication between the UE 90 or the like and the core network 100. The parameter related to the security processing may be a parameter used for integrity assurance processing, confidentiality processing, or encryption processing in an access stratum (AS). The AS is a layer used for communication between the 5G RAN 80 and the UE 90.
- The parameter related to the security processing may be a parameter defining the length of a key. The length of a key is represented by, for example, the number of bits. The parameter related to the security processing may be a parameter indicating an encryption algorithm, a key generation algorithm, an authentication algorithm, or the like.
- The CPF 70 is an apparatus that processes C-Plane data related to the UE 90 in the core network 100. The C-Plane data may be referred to as control data. The CPF 70 is an apparatus that processes control data, and may be referred to as a control apparatus. In addition, the CPF 70 may have a function equivalent to a mobility management entity (MME) defined in 3GPP.
- The NS system 110 is a communication system used to provide a service different from those of the NS system 120 and the NS system 130. The NS system 120 is a communication system used to provide a service different from that of the NS system 130. The service provided by each NS system may be, for example, an automatic driving service, a service related to a smart meter, a vending-machine management service, or the like. The services provided by the NS systems are not limited to these services, and various services are provided.
- FIG. 2 shows that the CPF 70 is disposed in the core network 100 and does not belong to any of the NS system 110, the NS system 120, and the NS system 130. However, the CPF 70 may belong to any one of the NS system 110, the NS system 120, and the NS system 130, or may be included in each of the NS system 110, the NS system 120, and the NS system 130.
- Next, a configuration example of the AuC 40 according to the second embodiment of the present disclosure is described with reference to FIG. 3. The AuC 50 and the AuC 60 each have a configuration similar to that of the AuC 40. The AuC 40 includes a communication unit 41, a security-information management unit 42, and an NS-key generation unit 43. The communication unit 41 may be a transmitter and a receiver.
- The communication unit 41, the security-information management unit 42, and the NS-key generation unit 43 may be software or a module that performs processing by a processor executing a program stored in a memory. The communication unit 41, the security-information management unit 42, and the NS-key generation unit 43 may be hardware such as a circuit or a chip.
- The communication unit 41 transmits data mainly to the HSS 30.
- The security-information management unit 42 manages the security information associated with each UE 90. Here, the information managed by the security-information management unit 42 is described with reference to FIG. 4. The security-information management unit 42 manages an international mobile subscriber identity (IMSI), a network slice identity (NSID), and a master key K in association with each other. The IMSI is identification information used to identify the UE 90. The NSID is identification information used to identify the NS system.
- FIG. 4 shows that the UE, the IMSI of which is 001, can use the NS system 110 and the NS system 120. FIG. 4 further shows that a master key Ka_001 used for the security processing in the NS system 110 and a master key Kb_001 used for the security processing in the NS system 120 are assigned to the UE, the IMSI of which is 001. With the UE, the IMSI of which is 002, usable NS systems and master keys K used for the security processing in those NS systems are likewise associated.
- Although FIG. 4 shows that the security-information management unit 42 manages master keys related to a plurality of NS systems, the security-information management unit 42 may manage a master key related to one NS system. For example, the AuC 40 may be used as an apparatus that manages the master key K related to the NS system 110. In this case, the security-information management unit 42 need not manage information related to the NSID, and may manage the IMSI and the master key K in association with each other.
- Returning to FIG. 3, the NS-key generation unit 43 generates a service key Ksv used in each NS system with the master key K. For example, the NS-key generation unit 43 generates, with the master key Ka_001, a service key Ksv-A used in the NS system 110 by the UE, the IMSI of which is 001. The NS-key generation unit 43 further generates, with the master key Kb_001, a service key Ksv-B used in the NS system 120 by the UE, the IMSI of which is 001. Similarly, the NS-key generation unit 43 generates a service key Ksv used by the UE, the IMSI of which is 002.
- A configuration example of the HSS 30 according to the second embodiment of the present disclosure is described with reference to FIG. 5. The HSS 30 includes a communication unit 31 and an information management unit 32. The communication unit 31 and the information management unit 32 may be software or a module that performs processing by a processor executing a program stored in a memory. Alternatively, the communication unit 31 and the information management unit 32 may be hardware such as a circuit or a chip. The communication unit 31 may be a transmitter and a receiver.
- The communication unit 31 transmits data to the AuC 40, the AuC 50, and the AuC 60. The communication unit 31 further transmits data to a node apparatus constituting the NS system 110, a node apparatus constituting the NS system 120, and a node apparatus constituting the NS system 130.
- The information management unit 32 manages information in which the AuC 40 and the like are associated with the NS systems. Here, the information managed by the information management unit 32 is described with reference to FIG. 6. FIG. 6 shows that the AuC 40 is associated with the NS system 110 to the NS system 130, and that the AuC 50 is associated with the NS system 140 to the NS system 160. The association of the AuC 40 with the NS system 110 to the NS system 130 means that the AuC 40 manages the master key K used by each UE for the security processing in the NS system 110 to the NS system 130.
- A configuration example of the UE 90 according to the second embodiment of the present disclosure is described with reference to FIG. 7. The UE 90 includes a communication unit 91 and an NS-key generation unit 92. The communication unit 91 and the NS-key generation unit 92 may be software or a module that performs processing by a processor executing a program stored in a memory. Alternatively, the communication unit 91 and the NS-key generation unit 92 may be hardware such as a circuit or a chip. The communication unit 91 may be a transmitter and a receiver.
- The communication unit 91 transmits data mainly to a base station constituting the 5G RAN 80, or the like.
- The NS-key generation unit 92 generates, with the master key K, a service key Ksv used in each NS system. For example, it is assumed that the NS-key generation unit 92 can use the NS system 110 and the NS system 120. In this case, the NS-key generation unit 92 generates a service key Ksv-A used in the NS system 110 with the master key Ka_001, and generates a service key Ksv-B used in the NS system 120 with the master key Kb_001.
- For example, the communication unit 91 may include a plurality of SIMs, and manage a different master key K for each SIM. In addition, each SIM may be associated with any one of the NS systems.
- A procedure of Attach processing related to the UE 90 according to the second embodiment of the present disclosure is described with reference to FIG. 8.
- First, the UE 90 starts processing for connecting to the 5G RAN 80 (S11). For example, the UE 90 connects via a radio communication channel to a base station disposed in the 5G RAN 80 in order to communicate with that base station.
- Then, the UE 90 transmits an Attach request message to the CPF 70 via the 5G RAN 80 (S12). The UE 90 uses a service provided by, for example, the NS system 110. In this case, the UE 90 transmits an Attach request message, in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set, to the CPF 70. The UE 90 may set a plurality of NSIDs.
- Then, authentication-and-key-agreement (AKA) processing is performed among the UE 90, the CPF 70, the HSS 30, and the AuC 40 (S13). By performing the AKA processing in step S13, it is possible for the UE 90 and the HSS 30 to confirm that the service key Ksv-A generated by the UE 90 matches the service key Ksv-A generated by the AuC 40. When the UE 90 has set a plurality of NSIDs in the Attach request message, a service key Ksv is generated for each NS system. In this case, it is confirmed in the AKA processing in step S13 that the service key Ksv generated for each NS system by the UE 90 matches the service key Ksv generated for each NS system by the AuC 40. The service key Ksv may be authenticated by performing processing other than the AKA processing among the UE 90, the CPF 70, the HSS 30, and the AuC 40.
- After the AKA processing in step S13 is performed, the UE 90 can use, with the service key Ksv-A, the service provided by the NS system 110. For example, when the UE 90 accesses an apparatus included in the NS system 110, the UE 90 may transmit password information input by a user operating the UE 90, or the like, to the apparatus included in the NS system 110. The apparatus included in the NS system 110 may provide the service to the UE 90 when the correctness of the transmitted password is confirmed.
- Alternatively, the apparatus included in the NS system 110 may hold the service key Ksv-A related to the UE 90 in advance. For example, the apparatus included in the NS system 110 may acquire the service key Ksv-A from the HSS 30 or the AuC 40. The apparatus included in the NS system 110 may perform the AKA processing and provide the service to the UE 90 when the service key Ksv-A held by the apparatus itself matches the service key Ksv-A held by the UE 90.
- FIG. 8 shows that the UE 90 transmits an Attach request message, in which the IMSI of the UE 90 and the NSID indicating the NS system 110 are set, to the CPF 70 in step S12. On the other hand, when the number of NS systems usable by the UE 90 is one, and the NS system usable by the UE 90 is managed by the HSS 30 as subscriber information, the UE 90 may transmit an Attach request message in which the IMSI alone is set to the CPF 70. When the number of NS systems usable by the UE 90 is more than one, the UE 90 transmits an Attach request message, in which the IMSI and the identification information of the NS systems to be used are set, to the CPF 70.
- The AKA processing in step S13 in FIG. 8 is described in detail with reference to FIG. 9. First, the CPF 70 transmits an Authentication data request message to the HSS 30 (S21). The Authentication data request message contains the international mobile subscriber identity (IMSI) of the UE 90 and the NSID indicating an NS system that the UE 90 desires to use. The NSID is, for example, the identification information indicating the NS system 110.
- Then, the HSS 30 transmits an Auth data create request message to the AuC 40 (S22). The Auth data create request message contains the IMSI of the UE 90 and the NSID indicating the NS system that the UE 90 desires to use. It is assumed that the NSID is the identification information indicating the NS system 110 in FIG. 9. The HSS 30 can identify, using the information shown in FIG. 6, the AuC associated with the NSID specified by the UE 90. Here, the HSS 30 has received the NSID indicating the NS system 110. Thus, the HSS 30 can identify, using the information shown in FIG. 6, the transmission destination of the Auth data create request message as the AuC 40. When the UE 90 does not specify the NSID, the HSS 30 identifies the AuC associated with a default NS system determined in advance. The default NS system may be determined for each UE in advance, or may be determined in accordance with a priority managed by the HSS 30. The priority may be determined for each UE.
- It is assumed that the number of NS systems usable by the UE 90 is one, and that the HSS 30 manages the information associating the IMSI of the UE 90 with the NS system usable by the UE 90 as subscriber information. In this case, the HSS 30 can identify, with the IMSI transmitted from the CPF 70, the NS system usable by the UE 90. In some cases, the HSS 30 manages a plurality of NSIDs connectable by the UE 90 as subscriber data. In such a case, the HSS 30 may repeatedly transmit Auth data create request messages to the AuC 40 and the like corresponding to all the NSIDs indicated by the subscriber data.
- Then, the AuC 40 derives the service key Ksv-A with a key derivation function (KDF) (S23). Here, the processing of the NS-key generation unit 43 of the AuC 40 for deriving a service key Ksv with the KDF is described with reference to FIG. 10.
- FIG. 10 shows that an expected response (XRES), an authentication token (AUTN), and a service key Ksv are output as a result of inputting the master key K, the NSID, a random number (RAND), and a sequence number (SQN) to the KDF. The KDF is, for example, a derivation function such as HMAC-SHA-256. Here, the master key K input to the KDF is assumed to be the master key Ka associated with the NS system 110. The service key Ksv output from the KDF is assumed to be the service key Ksv-A used in the NS system 110.
- Returning to FIG. 9, the AuC 40 transmits an Auth data create response message to the HSS 30 (S24). The Auth data create response message contains a RAND, an XRES, a Ksv-A, a Ksv-A_ID, and an AUTN. The RAND contained in an Authentication data response message is the same as the RAND used as the input parameter when the Ksv-A and the like are generated in step S23. The XRES, the Ksv-A, and the AUTN are the same as the XRES, the Ksv-A, and the AUTN generated in step S23. The Ksv-A_ID is identification information identifying the Ksv-A. When the HSS 30 repeatedly transmits the Auth data create request messages to a plurality of AuCs, the HSS 30 confirms that all the AuCs return the respective corresponding Auth data create response messages, and then sets the RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN contained in each Auth data create response message in an Authentication data response message for each corresponding NSID.
- Then, the HSS 30 transmits an Authentication data response message to the CPF 70 (S25). The Authentication data response message contains the RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN contained in the Auth data create response message transmitted in step S24. In some cases, the RAND, the XRES, the Ksv-A, the Ksv-A_ID, and the AUTN are set for each NSID.
- Then, the CPF 70 transmits an Authentication request message to the UE 90 via a 5G RAN 42 (S26). The Authentication request message contains a RAND, an AUTN, and a Ksv-A_ID. The RAND, the AUTN, and the Ksv-A_ID are the RAND, the AUTN, and the Ksv-A_ID received from the HSS 30 in step S25. When the UE 90 has set a plurality of NSIDs in the Attach request message (S12), the RAND, the AUTN, and the Ksv-A_ID are set for each NSID.
- Then, the UE 90 derives the service key Ksv-A with the KDF (S27). Here, the processing of the NS-key generation unit 92 of the UE 90 for deriving the service key Ksv with the KDF is described with reference to FIG. 11.
- FIG. 11 shows that a response (RES), an SQN, and a service key Ksv are output as a result of inputting the master key K, the NSID, the RAND, and the AUTN to the KDF. The KDF is, for example, a derivation function such as HMAC-SHA-256. Here, the master key K input to the KDF is assumed to be the master key Ka associated with the NS system 110. The service key Ksv output from the KDF is assumed to be the service key Ksv-A used in the NS system 110. Note that it is assumed that an NS system accessible by the UE 90 is determined in advance, and that the UE 90 holds the NSID of that NS system in advance.
- Returning to FIG. 9, the UE 90 transmits an Authentication response message to the CPF 70 via the 5G RAN 80 (S28). The Authentication response message contains a RES. The RES contained in the Authentication response message is the same as the RES generated in step S27. When a plurality of NSIDs has been set in the Authentication request message (S26), the RES is set for each NSID.
- Then, the CPF 70 compares the XRES contained in the Authentication data response message received in step S25 with the RES contained in the Authentication response message received in step S28 (S29). When the RES matches the XRES in step S29, the CPF 70 can determine that the Ksv-A generated by the AuC 40 matches the Ksv-A generated by the UE 90. When a plurality of NSIDs is handled, the CPF 70 compares the RES with the XRES for each NSID. When the RES has matched the XRES, the CPF 70 notifies the HSS 30 that the RES has matched the XRES, or that the authentication for the Ksv-A has succeeded. The HSS 30 then transmits the Ksv-A_ID and the Ksv-A to the NS system 110.
- Next, the case in which an error occurs in the AKA processing related to the UE 90 is described. For example, when the UE 90 cannot use the NSID set in an Auth data create request message, the AuC 40 transmits, to the HSS 30, an Auth data create error message containing a cause value “No subscription to Network slice” as the response message corresponding to the Auth data create request message. The HSS 30 transmits, to the CPF 70, an Authentication data reject message containing the cause value “No subscription to Network slice”. In addition, the CPF 70 transmits, to the UE 90, an Authentication failure message containing a cause value “Access to Network slice not allowed”. In this case, the UE 90 records the fact that the NSID set in the Attach request message (S12) is not provided in the operator network. Furthermore, the UE 90 may set another NSID and perform the ATTACH procedure for the same operator network in this case.
- When the authentication in step S29 has failed, the CPF 70 transmits, to the UE 90, an Authentication failure message containing a cause value “Network Slice Authentication failed”. In this case, the UE 90 records the fact that the NSID set in the Attach request message (S12) is not provided in the operator network. Furthermore, the UE 90 may set another NSID and perform the ATTACH procedure for the same operator network in this case.
- In addition, the operation when authentication has been performed for a plurality of NSIDs but has succeeded for only some of them is described. In this case, the CPF 70 either regards the authentication as having failed and notifies and urges the UE 90 to perform re-ATTACH, or allows the authorized NSIDs to connect. The operation for each case is as follows.
- The case in which the CPF 70 regards the authentication as having failed, and notifies and urges the UE 90 to perform re-ATTACH:
- The CPF 70 transmits, to the UE 90, an Authentication failure message containing a cause value “Network Slice Authentication failed”. In this case, the CPF 70 may set, in the Authentication failure message, an “Authentication status list” indicating the authentication result state of each NSID. In this case, the UE 90 may set the partially authorized NSIDs and perform the ATTACH procedure for the same operator network.
- The case in which the CPF 70 allows the authorized NSIDs to connect:
- The CPF 70 may regard the authorization as having partially succeeded and transmit, to the UE 90, an Authentication response message containing a cause value “Network Slice Authentication partially failed”. In this case, the CPF 70 may set, in the Authentication response message, an “Authentication status list” indicating the authentication result state of each NSID. In this case, the UE 90 recognizes that the authentication for the partially authenticated NSIDs has succeeded, and may use the services provided by the partially authenticated Network Slices.
- Next, the operation when the authorization for the NSID set by the UE 90 in the Attach request message (S12) has succeeded is described. The CPF 70 may notify the network slice system shown in FIG. 2 of the authorized service key Ksv. In addition, the network slice system may further generate, with the service key Ksv, a necessary service key. The network slice system shown in FIG. 2 may further perform an authentication operation in cooperation with the HSS 30.
- Furthermore, the HSS 30 may manage the IMSI of the UE 90 in association with the NSID usable by the UE 90. In this case, the HSS 30 receives an Authentication data request message in step S21. When the UE 90 cannot use the NSID set in the Authentication data request message, the HSS 30 transmits an error message as the response message corresponding to the Authentication data request message. The HSS 30 can request association data from each AuC. When updating the association data, each AuC can transmit the updated data to the HSS 30. For example, each AuC may manage the IMSI, the NSID, and the access right in association with each other as shown in FIG. 12. The association data is, for example, data in which the IMSI, the NSID, and the access right are associated with each other as shown in FIG. 12. FIG. 12 shows that the UE, the IMSI of which is 003, can access the NS system 110, but cannot access the NS system 120 and the NS system 130. FIG. 12 further shows that the UE, the IMSI of which is 004, can access the NS system 140 and the NS system 150, but cannot access the NS system 160. When updating the data shown in FIG. 12, each AuC transmits the updated data to the HSS 30.
- Next, a configuration example of a communication system according to a third embodiment of the present disclosure is described with reference to FIG. 13. FIG. 13 shows that a UE 95 moves from a home public land mobile network (HPLMN) 101, which is a home network, to a visited public land mobile network (VPLMN) 102. In other words, FIG. 13 shows that the UE 95 roams from the HPLMN 101 to the VPLMN 102.
- The HPLMN 101 includes an HSS 35, an AuC 51, an AuC 52, a CPF 71, a diameter edge agent (DEA) 72, an NS system 111, and an NS system 112. The UE 95 communicates with the HPLMN 101 via a 5G RAN 81. The VPLMN 102 includes an HSS 36, an AuC 61, an AuC 62, a CPF 73, a DEA 74, an NS system 121, and an NS system 122. The UE 95 communicates with the VPLMN 102 via a 5G RAN 82. The DEA 72 and the DEA 74 are apparatuses that relay Diameter signals. The configurations other than the DEA 72 and the DEA 74 are similar to those of the communication network shown in FIG. 2.
- When the UE 95 moves from the HPLMN 101 to the VPLMN 102, Attach processing is performed in the VPLMN 102. In this case, the UE 95 connects to the CPF 73 via the 5G RAN 82, similarly to the Attach processing described in steps S11 and S12 in FIG. 8.
- Then, the CPF 73 determines, as a result of the inquiry to the HSS 36 in step S13 in FIG. 8, that the UE 95 is a roaming terminal that uses the HPLMN 101 as its home network. Thus, the CPF 73 connects to the CPF 71 via the DEA 74 and the DEA 72. The UE 95 performs the AKA processing with the CPF 71 via the CPF 73, the DEA 74, and the DEA 72. It is assumed that the UE 95 desires to use, for example, a service provided by the NS system 111 in the HPLMN 101. In this case, the UE 95 may perform the AKA processing with the CPF 71, and communicate with the NS system 111 via, for example, the NS system 121 after the authentication has been completed.
- The VPLMN 102 may determine the NS system 121 as an NS system usable by the roaming terminal in advance. Alternatively, an NS system in the VPLMN 102 corresponding to the NS system 111 in the HPLMN 101 and an NS system in the VPLMN 102 corresponding to the NS system 112 in the HPLMN 101 may be determined in advance. For example, the NS system 111 in the HPLMN 101 may be associated with the NS system 121 in the VPLMN 102, and the NS system 112 in the HPLMN 101 may be associated with the NS system 122 in the VPLMN 102.
- As described above, although the UE 95 roams from the HPLMN 101 to the VPLMN 102, it is possible for the UE 95 to access an NS system in the HPLMN 101 via the VPLMN 102.
- Configuration examples of the UE 90, the AuCs 40 to 60 and the HSS 30 described in the plurality of embodiments above are described hereinafter.
- FIG. 14 is a block diagram showing a configuration example of the UE 90 and the UE 95. A Radio Frequency (RF) transceiver 1101 performs analog RF signal processing for communication with the 5G RANs. The analog RF signal processing performed by the RF transceiver 1101 includes frequency up-conversion, frequency down-conversion, and amplification. The RF transceiver 1101 is connected to an antenna 1102 and a baseband processor 1103. Specifically, the RF transceiver 1101 receives modulated symbol data (or OFDM symbol data) from the baseband processor 1103, generates a transmission RF signal, and supplies the transmission RF signal to the antenna 1102. Further, the RF transceiver 1101 generates a baseband received signal based on a received RF signal received by the antenna 1102 and supplies it to the baseband processor 1103.
- The baseband processor 1103 performs digital baseband signal processing (data plane processing) and control plane processing for radio communications. The digital baseband signal processing includes (a) data compression/decompression, (b) data segmentation/concatenation, (c) transmission format (transmission frame) composition/decomposition, (d) transmission path encoding/decoding, (e) modulation (symbol mapping)/demodulation, and (f) OFDM symbol data (baseband OFDM signal) generation by Inverse Fast Fourier Transform (IFFT), and the like. On the other hand, the control plane processing includes communication management of Layer 1 (e.g., transmission power control), Layer 2 (e.g., radio resource management and hybrid automatic repeat request (HARQ) processing), and Layer 3 (e.g., attach, mobility, and signaling related to call management).
- For example, in the case of LTE and LTE-Advanced, the digital baseband signal processing by the baseband processor 1103 may include signal processing of the Packet Data Convergence Protocol (PDCP) layer, Radio Link Control (RLC) layer, MAC layer, and PHY layer. Further, the control plane processing by the baseband processor 1103 may include processing of the Non-Access Stratum (NAS) protocol, RRC protocol, and MAC CE.
- The baseband processor 1103 may include a modem processor (e.g., Digital Signal Processor (DSP)) that performs digital baseband signal processing and a protocol stack processor (e.g., Central Processing Unit (CPU) or Micro Processing Unit (MPU)) that performs control plane processing. In this case, the protocol stack processor that performs control plane processing may be made common to an application processor 1104, which is described below.
- The application processor 1104 is also called a CPU, an MPU, a microprocessor or a processor core. The application processor 1104 may include a plurality of processors (a plurality of processor cores). The application processor 1104 implements each function of the UE 90 and the UE 95 by running a system software program (Operating System (OS)) and various application programs (e.g., call application, web browser, mailer, camera control application, music playback application, etc.) read from a memory 1106 or a memory which is not shown.
- In several implementations, as shown by the dotted line (1105) in FIG. 24, the baseband processor 1103 and the application processor 1104 may be integrated into one chip. In other words, the baseband processor 1103 and the application processor 1104 may be implemented as one System on Chip (SoC) device 1105. The SoC device is also called a system Large Scale Integration (LSI) or a chip set in some cases.
- The memory 1106 is a volatile memory, a nonvolatile memory, or a combination of them. The memory 1106 may include a plurality of memory devices that are physically independent of one another. The volatile memory is a Static Random Access Memory (SRAM), a Dynamic RAM (DRAM), or a combination of them, for example. The nonvolatile memory is a mask Read Only Memory (MROM), an Electrically Erasable Programmable ROM (EEPROM), a flash memory, a hard disk drive, or a combination of them, for example. For example, the memory 1106 may include an external memory device that is accessible from the baseband processor 1103, the application processor 1104 and the SoC 1105. The memory 1106 may include an internal memory device that is integrated into the baseband processor 1103, the application processor 1104 or the SoC 1105. Further, the memory 1106 may include a memory in a Universal Integrated Circuit Card (UICC).
- The memory 1106 may store a software module (computer program) containing a group of instructions and data for performing the processing by the UE 90 and the UE 95 described in the above plurality of embodiments. In several implementations, the baseband processor 1103 or the application processor 1104 may be configured to perform the processing of the UE 90 and the UE 95 described in the above embodiments by reading the software module from the memory 1106 and executing it.
- FIG. 15 is a block diagram showing a configuration example of the AuC 40, the AuC 50, the AuC 51, the AuC 52, the AuC 60, the AuC 61, the AuC 62, the HSS 30, the HSS 35, and the HSS 36 (hereinafter referred to as the AuC 40 and the like). Referring to FIG. 15, the AuC 40 and the like each include a network interface 1201, a processor 1202, and a memory 1203. The network interface 1201 is used to communicate with network nodes (e.g., the radio communication device 21). The network interface 1201 may include a network interface card (NIC) that complies with the IEEE 802.3 series, for example.
- The processor 1202 reads and runs software (computer program) from the memory 1203 and thereby executes the processing of the AuC 40 and the like that is described with reference to the sequence charts and the flowcharts in the embodiments described above. The processor 1202 may be a microprocessor, an MPU or a CPU, for example. The processor 1202 may include a plurality of processors.
- The memory 1203 is a combination of a volatile memory and a nonvolatile memory. The memory 1203 may include a storage that is placed apart from the processor 1202. In this case, the processor 1202 may access the memory 1203 through an I/O interface, which is not shown.
- In the example of FIG. 15, the memory 1203 is used to store a group of software modules. The processor 1202 reads and runs the group of software modules from the memory 1203 and can thereby perform the processing of the AuC 40 and the like described in the above embodiments.
- As described with reference to FIGS. 14 and 15, each of the processors included in the UE 90, the UE 95, the AuC 40, the AuC 50, the AuC 51, the AuC 52, the AuC 60, the AuC 61, the AuC 62, the HSS 30, the HSS 35 and the HSS 36 runs one or a plurality of programs including a group of instructions for causing a computer to perform the algorithms described using the drawings. The program can be stored and provided to the computer using any type of non-transitory computer readable medium. The non-transitory computer readable medium includes any type of tangible storage medium. Examples of the non-transitory computer readable medium include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g., magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, DVD-ROM (Digital Versatile Disc Read Only Memory), DVD-R (DVD Recordable), DVD-R DL (DVD-R Dual Layer), DVD-RW (DVD ReWritable), DVD-RAM, DVD+R, DVD+R DL, DVD+RW, BD-R (Blu-ray (registered trademark) Disc Recordable), BD-RE (Blu-ray (registered trademark) Disc Rewritable), BD-ROM, and semiconductor memories (such as mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory), etc.). The program may be provided to a computer using any type of transitory computer readable medium. Examples of the transitory computer readable medium include electric signals, optical signals, and electromagnetic waves. The transitory computer readable medium can provide the program to a computer via a wired communication line such as an electric wire or optical fiber, or via a wireless communication line.
- It should be noted that the present invention is not limited to the above-described embodiments and may be varied in many ways within the scope of the present invention. Further, in this disclosure, embodiments can be combined as appropriate.
- While the disclosure has been particularly shown and described with reference to embodiments thereof, the disclosure is not limited to these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present disclosure as defined by the claims.
- This application is based upon and claims the benefit of priority from Japanese patent application No. 2016-140760 filed on Jul. 15, 2016, the disclosure of which is incorporated herein in its entirety by reference.
- 10 Subscriber-information management apparatus
- 20 Security apparatus
- 30 HSS
- 31 Communication unit
- 32 Information management unit
- 35 HSS
- 36 HSS
- 40 AuC
- 41 Communication unit
- 42 Security-information management unit
- 43 NS-key generation unit
- 50 AuC
- 51 AuC
- 52 AuC
- 60 AuC
- 61 AuC
- 62 AuC
- 70 CPF
- 71 CPF
- 72 DEA
- 73 CPF
- 74 DEA
- 80 5G RAN
- 81 5G RAN
- 82 5G RAN
- 90 UE
- 91 Communication unit
- 92 NS-key generation unit
- 95 UE
- 100 Core network
- 101 HPLMN
- 102 VPLMN
- 110 NS system
- 111 NS system
- 112 NS system
- 120 NS system
- 121 NS system
- 122 NS system
- 130 NS system
Claims (13)
1. A subscriber-information management apparatus comprising:
at least one memory storing instructions, and
at least one processor configured to execute the instructions to:
communicate with a security apparatus that manages identification information of a communication terminal in association with security information used in at least one network slice system usable by the communication terminal,
manage identification information of the network slice system associated with the security apparatus, and
acquire, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus.
2. The subscriber-information management apparatus according to claim 1, wherein
when the security apparatus manages the security information used in the at least one network slice system,
the subscriber-information management apparatus transmits the identification information of the communication terminal to the security apparatus and acquires the security information from the security apparatus.
3. The subscriber-information management apparatus according to claim 1, wherein
when the security apparatus manages first security information used in a first network slice system and second security information used in a second network slice system,
the subscriber-information management apparatus transmits the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal to the security apparatus and acquires the first security information or the second security information from the security apparatus.
4. The subscriber-information management apparatus according to claim 3,
wherein the subscriber-information management apparatus manages the identification information of the network slice system associated with the security apparatus and transmits, when the identification information of the network slice system used by the communication terminal is transmitted from the communication terminal, the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal to the security apparatus associated with the network slice system.
5. The subscriber-information management apparatus according to claim 4,
wherein the subscriber-information management apparatus acquires, when managing the identification information of the communication terminal in association with identification information of one network slice system usable by the communication terminal, the security information from the security apparatus using the identification information of the communication terminal transmitted from the communication terminal.
6. The subscriber-information management apparatus according to claim 1,
wherein the security apparatus determines, based on information associating the identification information of the communication terminal with identification information of the at least one network slice system usable by the communication terminal, whether to transmit the security information to the subscriber-information management apparatus.
7. The subscriber-information management apparatus according to claim 1,
wherein the subscriber-information management apparatus receives, via a control apparatus disposed in a core network and not in any network slice system, the identification information of the communication terminal and the identification information of the network slice system used by the communication terminal from the communication terminal or receives the identification information of the communication terminal from the communication terminal.
8. (canceled)
9. (canceled)
10. (canceled)
11. A communication system comprising:
a communication terminal;
a control apparatus configured to process control data in a core network;
a subscriber-information management apparatus configured to store subscriber information of the communication terminal; and
a security apparatus configured to perform authentication processing for the communication terminal in cooperation with the subscriber-information management apparatus via the control apparatus, wherein
the communication terminal transmits, to the control apparatus, identification information of a network slice that the communication terminal desires to use, and
the communication terminal communicates, after the authentication processing has succeeded, with the network slice that the communication terminal desires to use based on the identification information of the network slice that the communication terminal desires to use.
12. The communication system according to claim 11, wherein
the communication terminal transmits identification information of the communication terminal to the control apparatus, and
the control apparatus selects the security apparatus from a plurality of security apparatuses based on the identification information of the communication terminal.
13. A communication terminal comprising:
at least one memory storing instructions, and
at least one processor configured to execute the instructions to:
transmit, to a control apparatus that processes control data in a core network, identification information of a network slice that the communication terminal desires to use;
receive, via the control apparatus, first security information used for authentication processing by the core network;
transmit second security information corresponding to the first security information to the control apparatus; and
communicate, after the communication terminal has been authenticated by the core network based on the second security information, with the network slice that the communication terminal desires to use based on the identification information of the network slice that the communication terminal desires to use.
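As an added illustration of the lookup flow in claims 1 to 7 (example code written for this page, not code from the patent or from NEC), the model below treats the HSS as the subscriber-information management apparatus and each AuC as a security apparatus. The HSS keeps a slice-to-AuC table (claim 4) and a per-subscriber list of usable slices (claim 5); it forwards the terminal's identity and requested slice to the AuC serving that slice (claim 3), and the AuC releases security information only for a (terminal, slice) pair it actually holds (claim 6). All identifiers and the "AV-…" security-information strings are constructed placeholders; the reference numerals (HSS 30, AuC 50, NS 110, UE 90) are reused purely as labels.

```python
"""Constructed model of slice-aware security-information acquisition.

Every identifier and value here is made up for illustration; the structure
follows the claims (HSS -> AuC lookup keyed by slice, AuC-side entitlement
check), not any real HSS/AuC implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class AuC:
    """Security apparatus: per subscriber, the slices it may use and the
    security information (an opaque authentication-vector placeholder here)
    for each of them."""
    name: str
    # ue_id -> {ns_id -> security information}
    subscriptions: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def get_security_info(self, ue_id: str, ns_id: str) -> Optional[str]:
        """Claim 6: decide from the stored (terminal, slice) association whether
        to hand the security information to the HSS. Unknown subscriber or a
        slice the subscriber is not entitled to yields None (nothing released)."""
        slices = self.subscriptions.get(ue_id)
        if not slices:
            return None
        return slices.get(ns_id)


class HSS:
    """Subscriber-information management apparatus (claims 1, 3, 4, 5)."""

    def __init__(self) -> None:
        self.auc_by_slice: Dict[str, AuC] = {}   # claim 4: slice -> AuC
        self.slices_of_ue: Dict[str, Set[str]] = {}  # subscriber record

    def register_auc(self, auc: AuC, ns_ids: Iterable[str]) -> None:
        for ns_id in ns_ids:
            self.auc_by_slice[ns_id] = auc

    def add_subscriber(self, ue_id: str, ns_ids: Iterable[str]) -> None:
        self.slices_of_ue[ue_id] = set(ns_ids)

    def acquire(self, ue_id: str, ns_id: Optional[str] = None) -> Optional[str]:
        """Acquire security information for the terminal's slice.

        With no slice identifier in the request (claim 5 path), the HSS may
        only proceed when its own record shows exactly one usable slice for
        the terminal; otherwise it refuses rather than guess."""
        if ns_id is None:
            usable = self.slices_of_ue.get(ue_id, set())
            if len(usable) != 1:
                return None
            ns_id = next(iter(usable))
        auc = self.auc_by_slice.get(ns_id)
        if auc is None:
            return None  # slice not served by any registered security apparatus
        # Claim 3/4: forward terminal id + slice id to the AuC for that slice.
        return auc.get_security_info(ue_id, ns_id)


def build_demo_hss() -> HSS:
    """Constructed sample deployment: AuC 50 serves NS 110/111, AuC 60 serves NS 120."""
    auc50 = AuC("AuC 50", {
        "UE 90": {"NS 110": "AV-90-110", "NS 111": "AV-90-111"},
        "UE 95": {"NS 111": "AV-95-111"},
    })
    auc60 = AuC("AuC 60", {"UE 90": {"NS 120": "AV-90-120"}})
    hss = HSS()
    hss.register_auc(auc50, ["NS 110", "NS 111"])
    hss.register_auc(auc60, ["NS 120"])
    hss.add_subscriber("UE 90", ["NS 110", "NS 111", "NS 120"])
    hss.add_subscriber("UE 95", ["NS 111"])
    return hss


if __name__ == "__main__":
    hss = build_demo_hss()
    for ue, ns in [("UE 90", "NS 110"), ("UE 95", "NS 110"), ("UE 95", None), ("UE 90", None)]:
        print(ue, ns, "->", hss.acquire(ue, ns))
```

The two refusals worth noting for a defender are the AuC returning nothing for a slice the subscriber is not entitled to (the claim 6 check lives at the key holder, not only at the HSS) and the HSS declining a slice-less request when the subscriber record is ambiguous, so that a request carrying only a terminal identity can never be used to pull key material for an unintended slice.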
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2016-140760 | 2016-07-15 | | |
JP2016140760 | 2016-07-15 | | |
PCT/JP2017/025680 WO2018012611A1 (en) | 2016-07-15 | 2017-07-14 | Communication system, subscriber information management device, information acquisition method, non-transitory computer readable medium, and communication terminal |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2017/025680 A-371-Of-International WO2018012611A1 (en) | 2016-07-15 | 2017-07-14 | Communication system, subscriber information management device, information acquisition method, non-transitory computer readable medium, and communication terminal |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/853,403 Continuation US11153751B2 (en) | 2016-07-15 | 2020-04-20 | Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190246270A1 (en) | 2019-08-08 |
Family
ID=60952096
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/311,463 Abandoned US20190246270A1 (en) | 2016-07-15 | 2017-07-14 | Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal |
US16/853,403 Active US11153751B2 (en) | 2016-07-15 | 2020-04-20 | Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/853,403 Active US11153751B2 (en) | 2016-07-15 | 2020-04-20 | Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal |
Country Status (6)
Country | Link |
---|---|
US (2) | US20190246270A1 (en) |
EP (2) | EP3767983A1 (en) |
JP (2) | JP6773116B2 (en) |
KR (2) | KR102193511B1 (en) |
CN (1) | CN109479193B (en) |
WO (1) | WO2018012611A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190261180A1 (en) * | 2016-10-31 | 2019-08-22 | Huawei Technologies Co., Ltd. | Network authentication method, and related device and system |
US20200162919A1 (en) * | 2018-11-16 | 2020-05-21 | Lenovo (Singapore) Pte. Ltd. | Accessing a denied network resource |
US20200274759A1 (en) * | 2017-10-23 | 2020-08-27 | Nokia Solutions and Networks Oy | Network slice configuration |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3860180A4 (en) * | 2018-09-28 | 2021-09-01 | NEC Corporation | Core network device, communication terminal, communication system, authentication method, and communication method |
CN111865872B (en) * | 2019-04-26 | 2021-08-27 | 大唐移动通信设备有限公司 | Method and equipment for realizing terminal security policy in network slice |
CN111414645B (en) * | 2020-03-19 | 2022-07-05 | 中国电子科技集团公司第三十研究所 | Safe HSS/UDM design method and system for realizing privacy protection function |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140171029A1 (en) * | 2011-07-08 | 2014-06-19 | Nokia Corporation | Method and apparatus for authenticating subscribers to long term evolution telecommunication networks or universal mobile telecommunications system |
US20160353465A1 (en) * | 2015-06-01 | 2016-12-01 | Huawei Technologies Co., Ltd. | System and Method for Virtualized Functions in Control and Data Planes |
US20170164212A1 (en) * | 2015-09-29 | 2017-06-08 | Telefonaktiebolaget L M Ericsson (Publ) | Network slice management |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100904215B1 (en) * | 2008-11-19 | 2009-06-25 | 넷큐브테크놀러지 주식회사 | System and method for managing access to network based on user authentication |
KR101504717B1 (en) * | 2010-09-16 | 2015-03-23 | 에스케이텔레콤 주식회사 | System and method for terminal authentication processing |
CN103843379B (en) * | 2012-08-08 | 2018-09-21 | 华为技术有限公司 | Information processing method and device |
EP3072263B1 (en) * | 2013-11-18 | 2017-10-25 | Telefonaktiebolaget LM Ericsson (publ) | Multi-tenant isolation in a cloud environment using software defined networking |
KR20150116092A (en) * | 2014-04-04 | 2015-10-15 | 한국전자통신연구원 | Method and apparatus for partitioning network based on slicing |
EP3132627B1 (en) | 2014-04-17 | 2018-10-03 | Mavenir Systems, Inc. | Gsm a3/a8 authentication in an ims network |
US10074178B2 (en) | 2015-01-30 | 2018-09-11 | Dental Imaging Technologies Corporation | Intra-oral image acquisition alignment |
US9930524B2 (en) * | 2015-06-22 | 2018-03-27 | Verizon Patent And Licensing Inc. | Detecting a second user device identifier based on registration of a first user device identifier |
JP6725703B2 (en) * | 2016-02-16 | 2020-07-22 | アイディーエーシー ホールディングス インコーポレイテッド | Network slicing operation |
CN108886678B (en) * | 2016-03-21 | 2020-03-10 | 华为技术有限公司 | Message interaction method, device and system |
JP2019096918A (en) * | 2016-04-05 | 2019-06-20 | シャープ株式会社 | Terminal, base station device, mme (mobility management entity) and communication control method |
2017
- 2017-07-14 US US16/311,463 patent/US20190246270A1/en not_active Abandoned
- 2017-07-14 JP JP2018527677A patent/JP6773116B2/en active Active
- 2017-07-14 KR KR1020207021917A patent/KR102193511B1/en active IP Right Grant
- 2017-07-14 CN CN201780044013.0A patent/CN109479193B/en active Active
- 2017-07-14 EP EP20194811.4A patent/EP3767983A1/en not_active Withdrawn
- 2017-07-14 EP EP17827734.9A patent/EP3487198A1/en not_active Withdrawn
- 2017-07-14 WO PCT/JP2017/025680 patent/WO2018012611A1/en unknown
- 2017-07-14 KR KR1020197004154A patent/KR102140521B1/en active IP Right Grant
2020
- 2020-04-20 US US16/853,403 patent/US11153751B2/en active Active
- 2020-09-29 JP JP2020163072A patent/JP6962432B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140171029A1 (en) * | 2011-07-08 | 2014-06-19 | Nokia Corporation | Method and apparatus for authenticating subscribers to long term evolution telecommunication networks or universal mobile telecommunications system |
US20160353465A1 (en) * | 2015-06-01 | 2016-12-01 | Huawei Technologies Co., Ltd. | System and Method for Virtualized Functions in Control and Data Planes |
US20170164212A1 (en) * | 2015-09-29 | 2017-06-08 | Telefonaktiebolaget L M Ericsson (Publ) | Network slice management |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190261180A1 (en) * | 2016-10-31 | 2019-08-22 | Huawei Technologies Co., Ltd. | Network authentication method, and related device and system |
US10848970B2 (en) * | 2016-10-31 | 2020-11-24 | Huawei Technologies Co., Ltd. | Network authentication method, and related device and system |
US11272365B2 (en) * | 2016-10-31 | 2022-03-08 | Huawei Technologies Co., Ltd. | Network authentication method, and related device and system |
US20200274759A1 (en) * | 2017-10-23 | 2020-08-27 | Nokia Solutions and Networks Oy | Network slice configuration |
US11848871B2 (en) | 2017-10-23 | 2023-12-19 | Nokia Solutions And Networks Oy | Network slice management |
US11902174B2 (en) * | 2017-10-23 | 2024-02-13 | Nokia Solutions And Networks Oy | Network slice configuration |
US20200162919A1 (en) * | 2018-11-16 | 2020-05-21 | Lenovo (Singapore) Pte. Ltd. | Accessing a denied network resource |
Also Published As
Publication number | Publication date |
---|---|
JP2021010174A (en) | 2021-01-28 |
KR20190030714A (en) | 2019-03-22 |
WO2018012611A1 (en) | 2018-01-18 |
EP3767983A1 (en) | 2021-01-20 |
KR102193511B1 (en) | 2020-12-21 |
EP3487198A4 (en) | 2019-05-22 |
US11153751B2 (en) | 2021-10-19 |
CN109479193B (en) | 2021-10-01 |
CN109479193A (en) | 2019-03-15 |
JP6962432B2 (en) | 2021-11-05 |
EP3487198A1 (en) | 2019-05-22 |
KR20200093086A (en) | 2020-08-04 |
US20200252798A1 (en) | 2020-08-06 |
JPWO2018012611A1 (en) | 2019-05-16 |
JP6773116B2 (en) | 2020-10-21 |
KR102140521B1 (en) | 2020-08-03 |
Similar Documents
Publication | Title |
---|---|
US11153751B2 (en) | Communication system, subscriber-information management apparatus, information acquisition method, non-transitory computer-readable medium, and communication terminal |
US10939294B2 (en) | Network access identifier including an identifier for a cellular access network node |
US11265705B2 (en) | Communication system, communication terminal, AMF entity, and communication method |
US11722891B2 (en) | User authentication in first network using subscriber identity module for second legacy network |
US11937079B2 (en) | Communication terminal, core network device, core network node, network node, and key deriving method |
US20190274072A1 (en) | Communication system, security device, communication terminal, and communication method |
US20190110195A1 (en) | Key derivation method, communication system, communication terminal, and communication device |
CN112020869A (en) | Unified subscription identifier management in a communication system |
WO2018139588A1 (en) | Communication terminal, information management method, and computer-readable medium |
US20230209343A1 (en) | Network-assisted attachment for hybrid subscribers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: NEC CORPORATION, JAPAN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ITO, HIRONORI;PRASAD, ANAND RAGHAWA;KUNZ, ANDREAS;AND OTHERS;SIGNING DATES FROM 20181206 TO 20181210;REEL/FRAME:047819/0045 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |